Chrome allowing unauthorized local storage

Discussion in 'privacy problems' started by shuverisan, Feb 29, 2012.

Thread Status:
Not open for further replies.
  1. shuverisan

    I wanted to make a new thread for what I already mentioned here
    https://www.wilderssecurity.com/showpost.php?p=2022463&postcount=14

    Chrome, Chromium and Chromium based browsers are allowing cookies to be saved when all local data setting is disabled. I've not found any bug reports or Google support threads talking about this.

    I made a short video clearly showing what I describe.
    http://thesimplecomputer.info/chrome-allowing-all-cookies.html

    Surely this can't be the first time it's been noticed? Does anyone know anything more? Can any Chrome, Chromium, Iron, etc. users add to the list of super special allowed domain cookies?

    So far I've seen:
    Amazon
    Blekko
    Yippy
    Ecosia
    Cluuz
    CNN
    Youtube


    (but on the plus side, Chrome now offers DuckDuckGo as a default search choice on installation)


    Update: 3/2/2012
    According to Mike West, the patched Chrome stable is going through QA checks now so it should be sent out in a browser update at the beginning of next week.

    Update: 3/1/2012
    The patch (code here) is in Chromium build 124404 and later.
    http://commondatastorage.googleapis.com/chromium-browser-continuous/index.html

    Update: 2/29/12
    Got an email from Mike West, they're on it and all should be smoothed out soon. The problem is that Chrome's URLFetcher is ignoring the cookie policy for some search engines and some sites that have internal searching. I have his full explanation on my page (the 2nd link above) and I'll be updating it and this post until the issue is resolved.
     
    Last edited: Mar 2, 2012
  2. Hungry Man

    File a bug report/ email Mike West? They'll know more than anyone here will I assume.

    edit: And thanks for the new topic, I doubt I'd have seen that post.
     
    Last edited: Feb 29, 2012
  3. shuverisan

    No problem, Hungry. This is urgent and I'm still a bit in disbelief that it's a newfound issue.

    I did file a bug report and I emailed Mike West both the below link and one to my vid. He's usually quick with responses.
    http://code.google.com/p/chromium/issues/detail?id=116253

    Let's see where this goes.
     
  4. vasa1

    I tried www.blekko.com with your instructions and have two cookies. One, searchsessionid expiring Mar 1, 2012 and the other, longsessionid, expiring Feb 26, 2022 !!!

    This is with Chrome 17.0.963.56 on Ubuntu.

    I starred the bug.
     
    Last edited: Feb 29, 2012
  5. Hungry Man

    I sent Mike a message with a link to your article when you posted it - I should have said that lol he got back to me a while ago.

    Mike West - Thanks. That does indeed look like a bad bug, and I can reproduce it on stable (but not on Canary). Flagging it, looking into it.
     
  6. m00nbl00d

    I accessed Blekko and even allowed JavaScript (just in case), and see no cookies. I'm using Chromium Developer Build 124016 Windows.

    Then again, I've got a freakish Chromium profiling system... :D

    -edit-

    A relative of mine is using Google Chrome (stable channel) and I'll see if it does store cookies.
     
  7. pandorax

    amazon, cnn and youtube set cookies on stable 17, Win7 :thumbd:
     
  8. Hungry Man

    Patch landed on trunk ~45 minutes ago. It'll be merged back to stable and released with the next update.

    -- Mike West
     
  9. vasa1

    OP should get some Google currency :D
     
  10. vasa1

    What about the famous Iron? Did you take a look at that (since no other Iron user has volunteered information)?
     
  11. Hungry Man

    It's not like Iron really changes much in the code - I seriously doubt it's fixed there.
     
  12. shuverisan

    I certainly did. Iron 16.0.950.0 and 17.0.1000.0 in Windows and Linux do the exact same thing. I assume Dragon and others do too, since urlfetcher is an inherent part of the source that no one would have reason to remove.

    Never heard of Google currency before. The Federal Reserve Act ends this year so maybe G.dolla$ will replace FR notes! :D
     
  13. vasa1

    But it would be nice to get an answer from an actual user, don't you think? After all, I don't think they're that reticent otherwise ;)

    Didn't see OP's post but I would still like to hear from others because it really, really, really shatters my belief that Iron protects its users' privacy if especially they didn't verify that they are actually protecting their users since that's their raison d'etre.

    I think it's this whole rapid release thing that Iron is blindly copying. They owe it to their loyal users to check out the RC more thoroughly.
     
    Last edited: Feb 29, 2012
  14. Hungry Man

    Is it really so surprising having seen the multitude of evidence against the browser?
     
  15. vasa1

  16. vasa1

    Well, at least those claiming to make a better browser than Chrome in terms of PRIVACY should have verified their claims?

    If you don't mind, I'm gonna point a blogger to your post :D
     
  17. shuverisan

    I was expecting at least a few Iron regular users to chime in but this thread has one of the lowest view counts in the subforum. Maybe I shoulda worded the title with something more exciting.
    I am following their progress. I just tried Chromium build 124280 which (from what I can tell) has the patch, no change yet.
    http://build.chromium.org/p/tryserver.chromium/builders/linux_rel/builds/5184

    I admit, I have a hard time following it all too. They have a lot of acronyms and references for other code chunks I've never seen before. M17 to me is the Omega Nebula so I'm learning as I go. :doubt:
    Not at all! The more the merrier.
     
  18. Hungry Man

    EVIL GOOGLE MALICIouSLY prevents privacy evil evil COOKIES BAD

    M17 means milestone 17.
     
  19. vasa1

    I'm sending you some e-thanks by PM if you don't mind :D
     
  20. shuverisan

    nice, pm responded :cool:
     
  21. vasa1

    which means (to me) that they intend to push out an update to the current stable because we're already at ver. 17.
     
  22. Hungry Man

    That is indeed what it means.
     
  23. shuverisan

    Chromium is patched and working fine now.
     
  24. vasa1

    Good job! So have you figured out what exactly went wrong? ... in simple terms please!
     
  25. shuverisan

    Basically, when OpenSearch (which can be read about here) descriptions (which looks like this) were downloaded by the browser for sites with embedded search features, the browser profile's cookie rules weren't followed.

    I didn't know Amazon basically created OpenSearch. I thought that was a Google effort.
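
An added example, not part of any post in this thread: one way to check a profile for the symptom described above, cookies that were written after "block all" was enabled. It assumes a table modelled on the `cookies` table of Chrome's cookie database, reduced to four columns; the rows are constructed, using the two Blekko cookie names and expiry dates reported earlier in the thread, and `blocked_since` and `allowed_hosts` are hypothetical parameters the auditor supplies.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores cookie times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_webkit(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def to_webkit(dt):
    # Floor division keeps the result an exact integer (no float rounding).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_store():
    """Constructed stand-in for a profile's cookie database (reduced column set)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT, "
               "name TEXT, expires_utc INTEGER)")
    utc = lambda *a: to_webkit(datetime(*a, tzinfo=timezone.utc))
    rows = [  # constructed sample rows; creation times are invented
        (utc(2012, 2, 20, 9, 0), ".example.org", "old_pref", utc(2013, 2, 20)),
        (utc(2012, 2, 29, 10, 5), "blekko.com", "searchsessionid", utc(2012, 3, 1)),
        (utc(2012, 2, 29, 10, 5), "blekko.com", "longsessionid", utc(2022, 2, 26)),
    ]
    db.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", rows)
    return db

def policy_violations(db, blocked_since, allowed_hosts=()):
    """Cookies created after block-all was enabled and not covered by an exception."""
    query = ("SELECT host_key, name, creation_utc, expires_utc FROM cookies "
             "WHERE creation_utc >= ? ORDER BY host_key, name")
    findings = []
    for host, name, created, expires in db.execute(query, (to_webkit(blocked_since),)):
        if host.lstrip(".") in allowed_hosts:
            continue  # the user explicitly allowed this host
        lifetime_days = (from_webkit(expires) - from_webkit(created)).days
        findings.append((host, name, from_webkit(expires).date().isoformat(),
                         lifetime_days))
    return findings

if __name__ == "__main__":
    # Constructed: the moment the user switched the profile to block all cookies.
    blocked = datetime(2012, 2, 28, tzinfo=timezone.utc)
    for finding in policy_violations(build_sample_store(), blocked):
        print(finding)
```

Cookies that predate the setting change are ignored, so only data stored in spite of the policy is reported, together with its lifetime.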
     