[GH-ISSUE #2107] Floccus on Firefox leaks cookies from Incognito into regular mode. #1414

New issue

Closed

opened 2026-02-25 22:39:57 +03:00 by kerem · 3 comments

kerem commented 2026-02-25 22:39:57 +03:00

Owner

Copy link

Originally created by @kenrestivo on GitHub (Nov 26, 2025).
Original GitHub issue: https://github.com/floccusaddon/floccus/issues/2107

Which version of floccus are you using?

5.8.1

How many bookmarks do you have, roughly?

100

Are you using other means to sync bookmarks in parallel to floccus?

no

Sync method

WebDAV

Which browser are you using? In case you are using the phone App, specify the Android or iOS version and device please.

Firefox 128.5.0esr-1~deb12u1

Which version of Nextcloud Bookmarks are you using? (if relevant)

No response

Which version of Nextcloud? (if relevant)

No response

What kind of WebDAV server are you using? (if relevant)

nginx

Describe the Bug

If you click the bookmark star icon in an incognito window, the cookies from that page show up in your regular browser. This is surprising at least and potentially a significant security risk at worst.

Expected Behavior

When bookmarking from an incognito window, cookies from that window should not show up in the non-incognito regular browser windows.

To Reproduce

Perform these steps to duplicate:

1. Have Floccus set to synchronize on changes
2. Clear all cookies
3. Inspect privacy by going to about:preferences#privacy and then Manage Data, to see you have no cookies
4. Open an incognito window
5. Go to a site that has cookies (99% of sites do)
6. Click the bookmark star icon in the incognito tab
7. Go to your non-incognito window
8. Inspect privacy by going to about:preferences#privacy and then Manage Data,
9. Notice the cookie from your incognito page has leaked into your non-incognito regular browser window

Debug log provided

• I have provided a debug log file

Originally created by @kenrestivo on GitHub (Nov 26, 2025). Original GitHub issue: https://github.com/floccusaddon/floccus/issues/2107 ### Which version of floccus are you using? 5.8.1 ### How many bookmarks do you have, roughly? 100 ### Are you using other means to sync bookmarks in parallel to floccus? no ### Sync method WebDAV ### Which browser are you using? In case you are using the phone App, specify the Android or iOS version and device please. Firefox 128.5.0esr-1~deb12u1 ### Which version of Nextcloud Bookmarks are you using? (if relevant) _No response_ ### Which version of Nextcloud? (if relevant) _No response_ ### What kind of WebDAV server are you using? (if relevant) nginx ### Describe the Bug If you click the bookmark star icon in an incognito window, the cookies from that page show up in your regular browser. This is surprising at least and potentially a significant security risk at worst. ### Expected Behavior When bookmarking from an incognito window, cookies from that window should not show up in the non-incognito regular browser windows. ### To Reproduce Perform these steps to duplicate: 1. Have Floccus set to synchronize on changes 2. Clear all cookies 3. Inspect privacy by going to about:preferences#privacy and then Manage Data, to see you have no cookies 4. Open an incognito window 5. Go to a site that has cookies (99% of sites do) 6. Click the bookmark star icon in the incognito tab 7. Go to your non-incognito window 8. Inspect privacy by going to about:preferences#privacy and then Manage Data, 9. Notice the cookie from your incognito page has leaked into your non-incognito regular browser window ### Debug log provided - [ ] I have provided a debug log file

kerem 2026-02-25 22:39:57 +03:00

• closed this issue
• added the
  bug
  waiting for more information
  labels

kerem commented 2026-02-25 22:39:57 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Nov 26, 2025):

Hello! 👋

Thank you for taking the time to open this issue with floccus. I know it's frustrating when software causes problems. You have made the right choice to come here and open an issue to make sure your problem gets looked at and if possible solved. Let me give you a short introduction on what to expect from this issue tracker to avoid misunderstandings. I'm Marcel. I created floccus a few years ago, and have been maintaining it since. I currently work for Nextcloud which leaves me with less time for side projects like this one than I used to have. I still try to answer all issues and if possible fix all bugs here, but it sometimes takes a while until I get to it. Until then, please be patient. It helps when you stick around to answer follow up questions I may have, as very few bugs can be fixed directly from the first bug report, without any interaction. If information is missing in your bug report and the issue cannot be solved without it, I will have to close the issue after a while. Note also that GitHub in general is a place where people meet to make software better together. Nobody here is under any obligation to help you, solve your problems or deliver on any expectations or demands you may have, but if enough people come together we can collaborate to make this software better. For everyone. Thus, if you can, you could also have a look at other issues to see whether you can help other people with your knowledge and experience. If you have coding experience it would also be awesome if you could step up to dive into the code and try to fix the odd bug yourself. Everyone will be thankful for extra helping hands! If you cannot lend a helping hand, to continue the development and maintenance of this project in a sustainable way, I ask that you donate to the project when opening an issue (or at least once your issue is solved), if you're not a donor already. You can find donation options at https://floccus.org/donate/. Thank you!

One last word: If you feel, at any point, like you need to vent, this is not the place for it; you can go to the Nextcloud forum, to twitter or somewhere else. But this is a technical issue tracker, so please make sure to focus on the tech and keep your opinions to yourself.

Thank you for reading through this primer. I look forward to working with you on this issue! Cheers! 💙

<!-- gh-comment-id:3583371063 --> @github-actions[bot] commented on GitHub (Nov 26, 2025): Hello! :wave: Thank you for taking the time to open this issue with floccus. I know it's frustrating when software causes problems. You have made the right choice to come here and open an issue to make sure your problem gets looked at and if possible solved. Let me give you a short introduction on what to expect from this issue tracker to avoid misunderstandings. I'm Marcel. I created floccus a few years ago, and have been maintaining it since. I currently work for Nextcloud which leaves me with less time for side projects like this one than I used to have. I still try to answer all issues and if possible fix all bugs here, but it sometimes takes a while until I get to it. Until then, please be patient. It helps when you stick around to answer follow up questions I may have, as very few bugs can be fixed directly from the first bug report, without any interaction. If information is missing in your bug report and the issue cannot be solved without it, I will have to close the issue after a while. Note also that GitHub in general is a place where people meet to make software better *together*. Nobody here is under any obligation to help you, solve your problems or deliver on any expectations or demands you may have, but if enough people come together we can collaborate to make this software better. For everyone. Thus, if you can, you could also have a look at other issues to see whether you can help other people with your knowledge and experience. If you have coding experience it would also be awesome if you could step up to dive into the code and try to fix the odd bug yourself. Everyone will be thankful for extra helping hands! If you cannot lend a helping hand, to continue the development and maintenance of this project in a sustainable way, I ask that you donate to the project when opening an issue (or at least once your issue is solved), if you're not a donor already. You can find donation options at <https://floccus.org/donate/>. Thank you! One last word: If you feel, at any point, like you need to vent, this is not the place for it; you can go to the Nextcloud forum, to twitter or somewhere else. But this is a technical issue tracker, so please make sure to focus on the tech and keep your opinions to yourself. Thank you for reading through this primer. I look forward to working with you on this issue! Cheers! :blue_heart:

kerem commented 2026-02-25 22:39:57 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Nov 28, 2025):

Hi @kenrestivo
Thank you for taking the time to give feedback by opening this issue!
I'm wondering if this is actually due to floccus or if this is simply a bug in firefox 128 🤔
Could you try disabling floccus and trying your steps again?

<!-- gh-comment-id:3588596465 --> @marcelklehr commented on GitHub (Nov 28, 2025): Hi @kenrestivo Thank you for taking the time to give feedback by opening this issue! I'm wondering if this is actually due to floccus or if this is simply a bug in firefox 128 🤔 Could you try disabling floccus and trying your steps again?

kerem commented 2026-02-25 22:39:57 +03:00

Author

Owner

Copy link

@kenrestivo commented on GitHub (Nov 30, 2025):

Yep that's it, it appears to be a severe bug in Firefox! Even with the Floccus extension turned off, cookies from incognito mode are showing up in regular mode. How bizarre.

Thanks for your time, closing.

<!-- gh-comment-id:3592281107 --> @kenrestivo commented on GitHub (Nov 30, 2025): Yep that's it, it appears to be a severe bug in Firefox! Even with the Floccus extension turned off, cookies from incognito mode are showing up in regular mode. How bizarre. Thanks for your time, closing.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/fast-xml-parser-5.7.0

dependabot/npm_and_yarn/xmldom/xmldom-0.8.13

dependabot/npm_and_yarn/protocol-buffers-schema-3.6.1

master

fix/xml-entity-limit

all-contributors/add-aaryanvangari

fix/subscanner-residuals

test/subscanner-residuals

test/problematic-seeds

perf/improve-build-time

perf/native-startup

fix/continuation-null-cheks

dropbox

fix/clear-indexeddb-after-sync

dependabot/npm_and_yarn/vuetify-3.11.4

fix/slim-down-continuation

test/background-worker

refactor/fail-build-if-native-uses-browser-api

feat/improve-failsafe-wording

dependabot/npm_and_yarn/multi-0520f5abeb

feat/release-build

fix/more-mapping-errors

dependabot/npm_and_yarn/intl-messageformat-10.7.18

enh/split-sync-interval-and-auto-sync

enh/gdrive-timeout

feat/safari

feat/capabilities

feat/xxhash3

feat/murmur3

fix/gdrive-error-handling

fix/correctness-fixes

fix/linkwarden

feat/orion

fix/nocache-tests

feat/tab-groups

fix/git-never-force-push

fix/xbel-parse-errors

fix/git-push-errors

fix/chrome-main-folder-ids

dependabot/npm_and_yarn/multi-a9f852c250

chore/use-local-linkwarden-container-in-ci

all-contributors/add-balthanon

dependabot/npm_and_yarn/multi-7c5da94753

fix/revert-indexeddb-logger

fix/acknowlegde-abuse

dependabot/npm_and_yarn/eslint-import-resolver-webpack-0.13.10

fix/rip-out-continuations

fix/webdav-filesize-depth-header

fix/changes-while-syncing

fix/addition-failsafe-minimum

feat/indexeddb-logs

feat/addition-failsafe

fix/webdav-check-filesize

fix/orion

fix/bounded-exponential-backoff

fix/dont-repeat-on-sync-fail

fix-tests

fix/speedup-tab-update-cb

all-contributors/add-andybalaam

all-contributors/add-macrogreg

fix/parse-tag-value

fix/cleanup-deps

refactor/partial-set-data-with-lock

fix/nc-bookmarks-update

fix/move-stabiltiy-same-titled-folders

fix/ios-share-extension

fix/update-selenium

fix/chrome-net-errors

enh/nc-bm-js

sentry

fix/unidirectional-scanner-shoudl-use-mappings

enh/interrupts

dependabot/npm_and_yarn/vue-loader-17.4.2

ci/build-ios

enh/manifest-v3

release/4.19.0

fix/codeql

fix/google-drive-ios

all-contributors/add-dmotte

fix/unidirectional-sync

fix/interrupts

all-contributors/add-pinpontitit

all-contributors/add-dsiminiuk

test/old-apis

test/interrupts-on-nextcloud-bookmarks

feature/no-hashing-in-diff

feature/improve-diff-performance

capacitor

enh/rename-nextcloud-folders

fix/complex-hierarchy-reversal-2

tests/coverage

feature/google-drive

dependabot/npm_and_yarn/eslint-plugin-vue-7.6.0

fix/crypto

dependabot/npm_and_yarn/sass-1.32.7

dependabot/npm_and_yarn/css-loader-5.0.2

dependabot/npm_and_yarn/webpack-cli-4.5.0

fix/performance-hash-caching

dependabot/npm_and_yarn/eslint-plugin-standard-5.0.0

dependabot/npm_and_yarn/sass-loader-10.1.1

dependabot/npm_and_yarn/eslint-import-resolver-webpack-0.13.0

dependabot/npm_and_yarn/webpack-merge-5.7.3

dependabot/npm_and_yarn/p-queue-6.6.2

dependabot/npm_and_yarn/throttle-debounce-3.0.1

fix/lww-move-test

fix/overwrite-strategy

fix/root-folder-sync

enh/local-hash-cash

test/ci

ui/vue

cookie-hack

fix/travis

rollup

refactor/ui

webdav

refactor/modularize

v5.9.1

v5.9.0

v5.8.6

v5.8.5

v5.8.4

v5.8.3

v5.8.2

v5.8.1

v5.8.0

v5.7.0

v5.6.0

v5.5.6

v5.5.5

v5.5.4

v5.5.3

v5.5.2

v5.5.1

v5.5.0

v5.4.5

v5.4.4

v5.4.3

v5.4.2

v5.4.2-alpha.1

v5.4.1

v5.4.0

v5.3.4

v5.3.3

v5.3.1

v5.3.0

v5.3.0-beta.1

v5.2.7

v5.2.6

v5.2.5

v5.2.4

v5.2.3

v5.2.2

v5.2.1

v5.2.0

v5.2.0-beta.3

v5.2.0-beta.2

v5.2.0-beta.1

v5.1.7

v5.1.6

v5.1.5

v5.1.4

v5.1.3

5.1.3-beta.1

v5.1.2

v5.1.1

v5.1.0

v5.0.12

v5.0.12-beta.1

v5.0.11

v5.0.10

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.19.1

v4.19.0

v4.18.1

v4.18.0

v4.17.1

v4.17.0

v4.16.0

v4.15.0

v4.14.0

v4.13.1

v4.13.0

v4.12.0

v4.11.0

v4.11.0-alpha.0

v4.10.1

v4.10.0

v4.9.0

v4.8.7

v4.8.6

v4.8.4

v4.8.3

v4.8.2

v4.8.1

v4.8.0

v4.7.0

v4.6.4

v4.6.3

v4.6.2

v4.6.1

v4.6.0

v4.5.0

v4.4.10

v4.4.9

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.4.0-rc1

v4.3.0

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.2.0-beta.4

v4.2.0-beta.3

v4.2.0-beta.2

v4.2.0-beta.1

v4.1.0

v4.0.4

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v4

v4.0.0-alpha.3

v4.0.0-alpha.2

v4.0.0-alpha.1

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.2

v3.4.1

v3.4.0

v3.4.0-beta.3

v3.4.0-beta.2

v3.4.0-beta.1

v3.3.2

v3.3.1

v3.3.0

v3.3.0-beta.5

v3.3.0-beta.4

v3.3.0-beta.3

v3.3.0-beta.2

v3.3.0-beta.1

v3.2.16

v3.2.15

v3.2.14

v3.2.13

v3.2.12

v3.2.11

v3.2.10

v3.2.9

v3.2.8

v3.2.7

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.15

v3.1.14

v3.1.13

v3.1.12

v3.1.11

v3.1.10

v3.1.9

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.10

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v3.0.0-beta.9

v3.0.0-beta.8

v3.0.0-beta.7

v2.2.9

v3.0.0-beta.6

v3.0.0-beta.5

v3.0.0-beta.4

v3.0.0-beta.3

v3.0.0-beta.2

v3.0.0-beta-1

v3.0.0-alpha-1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.0

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0.0-beta.2

v1.3.4

v2.0.0-beta.1

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.3.0-beta.5

v1.3.0-beta.4

v1.3.0-beta.3

v1.3.0-beta.2

v1.3.0-beta1

v1.2.0

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

Labels

Clear labels   

browser-specific

  

bug

  

correctness issues

  

enhancement

  

feature: Google Drive

  

feature: Linkwarden

  

feature: git

  

feature: nextcloud-bookmarks

  

feature: tabs

  

feature: webdav

  

help wanted

  

native-app

  

priority: high

  

priority: low

  

priority: medium

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

stale

  

upstream

  

waiting for more information

  

wontfix

  

🙁 Not following issue template

No labels

browser-specific

bug

correctness issues

enhancement

feature: Google Drive

feature: Linkwarden

feature: git

feature: nextcloud-bookmarks

feature: tabs

feature: webdav

help wanted

native-app

priority: high

priority: low

priority: medium

pull-request

question

question

stale

upstream

waiting for more information

wontfix

🙁 Not following issue template

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/floccus#1414

No description provided.