Cookies are leaked into private browsing mode for range requests #4234

Closed
Lekensteyn opened this issue Jan 31, 2014 · 0 comments · Fixed by #4235
During a visit to a website, I gathered some session cookies. These got expired and therefore required me to re-login.

When I opened a PDF of that website in private browsing mode, I obviously had to log in again. Note that my session in non-private mode is still expired. After logging in, I was presented with a blank page (see #4233). It turns out that the expired session cookie leaked in a range request.

The order of requests and responses is similar to #4233 (which was simplified to that test case):

  1. browser: GET /some.pdf (no cookie)
  2. server: HTML login form (+ new cookie)
  3. browser: POST /login (with cookie)
  4. server: 302 to /some.pdf
  5. browser: GET /some.pdf (with cookie)
  6. server: 200 OK with appropriate content type and Accept-Ranges: bytes
  7. browser: sends another GET request, with a Range header (with cookie and non-private cookie)
  8. server: 204 Partial Content with non-pdf content (the HTML login form)

What happened: pdf.js (or Firefox) leaks the cookie to the private browsing session.

What should happen instead: pdf.js should not leak the cookie from the non-private browsing session.

Firefox 26 on Arch Linux x86_64
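As an added illustration (not pdf.js or Firefox code), a Python model of the eight-step exchange above: one cookie jar per browsing context, a constructed cookie-gated server, and a `leaked_jar` parameter that reproduces the reported bleed of the non-private jar into the Range request. The server behaviour, cookie names and sample bytes are all constructed; a regression check in this shape is what a fix should make pass.

```python
PDF = b"%PDF-1.4 constructed sample bytes"   # constructed stand-in for /some.pdf
LOGIN_FORM = b"<html>login form</html>"      # constructed stand-in for the login page
class CookieGatedServer:
    """Constructed stand-in for the site in the report: /some.pdf needs a live session."""
    def __init__(self):
        self.live, self.counter = set(), 0
    @staticmethod
    def session_from(cookie_header):
        for pair in cookie_header.split(";"):   # first "sid" wins, as many servers do
            name, _, value = pair.strip().partition("=")
            if name == "sid":
                return value

    def handle(self, method, path, headers):
        if method == "POST" and path == "/login":             # steps 3-4: issue a session
            self.counter += 1
            sid = f"s{self.counter}"
            self.live.add(sid)
            return 302, {"Location": "/some.pdf", "Set-Cookie": f"sid={sid}"}, b""
        if self.session_from(headers.get("Cookie", "")) not in self.live:
            return 200, {"Content-Type": "text/html"}, LOGIN_FORM   # missing/expired session
        if "Range" in headers:                                 # step 8: serve a byte range
            lo, hi = map(int, headers["Range"][len("bytes="):].split("-"))
            return 206, {"Content-Type": "application/pdf"}, PDF[lo:hi + 1]
        return 200, {"Content-Type": "application/pdf", "Accept-Ranges": "bytes"}, PDF

def cookie_header(jar, leaked_jar=None):
    """Cookie header for one request; `leaked_jar` models the bug (another jar bleeds in)."""
    jars = ([leaked_jar] if leaked_jar is not None else []) + [jar]
    return "; ".join(f"{k}={v}" for j in jars for k, v in j.items())

def open_pdf(server, jar, leaked_jar=None):
    """Steps 1-8 of the report inside one browsing context; returns the Range response."""
    _, hdrs, _ = server.handle("GET", "/some.pdf", {"Cookie": cookie_header(jar)})
    if hdrs["Content-Type"] == "text/html":                    # step 2: login form shown
        _, hdrs, _ = server.handle("POST", "/login", {"Cookie": cookie_header(jar)})
        name, _, value = hdrs["Set-Cookie"].partition("=")
        jar[name] = value                                      # stored in this jar only
        _, hdrs, _ = server.handle("GET", "/some.pdf", {"Cookie": cookie_header(jar)})
    assert hdrs.get("Accept-Ranges") == "bytes"                # step 6
    return server.handle("GET", "/some.pdf", {"Range": "bytes=0-3",   # step 7
                                              "Cookie": cookie_header(jar, leaked_jar)})

def scenario(leak):
    """Normal window logs in, that session expires, then a private window opens the PDF."""
    server, normal, private = CookieGatedServer(), {}, {}
    open_pdf(server, normal)
    server.live.clear()                                        # normal-mode session expired
    return open_pdf(server, private, normal if leak else None)
```

`scenario(False)` returns a 206 with PDF bytes; `scenario(True)` returns the HTML login form in place of the range, which is the non-PDF content the report describes.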
