Provide an option for first-party isolation in Private Browsing Mode
Categories
(Firefox :: Private Browsing, enhancement, P3)
Tracking
()
People
(Reporter: arthur, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [tor])
Attachments
(4 files)
Reporter | ||
Comment 1•7 years ago
|
||
Reporter | ||
Comment 2•7 years ago
|
||
Comment 3•7 years ago
|
||
Reporter | ||
Comment 4•7 years ago
|
||
Comment 5•7 years ago
|
||
Updated•7 years ago
|
Comment 6•7 years ago
|
||
Comment 7•7 years ago
|
||
Comment 8•7 years ago
|
||
Comment 9•7 years ago
|
||
Comment 10•7 years ago
|
||
Updated•7 years ago
|
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Updated•7 years ago
|
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment 20•7 years ago
|
||
mozreview-review |
Comment 21•7 years ago
|
||
mozreview-review |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment 29•7 years ago
|
||
mozreview-review |
Comment 30•7 years ago
|
||
mozreview-review |
Comment 31•7 years ago
|
||
mozreview-review |
Comment 32•7 years ago
|
||
mozreview-review |
Comment 33•7 years ago
|
||
mozreview-review |
Comment 34•7 years ago
|
||
mozreview-review-reply |
Comment 35•7 years ago
|
||
mozreview-review-reply |
Comment 36•7 years ago
|
||
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Updated•7 years ago
|
Comment 41•7 years ago
|
||
mozreview-review |
Comment 42•7 years ago
|
||
mozreview-review-reply |
Comment 43•7 years ago
|
||
Comment 44•7 years ago
|
||
mozreview-review-reply |
Comment 45•7 years ago
|
||
mozreview-review |
Comment 46•7 years ago
|
||
Comment 47•6 years ago
|
||
Comment 48•6 years ago
|
||
Updated•6 years ago
|
Updated•5 years ago
|
Comment 49•4 years ago
|
||
Firefox provides now State Partitioning ( https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/State_Partitioning ) which includes:
-
Network Partitioning to isolate storages that are not intended to store specific data (e.g. Caches; and thus might be used for tracking) which should be enabled at default via privacy.partition.network_state = true if I'm not wrong.
-
Dynamic State Partitioning to isolate all storages that are intended to store data (e.g. Cookies and localStorage) which can be enabled by setting network.cookie.cookieBehavior = 5 (also exposed via the options GUI). There are heuristics that allow access out if this partitioned sandbox to presumably avoid the breakages that the old first party isolation ( privacy.firstparty.isolate = true ) caused (e.g. paying on the PayPal popup called by the Steam storesite not working) which can in theory also be abused for tracking. But there are options to disable these heuristics (privacy.restrict3rdpartystorage.heuristic.opened_window_after_interaction, privacy.restrict3rdpartystorage.heuristic.recently_visited, privacy.restrict3rdpartystorage.heuristic.redirect, privacy.restrict3rdpartystorage.heuristic.window_open; presumably all set to true to enable the heuristics (the default) and to false to disable them - but the linked article isn't clear about that).
I have now disabled the old first party isolation by reverting my settings for it (setting privacy.firstparty.isolate and privacy.firstparty.isolate.block_post_message both to false) and enabled both State Partitions (by setting network.cookie.cookieBehavior = 5 via the GUI; the Network Partitioning via privacy.partition.network_state was already set to true as expected). I also did set all 4 heuristic settings mentioned above to false to allow no tracking exceptions (and assuming e.g. the above mentioned PayPal window and similar things break again until I temporary enabled the related heuristic settings again).
Since in my private browsing setup Network Partitioning was enabled at default and Dynamic State Partitioning was provided via the GUI I assume this will work reliable and official in (permanent) private browsing mode. Doesn't that mean this ticket is in theory outdated and can be closed or is there still something missing (e.g. what happens actually now if Cookies get fully disabled in the options GUI? I guess it simply disables read/write access to cookies and all other items that fall under Dynamic Storage Partitioning too like localStorage. But what happens if an user disables all cookies that way but enables them only for specific sites? Will they be double-paired or is third-party read/write access denied? Also I guess with the old FPI implementation an user could disable all third-party cookies while having FPI active while with the new FPI implementation third-party cookies should always work - but that should not be an issue as they should never be able to track (besides the heuristic-exceptions if enabled). And disabling cookies for specific sites (e.g. Google Services and other sites to disable their cookie/GDPR dialogues) while Dynamic Storage Partitioning is enabled works straightforward as well)?
I guess if userContext gets also ready in the future for (permanent) private browsing mode this would now be very good as for example I would not have to always restart the browser again to avoid mixing up stuff (e.g. Gmail and the Google Search) which requires me to always setup again some site-specific settings once I visit them (e.g. disabling Cookies on Google Services for the reason mentioned above). But I guess I should test it myself and create a ticket for that if needed (if it not already exists).
Comment 50•4 years ago
|
||
Doesn't that mean this ticket is in theory outdated and can be closed or is there still something missing
It probably can be closed in favor of Bug 1649876 which would switch our FPI implementation over to dFPI; and bring along with it the ability to enable it selectively in PBM. However until we've been able to do that, and also until Tor has been able to audit dFPI to the point where they're comfortable switching over to it (e.g. there isn't some heuristic enabled by default that can't be disabled) I'd like to keep this open.
Comment 51•4 years ago
|
||
Note that we will be shipping dFPI in Private Browsing in 89, if all goes to plan (bug 1698810). I don't really see a point in keeping this bug since I'm confident we will never implement FPI in PBM.
Updated•2 years ago
|
Description
•