Closed Bug 1486944 Opened Last year Closed Last year

Make the reject foreign cookie behavior honor the content blocking pref

Categories

(Core :: DOM: Core & HTML, enhancement)

enhancement
Not set

Tracking

()

RESOLVED FIXED
mozilla63
Tracking Status
firefox63 --- fixed

People

(Reporter: ehsan, Assigned: ehsan)

References

Details

Attachments

(2 files)

This option is being exposed as part of the Content Blocking UI, so we would like to make it honor the same pref as well.
Attachment #9004713 - Flags: review?(amarchesini) → review+
Attachment #9004714 - Flags: review?(amarchesini) → review+
Is the browser_contentblocking_enabled pref currently non-existent,
and will it be enabled by default when introduced?
Flags: needinfo?(ehsan)
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5fc45a7e2b35
Part 1: Make the reject foreign cookie behavior also depend on the browser.contentblocking.enabled pref; r=baku
https://hg.mozilla.org/integration/mozilla-inbound/rev/b536e2deff08
Part 2: Add tests to ensure that the reject foreign cookie behavior also depends on the browser.contentblocking.enabled pref; r=baku
(In reply to Mats Palmgren (:mats) from comment #3)
> Is the browser_contentblocking_enabled pref currently non-existent,
> and will it be enabled by default when introduced?

That pref is an existing pref, defined here: https://hg.mozilla.org/mozilla-central/file/b75561ff5ffe/modules/libpref/init/StaticPrefList.h#l1270
Flags: needinfo?(ehsan)
Hmm, so if a user currently have blocked 3rd party cookies,
but haven't enabled content blocking, are 3rd party cookies
still blocked or not?  The logic in the patch seems to
suggest it's not - am I missing something?
Flags: needinfo?(ehsan)
Or to phrase it more generally - does these planned changes potentially result
in reduced privacy for any user?
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/188b13da9862
Part 1: Make the reject foreign cookie behavior also depend on the browser.contentblocking.enabled pref; r=baku
https://hg.mozilla.org/integration/mozilla-inbound/rev/ceb6a933997f
Part 2: Add tests to ensure that the reject foreign cookie behavior also depends on the browser.contentblocking.enabled pref; r=baku
(In reply to Mats Palmgren (:mats) from comment #7)
> Or to phrase it more generally - does these planned changes potentially
> result
> in reduced privacy for any user?

They shouldn't, since the browser.contentblocking.enabled pref is enabled *by default*.  The only case where third-party cookie blocking would stop for the said user is if they go and turn this new pref off, and only if they're blocking all third-party cookies *or* blocking third-party cookies from trackers.

Does this answer your question?
Flags: needinfo?(ehsan) → needinfo?(mats)
https://hg.mozilla.org/mozilla-central/rev/188b13da9862
https://hg.mozilla.org/mozilla-central/rev/ceb6a933997f
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
(In reply to :Ehsan Akhgari from comment #10)
> Does this answer your question?

Yes it does, thank you.

> The only case where third-party cookie blocking would stop
> for the said user is if they go and turn this new pref off,
> and only if they're blocking all third-party cookies *or*
> blocking third-party cookies from trackers.

OK, fair enough.  I think it's a rather serious flaw though
that our UI is basically lying now if you do turn content
blocking off and have cookies set to "Blocked: All 3rd party...".
There's no indication whatsoever that that configuration
will not work as advertised.

Perhaps the "Cookies and Site Data" and "Content Blocking"
UIs needs to be integrated now, so that it doesn't mislead
users about what's actually blocked or not.
Flags: needinfo?(mats)
(In reply to Mats Palmgren (:mats) from comment #12)
> > The only case where third-party cookie blocking would stop
> > for the said user is if they go and turn this new pref off,
> > and only if they're blocking all third-party cookies *or*
> > blocking third-party cookies from trackers.
> 
> OK, fair enough.  I think it's a rather serious flaw though
> that our UI is basically lying now if you do turn content
> blocking off and have cookies set to "Blocked: All 3rd party...".
> There's no indication whatsoever that that configuration
> will not work as advertised.
> 
> Perhaps the "Cookies and Site Data" and "Content Blocking"
> UIs needs to be integrated now, so that it doesn't mislead
> users about what's actually blocked or not.

Indeed, this is something we have also paid attention to.  I'm waiting for a UX mock-up to write the last patch in this series which will finish this UI by addressing this one last major flaw, but while the mock is being made, I filed bug 1487556 to keep track of the work and CCed you there.  :-)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.