Get rid of not-used prefs in cookie service

RESOLVED FIXED in Firefox 67

Status

()

enhancement
P2
normal
RESOLVED FIXED
3 months ago
3 months ago

People

(Reporter: baku, Assigned: baku)

Tracking

Trunk
mozilla67
Points:
---

Firefox Tracking Flags

(firefox67 fixed)

Details

(Whiteboard: [necko-triaged])

Attachments

(2 attachments, 2 obsolete attachments)

Assignee

Description

3 months ago

network.cookie.leave-secure-alone, network.cookie.thirdparty.nonsecureSessionOnly, and network.cookie.thirdparty.sessionOnly are not used and not exposed to web-extensions/UI. We should remove them.

(In reply to Andrea Marchesini [:baku] from comment #0)

network.cookie.leave-secure-alone, network.cookie.thirdparty.nonsecureSessionOnly, and network.cookie.thirdparty.sessionOnly are not used and not exposed to web-extensions/UI. We should remove them.

Sure, let's remove network.cookie.leave-secure-alone, but I disagree about the other two. What are your reasons for wanting to remove them? I actually would like to some day experiment with enabling them by default in some form (e.g. as part of Content Blocking Strict mode, or maybe even the default configuration if we ever get there...)

Flags: needinfo?(amarchesini)
Priority: -- → P2
Whiteboard: [necko-triaged]
Assignee

Comment 5

3 months ago

Sure, let's remove network.cookie.leave-secure-alone, but I disagree about the other two. What are your reasons for wanting to remove them? I actually would like to some day experiment with enabling them by default in some form (e.g. as part of Content Blocking Strict mode, or maybe even the default configuration if we ever get there...)

I like this idea, but we can add them when we need them, right? Maybe we can file bugs to test and land these features and mark them as blocked by this bug.

Flags: needinfo?(amarchesini) → needinfo?(ehsan)

When you say "add them when we need them" what are you specifically referring to?

What I was trying to say was that I think both network.cookie.thirdparty.sessionOnly and network.cookie.thirdparty.nonsecureSessionOnly are useful as they are right now. It is possible we may want to modify how they work in the future, but I'm puzzled on why we would want to remove these useful privacy prefs right now to add them again in the future potentially? Am I missing something? Did you want to do something in the cookie backend that the code behind these two prefs is blocking you to currently?

Flags: needinfo?(ehsan) → needinfo?(amarchesini)
Assignee

Comment 7

3 months ago

These features are disabled by default and it's impossible to enabled them from the UI nor from webExtensions.
Plus, both feature work only with cookies, what about any other DOM storage APIs?

If we want to test these 2 ideas, we should transform them in a project where any component behave consistently. If we want to implement these 2 feature correctly, I think they should be removed from cookieService, and implemented in nsContentUtils::StorageAllowedForWindow()/ForChannel(), for instance.

Flags: needinfo?(amarchesini) → needinfo?(ehsan)

network.cookie.thirdparty.nonsecureSessionOnly is a cookie specific feature, since the notion of non-secure doesn't really apply to other DOM storage APIs. network.cookie.thirdparty.sessionOnly is in theory something that we can make other DOM storage APIs support as well (even though right now only DOM Storage has any notion of session lifetime in addition to the cookie backend.) That would be a welcome improvement I would think. (Hopefully some day that could be our default behaviour for handling third-party cookies/storage.)

The fact that these can only be turned on in about:config isn't a good reason to remove them, I think. We have a lot of features which aren't togglable from our UI or or WebExtensions and we don't do work to remove them all, I usually prefer if we have better reasons for removing features (such as knowing they're dead-end ideas which we have no interest in continuing to support.)

Flags: needinfo?(ehsan)
Attachment #9042413 - Attachment is obsolete: true
Attachment #9042414 - Attachment is obsolete: true

Comment 10

3 months ago
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9ce3161eadeb
Get rid of network.cookie.leave-secure-alone, r=Ehsan
https://hg.mozilla.org/integration/autoland/rev/4000cae4b60a
Get rid of telemetry for network.cookie.leave-secure-alone, r=Ehsan

Comment 11

3 months ago
bugherder
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.