Closed Bug 1547813 Opened 5 years ago Closed 5 years ago

Implement a new cookie policy: block storage from trackers and partition all other third-party contexts

Categories

(Core :: Privacy: Anti-Tracking, enhancement)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla69
Tracking Flags:
Tracking Status
firefox69 --- fixed

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

(Blocks 1 open bug)

Details

Attachments

(12 files)

Bug 1547813 - Part 1: Introduce nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 2: Introduce nsIWebProgressListener::STATE_COOKIES_PARTITIONED_FOREIGN;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 3: Modify the antitracking algorithms to work with nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 4: Rename StorageAccess::ePartitionedOrDeny to ePartitionTrackersOrDeny;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 5: Introduce StorageAccess::ePartitionForeignOrDeny;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 6: Return StorageAccess::ePartitionForeignOrDeny from storage access APIs when the antitracking backend mandates that;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 7: Introduce a storage partitioning API;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 8: Introduce a CookieSettings API to query whether cookies from third-party trackers must be rejected and use it in Gecko;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 9: Ensure the cookie service does third-party checks when the cookie policy is set to nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 10: Add support for nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN to the content blocking category pref;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 11: Add support for reporting breakage when the nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN cookie policy is active;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547813 - Part 12: Add some tests for partitioning third-party storage/messaging with dynamic FPI;
47 bytes, text/x-phabricator-request
Details | Review

STR:

  1. Set privacy.storagePrincipal.enabledForTrackers to true.
  2. Browse around.
  3. Look inside your cookie db: sqlite3 /path/to/profile/cookies.sqlite.

This is because this code https://searchfox.org/mozilla-central/rev/b756e6d00728dda4121f8278a744381d8643317a/netwerk/cookie/nsCookieService.cpp#4045 isn't exactly correct, it accepts cookies which the anti-tracking backend tells us to reject!

I think it would be nice to have a testing pref that applies the current cookie policy but uses storagePrincipal for all third-party loads.

The thing that should really happen here is to implement a new cookie policy where we keep blocking trackers like we do today, but switch to partitioning everything else.

Here is a rough plan I've started to work on:

  1. define cookie policy value 5 in nsICookieService.idl
  2. modify the IsFirstPartyStorageGranted algorithms to work with it:
    2.1 mostly follow BEHAVIOR_REJECT_TRACKER
    2.2 if you're a third-party but not a tracker, return false with a new error code
    (let's call it STATE_COOKIES_BLOCKED_FOREIGN_TO_PARTITION for now)
    otherwise things will work mostly the same as BEHAVIOR_REJECT_TRACKER at the antitracking level
  3. Rename ePartitionedOrDeny to ePartitionTrackersOrDeny
  4. introduce ePartitionForeignOrDeny = -2
  5. here, connect our new error code to ePartitionForeignOrDeny: https://searchfox.org/mozilla-central/source/dom/base/nsContentUtils.cpp#8564
  6. triage this list: https://searchfox.org/mozilla-central/search?q=symbol:E_%3CT_nsContentUtils%3A%3AStorageAccess%3E_ePartitionedOrDeny&redirect=false
    most of the occurrences are cases where you're also checking the current storagePrincipal pref
  7. in those cases, introduce a new branch to allow partitioning third-party contexts where we have ePartitionForeignOrDeny and cookie policy is BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN
Summary: Browsing with the storageprincipal pref set causes us to set all cookies from third-party trackers → Implement a new cookie policy: block storage from trackers and partition all other third-party contexts
Type: defect → enhancement

This new code designates our new cookie policy for blocking cookies and
storage access from third-party trackers and partitioning the cookie jar
of the rest of third-party resources.

This error code indicates the specific case where the antitracking backend
rejects a particular access request because the resource is third-party and
the cookie policy mandates that third-party resources must be partitioned.

The policy that this patch implements in the antitracking backend is to treat
third-party trackers exactly the same way as BEHAVIOR_REJECT_TRACKER, and
additionally partition all third-party contexts as well.

This StorageAccess code tells callers that they must partition third-party
storage, or deny storage access if that is not possible.

This API abstracts away the details of the decision on what context should be
partitioned away from the consumers and centralizes the decision making into
the same location in the code base.

Depends on: 1548863

I still have some try failures: https://treeherder.mozilla.org/#/jobs?repo=try&revision=61f650214eb2564247708fb4f180f29c32429b28

I decided to hold off posting patches for now until this is fully green, but if you'd like to try things out the patches are available from the try push!

Depends on: 1531920

OK, my patches are now ready for review and landing. I'll upload them now.

Blocks: DynamicFirstPartyIsolation
Assignee: nobody → ehsan

This patch doesn't port all of the existing tests because some of them
do not pass yet and some others need more work to be ported. This will
happen in follow-up bugs.

Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0e0241f3d366
Part 1: Introduce nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/279c140a4d71
Part 2: Introduce nsIWebProgressListener::STATE_COOKIES_PARTITIONED_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/b4651cfaff30
Part 3: Modify the antitracking algorithms to work with nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/77a040f527e9
Part 4: Rename StorageAccess::ePartitionedOrDeny to ePartitionTrackersOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/4ced8d49ddc3
Part 5: Introduce StorageAccess::ePartitionForeignOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/06943593738c
Part 6: Return StorageAccess::ePartitionForeignOrDeny from storage access APIs when the antitracking backend mandates that; r=baku
https://hg.mozilla.org/integration/autoland/rev/807ce59e7e6e
Part 7: Introduce a storage partitioning API; r=baku
https://hg.mozilla.org/integration/autoland/rev/8cad4fd197b1
Part 8: Introduce a CookieSettings API to query whether cookies from third-party trackers must be rejected and use it in Gecko; r=baku
https://hg.mozilla.org/integration/autoland/rev/c1288949de1c
Part 9: Ensure the cookie service does third-party checks when the cookie policy is set to nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/a29f58cef022
Part 10: Add support for nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN to the content blocking category pref; r=ewright
https://hg.mozilla.org/integration/autoland/rev/f9d790139a26
Part 11: Add support for reporting breakage when the nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN cookie policy is active; r=johannh
https://hg.mozilla.org/integration/autoland/rev/98989127264b
Part 12: Add some tests for partitioning third-party storage/messaging with dynamic FPI; r=baku
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b26c4b43e858
Part 1: Introduce nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/a65a40d02a83
Part 2: Introduce nsIWebProgressListener::STATE_COOKIES_PARTITIONED_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/01ed57a466b7
Part 3: Modify the antitracking algorithms to work with nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/230cca204ae1
Part 4: Rename StorageAccess::ePartitionedOrDeny to ePartitionTrackersOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/c8636d91f3bd
Part 5: Introduce StorageAccess::ePartitionForeignOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/56d3c90d31dd
Part 6: Return StorageAccess::ePartitionForeignOrDeny from storage access APIs when the antitracking backend mandates that; r=baku
https://hg.mozilla.org/integration/autoland/rev/e016de0230b1
Part 7: Introduce a storage partitioning API; r=baku
https://hg.mozilla.org/integration/autoland/rev/ae4c8556193a
Part 8: Introduce a CookieSettings API to query whether cookies from third-party trackers must be rejected and use it in Gecko; r=baku
https://hg.mozilla.org/integration/autoland/rev/014736b1491c
Part 9: Ensure the cookie service does third-party checks when the cookie policy is set to nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/fc834315384d
Part 10: Add support for nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN to the content blocking category pref; r=ewright
https://hg.mozilla.org/integration/autoland/rev/e646f2b47472
Part 11: Add support for reporting breakage when the nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN cookie policy is active; r=johannh
https://hg.mozilla.org/integration/autoland/rev/f481cd618aa1
Part 12: Add some tests for partitioning third-party storage/messaging with dynamic FPI; r=baku
Flags: needinfo?(ehsan)
Blocks: 1710241
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: