Closed Bug 1547813 Opened 6 years ago Closed 6 years ago

Implement a new cookie policy: block storage from trackers and partition all other third-party contexts

Categories: Core :: Privacy: Anti-Tracking
Type: enhancement
Priority: Not set
Severity: normal

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla69
Tracking Status: firefox69 --- fixed

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

(Blocks 1 open bug)

Details

Attachments

(12 files, all Phabricator review requests of type text/x-phabricator-request)

STR:

  1. Set privacy.storagePrincipal.enabledForTrackers to true.
  2. Browse around.
  3. Look inside your cookie db: sqlite3 /path/to/profile/cookies.sqlite.

This is because this code https://searchfox.org/mozilla-central/rev/b756e6d00728dda4121f8278a744381d8643317a/netwerk/cookie/nsCookieService.cpp#4045 isn't exactly correct: it accepts cookies which the anti-tracking backend tells us to reject!

I think it would be nice to have a testing pref that applies the current cookie policy but uses storagePrincipal for all third-party loads.

The thing that should really happen here is to implement a new cookie policy where we keep blocking trackers like we do today, but switch to partitioning everything else.

Here is a rough plan I've started to work on:

  1. define cookie policy value 5 in nsICookieService.idl
  2. modify the IsFirstPartyStorageGranted algorithms to work with it:
    2.1 mostly follow BEHAVIOR_REJECT_TRACKER
    2.2 if you're a third-party but not a tracker, return false with a new error code
    (let's call it STATE_COOKIES_BLOCKED_FOREIGN_TO_PARTITION for now)
    otherwise things will work mostly the same as BEHAVIOR_REJECT_TRACKER at the antitracking level
  3. Rename ePartitionedOrDeny to ePartitionTrackersOrDeny
  4. introduce ePartitionForeignOrDeny = -2
  5. here, connect our new error code to ePartitionForeignOrDeny: https://searchfox.org/mozilla-central/source/dom/base/nsContentUtils.cpp#8564
  6. triage this list: https://searchfox.org/mozilla-central/search?q=symbol:E_%3CT_nsContentUtils%3A%3AStorageAccess%3E_ePartitionedOrDeny&redirect=false
    most of the occurrences are cases where you're also checking the current storagePrincipal pref
  7. in those cases, introduce a new branch to allow partitioning third-party contexts where we have ePartitionForeignOrDeny and cookie policy is BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN
Summary: Browsing with the storageprincipal pref set causes us to set all cookies from third-party trackers → Implement a new cookie policy: block storage from trackers and partition all other third-party contexts
Type: defect → enhancement
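An added example (not Gecko code) modelling the decision logic the plan above describes: the cookie policy values and the StorageAccess values are the ones named in this bug, while the function names, the RejectReason placeholders and the remaining enum members are assumptions made here.

```cpp
#include <cstdint>

// Cookie policies from nsICookieService.idl (other values omitted).
enum CookieBehavior : uint32_t {
  BEHAVIOR_ACCEPT = 0,
  BEHAVIOR_REJECT_TRACKER = 4,
  BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN = 5,  // new policy from this bug
};

// Result handed to storage consumers; negative values mean "partition or deny".
enum class StorageAccess : int32_t {
  ePartitionForeignOrDeny = -2,   // new in this bug
  ePartitionTrackersOrDeny = -1,  // formerly ePartitionedOrDeny
  eAllow = 2,
};

// Why access was refused; model placeholders, not the real nsIWebProgressListener flags.
enum class RejectReason { None, BlockedTracker, PartitionedForeign };

// Model of the anti-tracking decision (plan step 2) for one third-party check.
StorageAccess DecideStorageAccess(bool isThirdParty, bool isTracker,
                                  CookieBehavior behavior, RejectReason* reason) {
  *reason = RejectReason::None;
  if (!isThirdParty || behavior == BEHAVIOR_ACCEPT) return StorageAccess::eAllow;
  if (isTracker) {  // identical under both REJECT_TRACKER policies
    *reason = RejectReason::BlockedTracker;
    return StorageAccess::ePartitionTrackersOrDeny;
  }
  if (behavior == BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN) {
    *reason = RejectReason::PartitionedForeign;  // third-party but not a tracker
    return StorageAccess::ePartitionForeignOrDeny;
  }
  return StorageAccess::eAllow;  // REJECT_TRACKER: non-tracker third parties keep cookies
}

// Model of the partitioning API (plan step 7): should the consumer switch to a
// partitioned storage principal? `spForTrackers` models privacy.storagePrincipal.enabledForTrackers.
bool ShouldPartitionStorage(StorageAccess access, CookieBehavior behavior, bool spForTrackers) {
  if (access == StorageAccess::ePartitionForeignOrDeny)
    return behavior == BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN;
  if (access == StorageAccess::ePartitionTrackersOrDeny) return spForTrackers;
  return false;
}

// The defect in the STR: a store that cannot partition must treat "partition or
// deny" as deny, never as accept.
bool MayStoreCookie(StorageAccess a, CookieBehavior b, bool spForTrackers, bool canPartition) {
  return a == StorageAccess::eAllow || (canPartition && ShouldPartitionStorage(a, b, spForTrackers));
}
```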

This new code designates our new cookie policy for blocking cookies and
storage access from third-party trackers and partitioning the cookie jar
of the rest of third-party resources.

This error code indicates the specific case where the antitracking backend
rejects a particular access request because the resource is third-party and
the cookie policy mandates that third-party resources must be partitioned.

The policy that this patch implements in the antitracking backend is to treat
third-party trackers exactly the same way as BEHAVIOR_REJECT_TRACKER, and
additionally partition all third-party contexts as well.

This StorageAccess code tells callers that they must partition third-party
storage, or deny storage access if that is not possible.

This API abstracts away the details of the decision on what context should be
partitioned away from the consumers and centralizes the decision making into
the same location in the code base.

Depends on: 1548863

I still have some try failures: https://treeherder.mozilla.org/#/jobs?repo=try&revision=61f650214eb2564247708fb4f180f29c32429b28

I decided to hold off posting patches for now until this is fully green, but if you'd like to try things out the patches are available from the try push!

Depends on: 1531920

OK, my patches are now ready for review and landing. I'll upload them now.

Assignee: nobody → ehsan

This patch doesn't port all of the existing tests because some of them
do not pass yet and some others need more work to be ported. This will
happen in follow-up bugs.

Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0e0241f3d366
Part 1: Introduce nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/279c140a4d71
Part 2: Introduce nsIWebProgressListener::STATE_COOKIES_PARTITIONED_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/b4651cfaff30
Part 3: Modify the antitracking algorithms to work with nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/77a040f527e9
Part 4: Rename StorageAccess::ePartitionedOrDeny to ePartitionTrackersOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/4ced8d49ddc3
Part 5: Introduce StorageAccess::ePartitionForeignOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/06943593738c
Part 6: Return StorageAccess::ePartitionForeignOrDeny from storage access APIs when the antitracking backend mandates that; r=baku
https://hg.mozilla.org/integration/autoland/rev/807ce59e7e6e
Part 7: Introduce a storage partitioning API; r=baku
https://hg.mozilla.org/integration/autoland/rev/8cad4fd197b1
Part 8: Introduce a CookieSettings API to query whether cookies from third-party trackers must be rejected and use it in Gecko; r=baku
https://hg.mozilla.org/integration/autoland/rev/c1288949de1c
Part 9: Ensure the cookie service does third-party checks when the cookie policy is set to nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/a29f58cef022
Part 10: Add support for nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN to the content blocking category pref; r=ewright
https://hg.mozilla.org/integration/autoland/rev/f9d790139a26
Part 11: Add support for reporting breakage when the nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN cookie policy is active; r=johannh
https://hg.mozilla.org/integration/autoland/rev/98989127264b
Part 12: Add some tests for partitioning third-party storage/messaging with dynamic FPI; r=baku

Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b26c4b43e858
Part 1: Introduce nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/a65a40d02a83
Part 2: Introduce nsIWebProgressListener::STATE_COOKIES_PARTITIONED_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/01ed57a466b7
Part 3: Modify the antitracking algorithms to work with nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/230cca204ae1
Part 4: Rename StorageAccess::ePartitionedOrDeny to ePartitionTrackersOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/c8636d91f3bd
Part 5: Introduce StorageAccess::ePartitionForeignOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/56d3c90d31dd
Part 6: Return StorageAccess::ePartitionForeignOrDeny from storage access APIs when the antitracking backend mandates that; r=baku
https://hg.mozilla.org/integration/autoland/rev/e016de0230b1
Part 7: Introduce a storage partitioning API; r=baku
https://hg.mozilla.org/integration/autoland/rev/ae4c8556193a
Part 8: Introduce a CookieSettings API to query whether cookies from third-party trackers must be rejected and use it in Gecko; r=baku
https://hg.mozilla.org/integration/autoland/rev/014736b1491c
Part 9: Ensure the cookie service does third-party checks when the cookie policy is set to nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/fc834315384d
Part 10: Add support for nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN to the content blocking category pref; r=ewright
https://hg.mozilla.org/integration/autoland/rev/e646f2b47472
Part 11: Add support for reporting breakage when the nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN cookie policy is active; r=johannh
https://hg.mozilla.org/integration/autoland/rev/f481cd618aa1
Part 12: Add some tests for partitioning third-party storage/messaging with dynamic FPI; r=baku
Flags: needinfo?(ehsan)
Blocks: 1710241