Implement a new cookie policy: block storage from trackers and partition all other third-party contexts
Categories
(Core :: Privacy: Anti-Tracking, enhancement)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox69 | --- | fixed |
People
(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)
References
(Blocks 1 open bug)
Details
Attachments
(12 files)
STR:
- Set privacy.storagePrincipal.enabledForTrackers to true.
- Browse around.
- Look inside your cookie db: sqlite3 /path/to/profile/cookies.sqlite.
This is because this code https://searchfox.org/mozilla-central/rev/b756e6d00728dda4121f8278a744381d8643317a/netwerk/cookie/nsCookieService.cpp#4045 isn't exactly correct, it accepts cookies which the anti-tracking backend tells us to reject!
Assignee
Comment 1•5 years ago
I think it would be nice to have a testing pref that applies the current cookie policy but uses storagePrincipal for all third-party loads.
Assignee
Comment 2•5 years ago
The thing that should really happen here is to implement a new cookie policy where we keep blocking trackers like we do today, but switch to partitioning everything else.
Here is a rough plan I've started to work on:
- define cookie policy value 5 in nsICookieService.idl
- modify the IsFirstPartyStorageGranted algorithms to work with it:
  2.1 mostly follow BEHAVIOR_REJECT_TRACKER
  2.2 if you're a third-party but not a tracker, return false with a new error code (let's call it STATE_COOKIES_BLOCKED_FOREIGN_TO_PARTITION for now)
  otherwise things will work mostly the same as BEHAVIOR_REJECT_TRACKER at the antitracking level
- Rename ePartitionedOrDeny to ePartitionTrackersOrDeny
- introduce ePartitionForeignOrDeny = -2
- here, connect our new error code to ePartitionForeignOrDeny: https://searchfox.org/mozilla-central/source/dom/base/nsContentUtils.cpp#8564
- triage this list: https://searchfox.org/mozilla-central/search?q=symbol:E_%3CT_nsContentUtils%3A%3AStorageAccess%3E_ePartitionedOrDeny&redirect=false
  most of the occurrences are cases where you're also checking the current storagePrincipal pref - in those cases, introduce a new branch to allow partitioning third-party contexts where we have ePartitionForeignOrDeny and cookie policy is BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN
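The plan in the comment above, modelled as an added example (not part of the original comment and not Gecko source). The `Context` struct, the function names and the `resource^topLevel` key format are hypothetical; storage-access grants are left out, and only the values 5 and -2 are taken from the bug.

```cpp
// Added illustration: a simplified model of the plan above, not Gecko source.
#include <iostream>
#include <string>

// Only the value 5 comes from the bug; the other enumerators are unnumbered here.
enum class CookieBehavior {
  Accept,
  RejectTracker,                         // BEHAVIOR_REJECT_TRACKER
  RejectTrackerAndPartitionForeign = 5,  // BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN
};

// ePartitionForeignOrDeny = -2 comes from the plan; the rest are unnumbered here.
enum class StorageAccess { ePartitionForeignOrDeny = -2, ePartitionTrackersOrDeny, eDeny, eAllow };

struct Context {             // hypothetical stand-in for a load's context
  std::string topLevelSite;  // site shown in the URL bar
  std::string resourceSite;  // site of the embedded resource
  bool isTracker;            // on the tracking-protection list
};

// Steps 2.1 and 2.2: trackers are handled as under BEHAVIOR_REJECT_TRACKER;
// other third parties are flagged for partitioning only under the new policy.
StorageAccess Classify(CookieBehavior policy, const Context& c) {
  if (policy == CookieBehavior::Accept || c.topLevelSite == c.resourceSite)
    return StorageAccess::eAllow;
  if (c.isTracker) return StorageAccess::ePartitionTrackersOrDeny;
  if (policy == CookieBehavior::RejectTrackerAndPartitionForeign)
    return StorageAccess::ePartitionForeignOrDeny;
  return StorageAccess::eAllow;
}

// Key the storage is filed under; an empty string means the access is refused.
// trackerPartitionPref models privacy.storagePrincipal.enabledForTrackers.
std::string StorageKey(CookieBehavior policy, const Context& c, bool trackerPartitionPref) {
  const std::string partitioned = c.resourceSite + "^" + c.topLevelSite;
  switch (Classify(policy, c)) {
    case StorageAccess::eAllow: return c.resourceSite;
    case StorageAccess::ePartitionForeignOrDeny: return partitioned;
    case StorageAccess::ePartitionTrackersOrDeny: return trackerPartitionPref ? partitioned : "";
    default: return "";
  }
}

int main() {
  const CookieBehavior p = CookieBehavior::RejectTrackerAndPartitionForeign;
  // Constructed sites: the same widget embedded on two pages gets two separate jars.
  std::cout << StorageKey(p, {"news.example", "widget.example", false}, false) << "\n"
            << StorageKey(p, {"shop.example", "widget.example", false}, false) << "\n"
            << "[" << StorageKey(p, {"news.example", "ads.example", true}, false) << "]\n";
}
```

Under the older tracker-only policy the same non-tracker widget would share one unpartitioned jar across both embedding sites, which is the cross-site linkage the new policy removes.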
Updated•5 years ago
Assignee
Comment 3•5 years ago
This new code designates our new cookie policy for blocking cookies and
storage access from third-party trackers and partitioning the cookie jar
of the rest of third-party resources.
Assignee
Comment 4•5 years ago
This error code indicates the specific case where the antitracking backend
rejects a particular access request because the resource is third-party and
the cookie policy mandates that third-party resources must be partitioned.
Assignee
Comment 5•5 years ago
The policy that this patch implements in the antitracking backend is to treat
third-party trackers exactly the same way as BEHAVIOR_REJECT_TRACKER, and
additionally partition all third-party contexts as well.
Assignee
Comment 6•5 years ago
Assignee
Comment 7•5 years ago
This StorageAccess code tells callers that they must partition third-party
storage, or deny storage access if that is not possible.
Assignee
Comment 8•5 years ago
Assignee
Comment 9•5 years ago
This API abstracts away the details of the decision on what context should be
partitioned away from the consumers and centralizes the decision making into
the same location in the code base.
Assignee
Comment 10•5 years ago
I still have some try failures: https://treeherder.mozilla.org/#/jobs?repo=try&revision=61f650214eb2564247708fb4f180f29c32429b28
I decided to hold off posting patches for now until this is fully green, but if you'd like to try things out the patches are available from the try push!
Assignee
Comment 11•5 years ago
OK, my patches are now ready for review and landing. I'll upload them now.
Assignee
Comment 12•5 years ago
Assignee
Comment 13•5 years ago
Assignee
Comment 14•5 years ago
Assignee
Comment 15•5 years ago
Assignee
Updated•5 years ago
Assignee
Updated•5 years ago
Assignee
Comment 16•5 years ago
This patch doesn't port all of the existing tests because some of them
do not pass yet and some others need more work to be ported. This will
happen in follow-up bugs.
Comment 17•5 years ago
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0e0241f3d366 Part 1: Introduce nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/279c140a4d71 Part 2: Introduce nsIWebProgressListener::STATE_COOKIES_PARTITIONED_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/b4651cfaff30 Part 3: Modify the antitracking algorithms to work with nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/77a040f527e9 Part 4: Rename StorageAccess::ePartitionedOrDeny to ePartitionTrackersOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/4ced8d49ddc3 Part 5: Introduce StorageAccess::ePartitionForeignOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/06943593738c Part 6: Return StorageAccess::ePartitionForeignOrDeny from storage access APIs when the antitracking backend mandates that; r=baku
https://hg.mozilla.org/integration/autoland/rev/807ce59e7e6e Part 7: Introduce a storage partitioning API; r=baku
https://hg.mozilla.org/integration/autoland/rev/8cad4fd197b1 Part 8: Introduce a CookieSettings API to query whether cookies from third-party trackers must be rejected and use it in Gecko; r=baku
https://hg.mozilla.org/integration/autoland/rev/c1288949de1c Part 9: Ensure the cookie service does third-party checks when the cookie policy is set to nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/a29f58cef022 Part 10: Add support for nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN to the content blocking category pref; r=ewright
https://hg.mozilla.org/integration/autoland/rev/f9d790139a26 Part 11: Add support for reporting breakage when the nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN cookie policy is active; r=johannh
https://hg.mozilla.org/integration/autoland/rev/98989127264b Part 12: Add some tests for partitioning third-party storage/messaging with dynamic FPI; r=baku
Comment 18•5 years ago
Backed out for failures in browser_partitionedIndexedDB.js
Backout link: https://hg.mozilla.org/integration/autoland/rev/8fea661662875f667e79d9204438ce3cbfacbb46
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=245572200&repo=autoland&lineNumber=4215
Comment 19•5 years ago
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b26c4b43e858 Part 1: Introduce nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/a65a40d02a83 Part 2: Introduce nsIWebProgressListener::STATE_COOKIES_PARTITIONED_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/01ed57a466b7 Part 3: Modify the antitracking algorithms to work with nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/230cca204ae1 Part 4: Rename StorageAccess::ePartitionedOrDeny to ePartitionTrackersOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/c8636d91f3bd Part 5: Introduce StorageAccess::ePartitionForeignOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/56d3c90d31dd Part 6: Return StorageAccess::ePartitionForeignOrDeny from storage access APIs when the antitracking backend mandates that; r=baku
https://hg.mozilla.org/integration/autoland/rev/e016de0230b1 Part 7: Introduce a storage partitioning API; r=baku
https://hg.mozilla.org/integration/autoland/rev/ae4c8556193a Part 8: Introduce a CookieSettings API to query whether cookies from third-party trackers must be rejected and use it in Gecko; r=baku
https://hg.mozilla.org/integration/autoland/rev/014736b1491c Part 9: Ensure the cookie service does third-party checks when the cookie policy is set to nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/fc834315384d Part 10: Add support for nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN to the content blocking category pref; r=ewright
https://hg.mozilla.org/integration/autoland/rev/e646f2b47472 Part 11: Add support for reporting breakage when the nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN cookie policy is active; r=johannh
https://hg.mozilla.org/integration/autoland/rev/f481cd618aa1 Part 12: Add some tests for partitioning third-party storage/messaging with dynamic FPI; r=baku
Comment 20•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b26c4b43e858
https://hg.mozilla.org/mozilla-central/rev/a65a40d02a83
https://hg.mozilla.org/mozilla-central/rev/01ed57a466b7
https://hg.mozilla.org/mozilla-central/rev/230cca204ae1
https://hg.mozilla.org/mozilla-central/rev/c8636d91f3bd
https://hg.mozilla.org/mozilla-central/rev/56d3c90d31dd
https://hg.mozilla.org/mozilla-central/rev/e016de0230b1
https://hg.mozilla.org/mozilla-central/rev/ae4c8556193a
https://hg.mozilla.org/mozilla-central/rev/014736b1491c
https://hg.mozilla.org/mozilla-central/rev/fc834315384d
https://hg.mozilla.org/mozilla-central/rev/e646f2b47472
https://hg.mozilla.org/mozilla-central/rev/f481cd618aa1
Assignee
Updated•5 years ago