Implement a new cookie policy: block storage from trackers and partition all other third-party contexts

RESOLVED FIXED in Firefox 69

(Reporter: Ehsan, Assigned: Ehsan)
Description

2 months ago

STR:

  1. Set privacy.storagePrincipal.enabledForTrackers to true.
  2. Browse around.
  3. Look inside your cookie db: sqlite3 /path/to/profile/cookies.sqlite.

This is because this code https://searchfox.org/mozilla-central/rev/b756e6d00728dda4121f8278a744381d8643317a/netwerk/cookie/nsCookieService.cpp#4045 isn't exactly correct: it accepts cookies which the anti-tracking backend tells us to reject!

Comment 1

2 months ago

I think it would be nice to have a testing pref that applies the current cookie policy but uses storagePrincipal for all third-party loads.

Comment 2

2 months ago

The thing that should really happen here is to implement a new cookie policy where we keep blocking trackers like we do today, but switch to partitioning everything else.

Here is a rough plan I've started to work on:

  1. define cookie policy value 5 in nsICookieService.idl
  2. modify the IsFirstPartyStorageGranted algorithms to work with it:
     2.1 mostly follow BEHAVIOR_REJECT_TRACKER
     2.2 if you're a third-party but not a tracker, return false with a new error code (let's call it STATE_COOKIES_BLOCKED_FOREIGN_TO_PARTITION for now); otherwise things will work mostly the same as BEHAVIOR_REJECT_TRACKER at the antitracking level
  3. Rename ePartitionedOrDeny to ePartitionTrackersOrDeny
  4. introduce ePartitionForeignOrDeny = -2
  5. here, connect our new error code to ePartitionForeignOrDeny: https://searchfox.org/mozilla-central/source/dom/base/nsContentUtils.cpp#8564
  6. triage this list: https://searchfox.org/mozilla-central/search?q=symbol:E_%3CT_nsContentUtils%3A%3AStorageAccess%3E_ePartitionedOrDeny&redirect=false
     most of the occurrences are cases where you're also checking the current storagePrincipal pref
  7. in those cases, introduce a new branch to allow partitioning third-party contexts where we have ePartitionForeignOrDeny and cookie policy is BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN

Summary: Browsing with the storageprincipal pref set causes us to set all cookies from third-party trackers → Implement a new cookie policy: block storage from trackers and partition all other third-party contexts
Type: defect → enhancement
Comment 3

2 months ago

This new code designates our new cookie policy for blocking cookies and
storage access from third-party trackers and partitioning the cookie jar
of the rest of third-party resources.

Comment 4

2 months ago

This error code indicates the specific case where the antitracking backend
rejects a particular access request because the resource is third-party and
the cookie policy mandates that third-party resources must be partitioned.

Comment 5

2 months ago

The policy that this patch implements in the antitracking backend is to treat
third-party trackers exactly the same way as BEHAVIOR_REJECT_TRACKER, and
additionally partition all third-party contexts as well.

Comment 7

2 months ago

This StorageAccess code tells callers that they must partition third-party
storage, or deny storage access if that is not possible.

Comment 9

2 months ago

This API abstracts away the details of the decision on what context should be
partitioned away from the consumers and centralizes the decision making into
the same location in the code base.
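The policy laid out in the plan in comment 2 and in the commit descriptions of comments 3 to 9 can be modelled as one decision function plus a cookie jar keyed by partition. The block below is an added example, not Gecko code or any patch from this bug; the StorageAccess values other than -2, the host-inequality third-party test and privacy.storagePrincipal.enabledForTrackers being off are assumptions of the model.

```cpp
// Added model (not Gecko code) of the decision this bug describes: trackers are
// rejected, other third parties get a cookie jar partitioned by first party.
#include <map>
#include <string>

// Values 0 and 4 are existing nsICookieService constants; 5 is the value proposed in comment 2.
enum CookieBehavior { BEHAVIOR_ACCEPT = 0, BEHAVIOR_REJECT_TRACKER = 4,
                      BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN = 5 };
// StorageAccess codes: -2 is from comment 2; the eDeny and eAllow values are assumed for this model.
enum StorageAccess { ePartitionForeignOrDeny = -2, eDeny = 0, eAllow = 1 };
struct Request { std::string firstParty; std::string host; bool isTracker; };

// Antitracking decision for one cookie access. privacy.storagePrincipal.enabledForTrackers
// is assumed off, so trackers are denied rather than partitioned under policies 4 and 5.
// Third-partiness is approximated by host inequality (Gecko compares eTLD+1).
StorageAccess Decide(CookieBehavior policy, const Request& r) {
  if (r.firstParty == r.host || policy == BEHAVIOR_ACCEPT) return eAllow;
  if (r.isTracker) return eDeny;
  if (policy == BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN) return ePartitionForeignOrDeny;
  return eAllow;  // BEHAVIOR_REJECT_TRACKER: non-tracker third parties share one jar
}

class CookieJar {
  // (partition key, cookie host) -> value; an empty partition key is the unpartitioned jar.
  std::map<std::pair<std::string, std::string>, std::string> mCookies;
  static std::string Key(StorageAccess a, const Request& r) { return a == eAllow ? "" : r.firstParty; }
 public:
  // Returns false when the backend denies; storing anyway is the bug in the description.
  bool Set(CookieBehavior policy, const Request& r, const std::string& value) {
    StorageAccess a = Decide(policy, r);
    if (a == eDeny) return false;
    mCookies[{Key(a, r), r.host}] = value;
    return true;
  }
  std::string Get(CookieBehavior policy, const Request& r) const {
    StorageAccess a = Decide(policy, r);
    if (a == eDeny) return "";
    auto it = mCookies.find({Key(a, r), r.host});
    return it == mCookies.end() ? "" : it->second;
  }
};

// Constructed scenario: cdn.example sets a cookie while embedded in a.test, then is
// loaded from b.test. Under policy 4 it sees "id=123" again; under policy 5 it sees nothing.
std::string CookieSeenFromB(CookieBehavior policy) {
  CookieJar jar;
  jar.Set(policy, {"a.test", "cdn.example", false}, "id=123");
  return jar.Get(policy, {"b.test", "cdn.example", false});
}
// Constructed scenario: does tracker.example embedded in a.test get anything stored?
bool TrackerStored(CookieBehavior policy) { CookieJar jar; return jar.Set(policy, {"a.test", "tracker.example", true}, "uid=9"); }
```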

Updated

2 months ago
Depends on: 1548863
Comment 10

2 months ago

I still have some try failures: https://treeherder.mozilla.org/#/jobs?repo=try&revision=61f650214eb2564247708fb4f180f29c32429b28

I decided to hold off posting patches for now until this is fully green, but if you'd like to try things out the patches are available from the try push!

Updated

Last month
Depends on: 1531920
Comment 11

Last month

OK, my patches are now ready for review and landing. I'll upload them now.

Updated

Last month
Assignee: nobody → ehsan
Comment 16

Last month

This patch doesn't port all of the existing tests because some of them
do not pass yet and some others need more work to be ported. This will
happen in follow-up bugs.

Comment 17

Last month
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0e0241f3d366
Part 1: Introduce nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/279c140a4d71
Part 2: Introduce nsIWebProgressListener::STATE_COOKIES_PARTITIONED_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/b4651cfaff30
Part 3: Modify the antitracking algorithms to work with nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/77a040f527e9
Part 4: Rename StorageAccess::ePartitionedOrDeny to ePartitionTrackersOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/4ced8d49ddc3
Part 5: Introduce StorageAccess::ePartitionForeignOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/06943593738c
Part 6: Return StorageAccess::ePartitionForeignOrDeny from storage access APIs when the antitracking backend mandates that; r=baku
https://hg.mozilla.org/integration/autoland/rev/807ce59e7e6e
Part 7: Introduce a storage partitioning API; r=baku
https://hg.mozilla.org/integration/autoland/rev/8cad4fd197b1
Part 8: Introduce a CookieSettings API to query whether cookies from third-party trackers must be rejected and use it in Gecko; r=baku
https://hg.mozilla.org/integration/autoland/rev/c1288949de1c
Part 9: Ensure the cookie service does third-party checks when the cookie policy is set to nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/a29f58cef022
Part 10: Add support for nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN to the content blocking category pref; r=ewright
https://hg.mozilla.org/integration/autoland/rev/f9d790139a26
Part 11: Add support for reporting breakage when the nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN cookie policy is active; r=johannh
https://hg.mozilla.org/integration/autoland/rev/98989127264b
Part 12: Add some tests for partitioning third-party storage/messaging with dynamic FPI; r=baku

Comment 19

24 days ago
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b26c4b43e858
Part 1: Introduce nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/a65a40d02a83
Part 2: Introduce nsIWebProgressListener::STATE_COOKIES_PARTITIONED_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/01ed57a466b7
Part 3: Modify the antitracking algorithms to work with nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/230cca204ae1
Part 4: Rename StorageAccess::ePartitionedOrDeny to ePartitionTrackersOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/c8636d91f3bd
Part 5: Introduce StorageAccess::ePartitionForeignOrDeny; r=baku
https://hg.mozilla.org/integration/autoland/rev/56d3c90d31dd
Part 6: Return StorageAccess::ePartitionForeignOrDeny from storage access APIs when the antitracking backend mandates that; r=baku
https://hg.mozilla.org/integration/autoland/rev/e016de0230b1
Part 7: Introduce a storage partitioning API; r=baku
https://hg.mozilla.org/integration/autoland/rev/ae4c8556193a
Part 8: Introduce a CookieSettings API to query whether cookies from third-party trackers must be rejected and use it in Gecko; r=baku
https://hg.mozilla.org/integration/autoland/rev/014736b1491c
Part 9: Ensure the cookie service does third-party checks when the cookie policy is set to nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; r=baku
https://hg.mozilla.org/integration/autoland/rev/fc834315384d
Part 10: Add support for nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN to the content blocking category pref; r=ewright
https://hg.mozilla.org/integration/autoland/rev/e646f2b47472
Part 11: Add support for reporting breakage when the nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN cookie policy is active; r=johannh
https://hg.mozilla.org/integration/autoland/rev/f481cd618aa1
Part 12: Add some tests for partitioning third-party storage/messaging with dynamic FPI; r=baku
Updated

20 days ago
Flags: needinfo?(ehsan)