Closed Bug 1642051 Opened 4 years ago Closed 4 years ago

Add the ability to remotely exempt urls from partitioning

Categories

(Core :: Privacy: Anti-Tracking, enhancement, P3)


RESOLVED FIXED
mozilla80
Tracking Status
firefox80 --- fixed

People

(Reporter: englehardt, Assigned: xeonchen)

References

(Blocks 1 open bug)

Attachments

(2 files)

We currently have a url-classifier-skip-urls collection on remote settings that allows us to remotely unblock trackers immediately across all channels. This has proven quite useful in fixing breakage (sometimes pretty significant) temporarily while we work on a more permanent fix. See Bug 1537702 for examples.

We should consider adding something similar for dFPI. It would have to be a bit different from url-classifier-skip-urls since this operates on the URL classifier features, and dFPI doesn't depend on the url classifier. It seems like we'd still want it to apply to third parties, but perhaps it would be useful to be able to scope the exception to specific first parties.

Assignee: nobody → xeonchen

During our meeting today Gary proposed three possible approaches to implementing this:

  1. Use the new pairwise remote settings list to generate temporary storage access permission (reusing the same permission we currently use)
  2. Use the new pairwise remote settings list to generate a new type of storage access permission (NOT reusing the same permission we currently have)
  3. Check the list directly at the same time we check the current storage access permissions. This is similar to what we do for the url-classifier-skip-urls remote settings collection.

IMO which direction we go depends on whether we'd want these exceptions to be included in the UI as part of the work we're doing in Bug 1643191 Comment 6.

If we want the exceptions in the UI then it seems like (1) is the right option. In the user's eyes, the exceptions granted by this mechanism are no different than those granted by the Storage Access API or a web compatibility heuristic. We wouldn't want users to have to manage them separately. There's a lot of complexity here though:

  • If a user attempts to delete any permission granted by this allowlist it would pop back up during the next session. A sort of "zombie" permission.
  • We can consider implementing an "Allow/Block" mechanism instead, and refuse to re-create a permission from the list when the user has manually toggled it to "Block" in the past. Perhaps the Storage Access API could still override this.
  • We'd like the mechanism to be specific to partitioning, but adding a storage access permission would exempt the third party from ETP's cookie blocking as well (maybe that's acceptable).
  • We don't have such a UI mechanism for url-classifier-skip-urls or the various skipUrl prefs. These ETP allowlist mechanisms would override whatever choices the user has made in the UI (e.g., if the user says to "Block" a certain third party from getting permission again in the future).

If we don't want exemptions in the UI, then (3) seems preferable unless there are other implementation / performance concerns we didn't get to discuss during our meeting. The downside of (2) is that the permission would be sticky. We wouldn't be able to remove it if the list changes and would have to wait for it to expire. It's not clear to me what the lifetime would be? If these are session-bound and could survive a session restore then this would be pretty bad. We could implement some kind of diffing method to mitigate this.

Given the complexities above, I think it's better to not try to display these as part of the new UI. Like the ETP exemptions, we don't want these to stay around forever and should use them sparingly as we fix breakage.

Blocks: 1638383
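
An added sketch, not part of the bug's comments or of Firefox's code, of the trade-off raised in the comment above: a list checked directly (approach 3) stops applying as soon as an entry is withdrawn, while list-generated permissions (approach 2) persist until expiry unless syncs are diffed. The class names, the example origins and the 30-day lifetime are all assumptions made for illustration.

```javascript
// Added illustration with hypothetical names; this is not Firefox code.
const key = (firstParty, thirdParty) => `${firstParty}|${thirdParty}`;
const keysOf = entries => new Set(entries.map(e => key(e.firstParty, e.thirdParty)));

// Approach (3): the partitioning decision reads the live list snapshot.
class DirectCheck {
  constructor() { this.pairs = new Set(); }
  sync(entries) { this.pairs = keysOf(entries); }
  isSkipped(firstParty, thirdParty) { return this.pairs.has(key(firstParty, thirdParty)); }
}

// Approach (2): each sync mints permissions that live until they expire.
// diffOnSync revokes minted permissions missing from the new snapshot.
class PermissionBacked {
  constructor(lifetimeMs, diffOnSync = false) {
    this.lifetimeMs = lifetimeMs; // assumed value; the bug leaves it open
    this.diffOnSync = diffOnSync;
    this.perms = new Map(); // pair key -> expiry timestamp (ms)
  }
  sync(entries, now) {
    const fresh = keysOf(entries);
    for (const k of [...this.perms.keys()]) {
      if (this.diffOnSync && !fresh.has(k)) this.perms.delete(k);
    }
    for (const k of fresh) this.perms.set(k, now + this.lifetimeMs);
  }
  isSkipped(firstParty, thirdParty, now) {
    const expiry = this.perms.get(key(firstParty, thirdParty));
    return expiry !== undefined && now < expiry;
  }
}

// Constructed scenario: one entry is published, then withdrawn a day later.
function skippedAfterWithdrawal() {
  const entry = { firstParty: "https://shop.example", thirdParty: "https://pay.example" };
  const DAY = 24 * 60 * 60 * 1000;
  const direct = new DirectCheck();
  const sticky = new PermissionBacked(30 * DAY);
  const diffed = new PermissionBacked(30 * DAY, true);
  for (const m of [direct, sticky, diffed]) m.sync([entry], 0);
  for (const m of [direct, sticky, diffed]) m.sync([], DAY); // entry withdrawn
  const args = [entry.firstParty, entry.thirdParty, 2 * DAY];
  return {
    direct: direct.isSkipped(...args),
    sticky: sticky.isSkipped(...args),
    stickyAfterExpiry: sticky.isSkipped(entry.firstParty, entry.thirdParty, 31 * DAY),
    diffed: diffed.isSkipped(...args),
  };
}
```
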

Gary, would you mind using skip instead of exempt? That way we'll align with url-classifier-skip-urls and the various skipUrls prefs?

Flags: needinfo?(xeonchen)

(In reply to Steven Englehardt [:englehardt] from comment #4)

> Gary, would you mind using skip instead of exempt? That way we'll align with url-classifier-skip-urls and the various skipUrls prefs?

No problem.

Flags: needinfo?(xeonchen)
Attachment #9160172 - Attachment description: Bug 1642051 - add PartitioningExemptUrlsService; → Bug 1642051 - add PartitioningSkipListService;
Attachment #9160173 - Attachment description: Bug 1642051 - add PartitioningExemptList to relax partitioning on specific domains; → Bug 1642051 - add PartitioningSkipList to relax partitioning on specific domains;
Pushed by xeonchen@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/1b209c413deb
add PartitioningSkipListService; r=baku
https://hg.mozilla.org/integration/autoland/rev/fee9e0ff87fe
add PartitioningSkipList to relax partitioning on specific domains; r=baku
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Regressions: 1667942