Add a way for cookie-clearing exceptions to not also affect cookie partitioning
Categories (Core :: Privacy: Anti-Tracking, enhancement, P3)
People (Reporter: twisniewski, Assigned: wwen)
Details (Keywords: priv-triaged)
Attachments (1 file)
Right now, I believe that if a user sets a cookie-clearing exception (via Cookies and Site data > Delete cookies and site data when Firefox closes > Manage Exceptions), it also ends up disabling partitioning for that cookie.
According to :pbz, this should be because the two share the same underlying permission, rather than having a separate one for each use-case.
I'm not 100% sure what implications it would have to add this complexity, given that cookie-clearing is less relevant with partitioning on, but it sounds like something that would at least be nice to have (as there will always be desired exceptions, especially for users wishing to be as strict as possible).
As Total Cookie Protection has been shipped to all Firefox users I think this ticket is very very relevant.
Given that TCP is presented in the ETP section of the UI, and exceptions are instead in the Cookie and Site Data part, it is also not very easy to figure out for end users that they might be disabling partitioning for a certain domain. On top of that it is most likely to affect users who want to sanitize on close (so privacy conscious ones), and who are instead introducing a hole in this otherwise great mechanism.
Comment 2•2 years ago
Bump
Comment 4•2 years ago
We had a brief discussion with the team about this today. The overlap of this permission seems unexpected for users so this is worth addressing.
I'm in favor of changing the permission used for shutdown clearing exceptions to a new one. Updating our existing cookie permission that's consumed all over anti-tracking code is probably more work.
When we switch over we also need to migrate existing values over. Since we can't tell apart "cookie" exceptions and clear-on-shutdown exceptions we should migrate everything over and only separate the mechanism going forward.
Apologies for the comment without any additional information, but is this issue still planned to be addressed? There do not seem to be any comments since five months ago, so it is not clear to me.
While I would like to fix it myself, I do not have enough experience with the source code (namely zero) to actually conduct such a large change by myself.
Comment 6•1 year ago
> Apologies for the comment without any additional information, but is this issue still planned to be addressed? There do not seem to be any comments since five months ago, so it is not clear to me.
> While I would like to fix it myself, I do not have enough experience with the source code (namely zero) to actually conduct such a large change by myself.
Yes! But we can't prioritize it in the short-term. I'm adding this to our internal backlog.
Comment 7•1 year ago
Ideally we can split up the two permissions into separate permissions with separate management UI:
- "cookie" permissions: These can be used to relax cookie restrictions for specific sites, such as disabling Total Cookie Protection, or enabling cookies if they're blocked globally. They can also be used to have stricter rules or block cookies for a specific site. This permission is currently exposed via the permissions panel when you visit a site, it's also shown in the pageInfo window permissions tab. They also need a global management UI in preferences (that's currently the "manage exceptions" button).
- "shutdownclearing" exception permissions (NEW): These will be used for exempting sites from being cleared on shutdown by our Sanitizer.sys.mjs code. To preserve current functionality they should also support clearing only specific sites by setting not an ALLOW for the permission value/capability but e.g. a SESSION. This permission does not have to be exposed on a per-site basis in the permission panel or pageInfo window.
As already mentioned, when splitting up the two permissions we will need a migration mechanism so that all "cookie" permissions are also added as shutdown exceptions one-off. After the migration they will be split.
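The split and one-off migration described in the comment above, modelled as an added example; this is not Firefox code. The `PermissionStore` class, its methods and the sample origins are hypothetical, and the model assumes, as the thread states, that an explicit "cookie" ALLOW is what disables partitioning.

```javascript
// Toy model of a permission store keyed by "origin|type"; constructed for
// illustration and not Firefox's permission manager API.
const COOKIE = "cookie";
const SHUTDOWN = "shutdownclearing"; // type name as quoted in the thread

class PermissionStore {
  constructor() { this.perms = new Map(); this.migrated = false; }
  set(origin, type, cap) { this.perms.set(`${origin}|${type}`, cap); }
  get(origin, type) { return this.perms.get(`${origin}|${type}`) ?? null; }
  remove(origin, type) { this.perms.delete(`${origin}|${type}`); }

  // One-off migration: old "cookie" entries cannot be told apart from
  // clear-on-shutdown exceptions, so every one is copied to the new type.
  migrateOnce() {
    if (this.migrated) return 0;
    let copied = 0;
    for (const [key, cap] of [...this.perms]) { // snapshot: we insert below
      const [origin, type] = key.split("|");
      if (type !== COOKIE || this.get(origin, SHUTDOWN) !== null) continue;
      this.set(origin, SHUTDOWN, cap);
      copied++;
    }
    this.migrated = true;
    return copied;
  }
}

// After the split, each consumer reads only its own permission type.
function isPartitioned(store, origin) {
  return store.get(origin, COOKIE) !== "ALLOW";
}
function keptOnShutdown(store, origin, clearAllByDefault) {
  const cap = store.get(origin, SHUTDOWN);
  if (cap === "ALLOW") return true;    // exempt from shutdown clearing
  if (cap === "SESSION") return false; // cleared even when default is keep
  return !clearAllByDefault;
}

function demo() {
  const store = new PermissionStore();
  store.set("https://mail.example", COOKIE, "ALLOW"); // constructed samples
  store.set("https://ads.example", COOKIE, "SESSION");
  const copied = store.migrateOnce();
  // The user drops the "cookie" ALLOW to get partitioning back.
  store.remove("https://mail.example", COOKIE);
  return { copied, secondRun: store.migrateOnce(),
    mailPartitioned: isPartitioned(store, "https://mail.example"),
    mailKept: keptOnShutdown(store, "https://mail.example", true),
    adsKept: keptOnShutdown(store, "https://ads.example", false) };
}
```

In the model, removing the "cookie" ALLOW after migration restores partitioning for the site while its shutdown-clearing exception stays in place.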
At least inform users about this. It is a privacy nightmare.
Comment 10•4 months ago
https://searchfox.org/mozilla-central/query/default?q=calls-to%3A%27mozilla%3A%3Anet%3A%3ACookieJarSettings%3A%3ACookiePermission%27%20depth%3A4 shows all the calls to the cookie permission getter.
I believe this is where partitioning gets disabled for explicit "cookie" ALLOW permissions: https://searchfox.org/mozilla-central/rev/4582d908c17fbf7924f5699609fe4a12c28ddc4a/toolkit/components/antitracking/StorageAccess.cpp#484
Comment 11•4 months ago
William, would you like to take this one next? This work would involve adding a separate permission type / id for clearing on shutdown.
Comment 12•4 months ago
Yeah I can definitely take this one after I fix up 1658094. Would extra UI elements be in the scope of this bug or would this just be separating the two permissions with a way to add them independently coming later?