Open Bug 1767271 Opened 2 years ago Updated 2 months ago

Add a way for cookie-clearing exceptions to not also affect cookie partitioning

Categories: Core :: Privacy: Anti-Tracking, enhancement, P3
Status: ASSIGNED
People: Reporter: twisniewski, Assigned: wwen
Keywords: priv-triaged
Attachments: 1 file

Right now, I believe that if a user sets a cookie-clearing exception (via Cookies and Site data > Delete cookies and site data when Firefox closes > Manage Exceptions), it also ends up disabling partitioning for that cookie.

According to :pbz, this should be because the two share the same underlying permission, rather than having a separate one for each use-case.

I'm not 100% sure what implications it would have to add this complexity, given that cookie-clearing is less relevant with partitioning on, but it sounds like something that would at least be nice to have (as there will always be desired exceptions, especially for users wishing to be as strict as possible).

As Total Cookie Protection has been shipped to all Firefox users, I think this ticket is very, very relevant.

Given that TCP is presented in the ETP section of the UI, and exceptions are instead in the Cookie and Site Data part, it is also not very easy to figure out for end users that they might be disabling partitioning for a certain domain. On top of that it is most likely to affect users who want to sanitize on close (so privacy conscious ones), and who are instead introducing a hole in this otherwise great mechanism.

Bump

Oh wow, this is a horrific discovery.

Severity: -- → S3
Priority: -- → P2
Flags: needinfo?(pbz)

We had a brief discussion with the team about this today. The overlap of this permission seems unexpected for users, so this is worth addressing.

I'm in favor of changing the permission used for shutdown clearing exceptions to a new one. Updating our existing cookie permission that's consumed all over anti-tracking code is probably more work.
When we switch over we also need to migrate existing values over. Since we can't tell apart "cookie" exceptions and clear-on-shutdown exceptions we should migrate everything over and only separate the mechanism going forward.

Flags: needinfo?(pbz)

Apologies for the comment without any additional information, but is this issue still planned to be addressed? There do not seem to be any comments since five months ago, so it is not clear to me.

While I would like to fix it myself, I do not have enough experience with the source code (namely zero) to actually conduct such a large change by myself.

Flags: needinfo?(pbz)

Yes! But we can't prioritize it in the short-term. I'm adding this to our internal backlog.

Flags: needinfo?(pbz)
Priority: P2 → P3

Ideally we can split up the two permissions into separate permissions with separate management UI:

  1. "cookie" permissions: These can be used to relax cookie restrictions for specific sites, such as disabling Total Cookie Protection, or enabling cookies if they're blocked globally. They can also be used to have stricter rules or block cookies for a specific site. This permission is currently exposed via the permissions panel when you visit a site; it's also shown in the pageInfo window permissions tab. They also need a global management UI in preferences (that's currently the "manage exceptions" button).
  2. "shutdownclearing" exception permissions (NEW): These will be used for exempting sites from being cleared on shutdown by our Sanitizer.sys.mjs code. To preserve current functionality they should also support clearing only specific sites by setting not an ALLOW for the permission value/capability but e.g. a SESSION. This permission does not have to be exposed on a per-site basis in the permission panel or pageInfo window.

As already mentioned, when splitting up the two permissions we will need a migration mechanism so that all "cookie" permissions are also added as shutdown exceptions one-off. After the migration they will be split.

Duplicate of this bug: 1859191
Keywords: priv-triaged
See Also: → 1884683
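The split and the one-off migration described in the comment above, as an added in-memory model that is not Firefox's own permission-manager code. The type names "cookie" and "shutdownclearing" come from the comment; the `PermissionStore` class, the function names and the numeric capability values are constructed for the illustration.

```javascript
// Added illustration, not Firefox code: a minimal in-memory permission store
// modelling the permission split proposed above. Type names come from the
// comment; the capability values below are constructed, not Firefox's.
const ALLOW = 1;   // exempt the site (from clearing, or from cookie restrictions)
const SESSION = 8; // constructed: "clear only this site" for shutdownclearing

class PermissionStore {
  constructor() { this.perms = new Map(); } // key: `${type}|${origin}`
  add(origin, type, capability) { this.perms.set(`${type}|${origin}`, capability); }
  get(origin, type) { return this.perms.get(`${type}|${origin}`); }
  allOfType(type) {
    const out = [];
    for (const [key, cap] of this.perms) {
      const [t, origin] = key.split("|", 2);
      if (t === type) out.push([origin, cap]);
    }
    return out;
  }
}

// Anti-tracking side: an ALLOW on the "cookie" permission relaxes
// partitioning (Total Cookie Protection) for that site.
function isPartitioningRelaxed(store, origin) {
  return store.get(origin, "cookie") === ALLOW;
}

// Sanitizer side. Which permission type it consults is the whole bug:
// before the split it is "cookie", after it "shutdownclearing".
// ALLOW exempts the site; SESSION (or no entry at all) means it is cleared.
function shouldClearOnShutdown(store, origin, exceptionType) {
  return store.get(origin, exceptionType) !== ALLOW;
}

// One-off migration: since existing "cookie" entries cannot be told apart
// from clear-on-shutdown exceptions, every one is copied over once.
// Returns the number of entries created.
function migrateShutdownExceptions(store) {
  let migrated = 0;
  for (const [origin, cap] of store.allOfType("cookie")) {
    if (store.get(origin, "shutdownclearing") === undefined) {
      store.add(origin, "shutdownclearing", cap);
      migrated++;
    }
  }
  return migrated;
}
```

After migration, a new "shutdownclearing" ALLOW for a site no longer changes what `isPartitioningRelaxed` reports for it, which is the behaviour the split is meant to restore.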

At least inform users about this. It is a privacy nightmare.

Flags: needinfo?(pbz)
Flags: needinfo?(pbz)
See Also: → 1658094

William, would you like to take this one next? This work would involve adding a separate permission type / id for clearing on shutdown.

Flags: needinfo?(wwen)

Yeah, I can definitely take this one after I fix up 1658094. Would extra UI elements be in the scope of this bug, or would this just be separating the two permissions, with a way to add them independently coming later?

Flags: needinfo?(wwen)
Assignee: nobody → wwen
Attachment #9410204 - Attachment description: WIP: Bug 1767271 - Add new permission for shutdown exceptions. r=pbz → Bug 1767271 - Add new permission for shutdown exceptions. r=pbz
Status: NEW → ASSIGNED
Attachment #9410204 - Attachment description: Bug 1767271 - Add new permission for shutdown exceptions. r=pbz → WIP: Bug 1767271 - Add new permission for shutdown exceptions. r=pbz
Attachment #9410204 - Attachment description: WIP: Bug 1767271 - Add new permission for shutdown exceptions. r=pbz → Bug 1767271 - Add new permission for shutdown exceptions. r=pbz