Deprecate and remove thirdparty.*sessionOnly prefs
Categories
(Core :: Networking: Cookies, enhancement, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox129 | --- | fixed |
People
(Reporter: thorin, Assigned: baku)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Steps to reproduce:
similar to bug 1681493 Deprecate and remove network.cookie.lifetimePolicy
For most users, the concept of "session" cookies is very hard to understand ... [snip] ... Because this can already be done with sanitization preferences we effectively end up with two different ways in Firefox to clear cookies
In addition to usability concerns, having "in-memory-only" session cookie lifetime has meant adding ugly hacks
The twin prefs network.cookie.thirdparty.sessionOnly and network.cookie.thirdparty.nonsecureSessionOnly effective allow the end user to create yet another way, albeit only for third party, to clear cookies and site data
Lets remove them
|
Reporter | |
Updated•3 years ago
|
|
|
Reporter | |
Updated•3 years ago
|
|
|
Reporter | |
Comment 1•3 years ago
|
||
thoughts? third party with dFPI isn't really a third party any more, so maybe do this after the dFPI rollout?
|
||
Comment 2•3 years ago
|
||
(In reply to Simon Mainey from comment #1)
thoughts? third party with dFPI isn't really a third party any more, so maybe do this after the dFPI rollout?
I don't know anything about the dFPI rollout plans or schedule, but the network.cookie.thirdparty.sessionOnly and network.cookie.thirdparty.nonsecureSessionOnly code was a prototype that was never enabled. I don't think there's any reason to postpone removing the code.
|
||
Comment 3•3 years ago
|
||
(In reply to Simon Mainey from comment #1)
thoughts? third party with dFPI isn't really a third party any more, so maybe do this after the dFPI rollout?
Is this the dFPI which is part of "Strict" mode Tracking Protection, or something new/enhanced?
(In reply to Chris Peterson [:cpeterson] from comment #2)
... the
network.cookie.thirdparty.sessionOnlyandnetwork.cookie.thirdparty.nonsecureSessionOnlycode was a prototype that was never enabled.
Coincidentally, a Mozilla Connect post recently suggested making these preferences more visible. But if they don't work...
|
|
Reporter | |
Comment 4•3 years ago
|
||
(In reply to jscher2000 from comment #3)
Is this the dFPI which is part of "Strict" mode Tracking Protection, or something new/enhanced?
Bug 1731713 - Total Cookie Protection into standard mode is how I read it. Strict has extra features Standard doesn't
|
|
Reporter | |
Comment 5•3 years ago
|
||
(In reply to jscher2000 from comment #3)
Coincidentally, a Mozilla Connect post recently suggested making these preferences more visible. But if they don't work...
I think they work, they were just never flipped on - nonsecureSessionOnly was added in FF58 to give an idea of time. Removing them should simplify code, reduce any footguns and complexity, and present a unified message. Note: sites can still set session cookies, so IDK if that solves all of those "hacky" session workarounds
So the question really is, debunk the false dichotomy of that Mozilla Connect post (i.e it's not really third party anymore if it's partitioned) and remove. Or don't and start flipping them. Dead code is dead if it's never going to be used (by 99% of users)
|
||
Comment 6•3 years ago
|
||
I think there is an argument, beyond dFPI / TCP for making third-party cookies session bound. dFPI prevents third-parties from tracking you across different top-level sites, but it still allows for persistent storage. However, like with Bug 1681493 I suggest to use sanitize-on-shutdown instead.
If these prefs were at no point exposed via UI or enterprise policy / extension API it should be safe to remove them.
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 7•5 months ago
|
||
|
||
Updated•5 months ago
|
|
||
Comment 9•5 months ago
|
||
| bugherder | ||
Description
•