Open Bug 1859715 Opened 1 year ago Updated 6 days ago

Support for Cookies with 'Partitioned' Attribute According to CHIPS Specification

Categories

(Core :: Privacy: Anti-Tracking, enhancement)

Firefox 118
enhancement

UNCONFIRMED

People

(Reporter: jacek.swiergocki, Unassigned)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0

Steps to reproduce:

I have noticed that Mozilla has acknowledged the CHIPS specification (https://github.com/mozilla/standards-positions/issues/678). I am eager to learn about the present plans regarding the implementation and deployment of this feature, specifically concerning the acceptance of cookies with the 'Partitioned' attribute for tracking domains listed on Disconnect.me.

CHIPS is a crucial component of the Google Privacy Sandbox initiative, designed to mitigate cross-site and cross-app tracking while ensuring the sustainability of free online content and services for all users.

The 'Partitioned' attribute has already been implemented in Microsoft Edge, functioning in such a way that if a tracking domain's cookies have this attribute set, the cookie is accepted with the respective Partition Key; otherwise, it is blocked. I am keen to understand if Firefox is planning to adopt a similar approach. If this isn't part of the current roadmap, I would appreciate an opportunity to discuss its potential integration.

Steps to reproduce:

  1. Open a webpage on any domain, for example, https://example.com, that loads an external resource from a tracking domain, e.g., https://tracking.com. Let's assume the domain is on Disconnect.me's tracking list.
  2. In example A), the cookie has the Partitioned attribute set.
  3. In example B), the cookie does not have the Partitioned attribute set.

A)
Set-Cookie: cookie=value; Domain=tracking.com; Path=/; SameSite=None; Secure; Partitioned; Expires=Wed, 17 Nov 2023 12:00:00 GMT

B)
Set-Cookie: cookie=value; Domain=tracking.com; Path=/; SameSite=None; Secure; Expires=Wed, 17 Nov 2023 12:00:00 GMT

Actual results:

The cookie is blocked in both cases.

Expected results:

In case A), the cookie should be set. In case B), the cookie should be blocked.
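The following is an added example, not part of the original report and not Firefox, Edge or Disconnect.me code. It models the requested policy for headers A) and B): a third-party cookie from a listed tracking domain is stored only when it carries Partitioned (together with Secure), and it is then keyed by the top-level site. The TRACKERS list, the function names and the simplified partition key (scheme plus host rather than registrable domain) are assumptions made for illustration.

```javascript
// Toy model of the behaviour requested in the report; not Firefox, Edge or
// Disconnect.me code. TRACKERS is a constructed stand-in for the tracking list.
const TRACKERS = ["tracking.com"];

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf("=");
    // Attribute names are case-insensitive; flag attributes carry no value.
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

const matches = (host, domain) => host === domain || host.endsWith("." + domain);

// Assumption: partition key = scheme + host of the top-level page. Browsers use
// the registrable domain (Public Suffix List) instead of the full host.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
}

// Returns { action, reason, key } and stores accepted cookies in `jar` (a Map).
function decide(header, resourceUrl, topLevelUrl, jar) {
  const c = parseSetCookie(header);
  const host = new URL(resourceUrl).hostname;
  const domain = String(c.attrs.domain === undefined ? host : c.attrs.domain)
    .replace(/^\./, "").toLowerCase();
  if (!matches(host, domain)) return { action: "block", reason: "domain-mismatch", key: null };
  const partitioned = c.attrs.partitioned === true;
  // CHIPS: Partitioned is only honoured together with Secure.
  if (partitioned && c.attrs.secure !== true)
    return { action: "block", reason: "partitioned-without-secure", key: null };
  const thirdParty = siteOf(resourceUrl) !== siteOf(topLevelUrl);
  const tracker = TRACKERS.some((t) => matches(host, t));
  if (thirdParty && tracker && !partitioned)
    return { action: "block", reason: "tracker-unpartitioned", key: null };
  const key = partitioned ? siteOf(topLevelUrl) : null;
  jar.set([key, domain, c.attrs.path || "/", c.name].join("|"), c.value);
  return { action: "store", reason: partitioned ? "partitioned" : "unpartitioned", key };
}
```

Calling decide with header A) for the same resource under two different top-level pages leaves two separate jar entries, which is the isolation property that keeps a partitioned cookie from linking visits across sites.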

The Bugbug bot thinks this bug should belong to the 'Core::Privacy: Anti-Tracking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core
See Also: → chips

First of all, thank you for your work on implementing the CHIPS feature and for making it available in the upcoming Firefox 131 release.

After testing the Beta version of Firefox 131, we observed that partitioned cookies are functioning as expected for regular domains. However, for domains listed on Disconnect.me, partitioned cookies are still being blocked. This is different from the behavior observed in Microsoft Edge, where partitioned cookies are accepted even for tracking domains when the Partitioned attribute is set, as mentioned in our initial report.

Could you clarify whether there are plans to adjust this behavior for tracking domains, so that partitioned cookies will be accepted (similar to how it works in Edge), as outlined in our previous example with a tracking domain like tracking.com?
