Support partitioned cookie attribute for browser extensions
Categories
(Core :: Privacy: Anti-Tracking, task)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox132 | --- | fixed |
People
(Reporter: timhuang, Assigned: bvandersloot)
References
(Blocks 1 open bug)
Details
(Whiteboard: [wecg])
Attachments
(1 file)
|
Bug 1873418 - Support Partitioned cookie attribute for browser extensions - r=#anti-tracking!,robwu!
48 bytes,
text/x-phabricator-request
|
Details | Review |
https://github.com/privacycg/CHIPS#browser-extensions
Allow browser extensions to modify or set the partition key of the partitioned cookies.
|
||
Comment 1•9 months ago
|
||
Copying from my review at https://phabricator.services.mozilla.com/D198985?id=814938#inline-1108527
Whether the cookie partitioned is already implied by the existence of the partitionKey property (in the schema, see above). See also https://searchfox.org/mozilla-central/rev/3c72de9280ec57dc55c24886c6334d9e340500e8/toolkit/components/extensions/parent/ext-cookies.js#35-53
FYI: I have been involved with extension API design and CHIPS at a very early level (https://github.com/privacycg/CHIPS/issues/6), with the implementation currently being adopted by Chrome as well. I'm concerned if the current API design is not insufficient for the adoption of the partitioned concept.
I introduced the WebExtension API to support dynamic first-party isolation in bug 1669716, which is the underlying storage mechanism for partitioned cookies. Chrome has adopted Firefox's extension API implementation in https://chromium.googlesource.com/chromium/src/+/45052d18b0f8dd0eb1a7492dc92acb8ba96aff64
In my understanding, the Partitioned cookie attribute enables websites to opt in to dFPI regardless of whether dFPI is enabled. Is this true? If so, then there is no need to make any more changes to the cookies extension API, because the question "is the cookie partitioned" can be answered by "is the partitionKey property present"?
|
Assignee | |
Comment 2•9 months ago
|
||
I think you are right here. The presence or absence of the partition key will be sufficient to determine if the cookie was partitioned in the cookie API.
The only possible change that may be coming to the cookies extension API is the addition of another field to the partitionKey, specifically to support the "ancestor bit". CHIPS is currently aiming to unify their partition keying with other Storages (and the current definition of SameSite for cookies) by adding a "same-site ancestor chain" bit to the partition key. That way a Site A iframe embedded in a Site B iframe in Site A has access to a different partition than it would if embedded directly in Site A.
|
|
Assignee | |
Comment 3•9 months ago
|
||
In my understanding, the Partitioned cookie attribute enables websites to opt in to dFPI regardless of whether dFPI is enabled. Is this true?
Yes. This allows us to disable dFPI as well, effectively making partitioned cookies a server-opt-in rather than a user-pref-opt-out.
|
|
||
Comment 4•9 months ago
|
||
(In reply to Benjamin VanderSloot [:bvandersloot] from comment #2)
The only possible change that may be coming to the cookies extension API is the addition of another field to the
partitionKey, specifically to support the "ancestor bit". CHIPS is currently aiming to unify their partition keying with other Storages (and the current definition of SameSite for cookies) by adding a "same-site ancestor chain" bit to the partition key. That way a Site A iframe embedded in a Site B iframe in Site A has access to a different partition than it would if embedded directly in Site A.
Please ping me when the question of the extension API design becomes relevant. Then I will coordinate the API design with other browser vendors.
|
|
Assignee | |
Comment 5•9 months ago
|
||
Given that Chrome just committed to rekeying in the past month and we agree, now isn't a bad time. (https://github.com/privacycg/CHIPS/issues/40#issuecomment-1883726735)
Apple seems to agree, as much as they think CHIPS is worth doing.
|
|
||
Comment 7•3 months ago
|
||
One notable thing that I just discovered is that with the Partitioned key, it is possible for the top-level document to not only have unpartitioned cookies, but also partitioned cookies.
Before Partitioned was supported, only third-party frames could have partitioned cookies (which Firefox forced on when dFPI is enabled).
Internally, Firefox stores this in originAttributes.partitionKey. This currently works as expected in the extension API, but we should add unit tests for the Partitioned attribute, to verify that the roundtrip web page with Partitioned cookie -> extension API -> web page works as desired. Otherwise it could break without us noticing due to the lack of test coverage. The test can be added to https://searchfox.org/mozilla-central/rev/c4966e1c1e6a8cb38c15a27693e8ecd63082055e/toolkit/components/extensions/test/xpcshell/test_ext_cookies_partitionKey.js
|
|
Assignee | |
Comment 8•2 months ago
|
||
The part that is covered here is extending the partitionKey attribute, as in the proposal of aselya here:
https://github.com/w3c/webextensions/pull/581/files
Notably not included is adding "partitioned" to the Cookies.Cookie object and the new Cookies.GetPartitionKey function.
|
||
Updated•2 months ago
|
|
|
||
Updated•2 months ago
|
|
||
Comment 10•1 month ago
|
||
Backed out for causing failures at test_getPartitionKeyFromURL.js.
Backout link: https://hg.mozilla.org/integration/autoland/rev/1fa40becaaff5d9c2aba9eb6f691b24ee204a007
Failure log: https://treeherder.mozilla.org/logviewer?job_id=475833220&repo=autoland&lineNumber=2262
|
||
Comment 11•1 month ago
|
||
|
|
Assignee | |
Updated•1 month ago
|
|
||
Comment 12•1 month ago
|
||
| bugherder | ||
Description
•