privacy.firstparty.isolate.use_site does not work with RFP exempted domains
Categories
(Core :: Privacy: Anti-Tracking, defect, P5)
People
(Reporter: tjr, Unassigned)
In https://github.com/arkenfox/user.js/issues/1915 Thorin calls me out about how exemptedDomains isn't working correctly. I reproduced his findings in my normal browsing profile. I could not reproduce it in a debug build, or a clean profile.
I added logging to my profile and found the following:
```
[Parent 1473691: Main Thread]: D/nsResistFingerprinting URI "arkenfox.github.io" is in the exempt list "arkenfox.github.io"
[Parent 1473691: Main Thread]: D/nsResistFingerprinting Partition Key "(https,arkenfox.github.io)" is NOT in the exempt list "arkenfox.github.io"
```
I enabled FPI and got the following in the debug build:
```
[Parent 1770664: Main Thread]: D/nsResistFingerprinting URI "https://arkenfox.github.io^firstPartyDomain=arkenfox.github.io" is in the exempt list "arkenfox.github.io"
[Parent 1770664: Main Thread]: D/nsResistFingerprinting Partition Key "arkenfox.github.io" is in the exempt list "arkenfox.github.io"
```
And then I enabled the experimental pref `privacy.firstparty.isolate.use_site` which I have been using, and this reproduced the issue for me. I am not sure if this is what Thorin was doing though...?
I did notice this discrepancy though:
When checking the URL we do this:
```cpp
nsAutoCString list;
Preferences::GetCString(kExemptedDomainsPrefName, list);
ToLowerCase(list);
isExemptDomain = IsURIInList(aURI, list);
```
In `PartionKeyIsAlsoExempted` we do this:
```cpp
bool isExemptPartitionKey =
    nsContentUtils::IsURIInPrefList(uri, kExemptedDomainsPrefName);
```
But it seems they do the same thing.
Comment 1•2 months ago
> I am not sure if this is what Thorin was doing though
nope. As per my original quick test I just used my Nightly - no extensions, no particular pref changes - I mean I'm on ETP Strict and I sanitize everything on close, but other than that nothing stands out.
But as noted in the TB issue it did work, so I'm a little lost as to what/why
edit: tested in a brand new FF133 profile (windows) - can reproduce at will
edit: solved
arkenfox.github.io - Works
github.io - does not work
*.github.io - works
*.arkenfox.github.io - does not work
*arkenfox.github.io - does not work
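A simplified model of the exempt-list matching, added here as an example and not taken from Firefox's code, that reproduces the five results listed above and the two partition-key log lines from the description. The matching rule (exact host, or a `*.` entry covering subdomains), the raw-string comparison of the site-form key, and the helper `HostFromPartitionKey` are assumptions inferred from those observations.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Lowercase and split a comma-separated exempt list (pref value form).
static std::vector<std::string> SplitList(std::string list) {
  std::transform(list.begin(), list.end(), list.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  std::vector<std::string> entries;
  std::stringstream ss(list);
  for (std::string item; std::getline(ss, item, ',');) {
    item.erase(std::remove(item.begin(), item.end(), ' '), item.end());
    if (!item.empty()) entries.push_back(item);
  }
  return entries;
}

// Assumed rule: try the host itself, then "*.<parent>" for each parent domain.
bool HostInExemptList(std::string host, const std::string& list) {
  const std::vector<std::string> entries = SplitList(list);
  std::transform(host.begin(), host.end(), host.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  for (;;) {
    if (std::find(entries.begin(), entries.end(), host) != entries.end())
      return true;
    size_t dot = host.find('.', host.rfind("*.", 0) == 0 ? 2 : 0);
    if (dot == std::string::npos) return false;
    host = "*" + host.substr(dot);  // drop one label, retry as wildcard
  }
}

// Hypothetical helper: host from "(scheme,host[,port])"; bare keys pass through.
std::string HostFromPartitionKey(const std::string& key) {
  if (key.size() < 2 || key.front() != '(' || key.back() != ')') return key;
  size_t first = key.find(',');
  if (first == std::string::npos) return key;
  size_t end = key.find(',', first + 1);
  if (end == std::string::npos) end = key.size() - 1;
  return key.substr(first + 1, end - first - 1);
}

int main() {
  const std::string list = "arkenfox.github.io";         // list from the logs
  const std::string key = "(https,arkenfox.github.io)";  // key from the logs
  bool raw = HostInExemptList(key, list);                           // false
  bool parsed = HostInExemptList(HostFromPartitionKey(key), list);  // true
  return (!raw && parsed) ? 0 : 1;
}
```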
Comment 2•2 months ago (Reporter)
I don't think I want to fix this bug, although I'll leave it around for now. Long-term we would like to eliminate FPI and move to a strict version of dFPI - it would work the same way as FPI, but the underlying infrastructure would be simpler and unified. In the short-term I'm probably the only person using `.use_site` and trying to use custom RFP exemptions (and obviously I didn't notice them not working.)
Comment 3•2 months ago
I'm all for leaving it as it is. FPI is Tor Browser only, and we even lock the exempted domains pref. And I agree long term we should move to dFPI with locked hardened knobs - no-one fully knows how FPI works anymore and it hasn't been touched in years ;)