Open Bug 1936661 Opened 2 months ago Updated 2 months ago

privacy.firstparty.isolate.use_site does not work with RFP exempted domains

Categories

(Core :: Privacy: Anti-Tracking, defect, P5)

People

(Reporter: tjr, Unassigned)

In https://github.com/arkenfox/user.js/issues/1915 Thorin calls me out about how exemptedDomains isn't working correctly. I reproduced his findings in my normal browsing profile. I could not reproduce it in a debug build, or a clean profile.

I added logging to my profile and found the following:

[Parent 1473691: Main Thread]: D/nsResistFingerprinting URI "arkenfox.github.io" is in the exempt list "arkenfox.github.io"
[Parent 1473691: Main Thread]: D/nsResistFingerprinting Partition Key "(https,arkenfox.github.io)" is NOT in the exempt list "arkenfox.github.io"

I enabled FPI and got the following in the debug build:

[Parent 1770664: Main Thread]: D/nsResistFingerprinting URI "https://arkenfox.github.io^firstPartyDomain=arkenfox.github.io" is in the exempt list "arkenfox.github.io"
[Parent 1770664: Main Thread]: D/nsResistFingerprinting Partition Key "arkenfox.github.io" is in the exempt list "arkenfox.github.io"

And then I enabled the experimental pref privacy.firstparty.isolate.use_site which I have been using, and this reproduced the issue for me. I am not sure if this is what Thorin was doing though...?

I did notice this discrepancy though:

When checking the URL we do this:

  nsAutoCString list;
  Preferences::GetCString(kExemptedDomainsPrefName, list);
  ToLowerCase(list);
  isExemptDomain = IsURIInList(aURI, list);

In PartitionKeyIsAlsoExempted we do this:

  bool isExemptPartitionKey =
      nsContentUtils::IsURIInPrefList(uri, kExemptedDomainsPrefName);

But it seems they do the same thing.

> I am not sure if this is what Thorin was doing though

Nope. As per my original quick test I just used my Nightly - no extensions, no particular pref changes - I mean I'm on ETP Strict and I sanitize everything on close, but other than that nothing stands out.

But as noted in the TB issue it did work, so I'm a little lost as to what/why

edit: tested in a brand new FF133 profile (Windows) - can reproduce at will

edit: solved

    arkenfox.github.io - Works
    github.io - does not work
    *.github.io - works
    *.arkenfox.github.io - does not work
    *arkenfox.github.io - does not work
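A constructed model of the two lookups discussed above, added here and not Firefox code: it reproduces the table of entries that do and do not match, and shows why the site-form partition key from the log lines, "(https,arkenfox.github.io)", fails a host-based list check unless the host is extracted first. The matching rules (exact host, and `*.` matching strict subdomains only) are assumed from the observed results, not taken from the Firefox source.

```python
import re

# Constructed model, not Firefox code: the site-form partition key seen in the log
# lines, "(https,arkenfox.github.io)", versus the bare-host key classic FPI uses.
SITE_KEY_RE = re.compile(
    r"^\((?P<scheme>[a-z][a-z0-9+.-]*),(?P<host>[^,)]+)(?:,(?P<port>\d+))?\)$"
)


def host_in_list(host: str, exempt_list: str) -> bool:
    """Host matching modelled on the observed table: an entry matches the exact
    host, and a '*.' prefix matches strict subdomains only (assumed semantics)."""
    host = host.lower().rstrip(".")
    for entry in exempt_list.lower().split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("*."):
            suffix = entry[1:]  # "*.github.io" -> ".github.io"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


def partition_key_host(key: str) -> str:
    """Reduce either partition-key shape to the host it names."""
    m = SITE_KEY_RE.match(key)
    return m.group("host") if m else key


def partition_key_exempt_naive(key: str, exempt_list: str) -> bool:
    """The behaviour the log lines show: the whole key string is matched as if
    it were a host, so "(https,arkenfox.github.io)" never matches."""
    return host_in_list(key, exempt_list)


def partition_key_exempt_fixed(key: str, exempt_list: str) -> bool:
    """Extract the host from a site-form key before the list lookup."""
    return host_in_list(partition_key_host(key), exempt_list)


if __name__ == "__main__":
    exempt = "arkenfox.github.io"
    for key in ("arkenfox.github.io", "(https,arkenfox.github.io)"):
        print(key, partition_key_exempt_naive(key, exempt),
              partition_key_exempt_fixed(key, exempt))
```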

I don't think I want to fix this bug, although I'll leave it around for now. Long-term we would like to eliminate FPI and move to a strict version of dFPI - it would work the same way as FPI, but the underlying infrastructure would be simpler and unified. In the short-term I'm probably the only person using .use_site and trying to use custom RFP exemptions (and obviously I didn't notice them not working.)

Severity: -- → S4
Priority: -- → P5

I'm all for leaving it as is. FPI is Tor Browser only, and we even lock the exempted domains pref. And I agree long term we should move to dFPI with locked hardened knobs - no-one fully knows how FPI works anymore and it hasn't been touched in years ;)
