Closed Bug 417286 Opened 17 years ago Closed 17 years ago

Allow 3rd party cookies on a per-site basis

Categories

(Firefox :: Settings UI, enhancement)

x86
All
enhancement
Not set
normal

VERIFIED WORKSFORME

People

(Reporter: cww, Unassigned)

Some sites still use third party cookies for logins.  Thus, the new flipped preference as per bug 324397 means we're getting a number of beta3 users who suddenly find some sites not accepting logins.  And when we launch, I'm sure we're going to get a whole lot more.  So allowing cookies on a per-site basis gives us an easy way to address this issue.  (I'd recommend allowing 3rd party cookies as a third option in the Exceptions box in Options>Privacy.)
Which sites break?  Don't they break in Safari and IE7 too?
Blocks: 324397
IE and Safari don't enable this pref by default afaik, we do. Only users with the pref flipped would see breakage in those browsers.
(In reply to comment #2)
> IE and Safari don't enable this pref by default afaik, we do.

That's not what bug 324397 comment 6, bug 324397 comment 7 and bug 324397 comment 39 say - are those all wrong? If so, seems like we should reconsider bug 324397...
Flags: blocking-firefox3?
IE has a per-site option (you can add a site to your trusted zone.)  It may actually warn you, too.

The one I've gotten two complaints about is mytelusmobility.com, a Canadian mobile phone service provider.  And there's this: http://www.frontierairlines.com/frontier/cookies.do Then there was someone a month back with 2.0.0.12 who was having login issues on a particular site that could only be fixed by moving to a new profile and moving files, which now seems like it could have been the same issue (but I'd forgotten about the pref at the time and the user didn't have time to troubleshoot.)

Now that I realize that sites still use 3rd party cookies, I'll be more aware of it when helping 2.0 users (a lot of them have flipped network.cookie.cookieBehavior) and I'll get the other LiveChat helpers to report more sites.  We do get a lot of "such and such site says I don't have cookies enabled"; I just never connected the dots in my head.  To be honest, I had no clue that sites still did this, either.

The big issue is there's no UI to do it.  All the other browsers have a UI way to flip the switch temporarily.  Instead, sites just fail silently, sometimes with a "you don't have cookies enabled" message and sometimes with a "we can't log you in" and people can't even find an option to correct that since as far as they can see, they ARE allowing cookies.
A quick Google search turns up:

http://www.google.com/support/youtube/bin/answer.py?hl=en&answer=55755 which suggests even Youtube may need 3rd party cookies enabled for some functionality.

Also some advertisers use cookies for "opt out".  http://networkadvertising.org/managing/opt_out.asp and this functionality requires 3rd party cookies enabled.  (Although, I suppose with cookies disabled they wouldn't collect data in the first place...)

Facebook, of course, has a much publicized issue with their Beacon where they collect data from third parties like Amazon and also need them enabled for embedded iframes in Facebook apps to work.  http://en.wikipedia.org/wiki/Beacon_(Facebook) and http://gathadams.com/2007/06/25/how-to-set-third-party-cookies-with-iframe-facebook-applications/

Ok, enough reading material.
Since someone requested a list of legitimate uses for iframe cookies, here you go:

Many sites (like iGoogle, Pageflakes, Netvibes, etc) allow you to customize a personal home page with widgets.  Many of those widgets require authentication.  In order for that authentication to persist across page reloads, those iframes need to be able to set and read a third party cookie.  

Safari and Opera have a global on/off preference for third party cookies. IE6/7 has a whitelist of trusted sites that are allowed to set a third-party cookie. I am in favor of the IE6/7 way of doing it.
(In reply to comment #3)
> (In reply to comment #2)
> > IE and Safari don't enable this pref by default afaik, we do.

IE7 most certainly claims that it blocks all third-party cookies that do not have a compact privacy policy in the default "Medium" security zone. So either those sites actually use that privacy policy, or they're not being up-front with the way that setting behaves.

(In reply to comment #7)
> Since someone requested a list of legitimate uses for iframe cookies, here you
> go:

Someone requested a list of legitimate sites which use third-party cookies in the main content area. We're not actually blocking third-party cookies from iframes yet.

> Safari and Opera have a global on/off preference for third party cookies. IE6/7
> has a whitelist of trusted sites that are allowed to set a third-party cookie.
> I am in favor of the IE6/7 way of doing it.

I'm really not in favour of having yet another whitelist, as it's just another thing for users to manage, and chances are that they won't understand why they need to enable it for some sites and not others, and further, chances are that if they're presented with a dialog asking them if they want it for the site they're on, they'll almost always say "yes".
Flags: blocking-firefox3? → blocking-firefox3+
Just to be clear, I'm not advocating actually notifying users when they're getting 3rd party cookies blocked.  I'm just saying that if we put in an option in the Options dialog, users will be able to find it when they reach a support page that says "make sure third party cookies are enabled for this site in your browser settings."
(In reply to comment #8)
> (In reply to comment #3)
> We're not actually blocking third-party cookies from iframes yet.

From my tests, FF3b3 is indeed blocking third-party cookies from iframes. I have a reduced test-case that proves it: http://www.toodledo.com/test_cookie.php
Upon further consideration, this requires some new functionality (and another whitelist) and doesn't block, but remains an item of interest.

See bug 417800, which is now blocking.
Flags: wanted-firefox3+
Flags: blocking-firefox3-
Flags: blocking-firefox3+
This WFM -- put the site as "Allowed" in your cookie site exception list and it is allowed to set cookies, first and third party. It's even allowed if you uncheck the global "Accept cookies from sites" setting.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
verifying for great justice.
Status: RESOLVED → VERIFIED
(In reply to comment #10)
> From my tests, FF3b3 is indeed blocking third-party cookies from iframes. I
> have a reduced test-case that proves it:
> http://www.toodledo.com/test_cookie.php

thanks very much for this testcase - it does verify that we do, indeed, block cookies in iframes with third-party URLs. this means our third-party blocking is good, perhaps too good, as it already stands.

however, i tested IE6 at its default "medium" privacy setting, and couldn't get it to accept the cookie. lowering the setting to "accept all", or manually allowing third party cookies, allowed it to be set. i also verified that once it's set, returning the setting to "medium" or manually blocking third-party cookies still allowed the cookie to be read - thus their third-party blocking applies only to setting cookies. i haven't yet tested IE7.

any ideas on this discrepancy with your test results?

(a decision on what to do about this feature will take place in bug 417800, but i'd like to thrash out the above question here.)
with help from ispiked and dolske, results from IE7 and Safari are consistent with comment 14 also: that is, they reject the third-party cookie under default settings (in IE7, "medium" privacy; in safari, "Accept Cookies" is set to "Only from sites you navigate to"). they then allow the cookie under "accept all", and again when the pref is returned to default.

the Safari tested was Safari Version 3.0.4 (5523.15) [current version on OS X 10.5.2].

note that results on IE in particular will most likely be different if the iframe URL has a p3p policy - IE6 and IE7 should accept the cookie in that instance.
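
The behaviours reported in the comments above (third-party set rejected under default settings, the cookie still readable once it has been set, and a per-site "Allowed" exception overriding the global switches), modelled as an added example that is not part of any comment and is not browser source code. The policy field names, the `.example` hosts and the two-label domain comparison are assumptions.

```javascript
// Simplified decision model for the thread's observations (constructed example).
// Assumption: "third party" = different last-two-label domain; real browsers
// consult the Public Suffix List instead.
const baseDomain = (host) => host.split('.').slice(-2).join('.');
const isThirdParty = (topHost, host) => baseDomain(topHost) !== baseDomain(host);

// Policy fields (hypothetical names):
//   acceptCookies    - the global "Accept cookies from sites" checkbox
//   acceptThirdParty - the global third-party switch
//   exceptions       - Set of hosts marked "Allowed" in the exception list
//   blockAppliesTo   - 'set' (blocking only on write, as the thread observed
//                      for IE6/IE7/Safari) or 'set+read'
function makeJar(policy) {
  const store = new Map(); // cookie host -> value
  const allowed = (op, topHost, host) => {
    if (policy.exceptions.has(host)) return true; // per-site "Allowed" wins
    if (!policy.acceptCookies) return false;
    if (!isThirdParty(topHost, host) || policy.acceptThirdParty) return true;
    return op === 'read' && policy.blockAppliesTo === 'set';
  };
  return {
    policy,
    set(topHost, host, value) {
      if (!allowed('set', topHost, host)) return false;
      store.set(host, value);
      return true;
    },
    read(topHost, host) {
      return allowed('read', topHost, host) ? (store.get(host) ?? null) : null;
    },
  };
}

// Constructed scenario: widget.example is framed by portal.example.
function replayThread() {
  const jar = makeJar({ acceptCookies: true, acceptThirdParty: false,
                        exceptions: new Set(), blockAppliesTo: 'set' });
  const out = {};
  out.defaultSet = jar.set('portal.example', 'widget.example', 'sid=1'); // rejected
  jar.policy.acceptThirdParty = true;                  // user picks "accept all"
  out.acceptAllSet = jar.set('portal.example', 'widget.example', 'sid=1');
  jar.policy.acceptThirdParty = false;                 // back to the default
  out.readAfterRevert = jar.read('portal.example', 'widget.example');
  out.setAfterRevert = jar.set('portal.example', 'widget.example', 'sid=2');
  jar.policy.acceptCookies = false;                    // global checkbox off
  jar.policy.exceptions.add('widget.example');         // per-site "Allowed"
  out.exceptionSet = jar.set('portal.example', 'widget.example', 'sid=3');
  return out;
}
```

With `blockAppliesTo: 'set'`, a third-party cookie accepted during a temporary "accept all" window stays readable after the setting is restored, so clearing stored cookies is a separate step from tightening the policy.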
(In reply to comment #1)
> Which sites break?  Don't they break in Safari and IE7 too?
> 

Another slight site breakage:  If third-party cookies are not accepted, I do not see the "quick edit" links when logged into my own blog on Blogger/BlogSpot.  This is a handy feature that I've gotten used to, but I'd like not to have to accept third party cookies from everyone to be able to enjoy it.  So, I'd like to add my voice to those requesting a whitelist for third-party cookies.