Last Comment Bug 570630 - Change default to allow third party session cookies
: Change default to allow third party session cookies
Status: RESOLVED FIXED
:
Product: Core
Classification: Components
Component: Networking: Cookies (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: dwitte@gmail.com
:
:
Mentors:
Depends on: 565475
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-07 17:10 PDT by dwitte@gmail.com
Modified: 2010-12-08 16:40 PST (History)
15 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
alpha5+


Attachments
flip it (1.90 KB, patch)
2010-06-08 08:46 PDT, dwitte@gmail.com
sdwilsh: review+
Details | Diff | Splinter Review

Description dwitte@gmail.com 2010-06-07 17:10:28 PDT
In bug 565475 I implemented the ability to downgrade third party cookies to session, and we made it default.

I'm not sure we need to go that far, if we're going to implement bug 565965; it might be a bad UX/privacy tradeoff. Bug 565965 will be much more effective at doing what we want than this change will.

More thought needs to be put into it. (This bug might end up WONTFIX.)
Comment 1 Benjamin Smedberg [:bsmedberg] 2010-06-07 17:26:23 PDT
A decision on this probably blocks the devpreview, so that we don't end up flip-flopping our policy too much.
Comment 2 Johnny Stenback (:jst, jst@mozilla.com) 2010-06-07 17:41:40 PDT
Who needs to make this decision?
Comment 3 Mike Shaver (:shaver -- probably not reading bugmail closely) 2010-06-07 17:44:18 PDT
This needs discussion more broadly than a bug, since it affects the behaviour of our web platform pretty significantly.  I *believe* that Jay, Beltzner and/or Damon are going to convene such a discussion.
Comment 4 dwitte@gmail.com 2010-06-07 18:09:08 PDT
Yes -- we have a discussion on Wed. I can roll a patch then, if necessary. Is that in line with the preview schedule?
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2010-06-07 18:11:34 PDT
Per the look of things before I found out about this bug Wednesday's nightly build could have been our alpha 5 (WebM support should be landed by then), so a decision on Wednesday would push that out, which is fine if people agree that this is needed for the alpha, and the discussion can't happen earlier.
Comment 6 dwitte@gmail.com 2010-06-07 18:38:26 PDT
I'll have this ready to go for the Wed nightly.
Comment 7 Mike Beltzner [:beltzner, not reading bugmail] 2010-06-08 04:46:54 PDT
Am I right in saying that bug 565475 already changed the preference? If so, this bug should be re-summarized as "Change default to allow third party session cookies," for clarity.

We'll have a decision by Tuesday afternoon PT - Dan, can you put together a patch and attach it on this bug and get review so that if we do decide to flip the preference back, all that needs be done is the checkin?
Comment 8 dwitte@gmail.com 2010-06-08 08:38:57 PDT
(In reply to comment #7)
> Am I right in saying that bug 565475 already changed the preference? If so,
> this bug should be re-summarized as "Change default to allow third party
> session cookies," for clarity.

Fair 'nuf!

> We'll have a decision by Tuesday afternoon PT - Dan, can you put together a
> patch and attach it on this bug and get review so that if we do decide to flip
> the preference back, all that needs be done is the checkin?

Momentarily.
Comment 9 dwitte@gmail.com 2010-06-08 08:46:17 PDT
Created attachment 449876 [details] [diff] [review]
flip it

r=sdwilsh verbally from train!
Comment 10 Shawn Wilsher :sdwilsh 2010-06-08 09:30:51 PDT
Comment on attachment 449876 [details] [diff] [review]
flip it

r=sdwilsh from the office too!
Comment 11 dwitte@gmail.com 2010-06-08 16:46:47 PDT
http://hg.mozilla.org/mozilla-central/rev/76e9dd2d9322

Landed per discussion -- this provides no testing benefit in terms of gathering feedback, and doesn't accurately reflect where we want to end up either.
Comment 12 Steffen Wilberg 2010-12-08 06:47:00 PST
From a Slashdot top story today:
"Previously, Mozilla stopped working on a similar [Do Not Track] feature for Firefox after pressure from advertisers and other OSS projects as it would hurt their revenue sources from advertisers."
http://tech.slashdot.org/story/10/12/07/2216242/Microsoft-Adds-Do-Not-Track-Option-For-IE9

linking to
http://tech.slashdot.org/story/10/12/07/011229/Why-We-Shouldnt-Begrudge-Commercial-Open-Source-Companies

which links to
http://online.wsj.com/article/SB10001424052748704584804575645074178700984.html

which quotes Jay Sullivan and Mike Shaver like this:
"Mozilla, which is run by a nonprofit foundation that receives the majority of its revenue from Google, has also received pressure from advertisers about its efforts to limit tracking.

In May, Mozilla engineer Dan Witte proposed a mechanism that caused cookies to automatically expire when a user closed his or her Web browser. (By comparison, most tracking cookies last for years). It only affected tracking cookies—not cookies that websites use to remember users' passwords or shopping-cart information.

Mr. Witte's proposal was inserted into a developers' version of the Firefox browser on May 28. By early June, however, the news trickled out to advertising-industry executive Simeon Simeonov.

Mr. Simeonov is the co-founder of a company, Better Advertising, that provides technology to online-ad companies. When he heard about the change, Mr. Simeonov said he worried it "would have broad, unforeseen impact on the consumer experience and perhaps even on the Web ecosystem."

Mr. Simeonov reached out to the chief executive of Mozilla, who put him in touch with Jay Sullivan, vice president of products at Mozilla. The two spoke on June 9. Mr. Sullivan said Mr. Simeonov expressed concern that the change would prompt advertisers to "go underground" to conduct even more surreptitious forms of tracking. Mr. Sullivan said that Mr. Simeonov's comments "supported what we were already thinking."

Mr. Sullivan added that Mr. Simeonov was one of many people who expressed concerns about the change, including representatives from companies that use tracking tools to provide Web statistics and companies that host content on behalf of other companies. He said the tool would have slowed down or hampered the performance of those companies.

The software was removed from the Firefox prototype on June 10. Mr. Sullivan said it isn't unusual for proposed changes to be rejected. "We haven't precluded making all these changes but we didn't want to do it two weeks before the release" of a new test version of the browser, he said. The final version of the browser will be released early next year; it does not include any new tools to limit tracking.

Mr. Shaver rejected the notion that Mozilla's decisions may be influenced by the advertising industry. Rather, he said Mozilla is driven by the needs of Web users and its mission that the Internet must remain open and accessible.

In its most recent financial statements, Mozilla disclosed about $86 million of its $104 million in 2009 revenue came from an advertising agreement with Google.

"I wouldn't say we are under pressure from advertisers," said Mr. Shaver. "They are a big part of the economics of the Web. We want to understand what their needs are."
Comment 13 Shawn Wilsher :sdwilsh 2010-12-08 07:13:02 PST
(In reply to comment #12)
Please don't copy and paste news stories into bug comments.  It's not even clear what point you were trying to make in your comment.  In the future, before posting a comment, please consider whether or not your comment follows the bugzilla etiquette:
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Comment 14 Steffen Wilberg 2010-12-08 09:01:40 PST
Ah crap, I didn't mean to submit that, but decided to send an email instead and then only wanted to cc myself here. Sorry for spamming.
Comment 15 Daniel Veditz [:dveditz] 2010-12-08 16:40:44 PST
> Mr. Simeonov reached out to the chief executive of Mozilla, who put him
> in touch with Jay Sullivan, vice president of products at Mozilla. The
> two spoke on June 9.

... and if you read the bug we'd already decided to revert the change and checked it in by the 8th (comment 11)--before he contacted us. Our decision was based on many things (e.g. add-on bustage in bug 565475 comment 15) but not "pressure from advertisers". It was an experiment that didn't work quite right.

Note You need to log in before you can comment on or make changes to this bug.