Update about:permissions to allow editing per site 3rd party cookie prefs

VERIFIED FIXED in Firefox 18

Status

()

Firefox
Preferences
--
enhancement
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: ddahl, Assigned: mmc)

Tracking

(Depends on: 1 bug)

Trunk
Firefox 18
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 3 obsolete attachments)

(Reporter)

Description

5 years ago
In bug 770691, we are adding more plumbing to CookiePermission and CookieService that can block or allow blocking or allowing per-site 3rd party cookie operations. We need to surface this in the about:permissions UI
(Reporter)

Comment 1

5 years ago
See: https://wiki.mozilla.org/Privacy/Features/Per-Site_Third-Party_Cookie_Setting
Depends on: 770691
Assignee: nobody → mmc
Created attachment 662707 [details] [diff] [review]
Add "Allow first party only" to about:permissions.

Try in progress, mochitest passes: https://tbpl.mozilla.org/?tree=Try&rev=a037709c5a71
Attachment #662707 - Flags: review?(sstamm)

Comment 3

5 years ago
Is there a bug open to also add "Allow first party only" to View Page Info, "Permissions" section?
Hi Mardeg,

Not that I know of, though that's a good idea.

Thanks,
Monica
Note that Page Info > Permissions is the primary UI for this, for the time being. about:permissions is still a hidden feature.
OK -- in the meantime, I'd like to surface this in about:permissions first. Dao, would you mind giving a review?
Attachment #662707 - Flags: review?(sstamm) → review?(dao)
Comment on attachment 662707 [details] [diff] [review]
Add "Allow first party only" to about:permissions.

Gavin suggested Margaret would be a good reviewer.
Attachment #662707 - Flags: review?(dao) → review?(margaret.leibovic)

Comment 8

5 years ago
Comment on attachment 662707 [details] [diff] [review]
Add "Allow first party only" to about:permissions.

Review of attachment 662707 [details] [diff] [review]:
-----------------------------------------------------------------

This looks generally good, but I think you need to watch out for the "All Sites" case.

::: browser/components/preferences/aboutPermissions.xul
@@ +126,5 @@
>                        oncommand="AboutPermissions.onPermissionCommand(event);">
>                <menupopup>
>                  <menuitem id="cookie-1" value="1" label="&permission.allow;"/>
>                  <menuitem id="cookie-8" value="8" label="&permission.allowForSession;"/>
> +                <menuitem id="cookie-9" value="9" label="&permission.allowFirstPartyOnly;"/>

Do you want this option to be visible for "All Sites" to allow users to set a global preference? If so, you need to update the PermissionDefaults cookie code:
http://mxr.mozilla.org/mozilla-central/source/browser/components/preferences/aboutPermissions.js#269

If there is no global preference, you can add some code in updatePermission to hide it in the |!this._selectedSite| case, similarly to how we do for the _noGlobalAllow/_noGlobalDeny permission types:
http://mxr.mozilla.org/mozilla-central/source/browser/components/preferences/aboutPermissions.js#749

::: browser/components/preferences/tests/browser_permissions.js
@@ +16,5 @@
>  const PERM_UNKNOWN = 0;
>  const PERM_ALLOW = 1;
>  const PERM_DENY = 2;
> +// cookie specific permissions
> +const PERM_FIRST_PARTY_ONLY = 9;

At first I thought you accidentally deleted PERM_SESION, but I see it's not used, so that's fine. If you're going to get rid of it, you should also get rid of it in browser_chunk_permissions.js.
Attachment #662707 - Flags: review?(margaret.leibovic) → feedback+
Hi Margaret, thanks for the review. I asked on #security and the consensus was that there should not be a global setting for ALLOW_FIRST_PARTY_ONLY. This is equivalent to disallowing 3rd party cookies, which is already settable in Preferences > Privacy > Use custom settings for history, and adding another way to set the same preference, with different wording, would be confusing.

I added code to hide ALLOW_FIRST_PARTY_ONLY when no site selected, although it's pretty ugly. Also deleted PERM_SESION. Please have another look.

Thanks,
Monica
Created attachment 664231 [details] [diff] [review]
Changes to about:permissions to expose ALLOW_FIRST_PARTY_ONLY as a site specific cookie pref
Attachment #664231 - Flags: review?(margaret.leibovic)

Comment 11

5 years ago
(In reply to Monica Chew from comment #9)

> I added code to hide ALLOW_FIRST_PARTY_ONLY when no site selected, although
> it's pretty ugly. Also deleted PERM_SESION. Please have another look.

I don't see this in the new patch. Maybe the new changes didn't make it in?
My bad, forgot to qref before exporting. Fixing.
Created attachment 664238 [details] [diff] [review]
Changes to about:permissions to expose ALLOW_FIRST_PARTY_ONLY as a site specific cookie pref
Attachment #662707 - Attachment is obsolete: true
Attachment #664231 - Attachment is obsolete: true
Attachment #664231 - Flags: review?(margaret.leibovic)
Attachment #664238 - Flags: review?(margaret.leibovic)

Comment 14

5 years ago
Comment on attachment 664238 [details] [diff] [review]
Changes to about:permissions to expose ALLOW_FIRST_PARTY_ONLY as a site specific cookie pref

Review of attachment 664238 [details] [diff] [review]:
-----------------------------------------------------------------

r+ with my comment addressed.

::: browser/components/preferences/aboutPermissions.js
@@ +769,5 @@
>        if (aType == "plugins") {
>          document.getElementById("plugins-pref-item").hidden =
>            !Services.prefs.getBoolPref("plugins.click_to_play");
>          return;
> +      } else if (aType == "cookie")

You don't need an |else| here, since the if statement above returns. You can just put this if statement on its own on the line below.

::: browser/components/preferences/tests/browser_permissions.js
@@ +257,5 @@
> +
> +    // change a site-specific cookie permission, just for fun
> +    let cookieMenuList = getPermissionMenulist("cookie");
> +    let cookieItem = gBrowser.contentDocument.getElementById("cookie-" +
> +                                                             PERM_FIRST_PARTY_ONLY);

Nit: Just put this on the same line above. It's ok if the line is a little long :)
Attachment #664238 - Flags: review?(margaret.leibovic) → review+
Created attachment 664263 [details] [diff] [review]
Changes to about:permissions to expose ALLOW_FIRST_PARTY_ONLY as a site specific cookie pref

Thanks, Margaret! Comments fixed.
Attachment #664238 - Attachment is obsolete: true
Mochitests passed, try in progress: https://tbpl.mozilla.org/?tree=Try&rev=a55f464f7b36
(previous revision passed here: https://tbpl.mozilla.org/?tree=Try&rev=a037709c5a71)

r+ by margaret in comment 14
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/c1984535f059
Flags: in-testsuite+
Keywords: checkin-needed

Comment 18

5 years ago
Filed bug 793948 per comment 4
https://hg.mozilla.org/mozilla-central/rev/c1984535f059
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 18

Updated

5 years ago
Depends on: 796113

Comment 20

5 years ago
Verified as fixed on Firefox 18 (20121119042013).
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.