Closed Bug 770705 Opened 8 years ago Closed 7 years ago

Update about:permissions to allow editing per site 3rd party cookie prefs


(Firefox :: Preferences, enhancement)

Not set



Firefox 18


(Reporter: ddahl, Assigned: mmc)


(Depends on 1 open bug)



(1 file, 3 obsolete files)

In bug 770691, we are adding more plumbing to CookiePermission and CookieService that can block or allow blocking or allowing per-site 3rd party cookie operations. We need to surface this in the about:permissions UI
Assignee: nobody → mmc
Is there a bug open to also add "Allow first party only" to View Page Info, "Permissions" section?
Hi Mardeg,

Not that I know of, though that's a good idea.

Note that Page Info > Permissions is the primary UI for this, for the time being. about:permissions is still a hidden feature.
OK -- in the meantime, I'd like to surface this in about:permissions first. Dao, would you mind giving a review?
Attachment #662707 - Flags: review?(sstamm) → review?(dao)
Comment on attachment 662707 [details] [diff] [review]
Add "Allow first party only" to about:permissions.

Gavin suggested Margaret would be a good reviewer.
Attachment #662707 - Flags: review?(dao) → review?(margaret.leibovic)
Comment on attachment 662707 [details] [diff] [review]
Add "Allow first party only" to about:permissions.

Review of attachment 662707 [details] [diff] [review]:

This looks generally good, but I think you need to watch out for the "All Sites" case.

::: browser/components/preferences/aboutPermissions.xul
@@ +126,5 @@
>                        oncommand="AboutPermissions.onPermissionCommand(event);">
>                <menupopup>
>                  <menuitem id="cookie-1" value="1" label="&permission.allow;"/>
>                  <menuitem id="cookie-8" value="8" label="&permission.allowForSession;"/>
> +                <menuitem id="cookie-9" value="9" label="&permission.allowFirstPartyOnly;"/>

Do you want this option to be visible for "All Sites" to allow users to set a global preference? If so, you need to update the PermissionDefaults cookie code:

If there is no global preference, you can add some code in updatePermission to hide it in the |!this._selectedSite| case, similarly to how we do for the _noGlobalAllow/_noGlobalDeny permission types:

::: browser/components/preferences/tests/browser_permissions.js
@@ +16,5 @@
>  const PERM_UNKNOWN = 0;
>  const PERM_ALLOW = 1;
>  const PERM_DENY = 2;
> +// cookie specific permissions

At first I thought you accidentally deleted PERM_SESION, but I see it's not used, so that's fine. If you're going to get rid of it, you should also get rid of it in browser_chunk_permissions.js.
Attachment #662707 - Flags: review?(margaret.leibovic) → feedback+
Hi Margaret, thanks for the review. I asked on #security and the consensus was that there should not be a global setting for ALLOW_FIRST_PARTY_ONLY. This is equivalent to disallowing 3rd party cookies, which is already settable in Preferences > Privacy > Use custom settings for history, and adding another way to set the same preference, with different wording, would be confusing.

I added code to hide ALLOW_FIRST_PARTY_ONLY when no site selected, although it's pretty ugly. Also deleted PERM_SESION. Please have another look.

(In reply to Monica Chew from comment #9)

> I added code to hide ALLOW_FIRST_PARTY_ONLY when no site selected, although
> it's pretty ugly. Also deleted PERM_SESION. Please have another look.

I don't see this in the new patch. Maybe the new changes didn't make it in?
My bad, forgot to qref before exporting. Fixing.
Attachment #662707 - Attachment is obsolete: true
Attachment #664231 - Attachment is obsolete: true
Attachment #664231 - Flags: review?(margaret.leibovic)
Attachment #664238 - Flags: review?(margaret.leibovic)
Comment on attachment 664238 [details] [diff] [review]
Changes to about:permissions to expose ALLOW_FIRST_PARTY_ONLY as a site specific cookie pref

Review of attachment 664238 [details] [diff] [review]:

r+ with my comment addressed.

::: browser/components/preferences/aboutPermissions.js
@@ +769,5 @@
>        if (aType == "plugins") {
>          document.getElementById("plugins-pref-item").hidden =
>            !Services.prefs.getBoolPref("plugins.click_to_play");
>          return;
> +      } else if (aType == "cookie")

You don't need an |else| here, since the if statement above returns. You can just put this if statement on its own on the line below.

::: browser/components/preferences/tests/browser_permissions.js
@@ +257,5 @@
> +
> +    // change a site-specific cookie permission, just for fun
> +    let cookieMenuList = getPermissionMenulist("cookie");
> +    let cookieItem = gBrowser.contentDocument.getElementById("cookie-" +
> +                                                             PERM_FIRST_PARTY_ONLY);

Nit: Just put this on the same line above. It's ok if the line is a little long :)
Attachment #664238 - Flags: review?(margaret.leibovic) → review+
Mochitests passed, try in progress:
(previous revision passed here:

r+ by margaret in comment 14
Keywords: checkin-needed
Filed bug 793948 per comment 4
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 18
Depends on: 796113
Verified as fixed on Firefox 18 (20121119042013).
You need to log in before you can comment on or make changes to this bug.