Open Bug 796113 Opened 9 years ago Updated 9 years ago

The meaning of "Allow First Party Only" is unclear

Categories

(Firefox :: Preferences, defect)

defect
Not set
normal

People

(Reporter: rimas, Unassigned)

I think there are two ways to interpret what the "Allow First Party Only" option could mean, both equally likely:

1. when visiting X, accept cookies from X only
2. accept cookies from X only when visiting site X

The difference here is what is being done with other cookies when site X is visited. If 1. is the correct description, then all cookies from other servers will not be accepted. If 2. is correct though, what happens to other cookies is not specified, and you'd have to look at other site settings or the default to set that.

I think the meaning of this label is unclear. Could we clarify it somehow?

1) is the current behavior if you set this option

IMHO, the UX challenge here is that 1st party cookie isn't really an established term as much as 3rd party cookie is.

I think this would be easier to digest for end-users, and also localizers, if the option was phrased in terms of "3rd party cookies".

Pike is right. The 1st party term is not used in Czech at all. On the contrary, the 3rd party one is. So, I used the translation of "Block 3rd party", which looks the same as "Allow 1st party only" to me.

Hello Matti,

The behavior is actually 2), not 1). That is, if "Allow First Party Only" is set for facebook.com, visiting facebook.com may still set cookies on other sites, but cookies for facebook.com may only be set and read when visiting facebook.com.

I apologize for the confusing wording. "Block 3rd party" is accurate -- however, does it imply that first party cookies may still be set for the site?

Thank you,
Monica

I agree that "Block 3rd party" could be misleading.  We already have an option described in the options dialog in English as "Allow 3rd party cookies".  "Block 3rd party" would appear to be the opposite of that, but is actually completely different.

The setting we are talking about here does not block 3rd party cookies.  It prevents one specific site (host/domain) from setting cookies when it is not the site showing in the location bar.  It does not block 3rd party cookies when visiting that site.  I think using a different terminology, even one that isn't currently widely understood, is a good idea to help differentiate the two concepts.

You might argue that "Allow first party only" is also misleading in that it might give the impression that only first party cookies are now allowed when visiting that site, but at least it attempts to be different from the existing setting that does mean that.  Perhaps being even more different would help, but I can't think of a very succinct way to describe it.

What if we throw the word "as" in there?  "Allow as First Party only"?  Need some input from a wordperson...
Flags: needinfo?(Mnovak)

I think we need to find a way to reword this. Sounds like anything involving the phrase "first party" is going to be problematic for l10n. I unfortunately don't fully understand all the nuances of this, so can someone suggest a really plain, clear phrasing for what happens? I bet we can get to something good from there.
Flags: needinfo?(Mnovak)

Placing this exception type on a host:
- allows cookies to be set for that host and subdomains of that host, regardless of global cookie permissions, provided that the base domain matches the base domain of the loaded page (aka 1st party cookie);
- does not allow cookies to be set for that host (and subdomains) when the base domain does not match the base domain of the loaded page (aka 3rd party cookie), even if global cookie permissions would allow it.

I don't remember where this string appears, so I can't look at the context and check what wording would be best, but perhaps something like "Only when the domain is first party" would work?
A few more alternatives:
- Block when third party
- Block on third party websites

Any wording should communicate that the exception will *allow* cookies (from that host in first party situations) despite global settings to prevent them.  As such it will probably need to include a word such as "only" or perhaps "except" to make it clear that not all cookies from that host are allowed.

Really this permission type incorporates two different exceptions, either or both of which will separately override global settings:
1) 1st party cookies will be allowed for this host even if global settings deny cookies;
2) 3rd party cookies (for this host) will be denied even if global settings would allow them.  *And* even if the 1st party portion of the exception does not apply because cookies are already allowed globally.

Rimas, this string can be seen on the about:permissions page, in the cookie dropdown.  You must select a host from the list on the left first.
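The exception semantics described in the two comments above (the two-bullet definition and the "two different exceptions" summary), written out as a decision function. This is an added example, not Firefox code and not part of any comment; the function names, the three global policy names and the small suffix set standing in for the Public Suffix List are all assumptions.

```javascript
// Added illustration, not Firefox code. Every name below is hypothetical.
// Constructed stand-in for the Public Suffix List, enough for these samples.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

// Base domain: public suffix plus one label (simplified eTLD+1).
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return host.toLowerCase();
}

// True when host is exceptionHost itself or one of its subdomains.
function covers(exceptionHost, host) {
  return host === exceptionHost || host.endsWith("." + exceptionHost);
}

// globalPolicy: "allow-all" | "block-third-party" | "block-all" (assumed names).
// firstPartyOnlyHosts: hosts that carry the "Allow First Party Only" exception.
function mayUseCookie(cookieHost, pageHost, globalPolicy, firstPartyOnlyHosts) {
  const cookie = cookieHost.toLowerCase();
  const firstParty = baseDomain(cookie) === baseDomain(pageHost);
  // The exception is keyed on the cookie's host, not on the page being visited,
  // and it overrides the global setting in both directions.
  if (firstPartyOnlyHosts.some((h) => covers(h.toLowerCase(), cookie))) {
    return firstParty;
  }
  if (globalPolicy === "allow-all") return true;
  if (globalPolicy === "block-third-party") return firstParty;
  return false; // "block-all"
}

// Constructed cases: [cookie host, page host, global policy].
const EXCEPTIONS = ["facebook.com"];
for (const [c, p, g] of [
  ["www.facebook.com", "facebook.com", "block-all"],
  ["facebook.com", "news.example.org", "allow-all"],
  ["cdn.example.org", "www.facebook.com", "allow-all"],
  ["cdn.example.org", "www.facebook.com", "block-all"],
]) {
  console.log(`${c} on ${p} [${g}] ->`, mayUseCookie(c, p, g, EXCEPTIONS));
}
```

The last two cases show that cookies for other hosts on a facebook.com page are left to the global setting, so the exception is not a "block 3rd party" switch for that page.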
That's helping me understand it better, but I still think it's the phrase "first party" that's the issue. Can we state that in more plain terms somehow? Maybe something like "only from this site," "host," etc?

The term "first party cookie" is in fairly widespread use amongst people who set or track cookies.  Google it and there are plenty of references.  Up until now there has been no real reason for anyone else to be aware of the term.

The term exists because it takes a fairly long sentence to describe it approximately, and a short paragraph to define it completely accurately.  I think you have the choice between accepting the existing term for this behaviour and getting people used to it, or inventing a new term and getting people used to that.

FWIW, I've seen it used in German simply as "First party cookie".  In my addon it has been translated as "Cookies von Erstanbietern", not quite so succinct.  And in Swedish as "kakor från första part".