Hi everyone, tl;dr; If you block all third-party cookies in Nightly, you're going to experience a slight change in behavior; Firefox will automatically unblock some third-party storage access based on gecko’s internal heuristics [0] and requests to the Storage Access API [1].
Summary:

In Firefox, we call the policies to accept or deny cookies and other storage APIs (indexedDB, localStorage, and so on) “cookie behaviors”. Firefox implements several cookie behaviors, detailed below [2]. Before Enhanced Tracking Protection (ETP), the default behavior was “0” (BEHAVIOR_ACCEPT) -- everything was allowed by default. With the launch of ETP last fall, the default cookie behavior became “4” (BEHAVIOR_REJECT_TRACKER) -- we deny the use of cookies and storage APIs for any 3rd party contexts classified as trackers [3].

In order to prevent login and other flows from breaking, we added some exceptions to cookie and storage blocking. For example, if the website called the Storage Access API [1] to request storage access, or if the user went through a flow that looked like a login, we would allow the third-party cookie and storage access [0].

We also have a stricter cookie behavior “1” (BEHAVIOR_REJECT_FOREIGN) that blocks all third-party cookies and storage, regardless of whether or not Disconnect has classified the third party as a tracker. We’ve seen this setting cause breakage in the past. We’d like to see if the heuristic exceptions we use in our tracking cookie blocking [0] will fix that breakage.

We’ve added a new pref network.cookie.rejectForeignWithExceptions.enabled to enable the cookie blocking exceptions for cookie behavior “1” so that we can test the web compatibility effects of blocking all third-party cookies when there are exceptions. The pref will be enabled by default in Nightly only. This means that if you have all third party cookies blocked in Nightly, you may sometimes receive third-party cookies if you trigger Gecko’s internal heuristics or the Storage Access API is called by the website.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1625568

Preference: network.cookie.rejectForeignWithExceptions.enabled enables the feature. It’s set to true on Nightly only.
Other browsers:

Safari implemented and just released a similar feature by default [4]. Safari blocks all third-party cookies and provides similar heuristic exceptions and storage access API support. Note that Safari double keys other storage mechanisms, so the implementations are different.

--

[0] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy#Storage_access_grants

[1] https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API

[2] https://searchfox.org/mozilla-central/rev/4ccefc3181f9d237ef4ca8bd17b4e7c101ddf7b5/netwerk/cookie/nsICookieService.idl#71-82
- “0” (BEHAVIOR_ACCEPT) - accept all cookies
- “1” (BEHAVIOR_REJECT_FOREIGN) - any 3rd party context doesn’t receive/send cookies and it’s unable to use storage APIs.
- “2” (BEHAVIOR_REJECT) - cookies and storage APIs are disabled everywhere
- “3” (BEHAVIOR_LIMIT_FOREIGN) - unknown 3rd party contexts do not receive/send cookies and they are unable to use storage APIs
- “4” (BEHAVIOR_REJECT_TRACKER) - to simplify, we deny the use of cookies and storage APIs for any 3rd party contexts classified as trackers [3].
- “5” (BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN) - it’s ETP, plus, dFPI (dynamic first-party isolation) for third-party contexts. This cookie policy is not yet exposed and is under active development.

[3] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy

[4] https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
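The post describes two ways an embedded third party can end up with storage access under cookie behavior "1" plus the new exceptions pref: a heuristic grant from Gecko, or an explicit request through the Storage Access API [1]. The following is an added example, not code from the post or from Mozilla, showing the embed-side flow a site should implement so that it degrades cleanly when access is denied (which is what happens under BEHAVIOR_REJECT_FOREIGN without the exceptions, or when the user or browser declines). `ensureStorageAccess` and `fakeDocument` are hypothetical helper names chosen here; the `doc` parameter is injected so the logic can be exercised outside a browser, and in a real page you pass `document`.

```javascript
// Added example (not part of the dev-platform post): how an embedded
// third-party frame asks for storage access via the Storage Access API,
// and how it should behave when the browser's cookie behavior denies it.
// `doc` is injected so this can run under Node for testing; pass `document`
// in a real page.

async function ensureStorageAccess(doc, { onUserGesture = true } = {}) {
  // No API at all (older browser): script cannot influence the decision,
  // so report "unknown" and let the caller use its legacy code path.
  if (typeof doc.hasStorageAccess !== "function") {
    return { granted: null, reason: "api-unavailable" };
  }
  // Fast path: access already granted. This covers a first-party context,
  // an earlier explicit grant, and heuristic grants such as the post-login
  // exception the post describes.
  if (await doc.hasStorageAccess()) {
    return { granted: true, reason: "already-granted" };
  }
  // requestStorageAccess() must run inside a user gesture (e.g. a click);
  // calling it anywhere else is rejected by the API, so don't bother trying.
  if (!onUserGesture) {
    return { granted: false, reason: "needs-user-gesture" };
  }
  try {
    await doc.requestStorageAccess();
    return { granted: true, reason: "requested" };
  } catch (err) {
    // Rejected: strict cookie behavior without exceptions, or the user or
    // browser declined. Fall back to a flow that needs no third-party
    // storage (for example a top-level redirect to the provider's own origin).
    return { granted: false, reason: "denied" };
  }
}

// Constructed stand-in for `document` so the flow can be exercised offline.
// `policy` mimics the browser decision: "has" (already granted),
// "granted" (request succeeds) or "denied" (request rejects).
function fakeDocument(policy) {
  return {
    hasStorageAccess: async () => policy === "has",
    requestStorageAccess: async () => {
      if (policy !== "granted") throw new Error("NotAllowedError");
    },
  };
}

// Browser wiring: request access from the first click in the frame and
// report the outcome. Guarded so the module also loads under Node.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  document.addEventListener(
    "click",
    async () => {
      const result = await ensureStorageAccess(document);
      console.log("storage access:", result);
    },
    { once: true }
  );
}
```

The important design point is that the frame never assumes it has storage: it checks `hasStorageAccess()` first, only calls `requestStorageAccess()` from a user gesture, and treats a rejected promise as the normal case rather than an error, since that is exactly the outcome when all third-party cookies are blocked and none of the exceptions apply.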