Hi everyone,

tl;dr: If you block all third-party cookies in Nightly, you're going to
experience a slight change in behavior; Firefox will automatically unblock
some third-party storage access based on Gecko’s internal heuristics [0]
and requests to the Storage Access API [1].

Summary: In Firefox, we call the policies to accept or deny cookies and
other storage APIs (indexedDB, localStorage, and so on) “cookie behaviors”.
Firefox implements several cookie behaviors, detailed below [2]. Before
Enhanced Tracking Protection (ETP), the default behavior was “0”
(BEHAVIOR_ACCEPT) -- everything was allowed by default. With the launch of
ETP last fall, the default cookie behavior became “4”
(BEHAVIOR_REJECT_TRACKER) - we deny the use of cookies and storage APIs for
any 3rd party contexts classified as trackers [3].

In order to prevent login and other flows from breaking, we added some
exceptions to cookie and storage blocking.  For example, if the website
called the Storage Access API [1] to request storage access or if the user
went through a flow that looked like a login, we would allow the
third-party cookie and storage access [0].

We also have a stricter cookie behavior “1” (BEHAVIOR_REJECT_FOREIGN) that
blocks all third-party cookies and storage, regardless of whether or not
Disconnect has classified the third party as a tracker.  We’ve seen this
setting cause breakage in the past. We’d like to see if the heuristic
exceptions we use in our tracking cookie blocking [0] will fix that
breakage.

We’ve added a new pref network.cookie.rejectForeignWithExceptions.enabled
to enable the cookie blocking exceptions for cookie behavior “1” so that we
can test the web compatibility effects of blocking all third-party cookies
when there are exceptions.  The pref will be enabled by default in Nightly
only. This means that if you have all third party cookies blocked in
Nightly, you may sometimes receive third-party cookies if you trigger
Gecko’s internal heuristics or the Storage Access API is called by the
website.
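An added example (not code from the original post or from Firefox) showing how an embedded third-party document should drive the Storage Access API [1] so that it works under both the heuristic grants and the denial case: check `hasStorageAccess()` first, only call `requestStorageAccess()` from a user gesture, and fall back cleanly when the request is rejected. The `doc` parameter is injected so the logic can be exercised outside a browser (pass `document` in a real page); `fakeDocument` is a constructed stand-in, not a browser API.

```javascript
// Drive the Storage Access API from a third-party iframe.
// Returns a small status object instead of throwing so callers can choose a
// cookieless fallback when access is denied.
async function ensureStorageAccess(doc, { userActivated = true } = {}) {
  if (typeof doc.hasStorageAccess !== "function") {
    // Browser without the API: access is governed purely by the cookie behavior.
    return { state: "unsupported", requested: false };
  }
  if (await doc.hasStorageAccess()) {
    // Already granted, e.g. by a heuristic exception from an earlier login flow.
    return { state: "granted", requested: false };
  }
  if (!userActivated) {
    // requestStorageAccess() is rejected outside a user gesture (click/tap),
    // so do not burn the request; wait for a gesture instead.
    return { state: "needs-gesture", requested: false };
  }
  try {
    await doc.requestStorageAccess();
    return { state: "granted", requested: true };
  } catch (err) {
    // Denied: e.g. BEHAVIOR_REJECT_FOREIGN without the exceptions pref, or the
    // user/heuristics did not grant it. Callers should avoid cookie-dependent paths.
    return { state: "denied", requested: true, reason: String(err) };
  }
}

// Constructed stand-in for `document` (assumption: offline demo only).
// `hasAccess` is the initial state; `grants` says whether a request succeeds.
function fakeDocument({ hasAccess, grants }) {
  let access = hasAccess;
  return {
    hasStorageAccess: async () => access,
    requestStorageAccess: async () => {
      if (!grants) throw new Error("NotAllowedError");
      access = true;
    },
  };
}

// Demo: a blocked third party that is granted on request.
ensureStorageAccess(fakeDocument({ hasAccess: false, grants: true }))
  .then((r) => console.log("granted on request:", r));
```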

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1625568

Preference: network.cookie.rejectForeignWithExceptions.enabled enables the
feature. It’s set to true on Nightly only.

Other browsers: Safari implemented and just released a similar feature by
default [4].  Safari blocks all third-party cookies and provides similar
heuristic exceptions and storage access API support.  Note that Safari
double keys other storage mechanisms, so the implementations are different.

--

[0]
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy#Storage_access_grants

[1] https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API

[2]
https://searchfox.org/mozilla-central/rev/4ccefc3181f9d237ef4ca8bd17b4e7c101ddf7b5/netwerk/cookie/nsICookieService.idl#71-82

   - “0” (BEHAVIOR_ACCEPT) - accept all cookies
   - “1” (BEHAVIOR_REJECT_FOREIGN) - any 3rd party context doesn’t receive/send cookies and it’s unable to use storage APIs.
   - “2” (BEHAVIOR_REJECT) - cookies and storage APIs are disabled everywhere
   - “3” (BEHAVIOR_LIMIT_FOREIGN) - unknown 3rd party contexts do not receive/send cookies and they are unable to use storage APIs
   - “4” (BEHAVIOR_REJECT_TRACKER) - to simplify, we deny the use of cookies and storage APIs for any 3rd party contexts classified as trackers [3].
   - “5” (BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN) - it’s ETP, plus dFPI (dynamic first-party isolation) for third-party contexts. This cookie policy is not yet exposed and is under active development.

[3]
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy

[4] https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform