On Friday, April 3, 2020 at 9:28:29 AM UTC+2, Andrea Marchesini wrote:
> Hi everyone,
> 
> tl;dr; If you block all third-party cookies in Nightly, you're going to
> experience a slight change in behavior; Firefox will automatically unblock
> some third-party storage access based on gecko’s internal heuristics [0]
> and requests to the Storage Access API [1].
> 
> Summary: In Firefox, we call the policies to accept or deny cookies and
> other storage APIs (indexedDB, localStorage, and so on) “cookie behaviors”.
> Firefox implements several cookie behaviors, detailed below [2]. Before
> Enhanced Tracking Protection (ETP), the default behavior was “0”
> (BEHAVIOR_ACCEPT) -- everything was allowed by default. With the launch of
> ETP last fall, the default cookie behavior became “4”
> (BEHAVIOR_REJECT_TRACKER) - we deny the use of cookies and storage APIs for
> any 3rd party contexts classified as trackers [3].
> 
> In order to prevent login and other flows from breaking, we added some
> exceptions to cookie and storage blocking.  For example, if the website
> called the Storage Access API [1] to request storage access or if the user
> went through a flow that looked like a login, we would allow the
> third-party cookie and storage access [0].
> 
> We also have a stricter cookie behavior “1” (BEHAVIOR_REJECT_FOREIGN) that
> blocks all third-party cookies and storage, regardless of whether or not
> Disconnect has classified the third party as a tracker.  We’ve seen this
> setting cause breakage in the past. We’d like to see if the heuristic
> exceptions we use in our tracking cookie blocking [0] will fix that
> breakage.
> 
> We’ve added a new pref network.cookie.rejectForeignWithExceptions.enabled
> to enable the cookie blocking exceptions for cookie behavior “1” so that we
> can test the web compatibility effects of blocking all third-party cookies
> when there are exceptions.  The pref will be enabled by default in Nightly
> only. This means that if you have all third party cookies blocked in
> Nightly, you may sometimes receive third-party cookies if you trigger
> Gecko’s internal heuristics or the Storage Access API is called by the
> website.
> 
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1625568
> 
> Preference: network.cookie.rejectForeignWithExceptions.enabled enables the
> feature. It’s set to true on Nightly only.
> 
> Other browsers: Safari implemented and just released a similar feature by
> default [4].  Safari blocks all third-party cookies and provides similar
> heuristic exceptions and storage access API support.  Note that Safari
> double keys other storage mechanisms, so the implementations are different.
> 
> --
> 
> [0]
> https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy#Storage_access_grants
> 
> [1] https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API
> 
> [2]
> https://searchfox.org/mozilla-central/rev/4ccefc3181f9d237ef4ca8bd17b4e7c101ddf7b5/netwerk/cookie/nsICookieService.idl#71-82
> 
>    - “0” (BEHAVIOR_ACCEPT) - accept all cookies
>    - “1” (BEHAVIOR_REJECT_FOREIGN) - any 3rd party context doesn’t
>    receive/send cookies and it’s unable to use storage APIs.
>    - “2” (BEHAVIOR_REJECT) - cookies and storage APIs are disabled
>    everywhere
>    - “3” (BEHAVIOR_LIMIT_FOREIGN) - unknown 3rd party contexts do not
>    receive/send cookies and they are unable to use storage APIs
>    - “4” (BEHAVIOR_REJECT_TRACKER) - to simplify, we deny the use of
>    cookies and storage APIs for any 3rd party contexts classified as trackers
>    [3].
>    - “5” (BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN) - it’s ETP, plus,
>    dFPI (dynamic first-party isolation) for third-party contexts. This cookie
>    policy is not yet exposed and is under active development.
> 
> [3]
> https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy
> 
> [4] https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
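
The cookie behaviors and the new pref described in the quoted message can be read as a decision table. The sketch below is an added example, not Gecko code and not part of the original mail. The context field names (`thirdParty`, `tracker`, `known`, `grant`), the `"partition"` result, and the treatment of behavior 5 as "behavior 4 for trackers, partition otherwise" are assumptions made for illustration.

```javascript
// Illustrative model only (not Gecko's implementation). Values follow list [2].
const BEHAVIOR_ACCEPT = 0, BEHAVIOR_REJECT_FOREIGN = 1, BEHAVIOR_REJECT = 2,
      BEHAVIOR_LIMIT_FOREIGN = 3, BEHAVIOR_REJECT_TRACKER = 4,
      BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN = 5;

// ctx (hypothetical field names):
//   thirdParty: the context is third-party to the top-level page
//   tracker:    the third party is classified as a tracker
//   known:      for behavior 3, the third party is not "unknown"
//   grant:      a storage access grant exists (heuristic [0] or Storage Access API [1])
// exceptionsPref models network.cookie.rejectForeignWithExceptions.enabled.
function storageDecision(behavior, ctx, exceptionsPref = false) {
  if (behavior === BEHAVIOR_REJECT) return "deny";           // disabled everywhere
  if (behavior === BEHAVIOR_ACCEPT || !ctx.thirdParty) return "allow";
  switch (behavior) {
    case BEHAVIOR_REJECT_FOREIGN:
      // The change announced in the mail: grants only count when the pref is on.
      return exceptionsPref && ctx.grant ? "allow" : "deny";
    case BEHAVIOR_LIMIT_FOREIGN:
      return ctx.known ? "allow" : "deny";
    case BEHAVIOR_REJECT_TRACKER:
      return !ctx.tracker || ctx.grant ? "allow" : "deny";
    case BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN:
      // Assumption: trackers handled as in behavior 4, everything else partitioned.
      if (ctx.tracker) return ctx.grant ? "allow" : "deny";
      return "partition";
    default:
      throw new RangeError(`unknown cookie behavior: ${behavior}`);
  }
}

// Names of the contexts whose outcome under behavior 1 differs once the pref
// is enabled, i.e. where a Nightly user would notice the new exceptions.
function changedByPref(contexts) {
  return contexts
    .filter(c => storageDecision(BEHAVIOR_REJECT_FOREIGN, c, false) !==
                 storageDecision(BEHAVIOR_REJECT_FOREIGN, c, true))
    .map(c => c.name);
}

// Constructed sample contexts, not taken from any real site.
const SAMPLE_CONTEXTS = [
  { name: "login-iframe-with-grant", thirdParty: true, tracker: false, grant: true },
  { name: "tracker-iframe-with-grant", thirdParty: true, tracker: true, grant: true },
  { name: "widget-iframe-no-grant", thirdParty: true, tracker: false, grant: false },
  { name: "first-party-page", thirdParty: false, tracker: false, grant: false },
];

console.log(changedByPref(SAMPLE_CONTEXTS));
```

Only contexts holding a grant change outcome, which is the set to watch when testing whether behavior “1” still blocks what it is expected to block.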
