(Re-sending this to fix the formatting)

# Summary
First-Party Isolation (FPI) is an Anti-Tracking feature that
partitions most third-party state and communication channels by the
top-level website. It uses the first-party eTLD+1 as part of the
storage key and origin checks, such that third-party iframes embedded
in different websites will have separate storage locations and are not
considered same-origin. FPI has long been the Tor Browser’s default
storage model.

FPI works well for most websites, but can break some types of embedded
content. We’ve developed *dynamic* FPI [0] to mitigate this type of
breakage. Dynamic FPI (dFPI) creates the same storage partitions as
FPI, but has the ability to relax partitioning under certain
conditions. dFPI supports the automated storage access compatibility
heuristics [1] supported by our other cookie policies, as well as the
Storage Access API. These heuristics can mitigate the types of
breakage caused by standard FPI.

# Storage locations and communication channels covered
dFPI partitions all of the same storage and communication channels
that are partitioned by originAttributes in FPI or containers. dFPI
relies on the StoragePrincipal, introduced last April [2], to relax
partitioning for a subset of these APIs. The full set of APIs covered
by the StoragePrincipal are documented here [3].

Note that after storage access is granted dFPI will immediately relax
partitioning for the APIs covered by the StoragePrincipal within an
agent cluster. It will also relax all partitioning (including that not
covered by the StoragePrincipal) for that third-party in future agent
clusters. We’re tracking this in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1630687.

We are also tracking stateful APIs that aren’t currently covered by
first-party isolation in
https://bugzilla.mozilla.org/show_bug.cgi?id=1590107. We welcome new
reports!

# Testing and Website breakage
We’d like to enable dynamic FPI by default on the Nightly channel in
the coming weeks. Before then, it would be great to get early feedback
from you. If you’re willing to help, please enable dFPI using the
following steps:
1. In about:preferences#privacy select “Custom” under Enhanced Tracking Protection
2. For Cookies, select: “Cross-site and social media trackers, and
isolate remaining”

Note: This will log you out of websites that use third-party cookies
for managing login state.

This feature *fundamentally changes* how we approach cross-site state
in Firefox, and it's incredibly important that we learn how
web-compatible the dFPI model is. We are committed to fixing that
breakage whenever possible, and expect to continue to iterate on
dFPI’s design in Nightly.

Please help us by reporting any breakage on bugzilla by blocking the
meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1549587

The types of breakage you may experience are those that rely on
cross-site log-in, payment, online banking, and other features that
use third-party cookies frequently.

Minor site data UI inconsistencies are currently also expected; they
can be found in the meta bug as well.

# Preference
network.cookie.cookieBehavior=5
(BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN [4]) will be set on
Nightly only.

# Other browsers
- Safari has had partitioned storage (with the exception of cookies) for
many years.
- Chrome has documented their storage isolation project [5], which has a
similar goal of isolating stateful APIs.

# FAQ

Q: Does dFPI disable tracking cookie blocking?
A: No, both are enabled under network.cookie.cookieBehavior=5.

Q: How will dFPI impact containers users?
A: dFPI uses a different origin attribute than containers (including
Facebook container), which use userContextId. dFPI should layer on top
of these features, and thus not impact them.

Q: How will dFPI impact FPI users?
A: dFPI uses the same first-party domain origin attribute as FPI. This
means that dFPI will re-use the same isolated cookie jars when layered
over FPI. dFPI currently causes some storage locations to switch to a
_different_ isolated storage jar; this issue is tracked in
https://bugzilla.mozilla.org/show_bug.cgi?id=1630796. Note that
storage access permissions will *not* apply to FPI’s isolated storage,
so we do not weaken the isolation guarantees of FPI.

Q: Will dFPI impact extension storage?
A: No. Similar to FPI, extension storage is exempt from isolation.
See: 
https://searchfox.org/mozilla-central/rev/567b68b8ff4b6d607ba34a6f1926873d21a7b4d7/caps/OriginAttributes.cpp#80-85

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1549587

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy#Storage_access_grants

[2] https://groups.google.com/forum/#!topic/mozilla.dev.platform/b8A8LrQGOYs

[3] https://searchfox.org/mozilla-central/rev/567b68b8ff4b6d607ba34a6f1926873d21a7b4d7/toolkit/components/antitracking/StoragePrincipalHelper.h#13

[4] https://searchfox.org/mozilla-central/rev/567b68b8ff4b6d607ba34a6f1926873d21a7b4d7/netwerk/cookie/nsICookieService.idl#71-82

[5] https://docs.google.com/document/d/1V8sFDCEYTXZmwKa_qWUfTVNAuBcPsu6FC0PhqMD6KKQ/edit


On Mon, Apr 20, 2020 at 5:38 AM Gary Chen <xeonc...@mozilla.com> wrote:
>
> Gary
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
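
The partitioning described in the Summary, and its relaxation after a storage access grant, as a small model. This is an added example, not part of the original message and not Firefox code; the suffix list, the key format, the host names and the assumption that a grant applies to one top-level site / embedded site pair are all constructed for illustration.

```javascript
// Simplified model of dFPI storage keying (added example, not Firefox code).
// Constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

// eTLD+1: the longest known public suffix plus one more label.
function siteOf(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) return labels.slice(i).join(".");
  }
  return host;
}

class DynamicFpiModel {
  constructor() {
    this.jars = new Map();   // storage key -> Map of items
    this.grants = new Set(); // "topSite|embeddedSite" pairs with storage access
  }
  // Key for content from embeddedHost loaded under top-level topHost.
  storageKey(topHost, embeddedHost) {
    const top = siteOf(topHost), emb = siteOf(embeddedHost);
    const unpartitioned = top === emb || this.grants.has(`${top}|${emb}`);
    // Illustrative key format: partitioned third parties carry the top-level eTLD+1.
    return unpartitioned ? embeddedHost : `${embeddedHost}^firstParty=${top}`;
  }
  grantStorageAccess(topHost, embeddedHost) {
    this.grants.add(`${siteOf(topHost)}|${siteOf(embeddedHost)}`);
  }
  setItem(topHost, embeddedHost, name, value) {
    const key = this.storageKey(topHost, embeddedHost);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  getItem(topHost, embeddedHost, name) {
    const jar = this.jars.get(this.storageKey(topHost, embeddedHost));
    return jar && jar.has(name) ? jar.get(name) : null;
  }
}

function demo() {
  const m = new DynamicFpiModel();
  m.setItem("login.social.com", "login.social.com", "uid", "alice"); // first-party visit
  m.setItem("news.org", "login.social.com", "uid", "anon-news");     // embedded, partitioned
  const before = m.getItem("shop.co.uk", "login.social.com", "uid"); // null: separate jar
  m.grantStorageAccess("news.org", "login.social.com");
  const newsAfter = m.getItem("news.org", "login.social.com", "uid");   // "alice"
  const shopAfter = m.getItem("shop.co.uk", "login.social.com", "uid"); // null: no grant here
  return { before, newsAfter, shopAfter };
}
```

In this model the value written under news.org before the grant stays in its partitioned jar; after the grant the embed reads the first-party jar instead, which is why a cross-site login works again on that one site only.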
