We intend to remove support for two legacy cookie behaviors in Firefox:

* cookieBehavior=3 (|BEHAVIOR_LIMIT_FOREIGN|): Allows third-party
  cookies only if the eTLD+1 already has at least one cookie set in a
  first-party context. Replacement: cookieBehavior=1
  (|BEHAVIOR_REJECT_FOREIGN|), combined with setting cookie
  permissions for sites that need third-party cookie access.
* cookieBehavior=4 (|BEHAVIOR_REJECT_TRACKER|): Blocks cookies from
  domains classified as trackers. Replacement: cookieBehavior=5
  (|BEHAVIOR_PARTITION_FOREIGN|) for most users (see FPI note below).

Modes 3 and 4 predate cookie partitioning and have two fundamental
weaknesses:

* Neither mode partitions cookies, enabling cross-site tracking.
* Mode 4 depends entirely on tracker classification lists.

Firefox's default cookieBehavior is 5 (|BEHAVIOR_PARTITION_FOREIGN|),
also known as Total Cookie Protection (TCP) or dynamic First-Party
Isolation (dFPI). Mode 5 directly supersedes mode 4.

*Prefs*: |network.cookie.cookieBehavior| and
|network.cookie.cookieBehavior.pbmode|

*Relation to FPI*: First-Party Isolation (unsupported in Firefox,
enabled via |privacy.firstparty.isolate|) is one current use case for
cookieBehavior=4. FPI is incompatible with dFPI (cookieBehavior=5). The
replacement for FPI users is cookieBehavior=1
(|BEHAVIOR_REJECT_FOREIGN|), which matches the behavior of Tor Browser,
or cookieBehavior=0 (|BEHAVIOR_ALLOW|) to match the current third-party
cookie behavior of mode 4 for non-tracker sites.

*Usage* (release channel): modes 3 and 4 together cover ~1.3% of users.
Mode 4 accounts for 1.229%, mode 3 for 0.070% while mode 5 accounts for
98.1%.

The unshipping plan has multiple stages:

* *Fx153*: Hide the deprecated cookie behaviors from settings if
  currently not enabled (Bug 2040361 <https://bugzil.la/2040361>, Bug
  2043563 <https://bugzil.la/2043563>).
* *Future* (Bug 2039953 <https://bugzil.la/2039953>), uncertain target
  date, not before *Fx155* to allow concerns to be raised: Remove
  cookieBehavior 3 and 4 from the code and migrate remaining users to
  appropriate replacements. This will also affect the extensions API
  (Bug 2040431 <https://bugzil.la/2040431>).
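
For administrators who want to find profiles still pinned to the deprecated modes, the following is an added example, not part of the original message and not Firefox's migration code. It scans prefs.js/user.js text for the two prefs named above and reports the replacement values the message lists; the function names, the suggestion mapping and the sample input are assumptions of the example.

```python
import re

# Modes the message deprecates. The suggestions in audit() mirror the
# replacements it names; they are an assumption, not Firefox's migration logic.
DEPRECATED = {3: "BEHAVIOR_LIMIT_FOREIGN", 4: "BEHAVIOR_REJECT_TRACKER"}
COOKIE_PREFS = ("network.cookie.cookieBehavior",
                "network.cookie.cookieBehavior.pbmode")
FPI_PREF = "privacy.firstparty.isolate"
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample input, not taken from a real profile.
SAMPLE = """\
// constructed sample
user_pref("network.cookie.cookieBehavior", 4);
user_pref("network.cookie.cookieBehavior.pbmode", 3);
user_pref("privacy.firstparty.isolate", true);
"""

def parse_prefs(text):
    """Return {name: value} for integer and boolean prefs; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, malformed entries
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
    return prefs

def audit(text):
    """Return [(pref, deprecated value, [candidate replacement values])]."""
    prefs = parse_prefs(text)
    fpi = prefs.get(FPI_PREF) is True
    findings = []
    for name in COOKIE_PREFS:
        value = prefs.get(name)
        if value not in DEPRECATED:
            continue
        if value == 3:
            suggestion = [1]     # plus per-site cookie permissions
        elif fpi:
            suggestion = [1, 0]  # mode 5 is incompatible with FPI
        else:
            suggestion = [5]
        findings.append((name, value, suggestion))
    return findings
```
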