Privacy/Features/Per-Site Third-Party Cookie Setting
Status
Per-Site Third-Party Cookie Setting | |
Stage | Landed |
Status | Complete |
Release target | Firefox 18 |
Health | OK |
Status note | ` |
Team
Product manager | ` |
Directly Responsible Individual | Monica Chew |
Lead engineer | ` |
Security lead | Curtis Koenig |
Privacy lead | Sid Stamm |
Localization lead | ` |
Accessibility lead | ` |
QA lead | Ioana Budnar |
UX lead | ` |
Product marketing lead | ` |
Operations lead | ` |
Additional members | ` |
Open issues/risks
`
Stage 1: Definition
1. Feature overview
It would be nice to allow users to control third-party cookie sending on a per-site basis. This way users can more granularly manage trust for sites that cookie them.
2. Users & use cases
- I trust the entire web by default, but distrust evilTrackingCompany.com (who shows ads on sites). I want to disable sending them cookies in a third party context, but not lose that functionality on the entire web.
- I don't like the idea of third party cookies, but want facebook connect to provide context when I visit sites. I would like to allow third party cookie-sending for facebook.com, but not for other web sites.
3. Dependencies
`
4. Requirements
- Plumbing for per-site third-party cookie preference. Right now we have a global preference, but not a way to dictate third-party behavior per site.
- User interface tweak so that these settings are available in about:permissions
- This must interact predictably with the global third-party cookie preference; if a user stores a site-specific preference for third-party cookies, any global preference for this is overridden. (Users can specify a global "allow" or "deny" by default, and then per-site state exceptions to that rule.)
Non-goals
- This is not cookie double-keying.
- This does not dictate default behavior (e.g., changing the default to turn off all third party cookies).
Stage 2: Design
5. Functional specification
`
6. User experience design
- This project is focused on laying the foundation for per-site third party cookies and the ability to adjust settings in about:permissions.
- Some ideas on how to make these settings easier for users to manage are listed here: https://wiki.mozilla.org/Privacy/Features/Per-Site_Third-Party_Cookie_Setting/Brainstorm_UX
Stage 3: Planning
7. Implementation plan
- Add new consts to nsICookiePermission (bug 770691)
  - nsICookiePermission::ALLOW_THIRD_PARTY, DENY_THIRD_PARTY
- Edit nsCookiePermission::CanSetCookie, CanAccess:
  - http://mxr.mozilla.org/mozilla-central/source/extensions/cookie/nsCookiePermission.cpp#193
  - Change the signature, add bool *aAllowThirdParty
  - check for this result in switch stmt: http://mxr.mozilla.org/mozilla-central/source/extensions/cookie/nsCookiePermission.cpp#210
    - check to see if aCookie.host != aURI.host - this will indicate that we have a 3rd party cookie
    - if so and DENY_THIRD_PARTY is true, set aResult to false
    - if so and ALLOW_THIRD_PARTY is true, set aResult to true
  - CanAccess: http://mxr.mozilla.org/mozilla-central/source/extensions/cookie/nsCookiePermission.cpp#149
    - Does CanAccess NEED to provide aChannel now? see comment: http://mxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3082
  - nsCookieService::SetCookieInternal will pick up the new functionality ( http://mxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#2496 )
    - when it calls CanSetCookie: http://mxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#2575
- Edit nsCookieService::CheckPrefs
  - We call CanAccess with nsnull for the aChannel: http://mxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3084
- UI: bug 770705
  - about:permissions, add 'Set 3rd Party Cookies' (o) Allow (o) Deny
  - This consumes the nsCookiePermissions API to add or remove new domain flags
- Testing
  - A thorough battery of tests will be required to prove the API changes are correct
- Additional Research
  - Determine the UX for Firefox Mobile, B2G - there is no about:permissions on any mobile release target
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
This probably involves adding a constant to nsICookiePermission.idl to state whether or not third party cookies are allowed for the specified origin. Probably also involves tweaking nsCookieService.cpp to check for both the global and origin-specific third party cookie permissions (see line 3122 of that file).
Relevant: bug 564877 - allow cookies but do not transmit in third-party context. We could probably improve upon this to block setting in third-party context too (not deleting them, but just not modifying or reading from the origin's cookie jar in a third party context).
Cookie behavior
The 3rd party per-site rules should be checked for and applied as an override to any global settings.
- 3rd Party Cookie Global DENY & foo.com 3rd party cookie ALLOW
  - A page at baz.com gets/sets bar.com 3rd party cookie: DENY
  - A page at baz.com gets/sets foo.com 3rd party cookie: ALLOW
- 3rd Party Cookie Global ALLOW & foo.com 3rd party cookie DENY
  - A page at baz.com gets/sets foo.com 3rd party cookie: DENY
  - A page at baz.com gets/sets bar.com 3rd party cookie: ALLOW
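The override rules above and the CanSetCookie check sketched in the implementation plan (host mismatch means third party; a stored per-site ALLOW/DENY beats the global preference) can be modelled in a few lines. The following is an added example written for this page, not Mozilla code: `ThirdPartyPermission`, `CookiePolicy`, `MakePolicy` and `CanAccessCookie` are hypothetical names standing in for nsICookiePermission::ALLOW_THIRD_PARTY / DENY_THIRD_PARTY and the nsCookiePermission logic, and the four scenarios in `main` are the ones listed under "Cookie behavior".

```cpp
#include <iostream>
#include <map>
#include <string>

// Added example, not Mozilla code. ThirdPartyPermission stands in for the
// proposed nsICookiePermission::ALLOW_THIRD_PARTY / DENY_THIRD_PARTY values;
// CookiePolicy, MakePolicy and CanAccessCookie are hypothetical names.
enum class ThirdPartyPermission { Allow, Deny };

struct CookiePolicy {
  // The existing global third-party cookie preference (true = allow).
  bool globalAllowThirdParty;
  // Per-site exceptions keyed by the cookie's host, as set from about:permissions.
  std::map<std::string, ThirdPartyPermission> perSite;
};

// Build a policy with one global default and one per-site exception.
CookiePolicy MakePolicy(bool globalAllow, const std::string& site,
                        ThirdPartyPermission perm) {
  CookiePolicy policy;
  policy.globalAllowThirdParty = globalAllow;
  policy.perSite[site] = perm;
  return policy;
}

// Mirrors the plan's check: a cookie whose host differs from the page's host
// is third-party. A per-site exception overrides the global setting; a
// first-party cookie is never affected by this feature.
bool CanAccessCookie(const CookiePolicy& policy, const std::string& pageHost,
                     const std::string& cookieHost) {
  if (pageHost == cookieHost) {
    return true;  // first-party context: out of scope for this feature
  }
  auto it = policy.perSite.find(cookieHost);
  if (it != policy.perSite.end()) {
    return it->second == ThirdPartyPermission::Allow;  // per-site override wins
  }
  return policy.globalAllowThirdParty;  // otherwise fall back to the global pref
}

int main() {
  // The two configurations from the "Cookie behavior" section.
  const CookiePolicy globalDenyFooAllow =
      MakePolicy(false, "foo.com", ThirdPartyPermission::Allow);
  const CookiePolicy globalAllowFooDeny =
      MakePolicy(true, "foo.com", ThirdPartyPermission::Deny);
  const char* hosts[] = {"bar.com", "foo.com"};
  for (const char* host : hosts) {
    std::cout << "global DENY, foo.com ALLOW: page baz.com, cookie " << host
              << ": " << (CanAccessCookie(globalDenyFooAllow, "baz.com", host) ? "ALLOW" : "DENY")
              << "\n";
    std::cout << "global ALLOW, foo.com DENY: page baz.com, cookie " << host
              << ": " << (CanAccessCookie(globalAllowFooDeny, "baz.com", host) ? "ALLOW" : "DENY")
              << "\n";
  }
  return 0;
}
```

One caveat worth keeping in mind when turning this into real tests: the exact host comparison the plan sketches treats www.foo.com and foo.com as different parties, so a production check would compare registrable domains rather than raw hosts, and the test battery should include subdomain cases for both the ALLOW and DENY exception.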
Stage 5: Release
10. Landing criteria
`
Feature details
Priority | P1 |
Rank | 3 |
Theme / Goal | Tracking Control |
Roadmap | Privacy |
Secondary roadmap | ` |
Feature list | Platform |
Project | ` |
Engineering team | Privacy |
Team status notes
| status | notes |
Products | ` | ` |
Engineering | ` | ` |
Security | sec-review-needed | 1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%); |
Privacy | ` | ` |
Localization | ` | ` |
Accessibility | ` | ` |
Quality assurance | Signed off | Test Plan |
User experience | ` | ` |
Product marketing | ` | ` |
Operations | ` | ` |
ID | Summary | Priority | Status |
---|---|---|---|
807469 | SecReview: atus Per-Site Third-Party Cookie Setting | -- | RESOLVED |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);