Doesn't work with Firefox's privacy.firstparty.isolate = true #75

Closed
nkestrel opened this Issue Jun 30, 2017 · 48 comments


nkestrel commented Jun 30, 2017

With privacy.firstparty.isolate = true the cookie count is always zero and cookies are not deleted despite notification claiming that they were.

Details about the setting:

https://bugzilla.mozilla.org/show_bug.cgi?id=565965

https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

Member

mrdokenny commented Jun 30, 2017

I used that setting before with C-AD months ago, so I'm pretty sure this is a browser bug and Mozilla has to fix it. I'll do some more testing before marking as wontfix/cantfix.

Member

mrdokenny commented Jul 2, 2017

Yep, that setting sure breaks C-AD and this error might be related since it's the only one that appears.

TypeError: parentDocShell.getDocShellEnumerator is not a function[Learn More] tab.js:62:23

So it seems to be a problem with the WebExtension Cookie API with that setting.

Author

nkestrel commented Jul 15, 2017

Upstream Bug 1381197.

Member

mrdokenny commented Jul 15, 2017

@nkestrel Hmm, isn't the problem (at least for C-AD's primary functionality) that browser.cookies.remove() doesn't work?

Related code:
https://github.com/mrdokenny/Cookie-AutoDelete/blob/master/src/services/CleanupService.js#L59

Author

nkestrel commented Jul 16, 2017

I broadened the scope of the bug title, I just found cookies.getAll easier to categorize the failure.


WagnerGMD commented Aug 6, 2017

In fact, I was looking to replace these addons :

But (the addon) CAD (CookieAutoDelete_v 1.4.1) doesn't have these functions (at least not for the moment). And it doesn't seem to work fine...

pref("privacy.firstparty.isolate",true);
Because I checked a few times and no, it doesn't seem to be caused by this setting.
Despite the notification, no, the cookies aren't really removed (by CAD). I'm still able to see them on the page about:preferences#privacy (via the button Show Cookies...) and another reason is that I'm able to remove them with CookieKeeper.

Member

mrdokenny commented Aug 6, 2017

@WagnerGMD Try the troubleshooting steps I posted on the addon page, otherwise make another issue.


Thorin-Oakenpants commented Aug 8, 2017

@WagnerGMD Are you in Private Browsing Mode?


WagnerGMD commented Aug 8, 2017

At the time, I didn't notice the troubleshooting.

pref("network.cookie.lifetimePolicy",2);
pref("network.cookie.cookieBehavior",1);
pref("network.cookie.prefsMigrated",false);

But no, nothing changed once I had reset these settings. And I don't think it's caused by the profile (from scratch a few times and yes, I restarted the browser).

No @Thorin-Oakenpants I don't use it often.

Just to confirm, yes Clear Console is able to remove them (the cookies). And thank you @bendover22 (for the discovery).


bendover22 commented Aug 14, 2017

I can confirm in Fx 54.0.1 Linux, if pref("privacy.firstparty.isolate" = true), then C-AD's toolbar icon shows 0 cookies, when cookies are set. They also don't get deleted when C-AD says.
But when the newer privacy.firstparty.isolate.restrict_opener_access = true, C-AD seemed to work.

An odd thing, C-AD popup showing how many cookies / which domains were deleted, appeared every so often, even when no tabs had been closed recently. Is that expected?


Thorin-Oakenpants commented Aug 14, 2017

Can you double check that @bendover22 , because privacy.firstparty.isolate.restrict_opener_access at true is the harder restriction and false loosens it (for some of cross domain login issues) - see https://bugzilla.mozilla.org/show_bug.cgi?id=1319773#c22


curiosity-seeker commented Aug 14, 2017

I've tried it for FF54 and FF57 Nightly with both privacy.firstparty.isolate and privacy.firstparty.isolate.restrict_opener_access set to true. C-AD reports cookies as being deleted but they are not according to about:preferences#privacy.

EDIT: Setting privacy.firstparty.isolate.restrict_opener_access to false doesn't seem to make a difference.

Member

mrdokenny commented Aug 14, 2017

Is SDC affected by privacy.firstparty.isolate as well?


curiosity-seeker commented Aug 14, 2017

Just tried SDC, and it seems that it is affected, too. In other words this is not necessarily a webextension related problem.


WagnerGMD commented Aug 20, 2017

I didn't understand at the time... So I will just add one reminder: SDC is the acronym for Self-Destructing Cookies. I stopped using it a few months ago because it doesn't work anymore with the latest release of Firefox...

PS: Is there a particular syntax (markdown) for acronyms on GitHub? GitHub can improve the toolbar... That's why, no, I don't have a clue...


bendover22 commented Aug 20, 2017

> Can you double check that @bendover22 , because

Sorry, no. I had to remove C-AD because it allows all sites to set 1st party cookies.
But I checked the pref privacy.firstparty.isolate.restrict_opener_access:true - pretty well while C-AD was installed & "privacy.firstparty.isolate" was false.

FWIW, I understand they're different, legacy addons vs. C-AD, but in Fx 55 with both of these prefs - "privacy.firstparty..." **set = true**, both Cookie Monster 1.3.4.8 & Clear Console 1.13 (by Rejah Rehim) delete cookies just fine. I haven't compared cookie handling methods between these 3 addons. Maybe it's just a problem w/ new Moz cookie APIs. But since Mozilla "based cookie API on Chrome's API," you'd think most bugs would be worked out. Or not.

If Kenny wants me to test out some C-AD changes later (in Fx, Fx ESR, or Tor Browser), I'll be happy to help. I'd probably create a clean profile for testing purposes.

It's possible some other addon gave me different results w/ "privacy.firstparty.isolate.restrict_opener_access" than Thorin, but it's kind of a moot point for me. At least until C-AD can immediately delete cookies (or block), WHEN no cookie exception is stored for a site. If that's not possible or "won't fix," like others are saying - when Fx 57 breaks all legacy addons, I'll probably use an Fx fork that supports them.

Possible that Mozilla poo-pooed in their nest, deciding NOT to allow existing legacy addons to work & just require new ones to use web ext. (when almost NO web ext. replacements are ready).

Since Netscape, millions of users never wanted 1st party cookies allowed by default. It's more of an issue today, because of sites sharing data w/ 3rd parties (not just cookies), and because many sites are owned by the same entity.

Re: https://bugzilla.mozilla.org/show_bug.cgi?id=1319773#c46 - says:

> privacy.firstparty.isolate:true + privacy.firstparty.isolate.restrict_opener_access:true (Tor defaults)

Both prefs are not Tor Browser defaults [not recently].
In TBB 7.0.4, only "privacy.firstparty.isolate:true " is present & default = True (in Linux).

Member

mrdokenny commented Aug 21, 2017

> FWIW, I understand they're different, legacy addons vs. C-AD, but in Fx 55 with both of these prefs - "privacy.firstparty..." **set = true**, both Cookie Monster 1.3.4.8 & Clear Console 1.13 (by Rejah Rehim) delete cookies just fine.

It's possible that Cookie Monster is going through the cookies.sqlite file and deleting the cookies using SQL, since legacy extensions do have access to file storage. The WebExtension APIs are just a way to standardize stuff so that people don't do their own way of "deleting" cookies.

> But since Mozilla "based cookie API on Chrome's API," you'd think most bugs would be worked out. Or not.

Chrome doesn't have first party isolation, so it's pretty much a new case for Mozilla.


Thorin-Oakenpants commented Sep 9, 2017

@mrdokenny <snip name dropping> about FPI locking extensions from handling persistent data (think cookies, dom storage, indexeddb etc) ... and we have some traction: see https://bugzilla.mozilla.org/show_bug.cgi?id=1362834#c30 (The FPI cookie ticket is 1381197 but 1362834 re internal google cookies is where they're talking overall permissions and whatnot). Feel free to chime in on the bugzillas and get what we need - maybe even access to PB Mode cookies (although in future PB mode is expected to use FPI)

Member

mrdokenny commented Sep 9, 2017

@Thorin-Oakenpants Good to hear.

> maybe even access to PB Mode cookies (although in future PB mode is expected to use FPI)

#139 (comment)

Seems like Chrome gives access to PB cookies


gryzor2 commented Sep 11, 2017

So, OK, this happens fundamentally because of a firefox bug.
Anyway, the result is very bad for the user. For months, I've received popups from cookie autodelete which were stating how many cookies it was deleting. In other words, because of this [firefox] bug, the extension was lying to me.

Is it possible to add a test routine, like picking a cookie before it is deleted, and checking after deletion whether it is still present? If the cookie is still present, the extension could warn the user that at least something is wrong (with some RTFM link) instead of popping up "cookies deleted", or at least after popping it up. This would give the user a chance to notice things are wrong. And it would help detect other future similar occurrences of the same problem.

The current state of things, with this firefox bug, is that the user believes to be safe, and isn't. Worst possible state.

My last sentence needs to be : thanks for this great extension.


jingofett commented Nov 2, 2017

Should I just disable privacy.firstparty.isolate ?

mrdokenny added a commit that referenced this issue Jan 7, 2018

Member

mrdokenny commented Jan 7, 2018

I added the fixes necessary for FPI to work in CAD 2.1.0b3 and the latest nightly 59+.

When flipping the FPI setting in about:config, please restart the browser (or just CAD).

The privacy API is requested in order to detect whether the user has enabled FPI.

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/privacy/websites

Feedback is welcome as there are so many interactions between different browser settings and CAD settings that it's impossible to test for everything.


overdodactyl commented Jan 7, 2018

Hi @mrdokenny, thank you for your quick work, it's really appreciated!

I'm running into a problem when trying to delete cookies in FPI. I've tried flipping the FPI flag on/off, restarting, uninstalling and reinstalling CAD.

When trying to delete a cookie, I get this message via the debugging console:

Error: First-Party Isolation is enabled, but the required 'firstPartyDomain' attribute was not set.

I seem to have this same problem in a new profile.

Browser Version: 59.0a1 (2018-01-06) (64-bit)
OS: macOS
CAD Version:2.1.0b3

Let me know if there's anything I can do to help diagnose the issue or if there's more info I can provide.

Thanks again

Member

mrdokenny commented Jan 7, 2018

@overdodactyl

> Error: First-Party Isolation is enabled, but the required 'firstPartyDomain' attribute was not set.

I forgot to add that for the Clear all cookies for this domain. But cookie cleanup should still work.

I'll look into it more.

Edit: Also sometimes the cookie manager in FF doesn't update right away. So are you still seeing notifications that it gets deleted?
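
Two points from this thread, passing `firstPartyDomain` when First-Party Isolation is on and re-checking a cookie after `remove()` before reporting it as deleted, shown as an added example that is not Cookie-AutoDelete's code. `cookieDetails`, `removeAndVerify` and `makeStubCookiesApi` are hypothetical names; the stub is a constructed stand-in for `browser.cookies` so the file runs under Node.

```javascript
// Added example, not Cookie-AutoDelete's code. All names here are hypothetical.

// Build the details object passed to cookies.get() / cookies.remove().
function cookieDetails(cookie, fpiEnabled) {
  const scheme = cookie.secure ? "https://" : "http://";
  const host = cookie.domain.replace(/^\./, ""); // ".example.com" -> "example.com"
  const details = { url: scheme + host + cookie.path, name: cookie.name, storeId: cookie.storeId };
  // With FPI on, the first-party domain is part of the cookie's key and
  // Firefox rejects calls that leave it out.
  if (fpiEnabled) details.firstPartyDomain = cookie.firstPartyDomain;
  return details;
}

// Remove one cookie, then look it up again. Success is reported only when
// the follow-up get() no longer finds it.
async function removeAndVerify(cookiesApi, cookie, fpiEnabled) {
  const details = cookieDetails(cookie, fpiEnabled);
  try {
    await cookiesApi.remove(details);
  } catch (err) {
    return { removed: false, reason: err.message };
  }
  const stillThere = await cookiesApi.get(details);
  if (stillThere) return { removed: false, reason: "cookie still present after remove()" };
  return { removed: true };
}

// Constructed in-memory stand-in for browser.cookies (assumption: it only
// models what this thread describes). `silentFailure` makes remove() resolve
// without deleting anything.
function makeStubCookiesApi(store, fpiEnabled, silentFailure) {
  const same = (c, d) => c.name === d.name && (c.firstPartyDomain || "") === (d.firstPartyDomain || "");
  const check = (d) => {
    if (fpiEnabled && d.firstPartyDomain === undefined) {
      throw new Error("First-Party Isolation is enabled, but the required 'firstPartyDomain' attribute was not set.");
    }
  };
  return {
    async get(d) { check(d); return store.find((c) => same(c, d)) || null; },
    async remove(d) {
      check(d);
      const i = store.findIndex((c) => same(c, d));
      if (i >= 0 && !silentFailure) store.splice(i, 1);
      return i >= 0 ? d : null;
    },
  };
}

// Constructed sample cookie, shaped like a cookies.Cookie object.
const sampleCookie = { name: "sid", domain: ".example.com", path: "/", secure: true,
  storeId: "firefox-default", firstPartyDomain: "example.com" };

removeAndVerify(makeStubCookiesApi([{ ...sampleCookie }], true, true), sampleCookie, true)
  .then((result) => console.log(result));
```

In an extension, `cookiesApi` would be `browser.cookies` and `fpiEnabled` would come from `browser.privacy.websites.firstPartyIsolate.get({})`, the setting the comment above says is requested to detect FPI.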


overdodactyl commented Jan 7, 2018

> But cookie cleanup should still work.

Ah, perfect! That is working for me.

> So are you still seeing notifications that it gets deleted?

I'm not seeing notifications in the first case where the error came up, however I do get them when using the cookie clean up


bluegrover commented Jan 23, 2018

OK, did a brief test in FF59b3 and it seems to be working. When pfi = true is set then CAD does delete cookies (& notifies you), e.g. when closing a tab.


prog-amateur commented Jan 24, 2018

I have received the same error message as @overdodactyl:
Error: First-Party Isolation is enabled, but the required 'firstPartyDomain' attribute was not set.
In https://www.privacytools.io/#about_config , they clearly insist on keeping privacy.firstparty.isolate = true, arguing that this helps prevent tracking across different domains. So I didn't switch FPI off.

My question is :
-> as the bug is solved in Firefox 59 (so we have to wait for it), can I meanwhile use the following countermeasure :

  • keep FPI set to true ?
  • install Temporary Containers web extension ?

Thank you very much for your kind reply.

Member

mrdokenny commented Jan 24, 2018

@prog-amateur The point is that FPI=true will prevent any extension from cleaning cookies. So even with Temporary Containers, they won't get deleted based off this comment.

Member

mrdokenny commented Jan 24, 2018

Also in the new version 2.1.1, CAD will show notifications telling you if you have FPI on only if you have FF 58 since the setting to access the value of FPI is in 58+.


prog-amateur commented Jan 24, 2018

Thank you very much for your quick feedback, in that case, I have disabled FPI.
Does it mean that, after FF 58, I will be able to switch FPI to True AND use CAD?
Thank you !

Member

mrdokenny commented Jan 24, 2018

> Does it mean that, after FF 58, I will be able to switch FPI to True AND use CAD?

Yes.


thiswillbeyourgithub commented Jan 24, 2018

Sorry guys but to be clear, after 58 means 59 and not after 58 is out. Right ?


deepsweet commented Jan 26, 2018

Works just flawlessly for me with 59b3 without any containers and with privacy.firstparty.isolate = true.


jmozmoz commented Jan 30, 2018

For me cookies are not deleted, if firstparty.isolate is true in Firefox 59.0beta4

Member

mrdokenny commented Jan 31, 2018

@jmozmoz Try deleting your cookies and restarting your browser.


jmozmoz commented Jan 31, 2018

> Try deleting your cookies and restarting your browser.

Thank you, this worked.


prog-amateur commented Mar 14, 2018

Hi, I have the same issue with Android version 58.0.2: I get a notification to turn off FPI despite deleting cookies and restarting. Please, could you check?
Thank you very much


cherti commented Mar 14, 2018

@prog-amateur
The relevant fix is included in Firefox 59 onwards. You will have to wait a bit until the 59-release propagated to Android.


prog-amateur commented Mar 15, 2018

@cherti : OK I see, thank you very much for your feedback !

Member

mrdokenny commented Mar 15, 2018

Closing as Firefox 59 is out.

@mrdokenny mrdokenny closed this Mar 15, 2018

anthologist added a commit to anthologist/user.js that referenced this issue Mar 15, 2018

Revert "Added notice for first-party isolation"
Firefox 59 is out and the issue is fixed. Removed the notification to reduce the clutter.
Cookie-AutoDelete/Cookie-AutoDelete#75