Create a cookie exception list

[ryanbr]

Need to create/implement a cookie whitelist, for problematic sites where if we block 3rd-party cookies it causes issues.

Was reported here with udemy.com; #4496

Create a .json of any problematic sites where blocking 3rd party sites can be added, avoiding the need for notifying customers they need to allow all cookes for these specific sites. Similar to the https://github.com/brave/referrer-whitelist but for cookies.

(possibly create 3rd-party device recog list also?).

[ryanbr]

Example of a simple fix for udemy.com;

    {
        "https://www.udemy.com/": [
            "https://*.udemycdn-a.com/*"
        ]
    }

[ryanbr]

Could fix this issue also; #5289

[fmarier]

Looking at the more general problem, it would be nice if we had something like the Mozilla entity list (a lot smaller though) to group related domains together for the purpose of determining third-party'ness in cookie and referrer blocking.

That way, we could just treat udemy.com and udemycdn-a.com as the same thing in both places with a single exception.

[pes10k]

to make sure it doesn't get lost (re @jumde)

https://github.com/brave/brave-core/blob/75128da39b3c6990d1691ad82ec33844435e2d8b/components/content_settings/core/browser/brave_content_settings_pref_provider.cc#L213)

[tomlowenthal]

I just want to confirm that the aim here is to enumerate (small) sets of registerable domains which should be treated as the same for cookie (and perhaps other privacy/storage/shields?) purposes? The title sounds like a global allow-list of sites which should be able to set cookies wherever, but that's not the case, correct?

[pes10k]

There may be two similar-but-different goals here. The main goal is another tool for fine-grain-web-compat fixing, a way to unbreak a site w/o allowing "everything"

The other goal could be to do something like origin sets / disconnect entity-list.

I don't think anyone is suggesting a allow-list of sites which should be able to set cookies :)

[tomlowenthal]

I think this feature is complex enough that someone needs to specify out the details of what this specific issue is for. If needed, we can add another issue for the other thing (which should also be specified in detail).

[pes10k]

Okie, just to make sure we're all on the same page, the goal is to have something like the exception rules defined here https://github.com/brave/brave-core/blob/134798d731d3f0a5ee7e3b471c2f4ab843383a59/common/shield_exceptions.cc

But 1) for cookies, and 2) some place easier to change than C++.

If that sounds possibly-useful on your end, i'll update the issue desc now

[tomlowenthal]

The only things which I think should potentially be updated out-of-sequence in that file are the sites which get a different UA, and that's being resolved elsewhere. Is there a good example of where it makes sense to ignore the Shields cookie setting?

[tomlowenthal]

The ephemeral third-party storage work should fix most of this.

[antonok-edm]

Breakage on Microsoft Teams (#6046) could also be fixed with this.