privacy-tech-lab / gpc-optmeowt

Privacy browser extension for opting out from web tracking via GPC
https://www.privacytechlab.org
MIT License

Investigate Github logout bug (rethink cookie functionality) #443

Closed OliverWang13 closed 8 months ago

OliverWang13 commented 9 months ago

Currently, @Jocelyn0830 has experienced a bug where opting into sale logs you out of GitHub. I will look into it. I suspect it's an issue with how we delete cookies when opting back into a site. If not, I'll investigate other avenues.

OliverWang13 commented 9 months ago

I tested this and it is exactly as I suspected. I can try and see whether we can only delete cookies that we have placed but I am not sure if this approach makes complete sense. For every site, our extension sets 1 or 2 cookies: a US privacy string cookie and potentially one of the cookies that gets set during the installation of the extension.

If we were to delete the US privacy string cookie, we also run the risk of deleting the site's own US privacy string cookie. Either way, the US privacy string is heading towards deprecation, so should we continue to place this cookie in the first place? If we choose this path, we could remove the US privacy string cookie functionality and keep our cookies on install.

Another possible approach would be to remove all of our cookie functionality overall (US privacy string cookie and the cookies placed on installation).

With whatever solution we choose, this bug is fairly simple to fix.

SebastianZimmeck commented 9 months ago

The issue may be related to the US Privacy String cookies and/or the DAA/IAB opt out cookies (per the Appendix of our paper), the latter of which we place upon the initial install of OptMeowt. Before changing anything US Privacy String-related, let's check the DAA/IAB cookies first.

Especially, @katehausladen may know, even if the US Privacy String cookies are deprecated, there may be GPP cookies (which include, among others, the new US Privacy String equivalent). So, it may not be possible to remove US Privacy String/GPP cookie functionality (completely).

OliverWang13 commented 9 months ago

Sorry, perhaps I should explain in further detail. Currently, we have a function called deleteCookiesForGivenDomain that is triggered whenever a user opts in to a site (uses the popup toggle to stop sending the GPC signal). This function deletes every cookie that is associated with the domain that is being toggled. When a user opts in to sale on GitHub, it deletes all of the session cookies and logs the user out. The question here is how to change deleteCookiesForGivenDomain to keep this from occurring.

The first thought I had was to only delete the cookies that we were setting ourselves. Now that I have thought about it a little bit more, I am thinking that we could change the US privacy string value from 1NYN to 1NNN, which would effectively opt the user into sales. Then, if we are going to continue setting DAA/IAB cookies, we could check to see whether the domain is on the list and then remove that specific cookie. For that to work, we would also need to re-add that cookie when opting out on one of those sites again.

SebastianZimmeck commented 9 months ago

Thanks for the explanation!

> The first thought I had was to only delete the cookies that we were setting ourselves. Now that I have thought about it a little bit more, I am thinking that we could change the US privacy string value from 1NYN to 1NNN

Yes, these two measures strike me as good ideas: (1) We should know which opt out cookies we set ourselves and, thus, should also be able to identify and remove them. (2) The US Privacy String cookie we can, indeed, just (re-)write. (We do not even need to know what its value was before or if the site has such a string. We can just write it.)

OliverWang13 commented 8 months ago

This should be resolved.
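
The two measures agreed on in the thread, sketched as an added example that is not OptMeowt's code or the fix that was merged: on opt-in, remove only the opt-out cookies the extension placed and overwrite the US Privacy String with 1NNN, leaving session cookies alone; on opt-out, put both back. The `PLACED_OPT_OUT` registry, the `usprivacy` cookie name, the function names and the sample cookie jars are assumptions.

```javascript
// Added example, not OptMeowt code. The planning logic is pure, so it runs in Node.

// Hypothetical registry of opt-out cookies the extension placed at install,
// keyed by cookie domain. Domains and names are constructed placeholders.
const PLACED_OPT_OUT = {
  "adnetwork.example": [{ name: "optout", value: "1" }],
};
const US_PRIVACY = "usprivacy"; // assumed cookie name for the US Privacy String

// Cookie domains may carry a leading dot; compare without it.
const bare = (d) => d.replace(/^\./, "").toLowerCase();

// Opt in: remove only cookies we placed, overwrite the US Privacy String,
// and leave everything else (for example session cookies) alone.
function planOptIn(domain, cookies) {
  const ours = new Set((PLACED_OPT_OUT[bare(domain)] || []).map((c) => c.name));
  const onDomain = cookies.filter((c) => bare(c.domain) === bare(domain));
  return {
    remove: onDomain.filter((c) => ours.has(c.name)).map((c) => c.name),
    set: [{ name: US_PRIVACY, value: "1NNN" }], // written without reading the old value
    untouched: onDomain
      .filter((c) => !ours.has(c.name) && c.name !== US_PRIVACY)
      .map((c) => c.name),
  };
}

// Opt out again: re-add the cookies removed above and restore 1NYN.
function planOptOut(domain) {
  const placed = PLACED_OPT_OUT[bare(domain)] || [];
  return { remove: [], set: [...placed, { name: US_PRIVACY, value: "1NYN" }] };
}

// Apply a plan with the chrome.cookies extension API (defined only, not called here).
async function applyPlan(domain, plan) {
  const url = `https://${bare(domain)}/`;
  for (const name of plan.remove) await chrome.cookies.remove({ url, name });
  for (const { name, value } of plan.set) await chrome.cookies.set({ url, name, value });
}

// Constructed sample cookie jars.
const githubJar = [
  { domain: "github.com", name: "session", value: "constructed" },
  { domain: ".github.com", name: "usprivacy", value: "1NYN" },
];
const adJar = [{ domain: ".adnetwork.example", name: "optout", value: "1" }];
```
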