RFC: Firefox tracking protection is explicitly deteriorated in cross-site request performed by userscript #1467
Comments
Can you describe the exact steps we should perform? P.S.
I can totally understand the requirement of exact steps to recreate the issue. There is only so much time and attention, and there are other issues that are described in more concrete terms. I can also understand that this is not a common issue or, at least, it's an issue that practically nobody cares about. I want to help. However, I'm not using ViolentMonkey and also don't use any userscripts with cross-site requests. So I didn't observe the reported behavior in everyday usage. It's not theoretical though. But creation of a minimal publicly accessible testbed for a userscript requires controlling and populating three public websites with three different I did observe the documented effect of cookie isolation after enabling first-party isolation and with this knowledge I just wanted to report that bluntly using
Yeah, I knew that. Using But did you note that Firefox doesn't use It can't, because it expects information for conforming with enabled first-party isolation, and
Sorry, I still have no idea what we should be doing here as I'm neither affected nor have ever investigated this cookie thing. Personally, I've just been nuking all cookies automatically for the past 10+ years. You seem knowledgeable, which is why I'm asking for your help. Could we simply extract the url's domain and use it in firstPartyDomain?
I'm not using Violentmonkey, so I'm not affected by this issue either. In using FireMonkey (another userscript manager), I've been hit by the same exception as reported in #746. I've reported an issue to FireMonkey and while investigating a solution a question had been asked: "Is there any other userscript manager or other addon that is implementing a similar feature?" (a feature of computing So I've checked Violentmonkey code and after discovering that Violentmonkey just passes
No, it's not so simple. There are no clearly documented guidelines and direct answers about how exactly an extension should get values of According to point
But this instruction only partially covers the algorithm to compute I've scraped bits of information here and there (results are dumped in the linked FireMonkey issue and in the first post of this issue). Still, I don't know whether I've found and understood enough data to reason about this question and answer it without mistakes. But at this moment, my research is summarized in the following thoughts. You need to ask the user:
There is no API to get all these bits of information within a WebExtension without explicitly asking the user. When no first-party isolation is active, then don't pass nor If When [1] PopulateTopLevelInfoFromURI In that algorithm:
When Total cookie protection is active, don't pass I made an attempt to implement relevant parts of
Since we can't ask this question each time a request is made, we can add a setting in the options, so the users can control the behavior, I guess. Another possibility would be to add
Firefox 100+ / Win7, both x64 As far as I know Also, I've read that FPI enabled together with dFPI enabled may cause problems, hence I disable the latter given the former is enabled: My 2 cents only. I'd like to be able to reproduce what is described in this post but I would need links.
Effect of `privacy.firstparty.isolate`/`privacy.firstparty.isolate.use_site` settings (accessible from `about:config`) is explicitly disabled in cross-site requests made by userscript (`GM_xmlhttpRequest`/`GM.xmlHttpRequest`) when ViolentMonkey calls `browser.cookies.getAll` with argument `{url: <url>, firstPartyDomain: null}`.

With such a call under the hood, userscripts inadvertently leak all (related to `<url>`) third-party cookies in cross-site requests, without respect to user-enabled isolation bounds computed by Firefox from the hostname (scheme, hostname and port when `<...>.use_site` is set) of the URL in the location bar of the tab where the userscript is executed. Therefore, cross-site requests from userscripts allow tracking by a third party and the expected tracking protection is nullified.

Furthermore, Firefox 94 (2021-11-02) added `partitionKey` to the argument of `browser.cookies.getAll`. `partitionKey` is related to "Total cookie protection" (aka "state partitioning", "dynamic first-party isolation", "dFPI"). Total cookie protection is enabled when `network.cookie.cookieBehavior` (or `network.cookie.cookieBehavior.pbmode`, which is used in Private browsing mode) is set to `5`. It's set to `5` when "Enhanced tracking protection" in `about:preferences#privacy` is switched to "Strict".

When `partitionKey` is omitted, cookies are retrieved only from non-partitioned storage. It can allow tracking after switching from non-"Strict" to "Strict" Enhanced tracking protection. But it also completely misses stored third-party cookies when Total cookie protection is enabled.

See also discussion in erosman/support#431 (FireMonkey support repository).
Relevant information:
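The following is an added example, not code from the original issue or from Violentmonkey. It models the difference the issue describes: a `browser.cookies.getAll` query built with `firstPartyDomain: null` versus one that carries the first-party domain (when `privacy.firstparty.isolate` is on) or a `partitionKey` (when `network.cookie.cookieBehavior` is `5`). Since `browser.cookies` is not available outside an extension, the block includes a small constructed model of the matching rules documented for `getAll` (omitted `firstPartyDomain` matches only cookies without one, `null` matches all; omitted `partitionKey` matches only unpartitioned cookies) and runs both queries over a constructed cookie jar. The derivation of `firstPartyDomain` from the top-level hostname follows the issue's description and is a simplification; the `(scheme,host,port)` format used for the `use_site` case is an assumption, as is the `prefs` object shape.

```javascript
// Added example (not Violentmonkey code). Builds the query a userscript manager
// would pass to browser.cookies.getAll() so Firefox's isolation boundaries are
// respected, and models how getAll() filters a cookie jar for each query.

// Assumption: boundary derived from the top-level tab URL. Real code should use
// the registrable domain (Public Suffix List); the hostname is a stand-in here,
// and the (scheme,host,port) format for use_site is an assumption.
function firstPartyDomainFor(topLevelUrl, useSite) {
  const u = new URL(topLevelUrl);
  if (useSite) {
    const scheme = u.protocol.replace(":", "");
    return `(${scheme},${u.hostname}${u.port ? "," + u.port : ""})`;
  }
  return u.hostname;
}

// prefs shape is hypothetical: { firstPartyIsolate, firstPartyIsolateUseSite, cookieBehavior }
function buildCookieQuery(requestUrl, topLevelUrl, prefs) {
  const query = { url: requestUrl };
  if (prefs.firstPartyIsolate) {
    // FPI on: scope the lookup to the tab's first party instead of passing null
    query.firstPartyDomain = firstPartyDomainFor(topLevelUrl, prefs.firstPartyIsolateUseSite);
  }
  if (prefs.cookieBehavior === 5) {
    // Total cookie protection (dFPI): cookies live in the top-level site's partition
    const top = new URL(topLevelUrl);
    query.partitionKey = { topLevelSite: `${top.protocol}//${top.hostname}` };
  }
  return query;
}

// The query the issue reports: null matches cookies of every first party.
function leakyCookieQuery(requestUrl) {
  return { url: requestUrl, firstPartyDomain: null };
}

// Constructed model of getAll() matching (not the browser's implementation):
// - firstPartyDomain omitted -> only cookies with firstPartyDomain ""
// - firstPartyDomain null    -> any firstPartyDomain
// - partitionKey omitted     -> only unpartitioned cookies
// - partitionKey.topLevelSite given -> only that partition
function matchCookies(jar, query) {
  const host = new URL(query.url).hostname;
  return jar.filter((c) => {
    if (c.domain !== host) return false;
    if (!("firstPartyDomain" in query)) {
      if (c.firstPartyDomain !== "") return false;
    } else if (query.firstPartyDomain !== null && c.firstPartyDomain !== query.firstPartyDomain) {
      return false;
    }
    const partition = c.partitionKey ? c.partitionKey.topLevelSite : undefined;
    if (query.partitionKey === undefined) {
      if (partition !== undefined) return false;
    } else if (query.partitionKey.topLevelSite !== undefined &&
               partition !== query.partitionKey.topLevelSite) {
      return false;
    }
    return true;
  });
}

// Constructed jar: the same tracker cookie name stored under different
// first parties / partitions, as Firefox would keep them apart.
const JAR = [
  { name: "tid", value: "A", domain: "tracker.example", firstPartyDomain: "site-a.example" },
  { name: "tid", value: "B", domain: "tracker.example", firstPartyDomain: "site-b.example" },
  { name: "tid", value: "C", domain: "tracker.example", firstPartyDomain: "",
    partitionKey: { topLevelSite: "https://site-a.example" } },
  { name: "tid", value: "D", domain: "tracker.example", firstPartyDomain: "" },
];

const values = (cookies) => cookies.map((c) => c.value);

function demo() {
  const req = "https://tracker.example/pixel";
  const tab = "https://site-a.example/page";
  return {
    leaky: values(matchCookies(JAR, leakyCookieQuery(req))),
    fpi: values(matchCookies(JAR, buildCookieQuery(req, tab,
      { firstPartyIsolate: true, firstPartyIsolateUseSite: false, cookieBehavior: 4 }))),
    dfpi: values(matchCookies(JAR, buildCookieQuery(req, tab,
      { firstPartyIsolate: false, firstPartyIsolateUseSite: false, cookieBehavior: 5 }))),
    none: values(matchCookies(JAR, buildCookieQuery(req, tab,
      { firstPartyIsolate: false, firstPartyIsolateUseSite: false, cookieBehavior: 4 }))),
  };
}

console.log(demo());
```

With the isolation-aware query the lookup from a tab on `site-a.example` returns only the cookie stored under that first party (or that partition), while the `firstPartyDomain: null` query returns the cookies stored under every first party, which is the leak the issue describes.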