Privacy/Features/Per-Site Third-Party Cookie Setting
|Per-Site Third-Party Cookie Setting|
|Release target|Firefox 18|
|Directly Responsible Individual|Monica Chew|
|Security lead|Curtis Koenig|
|Privacy lead|Sid Stamm|
|QA lead|Ioana Budnar|
|Product marketing lead||
Stage 1: Definition
1. Feature overview
Allow users to control third-party cookie sending on a per-site basis, so that they can manage trust more granularly for the sites that set cookies on them.
2. Users & use cases
- I trust the entire web by default, but distrust evilTrackingCompany.com (which shows ads on sites). I want to stop sending it cookies in a third-party context without losing that functionality on the rest of the web.
- I don't like the idea of third-party cookies, but I want Facebook Connect to provide context when I visit sites. I would like to allow third-party cookie sending for facebook.com, but not for other web sites.
- Plumbing for per-site third-party cookie preference. Right now we have a global preference, but not a way to dictate third-party behavior per site.
- User interface tweak so that these settings are available in about:permissions
- This must interact predictably with the global third-party cookie preference; if a user stores a site-specific preference for third-party cookies, any global preference for this is overridden. (Users can specify a global "allow" or "deny" by default, and then per-site state exceptions to that rule.)
- This is not cookie double-keying.
- This does not dictate default behavior (e.g., changing the default to turn off all third-party cookies).
Stage 2: Design
5. Functional specification
6. User experience design
- This project is focused on laying the foundation for per-site third party cookies and the ability to adjust settings in about:permissions.
- Some ideas on how to make these settings easier for users to manage are listed here: https://wiki.mozilla.org/Privacy/Features/Per-Site_Third-Party_Cookie_Setting/Brainstorm_UX
Stage 3: Planning
7. Implementation plan
- Add new consts to nsICookiePermission (bug 770691)
  - nsICookiePermission::ALLOW_THIRD_PARTY, DENY_THIRD_PARTY
- Edit nsCookiePermission::CanSetCookie and CanAccess:
  - Change the signature, add bool *aAllowThirdParty
  - Check for this result in the switch statement: http://mxr.mozilla.org/mozilla-central/source/extensions/cookie/nsCookiePermission.cpp#210
  - Check whether aCookie.host != aURI.host; this indicates that we have a third-party cookie
    - If so and DENY_THIRD_PARTY is set, set aResult to false
    - If so and ALLOW_THIRD_PARTY is set, set aResult to true
  - CanAccess: http://mxr.mozilla.org/mozilla-central/source/extensions/cookie/nsCookiePermission.cpp#149
    - Does CanAccess NEED to provide aChannel now? See comment: http://mxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3082
  - nsCookieService::SetCookieInternal will pick up the new functionality (http://mxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#2496) when it calls CanSetCookie: http://mxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#2575
- Edit nsCookieService::CheckPrefs
  - We call CanAccess with nsnull for the aChannel: http://mxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3084
- UI: bug 770705
  - about:permissions: add 'Set 3rd Party Cookies' (o) Allow (o) Deny
  - This consumes the nsCookiePermissions API to add or remove the new domain flags
- A thorough battery of tests will be required to prove the API changes are correct
- Additional research
  - Determine the UX for Firefox Mobile and B2G; there is no about:permissions on any mobile release target
Quality Assurance review
Stage 4: Development
This probably involves adding a constant to nsICookiePermission.idl to state whether or not third party cookies are allowed for the specified origin. Probably also involves tweaking nsCookieService.cpp to check for both the global and origin-specific third party cookie permissions (see line 3122 of that file).
Relevant: bug 564877 - allow cookies but do not transmit in third-party context. We could probably improve upon this to block setting in third-party context too (not deleting them, but just not modifying or reading from the origin's cookie jar in a third party context).
The third-party per-site rules should be checked for and applied as an override to any global setting:
- Global third-party cookie DENY and foo.com third-party cookie ALLOW:
  - A page at baz.com gets/sets a bar.com third-party cookie: DENY
  - A page at baz.com gets/sets a foo.com third-party cookie: ALLOW
- Global third-party cookie ALLOW and foo.com third-party cookie DENY:
  - A page at baz.com gets/sets a foo.com third-party cookie: DENY
  - A page at baz.com gets/sets a bar.com third-party cookie: ALLOW
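The override rules above and the CanSetCookie/CanAccess logic from the implementation plan, modelled as an added example that is not Gecko code: a per-site ALLOW_THIRD_PARTY or DENY_THIRD_PARTY entry for the cookie host wins, and only when no entry exists does the global preference apply. The plain host comparison stands in for Gecko's real third-party determination, and the enum values are placeholders chosen here.

```cpp
// Added example, not Gecko code. Models the per-site third-party cookie
// decision described on this page: a per-site exception for the cookie host
// overrides the global third-party cookie preference.
#include <map>
#include <string>

// Names follow the proposed nsICookiePermission constants; the numeric
// values are placeholders chosen for this example.
enum CookiePermission { UNKNOWN_ACTION = 0, ALLOW_THIRD_PARTY = 1, DENY_THIRD_PARTY = 2 };

struct CookiePolicy {
    bool globalAllowThirdParty;                       // the existing global pref
    std::map<std::string, CookiePermission> perSite;  // keyed by cookie host
};

// Simplified stand-in for Gecko's check (assumption): the cookie is
// third-party when the cookie host differs from the visited page's host.
bool IsThirdParty(const std::string& pageHost, const std::string& cookieHost) {
    return pageHost != cookieHost;
}

// Returns true if the cookie may be read or set in this context.
bool CanAccessCookie(const CookiePolicy& policy,
                     const std::string& pageHost,
                     const std::string& cookieHost) {
    if (!IsThirdParty(pageHost, cookieHost)) {
        return true;  // first-party access is not governed by this feature
    }
    auto it = policy.perSite.find(cookieHost);
    if (it != policy.perSite.end()) {
        switch (it->second) {
            case ALLOW_THIRD_PARTY: return true;   // per-site exception wins
            case DENY_THIRD_PARTY:  return false;  // per-site exception wins
            default: break;                        // no usable entry; fall through
        }
    }
    return policy.globalAllowThirdParty;  // otherwise the global pref decides
}
```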
Stage 5: Release
10. Landing criteria
|Theme / Goal|Tracking Control|
Team status notes
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);
|Quality assurance|Signed off|Test Plan|