-
Notifications
You must be signed in to change notification settings - Fork 524
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sanitizing and dFPI use the same site exception [1767271] #1448
Comments
not seeing it - give me actual links I can't see anything on FB because I don;t have an account, but I can load facebook.com and click all items in the footer and get a bunch of fb cookies. And I took a link from there to instagram. Not seeing anything - provide LINKs |
Are you allowing a site exception for facebook in clear cookies + site data? |
Yes to save log in - is there a way to do this without allowing automatic cross site tracking? |
I'll @wisniewskit just FYI, no need to do anything unless you want to confirm that i.e a case of 1767271 I bounced around FB a lot more, got to see a heap of groups and local and services and live feeds and videos and all sorts (nightly with no extensions, sanitized on previous close, no site exceptions for anything, not cookies, not ETP, nada) and got 5 fb cookies (see manage site data: the earlier attempt gave me six) then I took your link, and I'm not seeing anything See 1767271
I was thinking about this just this morning. We currently have The other thing is, one assumes you are using uBO - add some rules to block some of these on third party sites globally. Personally, I have uBO set to block ALL 3p by default, so I'm sweet for my 4 exceptions, of which only github would possible ever be used as third party (and only on SSO login pages) Also see |
hmm ... so is this two edged? If you allow a dFPI exception, does it then refuse to sanitize them? anyway, I'll try remember to add something to #1441 about being selective about dFPI and sanitizing exceptions, but I'm hoping mozilla fix that bug ASAP, so I don;t have to. Personally I think it should be top priority, because rolling out TCP for everyone might benefit the majority, but the UI actually makes this bug/hole very easy to replicate, and like I said elsewhere, imagine the most common dFPI exceptions = the biggest trackers on the internet, so well .. it won't look pretty as a bug AFTER the rollout |
|
A lot of this is whooshing way over my head. Yes I use UBO, no it's not in block and break everything mode. Manually clicking the X on "Allow" doesn't break functionality on the website linked from Facebook, I believe these are purely used for tracking your clicks and thats all - what I can't understand is why they are "allowed" by default with no prompt. I'll ask again: is there a way to save a login (FB or other) without also giving the go ahead to these cross site cookies? |
Oh - toggling this fixes it, mentioned in the other thread.
Cross site Facebook shit not auto allowed any more after clicking above link while logged in to Facebook with site exception to keep log in. |
it does not fix it, it removes the d part of dFPI, and fucks everyone's dFPI exceptions. The solution is the bugzilla |
With all due respect, the bugzilla you linked is 1 comment that doesn't offer any solution? (https://bugzilla.mozilla.org/show_bug.cgi?id=1767271) Do you mean when Mozilla get around to addressing and fixing it? |
with all due respect, it is a BUG and fixing that BUG solves the issue - that's what bug fixing means edit: the number of comments on a bug does not signify anything (severity, priority, type of issue, complexity, etc) - it's meaningless for all intents and purposes |
How do you guys currently recommend to proceed with this problem? I can only see 3 ways: -Renounce to keep cookies. -Cover the error with temporary-containers and multi-account-containers. Very tedious, but safe, right? -Renounce dFPI, use FPI. This has the advantage of being able to manage them with more user-friendly tools such as Cookie-AutoDelete. I find no mention of it having any other notable advantages or disadvantages, but I have misgivings. |
FPI is not supported except for Tor Browser - example, we are not in PB mode and we have service workers which FPI doesn't cover. And if you were using FPI, CAD is still pointless |
Until that bug is fixed perhaps disabling sanitize on shutdown (just the cookies?) is an appropriate workaround? |
And you would need to remove keep cookie + site data exceptions because the site exception is the issue Never sanitizing onShutdown cookies (and sitedata which hand in hand with retaining logins: depends on the login flow) means the 99.99% of sites users don't want to be remembered between sessions, they are Depends on your view of 1st party. dFPI protects from cross-party. Sanitizing per session protects from 1st party. But remember that 1st parties also have 3rd parties isolated to the 1st party. So not sanitizing means that 3rd party gets the 1st party info (IIUIC) The better solution is to be judicious and use containers, until the bug is fixed |
Ah yes forgot to mention that part.
I'm more concerned about cross party myself so I see this as a compromise and not a solution, hopefully the bug can be fixed soon (even though it's labeled as a feature on bugzilla). Thanks for verifying my understanding! |
for those not paying attention, it sounds like this is slated to be addressed Still confuses me how in settings when you open ETP>Exceptions it is blank (for me), but when you open Cookie+SiteData>Exceptions is is populated (for me with 5 entries) . Maybe ETP>Exceptions is something slightly different? |
Also, ETP>Exceptions is getting an |
after reading this documentation I get the impression that ETP exceptions only control the "block trackers" aspect of ETP. I tried to get a better understanding by looking at the source code but in all honesty I couldn't wrap my head around the permissions' code further than below notes:
so:
|
OK, I confused this with dFPI vs ETP ... which are different |
I understand that FPI is now deprecated, but until this is fixed, how would FPI and dFPI work together? |
Lines 1009 to 1012 in b117916
repeat .. enabling FPI disables all network partitioning and TCP |
https://bugzilla.mozilla.org/show_bug.cgi?id=1767271
🟥 https://github.com/arkenfox/user.js/wiki/5.2-Troubleshooting
maywill be closed as invalid🟪 REQUIRED INFO
The text was updated successfully, but these errors were encountered: