Cross-site cookies still allowed despite ETP #1449
Comments
Duplicate of #1448
Well spotted, @EdwardLangdon. So the conclusion is... deny/revoke access manually until changes are made in FF102 (as per @Thorin-Oakenpants' comments in #1441)?
Lines 773 to 779 in ea139e3
I am still not clear about the discussion, need to look later. rusty-snake, can you explain?
Everything is working as intended. Webcompat is enabled by default because pants wants this: less breakage for users, fewer unnecessary reports about broken sites.
Not sure I'm well-versed enough. But what would it take for these cross-site permissions to be requested instead of just accepted (in the cases where they are accepted)?
If you want a request dialog like the one for geolocation, you need to open a ticket in Mozilla's bug tracker.
So far all of these websites are working as intended with this option off, which begs the question: what is it "fixing" by allowing cross-site cookies by default?
Not a duplicate if the user hasn't added a site exception for ETP or sanitizing.
My understanding was that nothing is allowed unless user-initiated. And we allow compat because without it you can't use the d in dFPI or benefit from the shims.
I did try, from memory, to work out what automatic grants were, IDK, so much F shit for me to always answer and read and learn about.
Indeed, no exceptions had been made for the websites where these cross-site cookies are found to be allowed. From a link in the discussion of #1448, I see the following (taken from the FF Help website):
If I get this right, then this whole thing is not a bug, but just the very design of dFPI, and there isn't much one can do apart from ditching dFPI entirely. Is that right? I guess it just feels like the heuristics work in mysterious ways, as I remain quite unsure as to how/why DuckDuckGo needs to connect to Apple support for an important functionality...
For the record, I couldn't reproduce this; even uBO shows no Apple script or anything.
This thing even happens when I use Startpage Anonymous View (sometimes).
Just wanted to confirm this as well, it's happened to me, albeit with a different website. I have a cookie exception for DuckDuckGo for settings, but it still happens when I remove the exception, save changes, and restart. I confirmed that cookies were removed since the theme went from dark to light in DDG. I don't really know how to reproduce this reliably, but will try in another profile.
So, duplicate of #1448.
FWIW I run into this issue even though I don't have a cookie exception for DuckDuckGo. The sites listed seem to be sites I have visited from search results, and it doesn't happen consistently; I notice it randomly and have to clear the permissions every time.
I cannot reproduce this yet with my config, but I did see it on other devices. To remind you all, there is Opener Heuristics. If you click on the … but if you click on the …
I don't have any overrides regarding cookies/storage/webcompat so no idea why some people can reproduce it and others can't.
Yes, I linked to it here: #1448 (comment). The reason it's confusing is that there's theoretically no reason why DDG would need those permissions, especially without exceptions.
This is good information. I can only reproduce it on DDG as far as I can tell, so I have no doubt that they are doing something weird. Their privacy policy does mention using local storage and tracking clicks for anonymous analytics purposes, so that may have something to do with it. It may be possible to confirm this by browsing the HTML version of their site for a while and seeing if the problem persists.
How should Firefox know this? It uses a heuristic.
It does not understand what the code does or needs; it just detects patterns which indicate that it might need these permissions.
I also saw it on other sites but can't remember which. However, if DDG is your primary search engine, you use it a lot and open a lot of third-party links from it, so it is expected to see it there more often. Also, it may depend on the code of the site you open? IDK.
Found some STR:
And indeed it's Opener Heuristics (turning it off breaks this STR).
I was able to reproduce this every time using the steps by rusty-snake. Are there any downsides to disabling Opener Heuristics?
Broken SSO login for some services and other potential cross-site authentication problems.
Hi,
I started using Arkenfox a while back with a new profile, so a clean slate in terms of permissions. I have made overrides, but nothing relating to cookies. Given this, I assume my browser's behaviour regarding cookies directly derives from the user.js.
As expected, Enhanced Tracking Protection is set to strict, which should block all cross-site cookies.
Despite this, I noticed that, on some websites, some cross-site cookies are actually approved -- with permissions that I clearly did not give. For instance, duckduckgo.com authorises cross-site cookies for support.apple.com (see attached image). In some cases, the "third party" website indicated in the permission window is the same as the website I'm on -- which means it should not be considered cross-site, and yet it is labelled as such.
Is this normal? Am I missing something?
Dan