Hi everyone,

This is a (belated) intent to implement, as well as an intent to ship, a new cookie jar policy to block storage access to tracking resources. This work has been under development for several months now and has been tracked in https://bugzilla.mozilla.org/show_bug.cgi?id=cookierestrictions.

As of Firefox 65, I intend to turn on our new cookie jar policy to block storage access from tracking resources by default on all desktop platforms (assuming our testing goes well). This feature has been developed behind the network.cookie.cookieBehavior preference (when set to 4). No other UA is shipping this feature, although Safari 12 ships a somewhat similar feature (https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/).

Bug to turn on by default: https://bugzilla.mozilla.org/show_bug.cgi?id=1492549

Please note that this feature uses the Disconnect list in order to identify tracking resources, so it is not going to have any effect if you have Tracking Protection turned on, or if you have installed a privacy extension and/or an ad blocker (examples include Privacy Badger, uBlock Origin and Ghostery). If you are a Nightly tester using such a feature, it would be hugely helpful to us in the next few months if you would kindly consider disabling such features and just use the default configuration of Nightly, as this is what we are intending to ship to all our users soon.

If you encounter any web page breakage as a result of testing this feature, please consider filing a bug and making it block https://bugzilla.mozilla.org/show_bug.cgi?id=1480137.

Since this isn’t a typical web feature, the standard “intent to implement” template isn’t really helpful for it, but here is some of the information surfaced from that template that applies to this feature:

Platform coverage: the Gecko part is cross-platform, but the UI for the feature has been developed on desktop for now, so we’re planning to enable it on desktop at the moment.

Estimated or target release: Firefox 65. Please note that this feature is currently undergoing a Shield Study on Beta 63, and the estimated target release is assuming the successful outcome of that study and the continued ongoing testing of the feature.

DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1462372

Is this feature restricted to secure contexts? No, it doesn’t distinguish secure vs. non-secure contexts. This isn’t a new web-facing API, rather it is intended to be a new privacy protection for our users. As such, we intend to impose the new restrictions for tracking resources on both secure and non-secure contexts. It should be noted that some non-secure tracking vectors, e.g. HTTP cookies, can also be used for pervasive tracking by passively monitoring the user’s connection, and while cracking down on passive tracking isn’t a direct goal of this feature, it is a good justification for not limiting these restrictions to secure contexts.

Last but not least, in preparation for this intent to ship, we’ll be gradually exposing more users to the feature. The first part of this has already been done in the form of the Shield Study mentioned above. As the second part of this process, I intend to turn this feature on by default on all desktop platforms for Nightly only in https://bugzilla.mozilla.org/show_bug.cgi?id=1492563.

Thanks,
Ehsan
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform