Technical documentation for this is now available on MDN: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy
On Wed, Sep 19, 2018 at 10:24 PM Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
> Hi everyone,
>
> This is a (belated) intent to implement, as well as an intent to ship, a
> new cookie jar policy to block storage access to tracking resources. This
> work has been under development for several months now and has been tracked
> in https://bugzilla.mozilla.org/show_bug.cgi?id=cookierestrictions.
>
> As of Firefox 65, I intend to turn on our new cookie jar policy to block
> storage access from tracking resources by default on all desktop platforms
> (assuming our testing goes well). This feature has been developed behind
> the network.cookie.cookieBehavior preference (when set to 4). No other UA
> is shipping this feature, although Safari 12 ships a somewhat similar
> feature (https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/).
>
> Bug to turn on by default:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1492549
>
> Please note that this feature uses the Disconnect list in order to identify
> tracking resources, so it is not going to have any effect if you have
> Tracking Protection turned on, or if you have installed a privacy extension
> and/or an ad blocker (examples include Privacy Badger, uBlock Origin and
> Ghostery). If you are a Nightly tester using such a feature, it would be
> hugely helpful to us in the next few months if you would kindly consider
> disabling such features and just use the default configuration of Nightly,
> as this is what we are intending to ship to all our users soon. If you
> encounter any web page breakage as a result of testing this feature, please
> consider filing a bug and making it block
> https://bugzilla.mozilla.org/show_bug.cgi?id=1480137.
>
> Since this isn’t a typical web feature, the standard “intent to implement”
> template isn’t really helpful for it, but here is some of the information
> surfaced from that template that applies to this feature:
>
> Platform coverage: the Gecko part is cross-platform, but the UI for the
> feature has been developed on desktop for now, so we’re planning to enable
> it on desktop at the moment.
>
> Estimated or target release: Firefox 65. Please note that this feature is
> currently undergoing a Shield Study on Beta 63, and the estimated target
> release is assuming the successful outcome of that study and the continued
> ongoing testing of the feature.
>
> DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1462372
>
> Is this feature restricted to secure contexts? No, it doesn’t distinguish
> secure vs. non-secure contexts. This isn’t a new web-facing API, rather it
> is intended to be a new privacy protection for our users. As such, we
> intend to impose the new restrictions for tracking resources on both secure
> and non-secure contexts. It should be noted that some non-secure tracking
> vectors, e.g. HTTP cookies, can also be used for pervasive tracking by
> passively monitoring the user’s connection, and while cracking down on
> passive tracking isn’t a direct goal of this feature, it is a good
> justification for not limiting these restrictions to secure contexts.
>
> Last but not least, in preparation for this intent to ship, we’ll be
> gradually exposing more users to the feature. The first part of this has
> already been done in the form of the Shield Study mentioned above. As the
> second part of this process, I intend to turn this feature on by default on
> all desktop platforms for Nightly only in
> https://bugzilla.mozilla.org/show_bug.cgi?id=1492563.
>
> Thanks,
>
> Ehsan
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform