Re: Intent to implement and ship: New cookie jar policy to block storage access from tracking resources

2018-10-17 Thread Ehsan Akhgari
Just a quick update: This new policy has now been made the new default in
Nightly in https://bugzilla.mozilla.org/show_bug.cgi?id=1492563.

On Fri, Sep 21, 2018 at 3:15 PM Steven Englehardt wrote:

> Technical documentation for this is now available on MDN:
> https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy
>
> On Wed, Sep 19, 2018 at 10:24 PM Ehsan Akhgari wrote:
>
>> Hi everyone,
>>
>> This is a (belated) intent to implement, as well as an intent to ship, a
>> new cookie jar policy to block storage access to tracking resources.  This
>> work has been under development for several months now and has been tracked
>> in https://bugzilla.mozilla.org/show_bug.cgi?id=cookierestrictions.
>>
>> As of Firefox 65, I intend to turn on our new cookie jar policy to block
>> storage access from tracking resources by default on all desktop platforms
>> (assuming our testing goes well).  This feature has been developed behind
>> the network.cookie.cookieBehavior preference (when set to 4). No other UA
>> is shipping this feature, although Safari 12 ships a somewhat similar
>> feature (https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/).
>>
>> Bug to turn on by default:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1492549
>>
>> Please note that this feature uses the Disconnect list in order to identify
>> tracking resources, so it is not going to have any effect if you have
>> Tracking Protection turned on, or if you have installed a privacy extension
>> and/or an ad blocker (examples include Privacy Badger, uBlock Origin and
>> Ghostery).  If you are a Nightly tester using such a feature, it would be
>> hugely helpful to us in the next few months if you would kindly consider
>> disabling such features and just use the default configuration of Nightly,
>> as this is what we are intending to ship to all our users soon. If you
>> encounter any web page breakage as a result of testing this feature, please
>> consider filing a bug and making it block
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1480137.
>>
>> Since this isn’t a typical web feature, the standard “intent to implement”
>> template isn’t really helpful for it, but here is some of the information
>> surfaced from that template that applies to this feature:
>>
>> Platform coverage: the Gecko part is cross-platform, but the UI for the
>> feature has been developed on desktop for now, so we’re planning to enable
>> it on desktop at the moment.
>>
>> Estimated or target release: Firefox 65.  Please note that this feature is
>> currently undergoing a Shield Study on Beta 63, and the estimated target
>> release is assuming the successful outcome of that study and the continued
>> ongoing testing of the feature.
>>
>> DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1462372
>>
>> Is this feature restricted to secure contexts? No, it doesn’t distinguish
>> secure vs. non-secure contexts.  This isn’t a new web-facing API, rather it
>> is intended to be a new privacy protection for our users. As such, we
>> intend to impose the new restrictions for tracking resources on both secure
>> and non-secure contexts.  It should be noted that some non-secure tracking
>> vectors, e.g. HTTP cookies, can also be used for pervasive tracking by
>> passively monitoring the user’s connection, and while cracking down on
>> passive tracking isn’t a direct goal of this feature, it is a good
>> justification for not limiting these restrictions to secure contexts.
>>
>> Last but not least, in preparation for this intent to ship, we’ll be
>> gradually exposing more users to the feature.  The first part of this has
>> already been done in the form of the Shield Study mentioned above. As the
>> second part of this process, I intend to turn this feature on by default on
>> all desktop platforms for Nightly only in
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1492563.
>>
>> Thanks,
>>
>> Ehsan
>> ___
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
>>
>

-- 
Ehsan


Re: Intent to implement and ship: New cookie jar policy to block storage access from tracking resources

2018-09-21 Thread Steven Englehardt
Technical documentation for this is now available on MDN:
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy

On Wed, Sep 19, 2018 at 10:24 PM Ehsan Akhgari wrote:

> Hi everyone,
>
> This is a (belated) intent to implement, as well as an intent to ship, a
> new cookie jar policy to block storage access to tracking resources.  This
> work has been under development for several months now and has been tracked
> in https://bugzilla.mozilla.org/show_bug.cgi?id=cookierestrictions.
>
> As of Firefox 65, I intend to turn on our new cookie jar policy to block
> storage access from tracking resources by default on all desktop platforms
> (assuming our testing goes well).  This feature has been developed behind
> the network.cookie.cookieBehavior preference (when set to 4). No other UA
> is shipping this feature, although Safari 12 ships a somewhat similar
> feature (https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/).
>
> Bug to turn on by default:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1492549
>
> Please note that this feature uses the Disconnect list in order to identify
> tracking resources, so it is not going to have any effect if you have
> Tracking Protection turned on, or if you have installed a privacy extension
> and/or an ad blocker (examples include Privacy Badger, uBlock Origin and
> Ghostery).  If you are a Nightly tester using such a feature, it would be
> hugely helpful to us in the next few months if you would kindly consider
> disabling such features and just use the default configuration of Nightly,
> as this is what we are intending to ship to all our users soon. If you
> encounter any web page breakage as a result of testing this feature, please
> consider filing a bug and making it block
> https://bugzilla.mozilla.org/show_bug.cgi?id=1480137.
>
> Since this isn’t a typical web feature, the standard “intent to implement”
> template isn’t really helpful for it, but here is some of the information
> surfaced from that template that applies to this feature:
>
> Platform coverage: the Gecko part is cross-platform, but the UI for the
> feature has been developed on desktop for now, so we’re planning to enable
> it on desktop at the moment.
>
> Estimated or target release: Firefox 65.  Please note that this feature is
> currently undergoing a Shield Study on Beta 63, and the estimated target
> release is assuming the successful outcome of that study and the continued
> ongoing testing of the feature.
>
> DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1462372
>
> Is this feature restricted to secure contexts? No, it doesn’t distinguish
> secure vs. non-secure contexts.  This isn’t a new web-facing API, rather it
> is intended to be a new privacy protection for our users. As such, we
> intend to impose the new restrictions for tracking resources on both secure
> and non-secure contexts.  It should be noted that some non-secure tracking
> vectors, e.g. HTTP cookies, can also be used for pervasive tracking by
> passively monitoring the user’s connection, and while cracking down on
> passive tracking isn’t a direct goal of this feature, it is a good
> justification for not limiting these restrictions to secure contexts.
>
> Last but not least, in preparation for this intent to ship, we’ll be
> gradually exposing more users to the feature.  The first part of this has
> already been done in the form of the Shield Study mentioned above. As the
> second part of this process, I intend to turn this feature on by default on
> all desktop platforms for Nightly only in
> https://bugzilla.mozilla.org/show_bug.cgi?id=1492563.
>
> Thanks,
>
> Ehsan


Intent to implement and ship: New cookie jar policy to block storage access from tracking resources

2018-09-19 Thread Ehsan Akhgari
Hi everyone,

This is a (belated) intent to implement, as well as an intent to ship, a
new cookie jar policy to block storage access to tracking resources.  This
work has been under development for several months now and has been tracked
in https://bugzilla.mozilla.org/show_bug.cgi?id=cookierestrictions.

As of Firefox 65, I intend to turn on our new cookie jar policy to block
storage access from tracking resources by default on all desktop platforms
(assuming our testing goes well).  This feature has been developed behind
the network.cookie.cookieBehavior preference (when set to 4). No other UA
is shipping this feature, although Safari 12 ships a somewhat similar
feature (https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/).

Bug to turn on by default:
https://bugzilla.mozilla.org/show_bug.cgi?id=1492549

Please note that this feature uses the Disconnect list in order to identify
tracking resources, so it is not going to have any effect if you have
Tracking Protection turned on, or if you have installed a privacy extension
and/or an ad blocker (examples include Privacy Badger, uBlock Origin and
Ghostery).  If you are a Nightly tester using such a feature, it would be
hugely helpful to us in the next few months if you would kindly consider
disabling such features and just use the default configuration of Nightly,
as this is what we are intending to ship to all our users soon. If you
encounter any web page breakage as a result of testing this feature, please
consider filing a bug and making it block
https://bugzilla.mozilla.org/show_bug.cgi?id=1480137.

Since this isn’t a typical web feature, the standard “intent to implement”
template isn’t really helpful for it, but here is some of the information
surfaced from that template that applies to this feature:

Platform coverage: the Gecko part is cross-platform, but the UI for the
feature has been developed on desktop for now, so we’re planning to enable
it on desktop at the moment.

Estimated or target release: Firefox 65.  Please note that this feature is
currently undergoing a Shield Study on Beta 63, and the estimated target
release is assuming the successful outcome of that study and the continued
ongoing testing of the feature.

DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1462372

Is this feature restricted to secure contexts? No, it doesn’t distinguish
secure vs. non-secure contexts.  This isn’t a new web-facing API, rather it
is intended to be a new privacy protection for our users. As such, we
intend to impose the new restrictions for tracking resources on both secure
and non-secure contexts.  It should be noted that some non-secure tracking
vectors, e.g. HTTP cookies, can also be used for pervasive tracking by
passively monitoring the user’s connection, and while cracking down on
passive tracking isn’t a direct goal of this feature, it is a good
justification for not limiting these restrictions to secure contexts.

Last but not least, in preparation for this intent to ship, we’ll be
gradually exposing more users to the feature.  The first part of this has
already been done in the form of the Shield Study mentioned above. As the
second part of this process, I intend to turn this feature on by default on
all desktop platforms for Nightly only in
https://bugzilla.mozilla.org/show_bug.cgi?id=1492563.

Thanks,

Ehsan
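
Added example, not part of the thread and not Gecko code: a simplified JavaScript model of the decision the announcement describes, showing that the policy acts only when network.cookie.cookieBehavior is 4, that it ignores the URL scheme, and that it has nothing to do when Tracking Protection already blocks the load. Assumptions: the tracker hosts are constructed placeholders standing in for the Disconnect list, the restriction is modelled as applying to third-party loads only, and "site" is approximated by the last two host labels.

```javascript
// Simplified model, not Gecko code. TRACKER_DOMAINS is a constructed stand-in
// for the Disconnect list; the hosts below are placeholders.
const TRACKER_DOMAINS = new Set(["tracker.example", "ads.example"]);
const BEHAVIOR_REJECT_TRACKER = 4; // network.cookie.cookieBehavior value from the thread

// Crude site key: last two host labels (a real browser uses the Public Suffix List).
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// True if the host or any parent domain is on the list.
function isTracker(url, list = TRACKER_DOMAINS) {
  const labels = new URL(url).hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (list.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Returns "not-loaded", "storage-blocked" or "storage-allowed".
function decide({ topLevel, resource, cookieBehavior, trackingProtection = false }) {
  // Assumption of this model: only third-party loads are restricted.
  const thirdPartyTracker = isTracker(resource) && site(topLevel) !== site(resource);
  // With Tracking Protection on, the load itself is blocked, so the cookie
  // policy has no effect on it.
  if (thirdPartyTracker && trackingProtection) return "not-loaded";
  // The URL scheme is deliberately not consulted: http and https are treated alike.
  if (thirdPartyTracker && cookieBehavior === BEHAVIOR_REJECT_TRACKER) return "storage-blocked";
  return "storage-allowed";
}

// Constructed cases: one page embedding different resources.
const page = "https://news.example/article";
const cases = [
  { resource: "https://cdn.tracker.example/p.js", cookieBehavior: 4 },
  { resource: "http://cdn.tracker.example/p.gif", cookieBehavior: 4 },
  { resource: "https://cdn.tracker.example/p.js", cookieBehavior: 0 },
  { resource: "https://cdn.tracker.example/p.js", cookieBehavior: 4, trackingProtection: true },
  { resource: "https://static.cdn.example/lib.js", cookieBehavior: 4 },
];
for (const c of cases) {
  console.log(c.resource, JSON.stringify(c), "=>", decide({ topLevel: page, ...c }));
}
```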