🌐 Website Issue | Firefox about:config network.cookie.cookieBehavior #1704

Open
opened 2020-02-12 06:27:15 +00:00 by zer0byt · 11 comments
zer0byt commented 2020-02-12 06:27:15 +00:00 (Migrated from github.com)

Description

In the new versions of Firefox, there are five options to manage cookies. The website explains just three of them (number 0 to number 2).

The two other options are:

  • Cookies from unvisited websites (number 3).
  • Cross-site and social media trackers (number 4).

Screenshots

Screen Shot 2020-02-12 at 9 53 26 AM
Mikaela commented 2020-02-12 13:09:32 +00:00 (Migrated from github.com)

Do you have a source for 3? It seems to be wrong according to Mozilla developer documentation;

> 0 = accept all cookies by default
> 1 = only accept from the originating site (block third party cookies)
> 2 = block all cookies by default
> 3 = use p3p settings (note: this is only applicable to older Mozilla Suite and Seamonkey versions.)
> 4 = [Storage access policy: Block cookies from trackers](https://developer.mozilla.org/docs/Mozilla/Firefox/Privacy/Storage_access_policy)

  • https://developer.mozilla.org/docs/Mozilla/Cookies_Preferences

~~I don't know what~~ p3p settings are apparently for [protocol obsolete for around 18 years](https://en.wikipedia.org/wiki/P3P), but I understand it to not apply to Firefox and 4 seems experimental and possibly shouldn't be recommended yet?

CC: @Thorin-Oakenpants
zer0byt commented 2020-02-12 13:56:55 +00:00 (Migrated from github.com)

> Do you have a source for 3? It seems to be wrong according to Mozilla developer documentation;

In the browser's privacy preferences, there are four options. From the list, select "Cookies from unvisited websites" then go to network.cookie.cookieBehavior in the about:config and check the value. It's 3. (Checked on Firefox v73.0)
Screen Shot 2020-02-12 at 5 17 22 PM
Screen Shot 2020-02-12 at 5 25 01 PM

Thorin-Oakenpants commented 2020-02-12 13:57:03 +00:00 (Migrated from github.com)
  • 0=Accept cookies and site data
  • 1=(Block) All third-party cookies
  • 2=(Block) All cookies
  • 3=(Block) Cookies from unvisited websites
  • 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+)

^^ these are the actual words used in the UI

I'm not (edit, left out the word not 🤦 ) sure how much you should trust that MDN page, even if it was last updated Feb 7th 2020. e.g

  • `network.cookie.lifetimePolicy` values have changed (see next point)
  • `network.cookie.lifetime.days` is deprecated [here's the proof](https://bugzilla.mozilla.org/show_bug.cgi?id=1457170) - hence (see above values have changed)

Up to you guys what you want to do: no-one is saying you have to list all the values, and value 3 is a waste of time IMO and will just confuse people. I wouldn't be surprised if it got removed and I can't see the point in such a setting TBH.

Thorin-Oakenpants commented 2020-02-12 14:04:16 +00:00 (Migrated from github.com)

PS: this (cleaning up descriptions etc) is already slated as part of #1430 which has now been sitting waiting for some action for 3 and a half months - rather than ping me (edit: for things already on PTIO's webpage), how about getting #1430 under way .. just saying /sorry-for-being-grumpy :)

blacklight447 commented 2020-02-12 17:21:01 +00:00 (Migrated from github.com)

Hey there!
It's true, the issue has been hanging around for a while, but it's the next thing on my list to work on after I'm done writing our new COI and whistleblower policies :)!

Thorin-Oakenpants commented 2020-02-12 17:26:32 +00:00 (Migrated from github.com)

> and 4 seems experimental and possibly shouldn't be recommended yet

heh. it's the default :)

Mikaela commented 2020-02-12 17:44:42 +00:00 (Migrated from github.com)

For future reference, what is a source for documentation about these flags that can be trusted? 😕

Thorin-Oakenpants commented 2020-02-12 17:50:18 +00:00 (Migrated from github.com)

^^ the source code

dngray commented 2020-10-07 10:28:15 +00:00 (Migrated from github.com)

> > and 4 seems experimental and possibly shouldn't be recommended yet
>
> heh. it's the default :)

That's still the case in 81.0.1.

> Up to you guys what you want to do: no-one is saying you have to list all the values, and value 3 is a waste of time IMO and will just confuse people. I wouldn't be surprised if it got removed and I can't see the point in such a setting TBH.

I think we might fix this by removing the recommendation. We could put a suggestion there for option 1 (with a warning), but that's really going to be the only useful option, imho
paulo-erichsen commented 2021-04-15 22:05:53 +00:00 (Migrated from github.com)

note that since Firefox 86, we can also set `network.cookie.cookieBehavior` to `5`

> To disable dynamic storage partitioning for all sites you can use the network.cookie.cookieBehavior pref:
> 5 | Reject (known) trackers and partition third-party storage.
> 4 | Only reject trackers (Storage partitioning disabled).
> 0 | Allow all

it would be great if we could get some direction on whether it is better to set this setting to 5 or 1

  • https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
  • https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/State_Partitioning
rusty-snake commented 2021-04-16 06:03:20 +00:00 (Migrated from github.com)

If you have FPI enabled 1 is better (5 will be downgraded to 4 AFAIK).
If you don't use FPI 5 (TCP/dFPI) is better otherwise you would have no isolation.

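Added example, not part of the thread or of the project's own code: a small audit of a Firefox `user.js`/`prefs.js` file that reports the `network.cookie.cookieBehavior` value using the meanings listed above and compares it with the suggestion in the last comment. The pref name `privacy.firstparty.isolate` for FPI and the sample file contents are assumptions that do not appear in the thread.

```python
import re

# Meanings as given in this thread (UI wording for 0-4, Firefox 86+ for 5).
COOKIE_BEHAVIOR = {
    0: "Accept cookies and site data",
    1: "Block all third-party cookies",
    2: "Block all cookies",
    3: "Block cookies from unvisited websites",
    4: "Block cross-site and social media trackers",
    5: "Reject known trackers and partition third-party storage",
}
PREF_RE = re.compile(r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Parse user_pref("name", value); lines; commented-out lines are skipped, later lines win."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def assess(text):
    """Return (value, meaning, note) for network.cookie.cookieBehavior in a prefs file."""
    prefs = parse_prefs(text)
    value = prefs.get("network.cookie.cookieBehavior")
    fpi = prefs.get("privacy.firstparty.isolate") is True  # assumed FPI pref name
    if value is None:
        return None, "not set in this file", "browser default applies"
    if type(value) is not int or value not in COOKIE_BEHAVIOR:
        return value, "unknown", "not one of the values 0-5 listed in the thread"
    suggested = 1 if fpi else 5  # the suggestion in the thread's last comment
    state = "on" if fpi else "off"
    if value == suggested:
        note = f"matches the thread's suggestion for FPI {state}"
    else:
        note = f"thread suggests {suggested} when FPI is {state}"
    return value, COOKIE_BEHAVIOR[value], note

# Constructed sample user.js, not taken from the thread.
SAMPLE_USER_JS = """
user_pref("privacy.firstparty.isolate", true);
// user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.cookie.cookieBehavior", 5);
"""

if __name__ == "__main__":
    print(assess(SAMPLE_USER_JS))
```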
Reference: privacyguides/privacytools.io#1704