move from FPI to dFPI

[Thorin-Oakenpants]

ToDo:

• sticky pinned issue forewarning of change from FPI to dFPI - slated for FF96 - see NOTICE: v96 CHANGE YOUR SITE PERMISSIONS [AF disables FPI for ETP Strict] #1281
  • i.e users will need to migrate any site permission exceptions from FPI syntax
• flip the switch - de28689
• confirm if ETP site exceptions disable dFPI for that site - see some dFPI questions #1337 & ac0820a
• privacy.antitracking.enableWebcompat - see some dFPI questions #1337 & ac0820a
• extensions.webcompat.enable_shims - c8c8626
• enable service workers - 8860c90
  • FF96+: 1731999 Enable partitioned service worker for third-party contexts in dFPI
  • FF95 and lower: 1730885 they are disabled in 3rd party contexts
• partition services workers - ec7cb6a
  • privacy.partition.serviceWorkers currently only true for Nightly

Cleanup/Tests

• remove strict mode in custom override recipe
• move DNT to don't bother - fe75baa
• move/add to don't bother - de28689
  • check first that setting strict via user.js changes them at startup - see move from FPI to dFPI #1051 (comment)
  • network.cookie.cookieBehavior
  • network.http.referer.disallowCrossSiteRelaxingDefault
  • privacy.partition.network_state.ocsp_cache
  • privacy.trackingprotection.enabled
  • privacy.trackingprotection.socialtracking.enabled
  • privacy.trackingprotection.cryptomining.enabled
  • privacy.trackingprotection.fingerprinting.enabled
• move FPI to don't touch - de28689
  • we want to make sure it is changed to false and enforced, otherwise it reverts ETP Strict
• remove the remainder of FPI section - f7bba92 - farewell FPI
• make sure user.js states we do not support custom mode or fucking around with all the other prefs that make up ETP
• edit wiki pages

---

dFPI bugzilla tree

• https://bugzilla.mozilla.org/showdependencytree.cgi?id=1549587&hide_resolved=1
• just remove &hide_resolved=1 to get the full list

---

original message

comment

Yes, DFPI and FPI use separate attributes and when FPI is enabled, the partitioning/isolation specific code isn't relevant because we're using the older FPI code.

There's no point enabling/adding the partition pref/info to section 4000

---

what we had for posterity

/* 4003: enable site partitioning (FF78+)
 * [1] https://bugzilla.mozilla.org/1590107 [META] */
user_pref("privacy.partition.network_state", true);

[Thorin-Oakenpants]

Intent to ship: Network Partitioning: https://groups.google.com/g/mozilla.dev.platform/c/uDYrtq1Ne3A

[Thorin-Oakenpants]

@gwarser

Pants, I will like to ask you something about containers in Firefox, your message just reminded me about it. Maybe you will know more about it and explain me whats going on. I think I have found some logic issue in containers handling.

I have google container, with google domain assigned to it, to open automatically. Also I have pref set to open all other domains outside this container (handy on gmail).

When I am on YT (not assigned to container), and I accidentally click on “sign in” (or when I forget about containers and want to sing in to another YT-related account), Firefox will redirect YT-no container to account.google.com google container, and back to YT-no container.

I’m pretty sure this should just fail, and I’m pretty sure this was failing before, but for some reason I’m now logged-in into my google account on YT. This is completely unexpected to me. Any page can just redirect me through other container to snoop for my data? WTH?!

Umm, can we chat in here, it's easier. And can we clarify some things?

• so bar.com = container
• YT = no container
• go to log into YT and it uses foo.bar.com -> container

So the container is not using eTLD+1? Do you gave FPI at all? Is this on nightly? I don't know much about containers (except that they're an OA just like FPI), and my impression is they're been ignored for a while now because priorities, and will get phased out like FPI (cuz partitioning, dFPI).

I'd be inclined to

• ask what the expected behavior is meant to be
• check the behavior changed ("’I'm pretty sure this was failing before,") and pinpoint what release
• create a new profile (or just create rules for som enew containers) and test a couple of sites with one.foo.bar and two.foo.bar and foo.bar without logging in - i.e make sure eTLD+1

Maybe you just need to group youtube and account.google.com in a container? or just accounts in it's own container?

I'm probably not much help, cuz I don't do any of the alphabet shit

[seonwoolee]

I'd just use Temporary Containers

[Thorin-Oakenpants]

https://bugzilla.mozilla.org/show_bug.cgi?id=1686296 dFPI rides the train

[Thorin-Oakenpants]

this is the one to watch, or at least read: about moving away from FPI (deprecate it) to dFPI .. there's just a few knobs missing right now - https://bugzilla.mozilla.org/show_bug.cgi?id=1649876

[Thorin-Oakenpants]

answering #1103

basically, FPI overrides

• privacy.partition.network_state - which is this stuff [1] ... FPI covers this stuff [2]
• dFPI - which is when network.cookie.cookieBehavior = 5

Just think of it as two sets: networking related stuff, and website storage stuff (cookies, service worker cache, IDB etc). FF85 turned on the network part, but the cookie behavior default is still 4.

note: network.partition (see lists below) and dFPI may cover something that FPI doesn't, but no-one is 100% sure (Tim and Tom from Mozilla both seem to think we're OK, and no-one is going to waste time backtracking on something that will ultimately be obsolete: see next paragraph). FPI has been stable now for a long time, so waiting until dFPI is ready is no big deal. But do see sysrqb's comment here - sysrqb is the lead developer at Tor Project

At some stage FPI will be deprecated and dFPI will be it. But dFPI is still being polished and is super not production ready (lots of exmaples but here is one: 1669716 - cookies extension API unaware of dFPI ).

Additionally, on top of that, there are some knobs and tweaks missing to gain some strictness parity with FPI (e.g. for Tor Browser standards)

• see https://bugzilla.mozilla.org/show_bug.cgi?id=1649876
• https://bugzilla.mozilla.org/show_bug.cgi?id=1683165 <-- knobs

some tickets

• https://bugzilla.mozilla.org/show_bug.cgi?id=1549587 - meta ticket
• https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40308
• https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40123

tl:dr: too early to flip to this

---

[1] https://groups.google.com/g/mozilla.dev.platform/c/uDYrtq1Ne3A

HTTP cache
Image cache
Favicon cache
Connection pooling
StyleSheet cache
DNS
HTTP authentication
Alt-Svc
Speculative connections
Font cache
HSTS
OCSP
Intermediate CA cache
TLS client certificates
TLS session identifiers
Prefetch
Preconnect
CORS-preflight cache

[2]
1278037 - indexedDB (FF51+) <- initial ticket which also covers cache, cookies etc
1277803 - favicons (FF52+)
1264562 - OCSP cache (FF52+)
1268726 - Shared Workers (FF52+)
1316283 - SSL session cache (FF52+)
1317927 - media cache (FF53+)
1323644 - HSTS and HPKP (FF54+)
1334690 - HTTP Alternative Services (FF54+)
1334693 - SPDY/HTTP2 (FF55+)
1337893 - DNS cache (FF55+)
1344170 - blob: URI (FF55+)
1300671 - data:, about: URLs (FF55+)
1473247 - IP addresses (FF63+)
1492607 - postMessage with targetOrigin "*" (requires 4002) (FF65+)
1542309 - top-level domain URLs when host is in the public suffix list (FF68+)
1506693 - pdfjs range-based requests (FF68+)
1330467 - site permissions (FF69+)
1534339 - IPv6 (FF73+)
and I believe it also covers font cache when they added that to network.partition

[Thorin-Oakenpants]

But dFPI is still being polished and is super not production ready

And yet it's riding the train for stable 86 (see comments higher up) [edit: for those using ETP strict mode, not everyone] - unless something happens quickly with outstanding issues, or they backtrack on that timetable - I expect breakage: extensions from above example, not to mention site permissions (since the key changed), etc

Just as well we set FPI and enforce a custom ETP setting with cookies. Because there is also a key change, everyone will have to update their site permissions - so I prefer than we (arkenfox users) control this when it is ready and forewarn everyone in advance

[rugabunda]

The recent update appears to have broken certain web functionality, such ass the hyvor comment sections, located at the bottom of the page
there, and the video player on trunews.com; [update: actually the latter doesn't seem to work in chromium either] can I get a confirmation? I still use privacy.firstparty.isolate; no settings changed.

If using FPI, should we disable these?

network partitioning
    privacy.partition.network_state (defaults to true in FF85)
dynamic FPI (dFPI)
    network.cookie.cookieBehavior = 5 (Cross-site and social-media trackers, and isolate remaining cookies)

update quote

The referenced page comes with a BIG disclaimer stating that using the older user_pref("privacy.firstparty.isolate", true); will result in using the older FPI codebase and NOT the new concepts mentioned above (translated from the original German text). Src

UPDATE disabling/enabling FPI again fixed it.

[Thorin-Oakenpants]

If using FPI, should we disable these?

2701: network.cookie.cookieBehavior is already controlled in the user.js

user_pref("network.cookie.cookieBehavior", 1);
user_pref("browser.contentblocking.category", "custom");

privacy.partition.network_state (defaults to true in FF85)

• see https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40308
• I am loathe to add this because its a bit messy (e.g. for those who disable FPI, they would also have to enable this one)

Hopefully by ESR91 we can move to dFPI with some optional hardening knobs

[Thorin-Oakenpants]

@gwarser for your amusement

[Thorin-Oakenpants]

here's a nice write up on STATE tracking:

• https://hacks.mozilla.org/2021/02/introducing-state-partitioning/

[curiosityseeker]

here's a nice write up on STATE tracking:

* https://hacks.mozilla.org/2021/02/introducing-state-partitioning/

I'm still not sure if I get it right. One of the comments on that site suggests that:

Total Cookie Protection = state partitioning = dynamic first-party isolation

I'm not sure if that's quite correct.

• If I select ETP Strict Mode in about:preferences#privacy, then network.cookie.cookieBehavior = 5. This seems to be equivalent to dFPI according to what you wrote above.
• If I set network.cookie.cookieBehavior = 4, ETP changes to Custom Mode.
• However, if I set network.cookie.cookieBehavior back to 5, ETP remains unchanged at Custom Mode.

Hence, while TCP is (in my understanding) equivalent to Network and Dynamic State Partitioning, dFPI seems to be only a subset. TCP (by enabling ETP Strict Mode) implicates more settings. According to about:preferences#privacy, Strict Mode also protects against "Social media trackers", i.e. privacy.trackingprotection.socialtracking.enabled = true. I'm not sure if that's the only difference, though.

Is this summing-up correct or mere BS?

[Thorin-Oakenpants]

Off the top of my head in general terms

• FPI covered everything (networking things, content, permissions, storage, persistent web storage etc) by assigning origin attributes
• FPI's replacement isolates by partyness into two distinct groups
  • in both groups the origin attributes are and can be hardened (double keyed, +scheme)
  • these two groups are not the same
  • total cookie protection (TCP) - basically persistent web storage and a few other related items
    • TCP is the one that can be changed by users (used in ETP strict mode which does extra things as well)
    • TCP is the one that where the partyness can be dynamic (see dFPI)
    • dFPI (the term has been misused in a few places including here in the early days) is so that the origin attributes can be relaxed e.g. via user actions e.g. click a login button that connects to google, it relaxes some things for google for that first party in that session
  • network partitioning - everything else: connections, requests, cache, favicons, dns, blah blah .. everything that can always be isolated by first party and doesn't break websites
    • network partitioning is on by default and doesn't change partyness AFAIK - there is nothing dynamic about this

That's my understanding.

Note: AFAICT .. the term dFPI is/was a bit misunderstood/misused as the overall FPI replacement name. dFPI is really only about one group (TCP), not the whole FPI replacement

---

However, if I set network.cookie.cookieBehavior back to 5, ETP remains unchanged at Custom Mode.

That might be a bug. Did you close and reload about:preferences#privacy ? Not everything is listening for changes. And we already know setting cookies from user.js doesn't pickup ETP being custom at runtime. It's also a little messy right now: 87 was missing the option 5 in the drop down (they forgot to flip the mvp ui pref) - not to mention that FPI interferes

ETP in strict mode sets a bunch of things, such as the tracker list level, cookie behavior, etc, and now tracking shims

• e.g. in 1686296 they used "browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior5,cm,fp,stp,lvl2"
  • tp = tracking protection on? huh? what?
  • tpPrivate = pb mode windows on? huh? (options are all windows or pb only)
  • cookieBehavior = 5
  • fp = fingerprinters on
  • cm = cryptomining on
  • stp = social/standard/strict/ tracking protection?
  • lvl2 = level two boss fight, beat that bitch, get to level 3

Now you can maybe emulate "strict" in custom: you can use cookie behavior 5 in custom, and the other options are there: except I don't see how to change the level, or how you get the new shims. I don't think those are important right now - as the level is nothing compared to uBO, and uBO also has some shims

[Thorin-Oakenpants]

the UI inconsistencies is probably somewhere in here: https://bugzilla.mozilla.org/show_bug.cgi?id=1645898 . I actually remember reading a bugzilla very similar if not the same as you describe, but now I can't find it. From memory the STR were a certain order. There's probably a few quirks until it's polished - in 87 86 it wasn't shown in the UI (they forgot) and only used in strict mode. In 88 87+ it's now visible in options - give it some time for bugs to surface :)

edited: fixed up versions mentioned: for some reason I keep thinking stable is 88 right now when it's 87

[Thorin-Oakenpants]

However, if I set network.cookie.cookieBehavior back to 5, ETP remains unchanged at Custom Mode

Now that I've had some sleep ... that's to be expected. You were in custom mode to start with, and you changed an individual setting - you did not change to strict mode which is a different pref(s)

edit: this is the pref that changes between standard, strict and custom mode. When you change individual settings like cookie settings in about:config, then listeners will auto change you to custom (since the settings no longer fit the preset "standard" or "strict"). I'm pretty sure there is no reverse logic, to reset the category if all the conditions meet preset standard/strict

• e.g. user_pref("browser.contentblocking.category", "strict");

And honestly, I do not know what happens when you set everything via user.js/about:config and they conflict

• e.g. trying to set strict but them changing cookies to 1

[curiosityseeker]

Thanks a lot for your comprehensive replies! Have I told you before that you're truly beyond compare? 👍 👍 👍

In any case my view was definitively too simplistic, it seems :-(

e.g. in 1686296 they used "browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior5,cm,fp,stp,lvl2"

tp = tracking protection on? huh? what?
tpPrivate = pb mode windows on? huh? (options are all windows or pb only)
cookieBehavior = 5
fp = fingerprinters on
cm = cryptomining on
stp = social/standard/strict/ tracking protection?
lvl2 = level two boss fight, beat that bitch, get to level 3

It seems that https://searchfox.org/mozilla-central/source/browser/components/preferences/tests/browser_contentblocking.js and https://searchfox.org/mozilla-central/source/browser/components/preferences/tests/browser_statePartitioning_strings.js contain the details but I haven't checked them yet.

EDIT: https://searchfox.org/mozilla-central/search?q=contentblocking&path=&case=false&regexp=false

However, if I set network.cookie.cookieBehavior back to 5, ETP remains unchanged at Custom Mode

Now that I've had some sleep ... that's to be expected. You were in custom mode to start with, and you changed an individual setting - you did not change to strict mode which is a different pref(s)

Yep, you're right. It's the same with the other modes, of course.

And honestly, I do not know what happens when you set everything via user.js/about:config and they conflict

So we have to wait until things clear up and more detailed documentation is available.

[Thorin-Oakenpants]

cool 👍 great link ❤️

const TP_PREF = "privacy.trackingprotection.enabled";
const TP_PBM_PREF = "privacy.trackingprotection.pbmode.enabled";
const NCB_PREF = "network.cookie.cookieBehavior";
const CAT_PREF = "browser.contentblocking.category";
const FP_PREF = "privacy.trackingprotection.fingerprinting.enabled";
const STP_PREF = "privacy.trackingprotection.socialtracking.enabled";
const CM_PREF = "privacy.trackingprotection.cryptomining.enabled";
const LEVEL2_PREF = "privacy.annotate_channels.strict_list.enabled";
const PREF_TEST_NOTIFICATIONS =
  "browser.safebrowsing.test-notifications.enabled";
const STRICT_PREF = "browser.contentblocking.features.strict";
const PRIVACY_PAGE = "about:preferences#privacy";
const ISOLATE_UI_PREF =
  "browser.contentblocking.reject-and-isolate-cookies.preferences.ui.enabled";
const FPI_PREF = "privacy.firstparty.isolate";

So in theory, we could manipulate strict mode 's default settings browser.contentblocking.features.strict and enable strict mode :) I don't see where the shims kick in (maybe it's built into lvl2?).

Until it's more refined, e.g. they add some extra knobs to harden TCP such as turning off the heuristics, we'll stick with FPI - most likely until at least FF94 (when ESR78.15 is obsolete)

• and at that point it may be as simple as using strict mode with a heuristics pref
• what I don't like about this, is that cookie 5 accepts all cookies by default (except tracking ones) - allowing cookies also opens up other persistent web storage. Yes, everything is isolated by 1st party, but blocking cookies is so much cleaner and help against repeat visits. Additionally, there is the issue of connections - it's better to block that making the connection in the first place (e.g. IP for starters) [1] - so I guess this makes uBO in medium/hard mode even more important

[1] https://spreadprivacy.com/browser-privacy-protection/

Therefore, to really stop a cross-site tracker, the kind that tries to track your activity from site to site, you have to prevent it from actually loading in your browser in the first place.

^ there's more: less requests, perf improvements etc

[curiosityseeker]

Additionally, there is the issue of connections - it's better to block that making the connection in the first place (e.g. IP for starters) [1] - so I guess this makes uBO in medium/hard mode even more important

[1] https://spreadprivacy.com/browser-privacy-protection/

Therefore, to really stop a cross-site tracker, the kind that tries to track your activity from site to site, you have to prevent it from actually loading in your browser in the first place.

^ there's more: less requests, perf improvements etc

True, that's why I use uBO in Hard Mode with Javascript blocked by default. On the other hand, most trackers/adservers/malware sites are already blocked by the default filter lists alone. (FWIW, I've also added this comprehensive list).

And that's why I don't miss the fine-grained control by uMatrix anymore as the remaining XHR's are usually legitimate. And everything will be deleted by Temporary Containers after a couple of minutes, anyhow.

[Thorin-Oakenpants]

I added two override recipes for the current master in #1080 - how to set ETP strict mode, and how to use TCP in custom mode

[Thorin-Oakenpants]

The shims are listed as SmartBlock in about:compat, and honestly, I don't see any reason why anyone would want to flip it to false. I could put it under don't touch (so it gets reset by prefsCleaner). The article you linked also uses SmartBlock to describe the heuristics

https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ is better, it only states that SmartBlock is shims and it is tied to tracing protection

SmartBlock will silently stand in for a number of common scripts classified as trackers on the Disconnect Tracking Protection List

IDK if smartblock is required true for heuristics to work, and IDCare, cuz we will enforce it as true :)

[ghost]

I think putting it under Don't Touch would be consistent with Arkenfox no longer supporting Custom Mode or messing with the prefs that make up ETP.

Edit: Actually, by that logic, setting ETP to Strict could/should go into Don't Touch as well.

[Thorin-Oakenpants]

Arkenfox no longer supporting Custom Mode or messing with the prefs that make up ETP

Totally not into testing and supporting any custom ETP configs

setting ETP to Strict could/should go into Don't Touch as well.

True. I'm trying to think of all the things Strict has that Standard doesn't (standard will get dFPI) and there's not much: TP is one, the referer thing. Strict will get font FP protection as some stage. Who knows what else they will add to strict/pb mode (I think strict pb mode are always identical)

So there's two sides to that: some people might find too much shit breaks in strict and prefer standard/custom - then what? But from AF's perspective you get the most protections, by default, as they're added

I think for now I would like to keep an ETP section, otherwise I'll end up with a single pref for heuristics on it;s own and that would look weird

[SkewedZeppelin]

fwiw I couldn't get pref("browser.contentblocking.category", "strict"); to work at all
on launch on 95 it'd revert to standard
if I set ETP on via enterprise policy, it'd revert to custom

was able to reproduce on a clean and existing profile
perhaps actual user.js gets loaded later

I had to jank strict on like so:
divestedcg/Brace@3ee294f
divestedcg/Brace@e2bce4d

[ghost]

Has there been any indication/statements that Standard will get Enhanced Cookie Clearing along with dFPI as well? (Can't exactly judge based on PB Mode since ECC doesn't matter there.)

some people might find too much shit breaks in strict and prefer standard/custom - then what?

The contrary part of me answers that with "that's what user-overrides.js is for." Arkenfox encourages users to override settings that make using Firefox uncomfortable for them (hence the suggestion to set an even bigger window size than 1600x900 with RFP if they want) on a case by case basis. I think it'd be best in the long run to just keep encouraging and relying on Arkenfox users reading the documentation and making conscientious overrides that best suit their own use-cases, and that includes what settings they choose for ETP if Strict is too unusable for them. Arkenfox's own user.js template can (and should, in my opinion) still set Strict as the default and encouraged setting, specifically because Strict gives the best protections, like RFP.

Maybe as a middle-ground, Arkenfox could set network.cookie.cookiebehavior = 5 in Don't Touch right under privacy.firstparty.isolate. FPI was put in Don't Touch as false specifically to enable dFPI+network partitioning, so explicitly enabling dFPI right underneath it would be apropos. Then setting ETP to Strict rolls that pref into the effective config anyway (no change in the default template), and if they decide they don't want Strict's extra features, Arkenfox could maybe just settle for recommending a "Standard+dFPI" override recipe as an alternative, like:

user_pref("network.cookie.cookieBehavior", 5);
user_pref("privacy.trackingprotection.enabled", false);
user_pref("privacy.trackingprotection.socialtracking.enabled", false);
user_pref("privacy.partition.network_state.ocsp_cache", true);

Obviously not as good as Strict, but functionally not actually different from going from the default Standard in a clean profile and just flipping the cookieBehavior and ocsp_cache prefs so they at least get dFPI out of it. A quick check of those settings together in a user.js along with browser.contentblocking.category=Strict just sets Firefox ETP into Custom anyway, so they could keep the category set to Strict in their user.js and the other settings would "do the right thing" in Firefox itself.

Obviously leaving users to "fend for themselves" with ETP isn't what we want, but I also think going with Strict in the template itself should be treated along the same lines as going with RFP and clearing cookies/sessions by default: override if it inconveniences you, but it's the default for a reason.

[Thorin-Oakenpants]

The contrary part of me answers that with "that's what user-overrides.js is for."

Lols. I didn't mean where to do it, I meant I don't want to deal with answering people's questions or fucking around with all the prefs: such as what goes in strict etc

Has there been any indication/statements

Well, you could enrol in the rollout - but strict is for pbmode which is too tight to land on everyone, and Arthur Edelstein (from Tor Project, then 3yrs at mozilla setting up ETP etc, but recently left) said something the other day to me that made me think dFPI rollout is not ETP Strict rollout (therefore it must be standard)

• https://github.com/arthuredelstein/privacytests.org/issues/70#issuecomment-982881242

fwiw I couldn't get pref("browser.contentblocking.category", "strict"); to work at all

I can move the cookie behavior pref to ETP and enforce it to make it works

Arkenfox could maybe just settle for

nope. AF is going strict: there is no point pissing around with custom IMO

[ghost]

I meant I don't want to deal with answering people's questions or fucking around with all the prefs: such as what goes in strict etc

Yeah, that's fair.

nope. AF is going strict: there is no point pissing around with custom IMO

I wasn't suggesting otherwise. Just that separately activating the cookie behavior pref within Don't Touch could both enforce dFPI (leave it on and don't touch) and still have a separate ETP section for turning on Strict itself, without any conflict.

[Thorin-Oakenpants]

Arkenfox could maybe just settle for recommending a "Standard+dFPI" override recipe as an alternative, like

trackingprotection is required for dFPI

edit: see, this is why I don't want to get into the nitty gritty of all this, and it's forever changing

edit2:

Just that separately activating the cookie behavior pref within Don't Touch could both enforce dFPI

no, it needs TP

edit3: see #1051 (comment)

[Thorin-Oakenpants]

Also, if anything breaks, you can use the Shield in the urlbar

[ghost]

trackingprotection is required for dFPI

That's me told then. I was under the impression that dFPI was just the cookiebehavior pref, not the broader tracking protection ones as well.

[Thorin-Oakenpants]

I could be wrong, fuck knows :) Arthurs statement suggests otherwise

There's much more in ETP Strict than just TCP! :) Most importantly: blocking tracking scripts

But the FF article says

SmartBlock will silently stand in for a number of common scripts classified as trackers on the Disconnect Tracking Protection List

Now that doesn't mean that TP must be on for the list to be used. It will be interesting to see what the rollout to TCP actually does

---

Once the rollout is done, and everyone is on TCP, then we can maybe look at supporting custom: but initially to keep it simple, I am only going to move forward with Strict Mode - just like in the past we only had one FPI

[SkewedZeppelin]

re: 8cdb30c

something somewhere appears to always set to standard on first launch, even on plain vanilla firefox
it doesn't impact arkenfox, because to install arkenfox the profile already exists, just prevents actually setting strict by defaults like I am.

to have strict persist seems all of these prefs must be default:
https://searchfox.org/mozilla-central/source/browser/components/BrowserGlue.jsm#4531

on topic:
I'm happy for this switch, just am concerned that it is more fragile.

also for documentation purposes:
dFPI isn't available on Fenix from what I can tell.
I'll be keeping FPI on in Mull, and switching to dFPI in my Brace (for its 0 users).

[Thorin-Oakenpants]

musical chairs .. i'm moving it back :)

[Thorin-Oakenpants]

I added

/* 6009: enforce SmartBlock shims [FF81+]
 * In FF96+ these are listed in about:compat
 * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/
user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true]

the link perfectly describes how it provides "local stand-ins for blocked third-party tracking scripts" and mentions nothing about the relaxing of dFPI for cross-domain logins. So I'm happy with that

---

but not sure how to word this though

/* 2702: disable SmartBlock heuristics [FF93+] <- need something better
 * heuristics something user-initiated something SSOs / cross-domain logins
 * relaxes state partitioning for that site
 * it is session only?
 * [SETUP-HARDEN] blah blah what do I say in here
 * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/ ***/
   // user_pref("privacy.antitracking.enableWebcompat", false);

• https://bugzilla.mozilla.org/show_bug.cgi?id=1683165
• https://phabricator.services.mozilla.com/D123614

  • Controls the anti-tracking webcompat features. This includes:

    • All URL-Classifier and state partitioning skip lists (prefs and remote settings)
    • Storage access heuristics (opener, redirect, etc.)
    • StorageAccessAPI automatic grants (skips the prompt)
    • Allowing specific tracking channels on user opt-in (e.g. facebook login shim).

[ghost]

Assuming I understand the pref correctly, maybe under SETUP-HARDEN you could say something like "Setting this to false ensures explicit user approval is required before Firefox relaxes its tracking protections for better site functionality?"

[Thorin-Oakenpants]

Assuming I understand the pref correctly, when false it stops the ability to relax 1st party isolation, not stick it behind user gestures (which is what it is behind by default)

[ghost]

I'm mostly just going off of this bit from the first comment in the Bugzilla link:

This is great for most users, but there are certainly powerusers that would prefer Firefox to never unblock tracking without their explicit approval. It would be great to give these users a checkbox

Looking at it again though, I'm starting to think I misunderstood it. (Why does this have to be so confusing?)

[Thorin-Oakenpants]

Why does this have to be so confusing

Until this week I have never bothered to dig into it, because we were on FPI and had plenty of time for it to mature etc. I don't think it's that confusing - we just need to read it. I shall DIG like a grave robber - but any help is welcome :)

My gut instinct when I first saw the issues, was that they don't want a full TCP off switch - there are already ways to do that - ETP custom, and privacy.antitracking.enableWebcompat - the webcompat part indicates at least to me that it's for loosening dFPI for SSOs (hence web compat) - but for all I know webcompat is the whole kit and caboodle

Here is a ticket

• OPEN: 1728110 Add a checkbox to ETP Custom that allows users to disable all automated webcompat heuristics
• it says

  • The pref changes landed in Bug 1683165. This bug is concerned with the UI portion, the checkbox in about:preferences.

• 1683165
  • gives us privacy.antitracking.enableWebcompat
  • Add a pref that allows users to disable all automated anti-tracking webcompat heuristics and skiplists

so both, to me, say webcompat, heuristics, and the last says "skiplists" - what exactly are skiplists?

There's also a ticket for dev tools

• OPEN 1742841 Add the ability to toggle 'privacy.antitracking.enableWebcompat' in the devtools

• which allows developers to toggle web compatibility features of ETP off

But I could be wrong. I guess it's a case of lots of reading and seeing what tests they have written

---

• https://bugzilla.mozilla.org/show_bug.cgi?id=1683165
• https://phabricator.services.mozilla.com/D123614

  • Controls the anti-tracking webcompat features. This includes:

    • All URL-Classifier and state partitioning skip lists (prefs and remote settings)
    • Storage access heuristics (opener, redirect, etc.)
    • StorageAccessAPI automatic grants (skips the prompt)
    • Allowing specific tracking channels on user opt-in (e.g. facebook login shim).

It's all a bit ambiguous - does it skip the item and allow it, or skip the item and block it. So fucked if I know at this point. I'm probably wrong - hardening would the least of their worries

[Thorin-Oakenpants]

https://phabricator.services.mozilla.com/D123663 - abandonned patch

etp-webcompat-info-description = To improve web compatibility, Enhanced Tracking Protection makes automated exceptions for certain websites and features. Disabling this option is not recommended, as it can cause websites to break.

that was the intent - to harden. which is what we want. There's a ticket somewhere about tightening up user-initiated stuff, and I suspect skiplists and automatic grants and storage etc are things allowed to unbreak websites - because they haven't added enough shims (e.g. login at FB).

So I read everything so far as being hardening. I mean the pref for disabling skiplists, which was marked as a duplicate for our webcompat pref, was for testing, but now I read that both ways

[reisig7]

Thank you for making Arkenfox. I have some comments:

(I think strict pb mode are always identical)

No, ETP custom settings are also applied in Private Browsing mode (FF95):
(The website says: must enable cookies to use it.)

---

trackingprotection is required for dFPI

That's me told then. I was under the impression that dFPI was just the cookiebehavior pref, not the broader tracking protection ones as well.

That is correct IMO, the setting: Blocking Cross-site cookies = Total Cookie Protection (TCP).
(ETP Standard and Strict seem to be only shortcuts to a specific configuration of ETP custom, to make tracking protection easier for beginners. But Mozilla communicates this unclearly.)

---

AF is going strict: there is no point pissing around with custom IMO

Ok, but this change (custom->strict) means a protection downgrade from AF95 (Blocking 3rd-party cookies) to AF96 (Allowing 3rd-party cookies with TCP).
To keep the same level of protection as AF95 in my understanding only this change would actually be necessary:

• user_pref("privacy.firstparty.isolate", false);
  (Because Network Partitioning is Enabled by default for all users since Firefox 85.)¹

• [SECTION 2700]: PERSISTENT STORAGE can stay similar to AF95. That way all 3rd-party cookies etc are blocked as before. And allowing 3rd-party cookies with Total Cookie Protection is optional if you need it.

IMO the AF95 defaults are better, because I never need 3rd-party cookies.

[Thorin-Oakenpants]

tl;dr

⭐ AF is not supporting FPI anymore: DON'T TOUCH

user.js/user.js

Lines 1101 to 1104 in 7016c20

	/* 6008: enforce no First Party Isolation [FF51+]
	* [WARNING] Replaced with network partitioning (FF85+) and TCP (2701),
	* and enabling FPI disables those. FPI is no longer maintained ***/
	user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false]

⭐ AF is not supporting anything outside ETP Strict: DON'T BOTHER

user.js/user.js

Lines 1207 to 1215 in 7016c20

	/* 7016: customize ETP settings
	* [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/
	// user_pref("network.cookie.cookieBehavior", 5);
	// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
	// user_pref("privacy.partition.network_state.ocsp_cache", true);
	// user_pref("privacy.trackingprotection.enabled", true);
	// user_pref("privacy.trackingprotection.socialtracking.enabled", true);
	// user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
	// user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]

---

ETP custom settings are also applied in Private Browsing mode

⭐ IDCare - AF is using Strict, and PB Mode by default uses Strict

notes

• these are the strict features: browser.contentblocking.features.strict
  • currently tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,rp,ocsp
• and there are a bunch of prefs and pbmode prefs and note the pb specific parts of that string

its not 100% but normally a non-pbmode pref overrides but only when it makes it more strict

example

• user_pref("security.insecure_connection_icon.enabled", false);
• user_pref("security.insecure_connection_icon.pbmode.enabled", true);
• ^ here pbmode will show an insecure icon

example

• user_pref("security.insecure_connection_icon.enabled", true);
• user_pref("security.insecure_connection_icon.pbmode.enabled", false);
• ^ here pbmode will show an insecure icon

ETP is more complex, but I doubt they downgrade anything in PB Mode just because a user changes some UI settings

trackingprotection is required for dFPI

⭐ IDK and IDCare anymore: - AF is using Strict

notes

• I initially thought the dFPI rollout to mean users would be moved to "Strict", well standard but with a couple of changes, such as lvl blocking, referrer, etc = less breakage
• I thought the TP lists were required/used as part of dFPI but...
  • then Arthur (previously Tor Project and then 3 years at Mozilla working on this - but has recently left Mozilla) said:

  • There's much more in ETP Strict than just TCP! :) Most importantly: blocking tracking scripts

• so I guess not

To keep the same level of protection as AF95

⭐ Just don't! This is a false dicotomy

We could just as easily use FPI and allow all cookies as well. No difference. The creation of site data does not negate FPI/dFPI. Protection is still the same - isolation has not changed. Who cares about 3rd parties when they are isolated. So what if they create a 3rd party cookie - it's no worse than a first party cookie

notes

• you're advocating turning off both FPI and dFPI and relying on your habits/usage
  • yes, network partitioning is still enabled

  • because I never need 3rd-party cookies.

    • anecdotal

[gitthehubs]

@Thorin-Oakenpants

trackingprotection is required for dFPI

@Nallua

That's me told then. I was under the impression that dFPI was just the cookiebehavior pref, not the broader tracking protection ones as well.

What do you exactly mean Thorin? There is Enhanced Tracking Protection(ETP) and one of the options within ETP is 'Tracking content' which can be turned on or off in ETP. When you talk about tracking protection, do you mean ETP of just the 'Tracking content' option?

dFPI is a name for State Partitioning which is called Total Cookie Protection(TCP) in Firefox and because of this partitioning you get some tracking protection in general, but I don't read anything about the required 'trackingprotection' you mentioned?
Introducing State Partitioning
https://hacks.mozilla.org/2021/02/introducing-state-partitioning/
State Partitioning
https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning

Why is tracking protection required?

[Thorin-Oakenpants]

#1051 (comment)

trackingprotection is required for dFPI

⭐ IDK and IDCare anymore: - AF is using Strict

and subsequent notes about that

[gitthehubs]

@Thorin-Oakenpants

I'm just trying to figure it out, I understand you will not bother because you will use strict anyway. I prefer not to use the strict setting because of the 'Tracking content' option, I prefer to use and trust my own ad-blocker. And besides that, 'Tracking content' breaks things that are supposed to be fixed again with SmartBlock, which even insert new privacy friendly scripts. I have my doubts about this solution and besides this all I never had problems with uBlock Origin. So I prefer not to use the 'Tracking content' option in ETP and I have to chooce the custom ETP setting. But apparently ETP strict does more than just the 4 checkboxes you can select in custom mode.

I have seen your comments, for example:

these are the strict features: browser.contentblocking.features.strict
currently tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,rp,ocsp

I searched on this pref for some explanation and maybe how to set them manually.

https://bugzilla.mozilla.org/show_bug.cgi?id=1529517

Where "tpPrivate" etc. are magic strings that we internally map to the pref names and some other meta data and UI info like strings.

Or: https://wiki.mozilla.org/Firefox/Meeting/9-Apr-2019#Privacy.2FSecurity
which links to https://searchfox.org/mozilla-central/rev/6db0a6a56653355fcbb25c4fa79c6e7ffc6f88e9/browser/app/profile/firefox.js#1573

// Possible values for browser.contentblocking.features.* prefs:
// Tracking Protection:
// "tp": tracking protection enabled
// "-tp": tracking protection disabled
// Tracking Protection in private windows:
// "tpPrivate": tracking protection in private windows enabled
// "-tpPrivate": tracking protection in private windows disabled
// Fingerprinting:
// "fp": fingerprinting blocking enabled
// "-fp": fingerprinting blocking disabled
// Cryptomining:
// "cm": cryptomining blocking enabled
// "-cm": cryptomining blocking disabled
// Cookie behavior:
// "cookieBehavior0": cookie behaviour BEHAVIOR_ACCEPT
// "cookieBehavior1": cookie behaviour BEHAVIOR_REJECT_FOREIGN
// "cookieBehavior2": cookie behaviour BEHAVIOR_REJECT
// "cookieBehavior3": cookie behaviour BEHAVIOR_LIMIT_FOREIGN
// "cookieBehavior4": cookie behaviour BEHAVIOR_REJECT_TRACKER
// One value from each section must be included in each browser.contentblocking.features.* pref.
pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior4,-cm,-fp");

Obviously some old code.. no idea where to find something newer, so I have to figure out wat stp,lvl2,rp,ocsp means and how to set them manually. :)

[Thorin-Oakenpants]

I understand you will not bother

No you don't understand because just asked me

I am not interested
I cannot be expected to know everything
I cannot be expected to have the time to investigate everything

Since it's practically just me (and E providing diffs), then I get to decide what the fuck I do. I will only support ETP Strict