-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
discussion: switch to session cookies (lifetime pref) #1256
Comments
FWIW I used to override |
I don't follow ... uBO doesn't remove cookies, can you explain what you mean by |
By scriptlet which sets cookie expiration time to past date - https://github.com/gorhill/uBlock/wiki/Resources-Library#cookie-removerjs- |
OK, so what is the use case for |
IMHO we should leave |
@Thorin-Oakenpants can be used to remove "adblock_detected" cookies, for example. |
This, and I think some filter lists also use it to bypass article limit on some websites? But yeah the latter is probably partially mitigated by using containers. |
does |
It should work everywhere, because it works like page script. |
That might be so, but doesn't [edit: defintively] answer my question :-( |
Just thought I should note this, from memory: but my understanding of what mozilla plan to do is currently
mozilla plans
the issue
so in hindsight
I have no idea how long before Mozilla get around to this, meanwhile, users have the override recipe, and eventually mozilla will migrate them off it and arkenfox will update the info in the section header about cookies - could be a year for all I know Closing. Thanks for the insight on uBO too |
^ just to be clear, I want arkenfox to be as usable as possible, I want users to be able to retain some cookies, |
we are switching to cookie lifetime as session: sorry about your anecdotal |
There is an override recipe
🔻 overview
cookies + site data are not the problem, it is that they can be linked/re-used. cross-site linking is moot with FPI/dFPI (and network partitioning if using dFPI)
The issue is sites re-using their eTLD+1 site data: there are two types here
🔻 lifetime
Use cookie lifetime = 2 (which makes them session-cookies) and don't sanitize cookies on close. This is fine, even if lifetime is going to be deprecated, before Mozilla do that, they will still hook in some sort of ability to have a default keep-nothing with
allow
site data exceptions to be kept - but I do not know if that means keeping cookies as session by default, or storing them in a separate jar?🔻 sanitizing
Sanitizing on close is still critical. "Cookies & Site Data" doesn't clear "everything" - it's a bit problematic in how you define what is part of history/downloads vs site data vs other (cache/certs etc) vs internals (site exceptions etc)
arkenfox would
allow
mean users keep their loginsofflineApps
,cache
etcthis makes clearing "site data" robust AF
🔻 service workers
There is what I would call a bonus here, and that is that session-cookies blocks shared and service workers. We should also allow service workers
2302
by default (i.e just make it inactive).FWIW, this actually removes another point of difference in FPing, as the API state is easily detected (via navigator properties), but this is not why I suggest making it inactive. After the API check, whether or not shared or service workers actually work is not a stable FP metric IMO
So by default, shared and service workers are blocked (because cookies are default session-only), and if a site requires e.g. service workers, it's and easy fix to allow the cookie
My only concern here is if service workers are properly isolated under FPI (there are questions but no-one has had time to follow up given this is for Tor browser, which uses PB mode so not high priority), but given the default is they can't run, and allowed exceptions would be minimal, I do not see an issue. Plus we will be moving to dFPI eventually (maybe in three or four releases)
🔺 impact
I actually block all cookies by default: and
allow
four sites for logins, andallow for session
on another dozen so they work. This is not sustainable, as eventually when we move to dFPI, all cookies+sitedate (except known trackers) are allowed. Before anyone asks, cookie permissions are not a stable metric in fingerprints.we would flip the override recipe to "keep no cookies + site data on close"
overall, I see this as reducing breakage and maintenance
class, discuss!
The text was updated successfully, but these errors were encountered: