Limit JS set cookie lifetime to 7 days #3443
Comments
Should we start with 7 days or shorter (like 1 day)?
2nd question - should this be tied to a shield state or be on all the time?
For my two cents, I suggest
Set a limit on cookie expiration (fixes brave/brave-browser#3443)
@fmarier can you provide a test plan for manual QA? If manual QA is not needed, can you please label as
I would suggest following the test plan on brave/brave-core#1905. Let me know if anything on there is unclear.
I can set expiration for half a year with max-age. Is it only a visual bug in cookie expiration column or does it really persist for half a year?
No, that looks like a regression. The "client-side cookies" portion of the test plan on brave/brave-core#1905 now fails. I filed #15048 to track this.
Well, this 7 days expire thing destroys the YouTube wide (theater mode) each week; I need to manually add a cookie to get it working again.
Is there any way to override this behavior and have Brave work like any other browser? This thing prevents me from using the browser as it is due to how annoying it gets to have a bunch of sites lose their settings every 7 days.
Yes, it's very bad to click all cookie banners on 100+ sites each week -.- Also breaks some sites.
Theater mode in YouTube is set via a session cookie (null expiry), cookie lifetime doesn't apply.
Can you mention which cookie banners you're seeing? We should be blocking those anyway @ryanbr
If I set theater mode it makes a cookie, when I restart Brave it's gone, on other browsers like Chrome/Edge it stays.
Screenshot of cookie message, and inspect item?
It is maybe fixed, will come back if not.
Is this why Brave seems to always log me out of webpages, even if I click "remember me"? I've seen a number of posts about this issue around the web, but so far no one seems to be mentioning Brave changing the cookie lifetime.
Yes, but depends if the cookie is set to "auto reset 7 days" when you visit that page, I heard of
A page can set a cookie to expire in 30 seconds, 2 hours, days, "never", or "when the browser closes". The developer decides based on what they think is best for the user. Now, cookies can be set in the HTTP response or by JavaScript on the page. If I understand correctly, Brave is capping the expiration sent via JavaScript to 7 days, regardless of whether the developer thought that a longer expiration date is safe and needed. Many sites use JavaScript to set user preferences and other data. This explains why you may need to re-login or reset preferences after a week or so on those sites when using Brave. Apparently this expiration is to improve resilience against trackers which realized that they could circumvent cookie blockers by sending them via JavaScript. The problem (IMHO) is that, by doing so, Brave is crossing a dangerous line, the one that separates security/privacy from deteriorated user experience, without giving people a way to opt out. Notice that Brave is not doing anything wrong per se. As far as standards are concerned, a browser is free to expire cookies earlier than indicated by the page as it sees fit, bearing in mind that this could affect user experiences. Lastly, there's #30634, which is a request to have a flag to turn off this behaviour. The request is over a year old with no response from the developers, so a change doesn't seem to be a high priority.
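The lifetime cap discussed in this thread, sketched as an added example (not Brave's code and not part of any comment here): it takes a string as a page would assign it to `document.cookie`, works out the requested expiry, and clamps it to 7 days while leaving session cookies untouched. The function names and the sample cookie strings are constructed for illustration.

```javascript
// Added illustration; not Brave's implementation.
const DAY_MS = 24 * 60 * 60 * 1000;
const CAP_MS = 7 * DAY_MS; // the 7-day limit from the issue title

// Collect the attributes (everything after the first ';') of a
// string assigned to document.cookie, with lower-cased keys.
function parseCookieAttributes(cookieString) {
  const [, ...attrs] = cookieString.split(";");
  const out = {};
  for (const attr of attrs) {
    const idx = attr.indexOf("=");
    const key = (idx === -1 ? attr : attr.slice(0, idx)).trim().toLowerCase();
    const value = idx === -1 ? "" : attr.slice(idx + 1).trim();
    if (key) out[key] = value;
  }
  return out;
}

// Requested expiry in epoch ms, or null for a session cookie.
function requestedExpiry(cookieString, nowMs) {
  const attrs = parseCookieAttributes(cookieString);
  // RFC 6265: Max-Age takes precedence over Expires.
  if (/^-?\d+$/.test(attrs["max-age"] || "")) {
    const seconds = Number(attrs["max-age"]);
    return seconds <= 0 ? 0 : nowMs + seconds * 1000; // <= 0 expires at once
  }
  const t = Date.parse(attrs["expires"] || "");
  return Number.isNaN(t) ? null : t; // missing or unparsable: session cookie
}

// Expiry after applying the cap; session cookies have no expiry to cap.
function cappedExpiry(cookieString, nowMs, capMs = CAP_MS) {
  const requested = requestedExpiry(cookieString, nowMs);
  if (requested === null) return null;
  return Math.min(requested, nowMs + capMs);
}

// Constructed sample inputs, evaluated at a fixed "now".
const NOW = Date.UTC(2019, 1, 1);
const SAMPLES = [
  "pref=wide; max-age=15552000; path=/",             // half a year
  "pref=wide; expires=Fri, 01 Mar 2019 00:00:00 GMT", // 28 days out
  "pref=wide; path=/",                                // session cookie
  "pref=wide; max-age=3600",                          // already under the cap
];
for (const s of SAMPLES) {
  const e = cappedExpiry(s, NOW);
  console.log(s, "->", e === null ? "session" : new Date(e).toISOString());
}
```

Checking the stored expiry for a half-year `max-age` cookie against the capped value is the same comparison the regression report above makes by hand in the cookie expiration column.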
This is so annoying. I have been a Brave user for YEARS and introducing this browser to my friends, but I think this is the limit and I have to give up.
Safari will start doing this soon, so that gives us some good webcompat cover
https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/