Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NOTICE: v96 CHANGE YOUR SITE PERMISSIONS [AF disables FPI for ETP Strict] #1281

Closed
Thorin-Oakenpants opened this issue Nov 29, 2021 · 18 comments

Comments

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Nov 29, 2021

In v96 arkenfox will be moving to Total Cookie Protection (also known as dFPI or dynamic FPI)

  • note: which is also the plan for ALL firefox users eventually - 1731713
  • By the end of the rollout program, TCP will be set as default to 100% of users

You can read more about it in #1051 , but essentially FPI is no longer maintained. Also read the next post on how to migrate your permissions etc

To clarify

  • FPI is "everything" (cache, cookies, dns .... etc)
  • the new lot was split into two
    • "network partitioning"
      • all this stuff e.g. DNS, caches, connections, certs, websockets (added later), etc
    • Total Cookie Protection (dFPI)
      • site data (cookies, IDB, QuotaManager items ... etc)

dFPI/network partitioning

  • is more robust
    • such as 3rd party Service Workers are disabled until they partition them
    • such as double keying and (options?) for scheme etc
  • most likely covers a few more things (no-one is sure and no-one cares anymore)
    • such as devtools, view page source, reader view?
    • definitely service workers (see earlier comment)
  • for those that want it, Smart Blocking and heuristics allow cross-domain logins, so it's better from a compat viewpoint
    • as well as the shims which unbreak pages
    • note: there is a pref for disabling this which we will add in v96 (inactive at this stage)
  • works better with Enhanced Cookie Clearing

network partitioning is already enabled by default (when FPI is not used), so this change is focused on Total Cookie Protection


There is already an override recipe for this: which I will repeat here, but it's not as simple as just changing prefs (see next post)

🔻 FF87+ : use ETP Strict mode

/* override recipe: FF87+ use ETP Strict mode ***/
user_pref("privacy.firstparty.isolate", false); // 4001
user_pref("network.cookie.cookieBehavior", 5); // 2701
user_pref("browser.contentblocking.category", "strict"); // 2701
  // user_pref("privacy.trackingprotection.enabled", true); // 2710 user.js default
  // user_pref("privacy.trackingprotection.socialtracking.enabled", true); // 2711 user.js default
@arkenfox arkenfox locked and limited conversation to collaborators Nov 29, 2021
@Thorin-Oakenpants Thorin-Oakenpants pinned this issue Nov 29, 2021
@Thorin-Oakenpants
Copy link
Contributor Author

Thorin-Oakenpants commented Nov 29, 2021

Migrating is not as simple as changing prefs. Permissions for FPI are keyed with OA's (origin attributes) and are incompatible, you can read more in Bugzilla 1649876. Cookies are also keyed.

Here are some screenshots

cookie + site data exceptions

FPI-permissions1

permission exceptions

  • there's also the HTTPS-Only Mode exceptions
  • NOTE: not sure if all permissions are available via the UI
    FPI-permissions2

sqlite permissions

sqlite-permissions

sqlite cookies

sqlite-cookies


Here's how I am migrating

  • I have so little exceptions, that I am going to make a note of them
  • Then sanitize all site preferences and cookies (ctrl-shift-del)
    • ⚠️ make sure you reset site preferences afterwards to unchecked as it is inactive in the user.js
  • Then close Firefox, add the override recipe, restart
  • Then visit my few sites to first add their exception (five for cookies, one for geo, one for https-only) and to login if required

That's it.

Permissions

  • if you want to, instead of wiping all your permissions, you could edit them in the sqlite, while FF is closed by removing the FPI syntax, e.g. https://github.com^firstPartyDomain=github.com becomes https://github.com

Cookies (and site data)

  • I think you are better off deleting them all and creating new ones. IDK if changing the syntax in the sqlite works or may have unforeseen consequences

@arkenfox arkenfox unlocked this conversation Nov 29, 2021
@Thorin-Oakenpants Thorin-Oakenpants changed the title NOTICE: AF will be moving from FPI to dFPI + network-partioning in v96 NOTICE: v96 CHANGE YOUR SITE PERMISSIONS [AF disables FPI for ETP Strict] Dec 11, 2021
@corobin
Copy link

corobin commented Jan 10, 2022

Hi, I have 2 questions relating to this change

1: just to clarify how best to convert from FPI to dFPI

a) what prefs should be removed/reset that was previously set for FPI? what should now be set instead?

b) what is the override recipe is meant to override, is it to make it emulate FPI's old behaviour (being more strict)?

2: firefox also has another "protection" feature, site isolation, that was introduced into stable relatively recently and can be enabled with fission.autostart (which also has its own site exceptions format e.g. https://github.com^firstPartyDomain=(https,github.com))

how does the change in FPI interact with site isolation? do you have any recommendations/comments about this?

thanks!

@Thorin-Oakenpants
Copy link
Contributor Author

what prefs should be removed/reset that was previously set for FPI? what should now be set instead

you update to arkenfox v96 and run prefsCleaner

what is the override recipe is meant to override

it will be obsolete: it was for those who want to flip from FPI to dFPI before updating to arkenfox v96.

it is not to emulate FPI, it is to change FROM fpi to dFPI

meh

you are mixing fission (site isolation = processes) up with state partitioning (network partitioning + Total Cookie Protection (also known as dFPI)

processes vs state

@Panja0
Copy link

Panja0 commented Jan 17, 2022

Is it recommended to use v95 on FF v96(.0.1) or is it better to wait for v96 Arkenfox?

@Thorin-Oakenpants
Copy link
Contributor Author

use the live master which is basically 96 final

@Panja0
Copy link

Panja0 commented Jan 17, 2022

Thanks for the fast answer!

@gwarser
Copy link

gwarser commented Jan 21, 2022

How to add per-container cookie exception?

@Thorin-Oakenpants
Copy link
Contributor Author

use Ctrl-I

@gwarser
Copy link

gwarser commented Jan 21, 2022

I have something set incorrectly or it does not work. Ctrl+i does not seem to be aware about container concept - config set inside container is visible outside. Trying to set exception manually (with ^userContextId=number) in settings is adding two entries:

http://https
https://https

@Thorin-Oakenpants
Copy link
Contributor Author

Ctrl+i does not seem to be aware about container concept

but have containers ever needed a contextid syntax before? I just opened a site in a container and added exceptions for cookies and location, and it just adds things like normal

are you saying that it's not respecting exceptions?

@Thorin-Oakenpants
Copy link
Contributor Author

I have to scoot for now (people to do and things to see) .. but assuming there is an issue, is it in here?

@gwarser
Copy link

gwarser commented Jan 21, 2022

I was using CAD to keep google cookies in "gmail" container and clean them everywhere else. You are recommending to ditch CAD in favor of browser native cleaning. I'm just trying to convert my setup.

@Thorin-Oakenpants
Copy link
Contributor Author

Thorin-Oakenpants commented Jan 21, 2022

OT: https://bugzilla.mozilla.org/show_bug.cgi?id=1681701#c1 - looks like lifetime cookie is close to being nixed

I'm just trying to convert my setup

Are you using MAC, because that can cause differences in testing - not saying that is the case here, but something to keep in mind. If it's a cross-domain login you probably need to add both domains AFAIK

This is a bit "messy": containers and a cross-domain login flow with dFPI. Can we start with something simple like github and some steps to reproduce

  • e.g. I have github set to keep cookies. So if I close this window and then open it in a container what happens
  • answer: i am logged out - because it is a difference Origin Attribute and I've never logged in on it before
    • ^^ SO I LOGGED IN

interesting: is there a bugzilla on this?

restarted

  • normal tab: github logged in auto on existing cookie
  • container tab: github logged in auto on existing cookie

I still only have the one https://github.com entry in exceptions

Here's my cookies: two sets
worksforme

@Thorin-Oakenpants
Copy link
Contributor Author

so contextID syntax is not needed - I think your problem is you need to add both domains: gmail and google

@gwarser
Copy link

gwarser commented Jan 21, 2022

So what if I want keep cookies for personal GitHub account in container and clear them for other/test accounts without container?

@Thorin-Oakenpants
Copy link
Contributor Author

How did you before? You couldn't - it was only because we used FPI which required syntax so it was not the same key. This is clearly a long standing limitation of containers and sanitizing. Must be a bugzilla floating around somewhere

In the meantime, if you're going to be doing that (multiple accounts/testing/other containers/no-container) where you want to keep one and delete all the rest, then you'll need to work around it, probably with an extension. IDK what's out there since I never use these, but I'm guessing you can still use delete cookies and site data on close (currently cookie behavior pref), add exceptions to keep (e.g. github) and then in TC or CAD just add rules for github to suit?

@Thorin-Oakenpants
Copy link
Contributor Author

Did you solve your issue with gmail?

@gwarser
Copy link

gwarser commented Jan 21, 2022

By reinstalling CAD.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

5 participants
@gwarser @Panja0 @corobin @Thorin-Oakenpants and others