Cross-site cookies still allowed despite ETP #1449

Closed
ghost opened this issue May 17, 2022 · 23 comments
@ghost

ghost commented May 17, 2022

Hi,
I started using Arkenfox a while back with a new profile, so a clean slate in terms of permissions. I have made overrides, but nothing relating to cookies. Given this, I assume my browser's behaviour regarding cookies directly derives from the user.js.
As expected, Enhanced Tracking Protection is set to strict, which should block all cross-site cookies.
Despite this, I noticed that, on some websites, some cross-site cookies are actually approved -- with permissions that I clearly did not give. For instance, duckduckgo.com authorises cross-site cookies for support.apple.com (see attached image). In some cases, the "third party" website indicated in the permission window is the same as the website I'm on -- which means it should not be considered cross-site, and yet it is labelled as such.
Is this normal? Am I missing something?
Dan

🟪 REQUIRED INFO

  • Browser version & OS: Firefox 101 (beta), macOS 12
  • Steps to Reproduce (STR): go to duckduckgo.com (also applicable to other specific websites, such as github), click on the "permissions" icon left of the URL
  • Expected result: cross-site cookies should never be allowed
  • Actual result: in specific websites, cross-site cookies are allowed
  • Console errors and warnings: nothing relevant, as far as I can see
  • Anything else you deem worth mentioning: nope

[Screenshot 2022-05-17 at 13:42:51]

@IkelAtomig

Duplicate of #1448

@ghost
Author

ghost commented May 17, 2022

Well spotted, @EdwardLangdon. So the conclusion is..... deny/revoke access manually until changes are made in FF102 (as per @Thorin-Oakenpants comments in #1441)?

@rusty-snake
Contributor

rusty-snake commented May 17, 2022

user.js/user.js

Lines 773 to 779 in ea139e3

/* 2702: disable ETP web compat features [FF93+]
* [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants
* Opener Heuristics are granted for 30 days and Redirect Heuristics for 15 minutes, see [3]
* [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/
* [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12
* [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
// user_pref("privacy.antitracking.enableWebcompat", false);

#1355

@IkelAtomig

I am still not clear about the discussion, need to look later. rusty-snake, can you explain?

@rusty-snake
Contributor

Everything is working as intended.

Webcompat is enabled by default because pants wants this/less breakage for users/less unnecessary reports about broken sites.

@ghost
Author

ghost commented May 17, 2022

Not sure I'm well versed enough. But what would it take for these cross-site permissions to be requested instead of just accepted (in the cases where they are accepted)?

@rusty-snake
Contributor

If you want a request dialog like for geolocation, you need to open a ticket in Mozilla's bugtracker.

@privacyguy123

privacyguy123 commented May 17, 2022

Everything is working as intended.

Webcompat is enabled by default because pants wants this/less breakage for users/less unnecessary reports about broken sites.

So far all of these websites are working as intended with this option off - begs the question what is it "fixing" by allowing cross site cookies by default?

@Thorin-Oakenpants
Contributor

Duplicate of #1448

Not a duplicate if user hasn't added a site exception for ETP or sanitizing

deny/revoke access manually until changes are made in FF102

  • what 102 change? If you mean when we move off lifetime cookie pref, that has nothing to do with this or 1448
  • revoking manually means you're just undoing your exceptions (if you added one, e.g. 1448)

My understanding was that nothing is allowed unless user initiated. And we allow compat because without it you can't use the d in dFPI or benefit from the shims

includes skip lists, heuristics (SmartBlock) and automatic grants

I did try, from memory, to work out what automatic grants were, IDK, so much F shit for me to always answer and read and learn about

@ghost
Author

ghost commented May 18, 2022

Indeed, no exceptions had been made for the websites where these cross-site cookies are found to be allowed.

From a link in the discussion of #1448, I see the following (taken from FF Help website):

While cross-site cookies from trackers are blocked in Firefox by default, a site may signal to the browser that it needs to use them for important functionality. In this case, Firefox will allow a third-party website to use cross-site cookies the first five times (or up to 1% of the number of unique sites you visit in a session, whichever is larger) without prompting you.

If I get this right, then this whole thing is not a bug, but just the very design of dFPI and there isn't much one can do, apart from ditching dFPI entirely. Is that right?

I guess it just feels like the heuristics work in mysterious ways, as I remain quite unsure as to how/why Duckduckgo needs to connect to Apple support for an important functionality...

@fxbrit
Collaborator

fxbrit commented May 18, 2022

how/why Duckduckgo needs to connect to Apple support for an important functionality...

for the record I couldn't reproduce this, even uBO shows no Apple script or anything.

@cryptocat8

This thing even happens when I use Startpage Anonymous View (sometimes)

@ElectricityMachine

Just wanted to confirm this as well, it's happened to me, albeit with a different website. I have a cookie exception for DuckDuckGo for settings, but it still happens when I remove the exception, save changes, and restart. I confirmed that cookies were removed since the theme went from dark to light in DDG. I don't really know how to reproduce this reliably, but will try in another profile.

Before removing exception:
[screenshot]

After removing exception:
[screenshot]

@Thorin-Oakenpants
Contributor

I have a cookie exception for DuckDuckGo

so duplicate of #1448

Here's my FF with no cookie exception
[screenshot: trackers]

@remyabel2

FWIW I run into this issue even though I don't have a cookie exception for duckduckgo. The sites listed seem to be sites I have visited from search results and it doesn't happen consistently, I notice it randomly and have to clear the permissions every time.

@remyabel2

[Screenshot from 2022-08-11 14:41:26]

Here is an example after I visited a reddit domain. I don't have cookie exceptions for either.

@rusty-snake
Contributor

I cannot reproduce this yet with my config, but I did see it on other devices.
Where does the "Learn more" link bring you? What does it talk about?

To recall, there are Opener Heuristics.

If you click on the `a` tag, it is a link

[Screenshot from 2022-08-11 20:48:39]

but if you click on the `article` tag the "link" is implemented via onclick, possibly using some API that triggers Opener Heuristics under some conditions (IDK which, but FF sometimes shows a blocked pop-up banner on DDG when clicking on search results, maybe these are the same. Maybe timing?)

[Screenshot from 2022-08-11 20:47:43]
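A practical way to see which automatic grants the heuristics have handed out, and to tell a 30-day opener grant from a 15-minute redirect grant, is to read them straight out of the profile's permissions.sqlite rather than clicking through the permissions panel per site. The script below is an added example written for this thread; it is not arkenfox or Firefox code. It assumes Firefox records storage-access grants in the moz_perms table with the columns origin, type, permission, expireType, expireTime and modificationTime, that the grant type is "3rdPartyStorage^<third-party origin>", that permission 1 means allow and expireType 2 means time-limited, and that times are milliseconds since the epoch; the grant durations it classifies by are the 30 days and 15 minutes quoted from the MDN state-partitioning page in user.js pref 2702. The sample database is constructed inline so the script runs offline.

```python
"""Audit Firefox third-party storage-access grants in permissions.sqlite.

Added example for this thread (not arkenfox or Firefox code). Assumed schema:
moz_perms(origin, type, permission, expireType, expireTime, modificationTime),
grant type "3rdPartyStorage^<origin>", permission 1 = allow, expireType 2 =
time-limited, times in ms since the epoch. Sample data below is constructed.
"""
import os
import sqlite3
import tempfile

DAY_MS = 24 * 60 * 60 * 1000
MIN_MS = 60 * 1000
ALLOW_ACTION = 1   # assumed nsIPermissionManager ALLOW_ACTION
EXPIRE_TIME = 2    # assumed nsIPermissionManager EXPIRE_TIME

# Lifetimes from the MDN page cited in pref 2702: opener 30 days, redirect 15 min.
HEURISTIC_DURATIONS = {
    "opener heuristic (30 days)": 30 * DAY_MS,
    "redirect heuristic (15 minutes)": 15 * MIN_MS,
}


def classify(duration_ms):
    """Best-effort guess of which heuristic produced a grant from its lifetime."""
    for name, expected in HEURISTIC_DURATIONS.items():
        if abs(duration_ms - expected) <= 5 * MIN_MS:
            return name
    return "unknown lifetime"


def list_storage_access_grants(db_path, now_ms):
    """Return active 3rdPartyStorage allow grants, sorted by (first, third) party."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT origin, type, expireType, expireTime, modificationTime "
            "FROM moz_perms WHERE type LIKE '3rdPartyStorage^%' AND permission = ?",
            (ALLOW_ACTION,),
        ).fetchall()
    finally:
        conn.close()
    grants = []
    for origin, ptype, expire_type, expire_time, modified in rows:
        third_party = ptype.split("^", 1)[1]
        timed = expire_type == EXPIRE_TIME
        if timed and expire_time <= now_ms:
            continue  # already expired; nothing to revoke
        grants.append({
            "first_party": origin,
            "third_party": third_party,
            "expires_in_ms": (expire_time - now_ms) if timed else None,
            "likely_source": classify(expire_time - modified) if timed
                             else "no expiry (manual site exception?)",
        })
    grants.sort(key=lambda g: (g["first_party"], g["third_party"]))
    return grants


def build_sample_db(path, now_ms):
    """Constructed permissions.sqlite with three grants; not real profile data."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE moz_perms (
        id INTEGER PRIMARY KEY, origin TEXT, type TEXT, permission INTEGER,
        expireType INTEGER, expireTime INTEGER, modificationTime INTEGER)""")
    rows = [
        # opener heuristic: DDG opened support.apple.com via window.open, 2 days ago
        ("https://duckduckgo.com", "3rdPartyStorage^https://support.apple.com",
         ALLOW_ACTION, EXPIRE_TIME, now_ms + 28 * DAY_MS, now_ms - 2 * DAY_MS),
        # redirect heuristic: 15-minute grant issued 10 minutes ago
        ("https://duckduckgo.com", "3rdPartyStorage^https://www.reddit.com",
         ALLOW_ACTION, EXPIRE_TIME, now_ms + 5 * MIN_MS, now_ms - 10 * MIN_MS),
        # opener grant that expired yesterday: must be skipped
        ("https://github.com", "3rdPartyStorage^https://example.net",
         ALLOW_ACTION, EXPIRE_TIME, now_ms - DAY_MS, now_ms - 31 * DAY_MS),
    ]
    conn.executemany(
        "INSERT INTO moz_perms (origin, type, permission, expireType, expireTime, "
        "modificationTime) VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    conn.close()


def demo():
    """Build the constructed database and audit it at a fixed 'now'."""
    now_ms = 1_660_000_000_000  # fixed so the result is reproducible
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "permissions.sqlite")
        build_sample_db(path, now_ms)
        return list_storage_access_grants(path, now_ms)


if __name__ == "__main__":
    for g in demo():
        left = g["expires_in_ms"]
        left_txt = f"{left // MIN_MS} min" if left is not None else "never"
        print(f"{g['first_party']} -> {g['third_party']}: "
              f"{g['likely_source']}, expires in {left_txt}")
```

To run it against a real profile, point list_storage_access_grants at a copy of permissions.sqlite (on macOS under ~/Library/Application Support/Firefox/Profiles/<profile>/) rather than the live file, since Firefox keeps it locked while running; a grant whose lifetime is neither 30 days nor 15 minutes is worth a second look because it did not come from either heuristic.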

@remyabel2

I cannot reproduce this yet with my config, but I did see it on other devices.

I don't have any overrides regarding cookies/storage/webcompat so no idea why some people can reproduce it and others can't.

Where does the "Learn more" link brings you? What does it talk about?

Yes I linked to it here: #1448 (comment) The reason why it's confusing is because there's theoretically no reason why DDG would need those permissions, especially without exceptions.

but if you click on the article tag the "link" is implemented via onclick possible using some API that triggers Opener Heuristics under some conditions (IDK which but FF sometimes shows a blocked pop-up banner on DDG when clicking on search results, maybe these are the same. Maybe timing?)

This is good information. I can only reproduce it on DDG as far as I can tell, so I have no doubt that they are doing something weird. Their privacy policy does mention using local storage and tracking clicks for anonymous analytic purposes, so that may have something to do with it. It may be possible to confirm this by browsing their HTML version of the site for a while and seeing if the problem persists.

@rusty-snake
Contributor

The reason why it's confusing is because there's theoretically no reason why DDG would need those permissions, especially without exceptions.

How should Firefox know this? It uses a heuristic.

A heuristic … is any approach to problem solving … that employs a practical method that is not guaranteed to be optimal, perfect, or rational, but is nevertheless sufficient for reaching an immediate, short-term goal or approximation. Where finding an optimal solution is impossible or impractical, heuristic methods can be used to speed up the process of finding a satisfactory solution.

It does not understand what the code does or needs, it just detects patterns which indicate that it might need these permissions.

I can only reproduce it on DDG as far as I can tell,

I also saw it on other sites but can't remember which. However, if DDG is your primary search engine you use it a lot and open a lot of third-party links from it, so it is expected to see it there more often.

Also it may depend on the code of the site you open? IDK.
If someone wants to look in the implementation of the heuristic, go for it...

@rusty-snake
Contributor

Found some STR:

And indeed it's Opener Heuristics (turning it off breaks this STR).

@ElectricityMachine

I was able to reproduce this every time using the steps by rusty-snake. Are there any downsides to disabling Opener Heuristics?

@rusty-snake
Contributor

Broken SSO login for some services and other potential cross-site authentication problems.
