How do I block all cross-site cookies and close the "first 5 times" vulnerability?
I was surprised today to visit a site and notice the "permissions" icon appear at the left of the address bar, showing me that cross-site cookies were allowed for this site. I have Enhanced Tracking Protection set to "Strict", so obviously this was a worrying thing to happen.
Looking into it a bit further, it seems Firefox provides a backdoor for cross-site cookies: https://support.mozilla.org/en-US/kb/third-party-trackers?as=u&utm_source=inproduct#w_managing-cross-site-cookies
- "While cross-site cookies from trackers are blocked in Firefox by default, a site may signal to the browser that it needs to use them for important functionality. In this case, Firefox will allow a third-party website to use cross-site cookies the first five times (or up to 1% of the number of unique sites you visit in a session, whichever is larger) without prompting you. After that, Firefox will prompt you to block these cookies. Without your consent, Firefox blocks these cookies from that point because a site requesting access that many times may be a tracker."
This is most definitely not what I want!
I want every cross-site cookie to be blocked by default, unless and until I explicitly approve it. Is there an about:config preference I can set to achieve this?
Modified by pg_78
Chosen solution
This is about the auto-grant feature that is aimed at preventing to show the user too many requests to grant permission to allow essential cross-site cookies. Auto-grant automatically allows 5 requests during the current session or for 24 hours. The auto-grant feature for ETP is part of some features controlled by the Webcompat pref. You can possibly set privacy.antitracking.enableWebcompat = false on the about:config page to disable auto-grant to see how this works out for you.
There is a bug on file to add controlling this feature to the ETP Custom settings, but this is currently on hold.
- 1728110 - Add a checkbox to ETP Custom that allows users to disable all automated webcompat heuristics
(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)
All Replies (6)
Thanks for the links: I'm pretty aware of the details of how cookies work in general.
Dropa said
Cookies are all or none and blocking cookies will prevent sites from loading and stop sites from letting you access their site.
Respectfully, in my view cookies aren't exactly "all or none". I'm broadly OK with first-party cookies but I consider almost 100% of cross-site cookies to be an unacceptable violation of privacy.
So my question here is narrowly focused. Is it possible to require every cross-site cookie to be specifically authorised by me, and prevent sites from exploiting this "first five times" loophole?
Just above the part which you cited in the kb article - "Firefox’s Enhanced Tracking Protection block cookies from cross-site trackers and, in Strict Mode, isolate cookies from all other third parties. This helps prevent your browsing activity on one website from being visible to other websites."
There are other levels of ETP. I use the Custom level with all third party cookies blocked in all windows. The "Are Third-Party Cookies enabled?" test at WhatIsMyBrowser returns a very large NO
RobertJ said
There are other levels of ETP. I use the Custom level with all third party cookies blocked in all windows. The "Are Third-Party Cookies enabled?" test at WhatIsMyBrowser returns a very large NO
Thanks for your answer. Actually, I had tried out those custom settings, but it doesn't seem to close this loophole.
Steps to reproduce:
1. Set "Custom" level of ETP, and set the blocking level for "Cookies" to "All third-party cookies".
2. In a new Private Window, go to https://www.neeva.com
3. The "permission slider" appears in the address bar to the left of the URL. Mousing over it displays a tooltip "You have granted this web site additional permissions", and clicking on it shows that it's specifically cross-site cookies that have been enabled for this site.
Desired behaviour: at step 3, Firefox should not allow cross-site cookies without me creating an explicit exemption for that site.
I don't get a step 3. At all. Of course, I'm using a "test" Profile with nothing in it. Do you have any site information (cookies, etc...) for Neeva stored in your "normal" window before you switch to Private?
Chosen Solution
This is about the auto-grant feature that is aimed at preventing to show the user too many requests to grant permission to allow essential cross-site cookies. Auto-grant automatically allows 5 requests during the current session or for 24 hours. The auto-grant feature for ETP is part of some features controlled by the Webcompat pref. You can possibly set privacy.antitracking.enableWebcompat = false on the about:config page to disable auto-grant to see how this works out for you.
There is a bug on file to add controlling this feature to the ETP Custom settings, but this is currently on hold.
- 1728110 - Add a checkbox to ETP Custom that allows users to disable all automated webcompat heuristics
(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)
Modified by cor-el
@RobertJ: something a bit odd is going on here. I also couldn't reproduce in a completely clean profile. When I went through a couple of iterations of clearing all data for that site in my "regular" profile and visited the site, I got inconsistent results: sometimes cross-site cookie permissions were automatically granted, sometimes they weren't. (I checked in the "Exceptions" to Enhanced Tracking Protection and neeva.com was not there: nor were any of its permissions changed away from the default.)
@cor-el: thanks for the helpful information, I'll cross my fingers tight and try that preference. The bug helps make the history clearer, even if it's not to my liking.
Modified by pg_78