Intent-To-Unship: cookieBehavior LIMIT_FOREIGN (3) and REJECT_TRACKER (4)


Manuel Bucher

2:50 AM (7 hours ago)
to firef...@mozilla.org, dev-pl...@mozilla.org, privac...@mozilla.org

We intend to remove support for two legacy cookie behaviors in Firefox:

  • cookieBehavior=3 (BEHAVIOR_LIMIT_FOREIGN): Allows third-party cookies only if the eTLD+1 already has at least one cookie set in a first-party context. Replacement: cookieBehavior=1 (BEHAVIOR_REJECT_FOREIGN), combined with setting cookie permissions for sites that need third-party cookie access.
  • cookieBehavior=4 (BEHAVIOR_REJECT_TRACKER): Blocks cookies from domains classified as trackers. Replacement: cookieBehavior=5 (BEHAVIOR_PARTITION_FOREIGN) for most users (see FPI note below).

Modes 3 and 4 predate cookie partitioning and have two fundamental weaknesses:

  • Neither mode partitions cookies, enabling cross-site tracking.
  • Mode 4 depends entirely on tracker classification lists.

Firefox's default cookieBehavior is 5 (BEHAVIOR_PARTITION_FOREIGN), also known as Total Cookie Protection (TCP) or dynamic First-Party Isolation (dFPI). Mode 5 directly supersedes mode 4.

Prefs: network.cookie.cookieBehavior and network.cookie.cookieBehavior.pbmode

Relation to FPI: First-Party Isolation (unsupported in Firefox, enabled via privacy.firstparty.isolate) is one current use case for cookieBehavior=4. FPI is incompatible with dFPI (cookieBehavior=5). The replacement for FPI users is cookieBehavior=1 (BEHAVIOR_REJECT_FOREIGN), which matches the behavior of Tor Browser, or cookieBehavior=0 (BEHAVIOR_ALLOW) to match the current third-party cookie behavior of mode 4 for non-tracker sites.

Usage (release channel): modes 3 and 4 together cover ~1.3% of users. Mode 4 accounts for 1.229%, mode 3 for 0.070% while mode 5 accounts for 98.1%.

The unshipping plan has multiple stages:

  • Fx153: Hide the deprecated cookie behaviors from settings if currently not enabled (Bug 2040361, Bug 2043563).
  • Future (Bug 2039953), uncertain target date, not before Fx155 to allow concerns to be raised: Remove cookieBehavior 3 and 4 from the code and migrate remaining users to appropriate replacements. This will also affect the extensions API (Bug 2040431).
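
An audit sketch for the migration described in the message above, added here as an example; it is not part of the original post or of Firefox's code. It assumes the `user_pref("name", value);` line format of a profile's `prefs.js`, and the function names `parse_prefs` and `audit` are hypothetical. It flags the two deprecated modes in both prefs and reports the replacement the post names, taking `privacy.firstparty.isolate` into account.

```python
import re

# Matches lines such as: user_pref("network.cookie.cookieBehavior", 4);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
COOKIE_PREFS = ("network.cookie.cookieBehavior",
                "network.cookie.cookieBehavior.pbmode")
FPI_PREF = "privacy.firstparty.isolate"

def parse_prefs(text):
    """Return {pref name: raw value string}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def audit(text):
    """Return (pref, current mode, replacement advice) for each deprecated setting."""
    prefs = parse_prefs(text)
    fpi = prefs.get(FPI_PREF) == "true"
    findings = []
    for name in COOKIE_PREFS:
        raw = prefs.get(name)
        if raw is None or not raw.isdigit():
            continue  # pref absent from the file, or not an integer
        mode = int(raw)
        if mode == 3:
            findings.append((name, 3, "1 (BEHAVIOR_REJECT_FOREIGN) plus cookie "
                             "permissions for sites that need third-party cookies"))
        elif mode == 4 and fpi:
            findings.append((name, 4, "1 (BEHAVIOR_REJECT_FOREIGN), or 0 "
                             "(BEHAVIOR_ALLOW); 5 is incompatible with FPI"))
        elif mode == 4:
            findings.append((name, 4, "5 (BEHAVIOR_PARTITION_FOREIGN)"))
    return findings

# Constructed sample prefs.js content, not taken from a real profile.
SAMPLE = '''\
user_pref("browser.startup.page", 3);
user_pref("network.cookie.cookieBehavior", 4);
user_pref("network.cookie.cookieBehavior.pbmode", 3);
user_pref("privacy.firstparty.isolate", true);
'''

if __name__ == "__main__":
    for pref, mode, advice in audit(SAMPLE):
        print(f"{pref} = {mode}: replace with {advice}")
```

A pref that is missing from `prefs.js` is skipped here, so only explicitly stored values of 3 or 4 are reported.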