Total Cookie Protection has been enabled by default in Firefox 103. Users now have storage partitioning which protects them from third-party tracking. However, Blob URLs remain unpartitioned and hence still put our users at risk because a Blob can be used as a tracking factor.
To close this loophole, we can partition Blob URLs by using the partitioning key (top-level domain). Entailing, the blob URL will be double-keyed, so blob URLs can only be resolved if the top-level domain is the same as the top-level domain where the blob URL was created.
Standard: https://github.com/w3c/FileAPI/issues/153
Bug: Bug 1686111 - [meta] Blob URL partitioning
Platform coverage: All
Preference: privacy.partition.bloburl_per_partition_key
DevTools bug: N/A
Other browsers: Neither Safari nor Chrome partition Blob URLs. Brave does partition Blob URLs.
Web-platform-tests: N/A
--
Abhishek Madan
Mozilla
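
The double-keyed lookup described in the message above, as an added JavaScript model that is not part of the original thread and is not Firefox's code. The class, its method names and the example sites are hypothetical, and the partition key is simplified to a top-level site string.

```javascript
// Simplified model of a browser's blob URL store (illustration only).
class BlobUrlStore {
  constructor({ partitioned }) {
    // Models the state of privacy.partition.bloburl_per_partition_key.
    this.partitioned = partitioned;
    this.entries = new Map(); // blob URL -> { blob, partitionKey }
    this.counter = 0;         // stands in for the random UUID a browser generates
  }

  // Models URL.createObjectURL(): record the top-level site of the creating
  // context next to the blob, which is what makes the URL double-keyed.
  create(blob, creatorOrigin, topLevelSite) {
    const id = String(++this.counter).padStart(8, "0");
    const url = `blob:${creatorOrigin}/${id}`;
    this.entries.set(url, { blob, partitionKey: topLevelSite });
    return url;
  }

  // Models resolving `url` from a context whose top-level site is `topLevelSite`.
  // Returns the blob, or null when the URL does not resolve.
  resolve(url, topLevelSite) {
    const entry = this.entries.get(url);
    if (!entry) return null; // unknown URL
    if (this.partitioned && entry.partitionKey !== topLevelSite) {
      return null; // created under a different top-level site
    }
    return entry.blob;
  }
}

// Constructed scenario: the same third-party frame (widget.example) is embedded
// under news.example, where it creates the blob URL, and under shop.example.
function lookupAcrossSites(partitioned) {
  const store = new BlobUrlStore({ partitioned });
  const url = store.create("visitor-42", "https://widget.example",
                           "https://news.example");
  return {
    sameSite: store.resolve(url, "https://news.example"),
    crossSite: store.resolve(url, "https://shop.example"),
  };
}

console.log("unpartitioned:", lookupAcrossSites(false));
console.log("partitioned:  ", lookupAcrossSites(true));
```

With partitioning off, the value stored under one top-level site is readable under the other; with it on, only the same-site lookup resolves.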
Hi Abhishek,
Summary: Total Cookie Protection has been enabled by default in Firefox 103. Users now have storage partitioning which protects them from third-party tracking. However, Blob URLs remain unpartitioned and hence still put our users at risk because a Blob can be used as a tracking factor.
To close this loophole, we can partition Blob URLs by using the partitioning key (top-level domain). Entailing, the blob URL will be double-keyed, so blob URLs can only be resolved if the top-level domain is the same as the top-level domain where the blob URL was created.
Standard:
This is just an issue, rather than a standard. Do you intend to
update the spec to match what you're shipping? (I didn't see any
relevant PRs, but I might have missed one.)
best,
Mike