
Intent to prototype: Dynamic FPI

Gary Chen

Apr 20, 2020, 8:38:53 AM
to dev-pl...@lists.mozilla.org
# Summary
First-Party Isolation (FPI) is an Anti-Tracking feature that partitions
most third-party state and communication channels by the top-level
website. It uses the first-party eTLD+1 as part of the storage key and
origin checks, such that third-party iframes embedded in different
websites will have separate storage locations and are not considered
same-origin. FPI has long been the Tor Browser’s default storage model.

FPI works well for most websites, but can break some types of embedded
content. We’ve developed *dynamic* FPI [0] to mitigate this type of
breakage. Dynamic FPI (dFPI) creates the same storage partitions as FPI,
but has the ability to relax partitioning under certain conditions. dFPI
supports the automated storage access compatibility heuristics [1]
supported by our other cookie policies, as well as the Storage Access
API. These heuristics can mitigate the types of breakage caused by
standard FPI.

# Storage locations and communication channels covered
dFPI partitions all of the same storage and communication channels that
are partitioned by originAttributes in FPI or containers. dFPI relies on
the StoragePrincipal, introduced last April [2], to relax partitioning
for a subset of these APIs. The full set of APIs covered by the
StoragePrincipal are documented here [3].

Note that after storage access is granted dFPI will immediately relax
partitioning for the APIs covered by the StoragePrincipal within an
agent cluster. It will also relax all partitioning (including that not
covered by the StoragePrincipal) for that third-party in future agent
clusters. We’re tracking this in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1630687.

We are also tracking stateful APIs that aren’t currently covered by
first-party isolation in
https://bugzilla.mozilla.org/show_bug.cgi?id=1590107. We welcome new
reports!

# Testing and Website breakage
We’d like to enable dynamic FPI by default on the Nightly channel in
the coming weeks. Before then, it would be great to get early feedback
from you. If you’re willing to help, please enable dFPI using the
following steps:
1. In about:preferences#privacy select “Custom” under Enhanced Tracking Protection
2. For Cookies, select: “Cross-site and social media trackers, and
   isolate remaining”

Note: This will log you out of websites that use third party cookies
for managing login state.

This feature *fundamentally changes* how we approach cross-site state
in Firefox, and it's incredibly important that we learn how
web-compatible the dFPI model is. We are committed to fixing that
breakage whenever possible, and expect to continue to iterate on
dFPI’s design in Nightly.

Please help us by reporting any breakage on bugzilla by blocking the
meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1549587

The types of breakage you may experience are those that rely on
cross-site log-in, payment, online banking, and other features that
use third-party cookies frequently.

Minor site data UI inconsistencies are currently also expected, they
can be found in the meta bug as well.

# Preference
network.cookie.cookieBehavior=5
(BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN [4]) will be set on
Nightly only.

# Other browsers
- Safari has had partitioned storage (with the exception of cookies) for
  many years
- Chrome has documented their storage isolation project [5], which has a
  similar goal of isolating stateful APIs.

# FAQ

Q: Does dFPI disable tracking cookie blocking?
A: No, both are enabled under network.cookie.cookieBehavior=5.

Q: How will dFPI impact containers users?
A: dFPI uses a different origin attribute than containers (including
Facebook container), which use userContextId. dFPI should layer on top
of these features, and thus not impact them.

Q: How will dFPI impact FPI users?
A: dFPI uses the same first-party domain origin attribute as FPI. This
means that dFPI will re-use the same isolated cookie jars when layered
over FPI. dFPI currently causes some storage locations to switch to a
_different_ isolated storage jar; this issue is tracked in
https://bugzilla.mozilla.org/show_bug.cgi?id=1630796. Note that
storage access permissions will *not* apply to FPI’s isolated storage,
so we do not weaken the isolation guarantees of FPI.

Q: Will dFPI impact extension storage?
A: No. Similar to FPI, extension storage is exempt from isolation.
See: https://searchfox.org/mozilla-central/rev/567b68b8ff4b6d607ba34a6f1926873d21a7b4d7/caps/OriginAttributes.cpp#80-85

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1549587

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy#Storage_access_grants

[2] https://groups.google.com/forum/#!topic/mozilla.dev.platform/b8A8LrQGOYs

[3] https://searchfox.org/mozilla-central/rev/567b68b8ff4b6d607ba34a6f1926873d21a7b4d7/toolkit/components/antitracking/StoragePrincipalHelper.h#13

[4] https://searchfox.org/mozilla-central/rev/567b68b8ff4b6d607ba34a6f1926873d21a7b4d7/netwerk/cookie/nsICookieService.idl#71-82

[5] https://docs.google.com/document/d/1V8sFDCEYTXZmwKa_qWUfTVNAuBcPsu6FC0PhqMD6KKQ/edit

Gary
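
The storage keying and grant-based relaxation described in the Summary above, as an added example that is not part of the original post and is not Mozilla's code: a conceptual JavaScript model in which an embedded origin's jar is keyed by the top-level eTLD+1, and a dFPI storage access grant switches the embed to the jar it uses as a first party. The `Browser` class, the host names and the two-entry suffix set are constructed assumptions; Firefox uses the Public Suffix List and its own origin-attribute code.

```javascript
// Conceptual model of the storage keys described above; not Firefox code.
// Assumption: this constructed suffix set stands in for the Public Suffix List.
const SUFFIXES = new Set(["example", "co.uk"]);
// Registrable domain (eTLD+1) of a host, longest matching suffix first.
function etldPlusOne(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (!SUFFIXES.has(labels.slice(i).join("."))) continue;
    if (i === 0) throw new Error(`${host} is itself a public suffix`);
    return labels.slice(i - 1).join(".");
  }
  throw new Error(`no known suffix for ${host}`);
}

class Browser {
  jars = new Map();   // storage key -> Map of stored items
  grants = new Set(); // "<top-level site>|<embedded site>"
  constructor(mode) { this.mode = mode; } // "fpi" or "dfpi"
  // Models a storage access grant (compat heuristic or Storage Access API).
  grantStorageAccess(topHost, embedded) {
    this.grants.add(`${etldPlusOne(topHost)}|${etldPlusOne(new URL(embedded).hostname)}`);
  }
  // Key of the jar an embedded origin uses under a given top-level host.
  storageKey(topHost, embedded) {
    const url = new URL(embedded), site = etldPlusOne(url.hostname);
    const firstParty = etldPlusOne(topHost);
    // Only dFPI honours grants; the embed then gets its own first-party jar.
    const relaxed = this.mode === "dfpi" && this.grants.has(`${firstParty}|${site}`);
    return `${url.origin}^firstPartyDomain=${relaxed ? site : firstParty}`;
  }
  setItem(topHost, embedded, name, value) {
    const key = this.storageKey(topHost, embedded);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  getItem(topHost, embedded, name) {
    return this.jars.get(this.storageKey(topHost, embedded))?.get(name) ?? null;
  }
}

// Constructed scenario: a login widget embedded on two unrelated sites.
function demo(mode) {
  const b = new Browser(mode), sso = "https://login.sso.example";
  b.setItem("login.sso.example", sso, "session", "abc"); // set as a first party
  const before = b.getItem("www.shop.example", sso, "session");
  b.grantStorageAccess("www.shop.example", sso);
  const afterOnShop = b.getItem("www.shop.example", sso, "session");
  return { before, afterOnShop, onNews: b.getItem("news.co.uk", sso, "session") };
}
```

Calling `demo("dfpi")` shows the session becoming visible only on the site that holds the grant, while `demo("fpi")` stays partitioned everywhere, matching the FAQ statement that grants do not apply to FPI's isolated storage.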

Steven Englehardt

Apr 20, 2020, 1:09:13 PM
to Gary Chen, dev-platform
(Re-sending this to fix the formatting)

# Summary
https://bugzilla.mozilla.org/show_bug.cgi?id=1630687.

We are also tracking stateful APIs that aren’t currently covered by
first-party isolation in
https://bugzilla.mozilla.org/show_bug.cgi?id=1590107. We welcome new
reports!

# Testing and Website breakage
We’d like to enable dynamic FPI by default on the Nightly channel in
the coming weeks. Before then, it would be great to get early feedback
from you. If you’re willing to help, please enable dFPI using the
following steps:
1. In about:preferences#privacy select “Custom” under Enhanced Tracking Protection
2. For Cookies, select: “Cross-site and social media trackers, and
   isolate remaining”

Note: This will log you out of websites that use third party cookies
for managing login state.

This feature *fundamentally changes* how we approach cross-site state
in Firefox, and it's incredibly important that we learn how
web-compatible the dFPI model is. We are committed to fixing that
breakage whenever possible, and expect to continue to iterate on
dFPI’s design in Nightly.

Please help us by reporting any breakage on bugzilla by blocking the
meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1549587

The types of breakage you may experience are those that rely on
cross-site log-in, payment, online banking, and other features that
use third-party cookies frequently.

Minor site data UI inconsistencies are currently also expected, they
can be found in the meta bug as well.

# Preference
network.cookie.cookieBehavior=5
(BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN [4]) will be set on
Nightly only.

# Other browsers
- Safari has had partitioned storage (with the exception of cookies) for
  many years
- Chrome has documented their storage isolation project [5], which has a
  similar goal of isolating stateful APIs.

# FAQ

Q: Does dFPI disable tracking cookie blocking?
A: No, both are enabled under network.cookie.cookieBehavior=5.

Q: How will dFPI impact containers users?
A: dFPI uses a different origin attribute than containers (including
Facebook container), which use userContextId. dFPI should layer on top
of these features, and thus not impact them.

Q: How will dFPI impact FPI users?
A: dFPI uses the same first-party domain origin attribute as FPI. This
means that dFPI will re-use the same isolated cookie jars when layered
over FPI. dFPI currently causes some storage locations to switch to a
_different_ isolated storage jar; this issue is tracked in
https://bugzilla.mozilla.org/show_bug.cgi?id=1630796. Note that
storage access permissions will *not* apply to FPI’s isolated storage,
so we do not weaken the isolation guarantees of FPI.

Q: Will dFPI impact extension storage?
A: No. Similar to FPI, extension storage is exempt from isolation.
See: https://searchfox.org/mozilla-central/rev/567b68b8ff4b6d607ba34a6f1926873d21a7b4d7/caps/OriginAttributes.cpp#80-85

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1549587

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy#Storage_access_grants

[2] https://groups.google.com/forum/#!topic/mozilla.dev.platform/b8A8LrQGOYs

[3] https://searchfox.org/mozilla-central/rev/567b68b8ff4b6d607ba34a6f1926873d21a7b4d7/toolkit/components/antitracking/StoragePrincipalHelper.h#13

[4] https://searchfox.org/mozilla-central/rev/567b68b8ff4b6d607ba34a6f1926873d21a7b4d7/netwerk/cookie/nsICookieService.idl#71-82

[5] https://docs.google.com/document/d/1V8sFDCEYTXZmwKa_qWUfTVNAuBcPsu6FC0PhqMD6KKQ/edit

Gary Chen

Jun 23, 2020, 12:23:50 PM
to dev-pl...@lists.mozilla.org
We plan to enable this in Nightly this week.
This is a pref-only patch (bug 1628486).

Gary