Closed Bug 1631676 Opened 4 years ago Closed 4 years ago

Disable dfpi when privacy.firstparty.isolate=true

Categories

(Core :: Privacy: Anti-Tracking, enhancement, P1)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox78 --- fixed

People

(Reporter: englehardt, Assigned: xeonchen)

References

(Blocks 2 open bugs)

Details

Attachments

(6 files, 1 obsolete file)

request.md
(deleted), text/plain
chutten
: data-review+
Details
Bug 1631676 - collect usage of pref privacy.firstparty.isolate;
(deleted), text/x-phabricator-request
Details
Bug 1631676 - Part 1: add cookie behavior pref getter;
(deleted), text/x-phabricator-request
Details
Bug 1631676 - Part 2: remember FPI state in CookieJarSettings;
(deleted), text/x-phabricator-request
Details
Bug 1631676 - disallow dFPI in extension when FPI is enabled;
(deleted), text/x-phabricator-request
Details
Bug 1631676 - Part 3: Use global cookie behavior getter;
(deleted), text/x-phabricator-request
Details

When testing how the two features layer together I found Bug 1630796, and I only tested four storage locations in that bug. Communication channels may also have some unexpected interactions, and we may introduce bugs in the future.

It seems safest to disable dfpi when fpi is enabled. We can revisit this decision if we end up providing further protections in dfpi than we offer in fpi, but as it stands fpi is a strictly stronger set of protections (since it never allows cross-site access).

Tom, Matthew: does this seem preferable to you?

Flags: needinfo?(tom)
Flags: needinfo?(sysrqb)

Because FPI should never allow relaxation of protections, I would expect DFPI to behave as if it were disabled when FPI is enabled.

Perhaps this bug is about the implementation details? e.g. instead of checking if FPI is enabled in the "should we relax protections" function that happens as part of DFPI, we should instead check in the "Is DFPI enabled?" function?

In which case.... sure. That seems like the more conservative choice and less prone to bugs that could subtly affect Tor.

Flags: needinfo?(tom)

When FPI is enabled, will document principal different from its storage principal?
If they are the same, what are the consequences if we don't disable dFPI?

@tjr: yes, that's my thought. It seems safest to completely avoid enabling dfpi when fpi is active.

@gary: consider Bug 1630796. That weirdness was partially introduced by Bug 1630763.

It's fine it we do this silently when we enable in Nightly, but we'll probably want to think through the implications for FPI users if we keep that policy when shipping to release.

Some issues:

  • Let's say this is the default in Strict or Standard ETP, then users with FPI enabled can't select those modes. They'll be forced into Custom
  • How will the "Cookies" dropdown work for FPI users? Will the DFPI selector be blocked our for them?

It might be worth adding Telemetry to figure out how many users currently have the firstparty.isolate pref set to true.

Blocks: 1628486
Priority: P3 → P1
Assignee: nobody → xeonchen
Attached file request.md (deleted) —
Attachment #9145819 - Flags: data-review?(chutten)

Depends on D74049

Keywords: leave-open
Comment on attachment 9145819 [details] request.md DATA COLLECTION REVIEW RESPONSE: Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate? Yes. This collection is Telemetry so is documented in its definitions file [Scalars.yaml](https://hg.mozilla.org/mozilla-central/file/tip/toolkit/components/telemetry/Scalars.yaml) and the [Probe Dictionary](https://telemetry.mozilla.org/probe-dictionary/). Is there a control mechanism that allows the user to turn the data collection on and off? Yes. This collection is Telemetry so can be controlled through Firefox's Preferences. If the request is for permanent data collection, is there someone who will monitor the data over time? Yes, Steven Englehardt is responsible. Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under? Category 2, Interaction. Is the data collection request for default-on or default-off? Default on for all channels. Does the instrumentation include the addition of any new identifiers? No. Is the data collection covered by the existing Firefox privacy notice? Yes. Does there need to be a check-in in the future to determine whether to renew the data? No. This collection is permanent. --- Result: datareview+
Attachment #9145819 - Flags: data-review?(chutten) → data-review+
Pushed by xeonchen@gmail.com: https://hg.mozilla.org/integration/autoland/rev/c1ee5647da8f collect usage of pref privacy.firstparty.isolate; r=chutten,nhnt11
Depends on: 1635984

Comment on attachment 9146303 [details]
Bug 1631676 - Part 3: use effective cookie behavior in preferences page;

Revision D74128 was moved to bug 1635984. Setting attachment 9146303 [details] to obsolete.

Attachment #9146303 - Attachment is obsolete: true
Attachment #9146434 - Attachment description: Bug 1631676 - Part 5: Use global cookie behavior getter; → Bug 1631676 - Part 3: Use global cookie behavior getter;
Attachment #9146425 - Attachment description: Bug 1631676 - Part 4: disallow dFPI when FPI is enabed in extension; → Bug 1631676 - disallow dFPI in extension when FPI is enabled;
Severity: -- → N/A

Comment on attachment 9145822 [details]
Bug 1631676 - collect usage of pref privacy.firstparty.isolate;

Beta/Release Uplift Approval Request

  • User impact if declined: This patch adds a telemetry probe to collect user preference setting, we need uplift to collect accurate user number.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It's telemetry only, and has been landed to nightly a few days.
  • String changes made/needed:
Attachment #9145822 - Flags: approval-mozilla-beta?

Comment on attachment 9145822 [details]
Bug 1631676 - collect usage of pref privacy.firstparty.isolate;

Low risk telemetry probe, uplift approved for 77 beta 8.

Attachment #9145822 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9145822 - Flags: approval-mozilla-beta+
Pushed by xeonchen@gmail.com: https://hg.mozilla.org/integration/autoland/rev/fc0fe3b5516a Part 1: add cookie behavior pref getter; r=baku https://hg.mozilla.org/integration/autoland/rev/ab798364a53b Part 2: remember FPI state in CookieJarSettings; r=baku,timhuang https://hg.mozilla.org/integration/autoland/rev/a9d6489a6a67 Part 3: Use global cookie behavior getter; r=baku,johannh
Keywords: leave-open
Pushed by xeonchen@gmail.com: https://hg.mozilla.org/integration/autoland/rev/fdef23410b2e disallow dFPI in extension when FPI is enabled; r=rpl

https://hg.mozilla.org/mozilla-central/rev/fdef23410b2e

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox78: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78

(In reply to Steven Englehardt [:englehardt] from comment #5)

It's fine it we do this silently when we enable in Nightly, but we'll probably want to think through the implications for FPI users if we keep that policy when shipping to release.

Some issues:

  • Let's say this is the default in Strict or Standard ETP, then users with FPI enabled can't select those modes. They'll be forced into Custom
  • How will the "Cookies" dropdown work for FPI users? Will the DFPI selector be blocked our for them?

It might be worth adding Telemetry to figure out how many users currently have the firstparty.isolate pref set to true.

I did some tests

78-Dev, 79-Nightly

  • ETP: standard
  • set FPI on and cookieBehavior to 5 (done from about:config, not a user.js)
  • order of changing prefs doesn't matter
  • check options UI
  • ETP: custom: displays value 4
    • 78: there is no combo box item for value 5 normally anyway
    • 79: combo box item for value 5 is missing: it's normally there in nightly

In both cases, the cookieBehaviour pref stays at 5 in about:config. This is cosmetic right, just checking?

Cases:

  • dFPI is enabled by default, and user decides to turn on FPI
  • user is using FPI and default 4, FF update flips dFPI on by changing to 5
  • in both cases the displayed ETP information is out of sync with the value stored in prefs: how does the user know what is going on and which one to believe?

(In reply to Simon Mainey from comment #24)

I did some tests

78-Dev, 79-Nightly

  • ETP: standard
  • set FPI on and cookieBehavior to 5 (done from about:config, not a user.js)
  • order of changing prefs doesn't matter
  • check options UI
  • ETP: custom: displays value 4
    • 78: there is no combo box item for value 5 normally anyway
    • 79: combo box item for value 5 is missing: it's normally there in nightly

In both cases, the cookieBehaviour pref stays at 5 in about:config. This is cosmetic right, just checking?

We didn't touch the "real" value stored in about:config, we instead use the effective value of cookieBehavior, which is: fallback 5 to 4 when FPI is enabled.

Cases:

  • dFPI is enabled by default, and user decides to turn on FPI
  • user is using FPI and default 4, FF update flips dFPI on by changing to 5
  • in both cases the displayed ETP information is out of sync with the value stored in prefs: how does the user know what is going on and which one to believe?

We have bug 1637344 to add some notice, maybe it will make the UI clearer?

(In reply to Gary Chen [:xeonchen] from comment #25)

We have bug 1637344 to add some notice, maybe it will make the UI clearer?

OMG, how did I not find that? My bad :)

(sorry for the noise)

Flags: needinfo?(sysrqb)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: