I'd like to be able to mark particular sites as allowed to send and receive first-party cookies, but not allowed to receive third-party cookies. For instance, maybe I hate and despise Facebook Connect, but not quite enough to stop using Facebook altogether, so I want to allow session cookies for when I'm actually *visiting* facebook.com, but not when I'm visiting some other site. It appears to me that this is currently impossible. I can turn off all third-party cookies, and I can say "no cookies at all except for these sites", but if I have whitelisted a site, it gets third-party cookies if third-party cookies are allowed in general. (I might need third-party cookies for a few sites, e.g. my bank's outsourced bill payment screen breaks without them.)

While not exactly what you're proposing, bug 565965 should basically do what you want. If you agree, feel free to dupe it over.

I don't understand the proposal in bug 565965 well enough to decide whether it subsumes this one.

It means your 1st party Facebook cookies won't be sent in a 3rd party context, but your bank should still work if the cookies are set & read in the same 3rd party context.

zwol: I think the fix in bug 770691 solves your problem. Does it? That bug allows you to say "facebook.com can't set or get cookies when it's a third party". Please dupe this over to that if it does.

Yes, I think bug 770691 is what I want. I'll wait for that to hit release and then file a new bug if I find a use case that's not covered.

Bug 770691 has landed already in Firefox 18. The only native interface to it is through about:permissions, not through the options dialogs. Select a site from the about:permissions list and it is available on the cookie permissions dropdown. You can also try the Cookie Controller addon which includes support for this in v1.6, which should be approved in a few days time. Note that the only option is to allow 1st party cookies but not third party. The "allow 1st party" bit will override any global setting you have to only allow session cookies. There is no "allow 1st party session cookies, but not third party", so not quite what you described in your original message. This behaviour is deliberate, it was discussed and discarded because the possible permutations could get too large.