Lusito / forget-me-not

Make the browser forget website data, except for the data you want to keep.
zlib License

Subdomain cookies classified as 3rd party cookies? #38

Closed Joel889 closed 6 years ago

Joel889 commented 6 years ago

I noticed that the addon classifies subdomain cookies as 3rd party cookies. Even with 3rd party cookies disabled in FF 58.02, unless enabling "remove thirdparty cookies on creation" in your addon, subdomain cookies won't be deleted after closing the tab.

Lusito commented 6 years ago

Please make separate issues for different problems. I'm not sure I get your first issue right, so please verify: I'm guessing what you are experiencing is that Firefox handles subdomain cookies as first-party cookies?

I've actually not researched how Firefox flags cookies as third-party, but I will do so to make that compliant. To me, it seemed obvious that cookies set for hello.com are third-party when compared to foo.hello.com, as foo.hello.com has no direct access to them. But if Firefox flags it differently, I guess I should follow that.

Joel889 commented 6 years ago

The way I understand it is that 3rd party cookies are coming from a different domain. So *.hello.com is all considered first party even when visiting www.hello.com. If hello.com were to set cookies for goodbye.com, that would be a 3rd party cookie, and that's what Firefox prevents when disabling 3rd party cookies.

Joel889 commented 6 years ago

Has the definition of the way 3rd party cookies are handled changed in version 1?

The help file provides the following:

Third party cookies

When a cookie is set without belonging to a domain which is open in a tab, it is considered a third-party cookie.
Research is being done to improve this method.

Lusito commented 6 years ago

I have indeed forgotten to update that bit of information. Sorry about that.

Joel889 commented 6 years ago

So what is considered a 3rd party cookie in version 1?

Lusito commented 6 years ago

I'll try to explain, but it's really not a simple definition:

Domains have a first party domain. For mail.google.com that would be google.com. For prime.amazon.co.uk, it would be amazon.co.uk.

Getting that first party domain isn't as easy as it might seem, as there are so many exceptions, that a huge list has been created to maintain all the special cases: https://publicsuffix.org/list/public_suffix_list.dat

A third-party domain by the definition of Mozilla is any domain that does not belong to the first party domain of the tab which is causing the cookie to be set.

Here is the tricky part: If you don't have First Party Isolation enabled, then once the cookie is stored, there is no way of knowing where a cookie has been set.

There was a bug ticket which addressed this issue, but Mozilla closed the issue prematurely.

There is only one place where I can actually say 100% that a cookie is third-party: When the experimental feature for blocking third-party cookies is enabled, I intercept web-requests and parse the header of that request. For all cookies set in this way, I can see the tab they belong to and apply the above method to determine if it's a third-party cookie.

In all other cases, I do the following:

  1. Get the First Party Domain of the cookie.
  2. Iterate over all tabs that belong to the same cookie store as the cookie in question, and if any of the tabs' first party domains (the current domain and the one it might be changing to) is the same as the cookie's first party domain, then it won't be treated as a third-party cookie.

So, to some degree, it is still a bit like before, but fewer cookies are falsely treated as third-party, because now the first party domain is taken into account.

I could probably improve that method by remembering on cookie creation/update whether a tab matching the first party domain existed and using that information later. I'm not sure how that would affect performance though. Maybe make it an experimental feature that can be turned on.

I hope this clears it up for you.
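The two-step check described in the comment above, written out as an added example. This is not forget-me-not's own code: the public suffix rules are a constructed handful (the real list at publicsuffix.org has thousands of entries, including wildcard `*.` and exception `!` rules, which the lookup below handles), and the `TabInfo`/`CookieInfo` shapes, `SAMPLE_TABS` and the function names are assumptions made for the illustration. It shows why a cookie for hello.com is first-party while a tab on foo.hello.com is open, and why the same cookie is third-party when the only matching tab lives in a different cookie store.

```typescript
// Added example (not forget-me-not's code). Public suffix lookup plus the
// "is any tab in the same cookie store on the same first party domain" test.

// Constructed subset of the public suffix list. Rule forms: "com" (plain),
// "*.ck" (wildcard: every label under ck is a suffix), "!www.ck" (exception).
const PUBLIC_SUFFIX_RULES: string[] = ["com", "uk", "co.uk", "ck", "*.ck", "!www.ck"];

/** Cookie domains are stored with a leading dot ("." + host); strip it and lowercase. */
function normalizeHost(host: string): string {
  return host.toLowerCase().replace(/^\./, "");
}

/** Public suffix of a host: exception rules win, otherwise the longest matching rule,
 *  otherwise the implicit "*" rule (the last label). */
function publicSuffix(host: string): string {
  const labels = normalizeHost(host).split(".");
  let best: { len: number; exception: boolean } | null = null;
  for (const raw of PUBLIC_SUFFIX_RULES) {
    const exception = raw.startsWith("!");
    const ruleLabels = (exception ? raw.slice(1) : raw).split(".");
    if (ruleLabels.length > labels.length) continue;
    const tail = labels.slice(labels.length - ruleLabels.length);
    if (!ruleLabels.every((rl, i) => rl === "*" || rl === tail[i])) continue;
    if (exception) { best = { len: ruleLabels.length, exception: true }; break; }
    if (!best || ruleLabels.length > best.len) best = { len: ruleLabels.length, exception: false };
  }
  if (!best) return labels[labels.length - 1];
  // For an exception rule the suffix is the rule minus its leftmost label.
  const suffixLen = best.exception ? best.len - 1 : best.len;
  return labels.slice(labels.length - suffixLen).join(".");
}

/** Step 1: first party domain = public suffix plus one more label (mail.google.com -> google.com). */
function getFirstPartyDomain(host: string): string {
  const h = normalizeHost(host);
  const suffix = publicSuffix(h);
  if (h === suffix) return h; // the host is itself a public suffix
  const labels = h.split(".");
  return labels.slice(labels.length - suffix.split(".").length - 1).join(".");
}

// Assumed shapes for the illustration; the real extension reads these from the browser API.
interface TabInfo { cookieStoreId: string; url: string; pendingUrl?: string }
interface CookieInfo { domain: string; storeId: string }

/** Hostname of a URL without relying on the URL class (keeps the example self-contained). */
function hostOf(url: string): string {
  return url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/:?#]/)[0];
}

/** Step 2: third-party unless a tab in the same cookie store is on (or navigating to)
 *  the cookie's first party domain. */
function isThirdPartyCookie(cookie: CookieInfo, tabs: TabInfo[]): boolean {
  const cookieFpd = getFirstPartyDomain(cookie.domain);
  return !tabs.some((tab) => {
    if (tab.cookieStoreId !== cookie.storeId) return false;
    const urls = [tab.url, tab.pendingUrl].filter((u): u is string => u !== undefined);
    return urls.some((u) => getFirstPartyDomain(hostOf(u)) === cookieFpd);
  });
}

// Constructed sample tabs: a default-store tab on www.hello.com, one navigating to
// prime.amazon.co.uk, and a container tab on goodbye.com.
const SAMPLE_TABS: TabInfo[] = [
  { cookieStoreId: "firefox-default", url: "https://www.hello.com/inbox" },
  { cookieStoreId: "firefox-default", url: "https://news.example/", pendingUrl: "https://prime.amazon.co.uk/" },
  { cookieStoreId: "firefox-container-1", url: "https://goodbye.com/" },
];

console.log(isThirdPartyCookie({ domain: "foo.hello.com", storeId: "firefox-default" }, SAMPLE_TABS)); // false
console.log(isThirdPartyCookie({ domain: "goodbye.com", storeId: "firefox-default" }, SAMPLE_TABS));   // true
```

The container tab case is the reason the store id is part of the match: a goodbye.com tab in one cookie store says nothing about a goodbye.com cookie stored in another.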

Joel889 commented 6 years ago

Ok, great. Thank you.