Open edk55 opened 5 years ago
We've been have issues with site not playing well with 3rd-party cookies enabled in #4770 .
Basically if you enable the same 3rd-party cookie blocks within Chrome, it'll work fine with these sites. But enabling 3rd party cookies blocking in Brave will make these sites not render correctly.
I guess we either re-use/make use of the cookie code in Chrome, or fix the brave cookie code?
@cezaraugusto is this one you can check out?
From the steps to reproduce... it sounds like the Web UI for shields is not reading the actual values. Perhaps it's just using whatever is in local storage instead of (when Web UI is initialized) reflecting the content settings
as mentioned in slack, 3p cookie blocking is tied to 3p referer spoofing so that's a likely cause of differences from chrome/safari with 3p cookie block enabled
also could be related to localStorage and other storage mechanisms; not sure if chrome blocks those as well
@bsclifton I think the point of this issue is site settings should have priority to the Brave shield cookies settings.
as @edk55 wrote.
If we want to display combined(site setting + shields) settings in shields popup, I think popup should have more complicated UX.
IMO, letting shields popup and site settings display its own setting seems fine.
cc @tomlowenthal
Description
I came to Brave from Chrome, were I used the strategy of managing my cookies this way: All the next processes are made on cookies section of site settings page (brave://settings/content/cookies). I block all cookies by default. If the site I visit needs auth for a long time (for example gmail.com), I add the site domain to "allow" section. If the visited site needs cookies for a while (some sites doesn't work without localStorage/cookies), I add the site domain to the "clear on exit" section. This way there are no garbage at "All cookies and site data" page (brave://settings/siteData). The Brave has shield which is nice but it ignores my site settings. The main idea is to use "clear on exit" functionality, which allows to keep cookies storage in clean state (on browser restart there will be only "allowed sites" cookies). I could use "Clear browsing data on exit", but it would also clear cookies of "allowed" sites.
Steps to Reproduce
Actual result:
Cookies for the site you visited were saved (if "block 3rd party cookies" option is selected in the shield), you can convinced of it here: brave://settings/siteData If the shield mode is "block all cookies", then cookies will not be saved at all, even if you add the site domain to "allow"/"clear on exit" section of the site settings page. It just ignores site settings.
Expected result:
If all the cookies are disabled (not only via Brave shield but also via site settings), then all the cookies except of "allowed"/"clear on exit" domains should be blocked despite the Brave shield settings. If the site domain is in list of "allowed" domains, then Brave shield shouldn't block that cookies. If the site domain is in list of "blocked" domains, Brave should block that cookies. Same works if all cookies are blocked and domain is not either in "allow" or "clear on exit" domain list. If the site domain is in list of "clear on exit" domains, Brave shouldn't block that cookies and should clear that cookies on exit.
In total: site settings should have priority to the Brave shield cookies settings. If the Brave shield mode is "block 3rd party cookies", then it still should block 3rd party cookies (despite the site settings). (In the ideal world there should be a list of allowed 3rd party domains).
Reproduces how often:
Easily reproduced
Brave version (brave://version info)
Other Additional Information:
I'm not sure if it's a bug or it's made by design, but it's a problem for users like me, who wants to control cookies storage. I'm sorry if the text of the issue is quite big. Thank you for your time and your work!