Closed davidschlachter closed 4 years ago
I have gone ahead and done some reading on the way FF handles cookies with First Party Isolation.
Just passing null as firstPartyDomain will include all cookies regardless of the FP-Domain they belong to. This can cause multiple cookies with the same Domain+Name combination to be written to the cookie file. The Netscape Cookie Format does not specify duplications and has no concept of FPI. As a result it is impossible to record this information without corrupting the file.
According to this MDN doc the cookie's firstPartyDomain field will be set to an empty string if FPI is disabled. We can use this to filter out any FP-cookies if FPI is disabled.
Additionally #2 added the option to download all cookies regardless of the domain they belong to. To my understanding this is impossible to do with FPI enabled.
In summary:
I would be willing to write the necessary changes to make this work.
I don't have a FF profile with FPI enabled right now so at most I would only be able to test these changes with a temporary profile and some example websites. That should be fine but I won't object if anyone who uses FPI in their standard profile wants to help me test before I make a PR.
Thanks for looking into this, patches are definitely welcome!
While trying to implement support for FPI I have come across a small issue.
This MDN doc states
When first-party isolation is on, cookies are further qualified by the domain of the original page the user visited (essentially, the domain shown to the user in the URL bar, also known as the "first party domain").
However when examining the cookies set with FPI enabled it seems as though FF excludes subdomains when setting the First Party Domain of each cookie. This includes subdomains such as "www".
Some examples. "URL-Domain" is the domain shown in the address bar and should be the First Party Domain according to the MDN linked above. "Cookie-Domain" is the value set as firstPartyDomain in the actual cookies.
| URL-Domain | Cookie-Domain |
|---|---|
| developer.mozilla.org | mozilla.org |
| www.amazon.co.uk | amazon.co.uk |
| youtube.com | youtube.com |
| www.reddit.com | reddit.com |
It seems as though FF only uses the first domain after the TLD as First Party Domain. Unfortunately I have not found a convenient method in the FF API to extract the first domain of a URL. If anyone knows of something like that please let me know.
From my standpoint that leaves us with two options:
In order to use third party logins with this extension as it is right now one needs to extract cookies for all domains (added in #2) which is impossible with FPI anyway. As such I would recommend going with solution 2. While it isn't a perfect fix it at least restores functionality for most websites.
We could then either keep this issue open or close it and open a new one to track progress towards a "perfect" solution related to the First Party Domains. Additionally I would like to take a look at the handling of third party cookies without FPI enabled as the extension seems to ignore them completely, breaking some login systems. But this is probably outside the scope of this issue so I would go ahead and create a new one for that.
Edit: The most stable solution would be to file a report for FF and request a method to have the browser itself extract the First Party Domain of a URL and include that in the WebExtension API. That should be possible since the browser applies some transformation on the cookies anyway when setting their firstPartyDomain value. But such a fix could take a while so I would still say we use one of the solutions above now and can then still give it a proper fix when/if such a method is included in FF.
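An added example, not code from this extension or its authors, showing the two points discussed above in runnable JavaScript: selecting cookies by `firstPartyDomain` (empty string when FPI is off, the page's first-party domain when it is on), deriving that domain with the "first label after the public suffix" rule observed in the table, and refusing to write a Netscape cookie file when two cookies collide on domain, path and name. `browser.cookies.getAll()` is only available inside a WebExtension, so the cookie list is constructed sample data shaped like the API's Cookie objects, and the multi-label suffix table is a partial stand-in for the Public Suffix List; both are assumptions of the example.

```javascript
// Added example (not the extension's own code): filtering Firefox cookies
// for Netscape-format export when First Party Isolation (FPI) may be on.

// Constructed sample shaped like cookies.getAll({ firstPartyDomain: null })
// output in a profile where FPI is on. The two "session" cookies for
// .reddit.com differ only in firstPartyDomain; the "legacy" cookie has the
// empty firstPartyDomain Firefox assigns when FPI is off.
const SAMPLE_COOKIES = [
  { name: "session", domain: ".reddit.com", path: "/", value: "a1", secure: true,
    httpOnly: true, expirationDate: 1900000000, firstPartyDomain: "reddit.com" },
  { name: "session", domain: ".reddit.com", path: "/", value: "b2", secure: true,
    httpOnly: true, expirationDate: 1900000000, firstPartyDomain: "amazon.co.uk" },
  { name: "lang", domain: "developer.mozilla.org", path: "/", value: "en", secure: false,
    httpOnly: false, expirationDate: 1900000000, firstPartyDomain: "mozilla.org" },
  { name: "legacy", domain: ".example.net", path: "/", value: "x", secure: false,
    httpOnly: false, expirationDate: 1900000000, firstPartyDomain: "" },
];

// Assumption: a tiny table of multi-label public suffixes sufficient for the
// sample. A real implementation should consult the full Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au"]);

// Reproduce the behaviour observed in the thread: keep only the first label
// before the public suffix (developer.mozilla.org -> mozilla.org,
// www.amazon.co.uk -> amazon.co.uk, youtube.com -> youtube.com).
function firstPartyDomainOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  const labels = host.split(".");
  const lastTwo = labels.slice(-2).join(".");
  const suffixLen = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 2 : 1;
  if (labels.length <= suffixLen + 1) return host;
  return labels.slice(-(suffixLen + 1)).join(".");
}

// Keep only cookies belonging to one first-party context.
// fpiEnabled=false: Firefox sets firstPartyDomain to "" on every cookie.
// fpiEnabled=true: match the first-party domain derived from the page URL.
function selectCookies(cookies, pageUrl, fpiEnabled) {
  const wanted = fpiEnabled ? firstPartyDomainOf(pageUrl) : "";
  return cookies.filter((c) => c.firstPartyDomain === wanted);
}

// Serialize to Netscape cookie file lines. The format has no FPI column, so a
// (domain, path, name) collision would silently corrupt the file; refuse instead.
function toNetscape(cookies) {
  const seen = new Set();
  const lines = ["# Netscape HTTP Cookie File"];
  for (const c of cookies) {
    const key = `${c.domain}\t${c.path}\t${c.name}`;
    if (seen.has(key)) {
      throw new Error(`duplicate cookie for ${key}; export would be ambiguous`);
    }
    seen.add(key);
    // Leading dot on the domain means the cookie applies to subdomains.
    const includeSubdomains = c.domain.startsWith(".") ? "TRUE" : "FALSE";
    lines.push([
      c.domain, includeSubdomains, c.path, c.secure ? "TRUE" : "FALSE",
      String(Math.floor(c.expirationDate || 0)), c.name, c.value,
    ].join("\t"));
  }
  return lines.join("\n") + "\n";
}

// Export the cookies for one page, honouring the FPI state.
function exportForPage(cookies, pageUrl, fpiEnabled) {
  return toNetscape(selectCookies(cookies, pageUrl, fpiEnabled));
}

// Usage: with FPI on, only the reddit.com-context cookie reaches the file.
if (typeof module !== "undefined" && require.main === module) {
  console.log(exportForPage(SAMPLE_COOKIES, "https://www.reddit.com/", true));
}
```

Calling `toNetscape(SAMPLE_COOKIES)` without filtering throws on the second `session` cookie, which is the corruption the first comment warns about; filtering by first-party context first is what makes the export unambiguous.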
I agree with your analysis. I think (2) is a good option, and we could always improve it over time if needed. Indeed, reporting a feature request to Firefox would be the best course of action in the long term.
If First Party Isolation is enabled (about:config -> privacy.firstparty.isolate to true, restart Firefox), the tool fails to export cookies.
To get the expected behaviour in this case, see the Mozilla docs and this commit from a similar extension. I'm currently not set up to test this, otherwise would submit a PR.