privacysandbox / privacy-sandbox-dev-support

Discuss your Privacy Sandbox developer questions with the Chrome team.
Apache License 2.0

Third party cookies being allowed on www.figma.com #252

Open wongbryan opened 8 months ago

wongbryan commented 8 months ago

I've disabled third-party cookies by enabling the experiment flag and also via Settings > Tracking Protection > Block all third-party cookies.

If I go to www.figma.com and open the issue panel in Chrome, I see a message saying Figma is allowed to read third party cookies.

[screenshot]

This does not happen on other websites, only on Figma. Can anyone else repro?

wanderview commented 8 months ago

I cannot reproduce.

  1. Set "block all third-party cookies" on chrome://settings/trackingProtection
  2. Reload www.figma.com
  3. Observe no devtools issue with text "Third-party websites are allowed to read cookies on this page"
  4. Unset "block all third-party cookies" on chrome://settings/trackingProtection
  5. Reload www.figma.com
  6. Observe that there is a devtools issue with text "Third-party websites are allowed to read cookies on this page"

Can you please clarify what chrome://flags you are using? Have you changed any default DevTools settings (preserve log, etc.)?

wongbryan commented 8 months ago

Please see attached screen recording. I have enabled #test-third-party-cookie-phaseout in chrome://flags and also disabled all third party cookies in chrome://settings/trackingProtection. https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support/assets/26299742/c7e4d32d-812b-416a-909c-992183a250d9

wanderview commented 8 months ago

The movie does not show the figma tab being reloaded after changing the cookie setting. Did you try that?

Also, can you please show your chrome://flags page?

wongbryan commented 8 months ago

I restarted Chrome multiple times. Unable to send a screenshot of chrome://flags atm, but I have enabled the third-party cookie deprecation flag and that's it.


wongbryan commented 8 months ago

Here is a screenshot of my chrome://flags page.

[image]

wanderview commented 8 months ago

Have you added a cookie exception by clicking this icon in the omnibox?

[image]

You would then see something in chrome://settings/trackingProtection like this:

[image]

samdutton commented 8 months ago

[edited]

Just to double check: have you tried hard-refreshing figma.com after changing chrome://settings/trackingProtection to block all third-party cookies?

Not sure if it's relevant, but are you in a Chrome Enterprise environment?

wongbryan commented 8 months ago

@wanderview I have not added a cookie exception for Figma. See attached screenshot (the omnibox says third party cookies are blocked, but the issues panel disagrees):

[image]

@samdutton I have hard-refreshed and the Issues panel shows the same message. I am in a Chrome Enterprise environment (on a work laptop).

wanderview commented 8 months ago

It seems possible your enterprise admin is applying a cookie exception via an enterprise policy.

wanderview commented 8 months ago

You can observe enterprise policies on chrome://policy. Look for an entry with the policy name "CookiesAllowedForUrls".
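As an added example (not from this thread or from the Chrome project), a small Python audit of a managed Chrome policy file for CookiesAllowedForUrls entries that would grant a given site a cookie exception. The policy contents below are constructed, and the pattern matcher is a simplified reading of Chrome's content-settings URL pattern syntax (an assumption, not Chrome's own code).

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what a managed policy file (for example one under
# /etc/opt/chrome/policies/managed/ on Linux) might contain. Not from the thread.
SAMPLE_POLICY_JSON = json.dumps({
    "CookiesAllowedForUrls": ["[*.]corp.example", "https://sso.example:443"],
    "DefaultCookiesSetting": 1,
})

DEFAULT_PORTS = {"http": "80", "https": "443"}


def _pattern_matches(pattern: str, url: str) -> bool:
    """Simplified matcher for Chrome content-settings URL patterns (assumption):
    '*' matches everything; otherwise an optional scheme, a host that may start
    with the '[*.]' subdomain wildcard, and an optional port."""
    if pattern == "*":
        return True
    u = urlsplit(url)
    if "://" in pattern:
        scheme, rest = pattern.split("://", 1)
        if scheme not in ("*", u.scheme):
            return False
    else:
        rest = pattern  # no scheme in the pattern: any scheme matches
    host_part, _, port = rest.rstrip("/").partition(":")
    url_port = str(u.port) if u.port else DEFAULT_PORTS.get(u.scheme, "")
    if port and port != "*" and port != url_port:
        return False
    host = u.hostname or ""
    if host_part.startswith("[*.]"):
        base = host_part[4:]
        return host == base or host.endswith("." + base)
    return host == host_part


def cookie_exceptions_for(policy_json: str, url: str) -> list:
    """Return the CookiesAllowedForUrls patterns that grant `url` a cookie exception.
    An empty list means no enterprise exception applies to that site."""
    policy = json.loads(policy_json)
    patterns = policy.get("CookiesAllowedForUrls", [])
    return [p for p in patterns if _pattern_matches(p, url)]


if __name__ == "__main__":
    for site in ("https://app.corp.example/", "https://www.figma.com/"):
        print(site, "->", cookie_exceptions_for(SAMPLE_POLICY_JSON, site))
```

Point the function at the contents of your own managed policy file (or the JSON exported from chrome://policy) to see which patterns, if any, cover the site you are debugging.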

wongbryan commented 8 months ago

@wanderview There is no entry for "CookiesAllowedForUrls" and figma.com is not listed in any of the policy domains. I just found this page: https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md and thought this was related, but even after I disabled the heuristics exceptions by disabling the Third-party Cookie Grants Heuristics Testing flag, Figma is still able to read third-party cookies. I wonder, though, if there's some behavior in Figma's web editor that is causing 3PC exceptions. Again, can you verify that you are unable to repro this? Please note that this issue only occurs in Figma's web editor UI, not on the Figma homepage. You can repro by visiting this link and opening the Chrome Issues panel while on this page:

https://www.figma.com/file/rL9D4IbnGdiEZRhTkYRlE8/Untitled?type=design&mode=design&t=Gij6XOR8Avzzk5uY-1

amaliev commented 8 months ago

Hey @wongbryan, thanks for reporting this issue. It looks like the description in the Issues panel is poorly worded. This message is shown on sites that have 3PCD mitigations enabled, but it doesn't respect the "Block all third-party cookies" setting, or other reasons why the cookie might actually be blocked. To clarify, the actual cookie behavior is correct and matches the Tracking Protection dialog in the omnibox: all third-party cookies are blocked when the "Block all third-party cookies" setting is enabled.

I am following up on the Issues panel fix in https://issues.chromium.org/u/4/issues/325310946.

wongbryan commented 8 months ago

I'm not sure if that is true. If third-party cookies are truly being blocked on that page, then the app I am loading should NOT be able to authenticate itself with our servers. However, the plugin runs as expected, so I suspect it is using a validated session cookie from our server (which would be a third-party cookie since this is in the Figma page).

wanderview commented 8 months ago

I still can't reproduce this. Even with the editor link above, the DevTools warnings still go away when I block all 3P cookies and reload the Figma tab. Instead I see this in DevTools:

[image]

Note: I had to test in a profile that was not part of our corp enterprise policy.

wongbryan commented 8 months ago

@wanderview This is strange. I asked a coworker to block 3PC and opt into the 3PCD flag and test it. He is experiencing the same issue as I am where 3PC are allowed in Figma. Another coworker reported that 3PC are being blocked as they are supposed to be. I feel like this is probably a bug. Is there a way to investigate further?

wanderview commented 8 months ago

I think we would need to see your chrome://flags and chrome://settings/trackingProtection pages. There is probably a setting somewhere that is inconsistent.

wongbryan commented 8 months ago

chrome://flags

[image]

chrome://settings/trackingProtection

[image]

johannhof commented 8 months ago

Thanks @wongbryan, this seems to be an issue with the #test-third-party-cookies-phaseout flag. You can use #tracking-protection-3pcd to the same effect but it shouldn't result in that message when blocking all third party cookies is turned on.

I'll also note that we might have to revisit showing this message for same-site origins (figma.com / www.figma.com), as that seems confusing: obviously *.figma.com is allowed to set cookies on that site, no matter the setting (except if you block first-party cookies).

johannhof commented 8 months ago

Ah @amaliev I think you already fixed the same-site issue with crrev.com/c/5296183, right?

amaliev commented 8 months ago

Yes, with that change we only show the message if a cookie is allowed because of 3PCD mitigations. It will prevent firing the message for same-site cookie access as well.

wongbryan commented 8 months ago

Disabling #test-third-party-cookies-phaseout and enabling #tracking-protection-3pcd works for me. Thank you for the help! I think I should flag here that enabling #test-third-party-cookies-phaseout not only causes the message shown above, but also was mistakenly allowing 3PC on the webpage. I was able to access features that required reading 3PC when the message was shown, so I don't think the bug was purely cosmetic. Not sure if this is useful, but FYI.

amaliev commented 8 months ago

Thanks for confirming, Bryan! This is a separate, unrelated issue where the #test-third-party-cookies-phaseout flag doesn't handle the "Block all third-party cookies" setting properly. This does not affect production users.