🌐 Website Issue | Firefox about:config network.cookie.cookieBehavior

[zer0byt]

Description

In the new versions of Firefox, there are five options to manage cookies. The website explains just three of them (number 0 to number 2).

The two other options are:

• Cookies from unvisited websites (number 3).
• Cross-site and social media trackers (number 4).

Screenshots

[Mikaela]

Do you have a source for 3? It seems to be wrong according to Mozilla developer documentation;

0 = accept all cookies by default 1 = only accept from the originating site (block third party cookies) 2 = block all cookies by default 3 = use p3p settings (note: this is only applicable to older Mozilla Suite and Seamonkey versions.) 4 = Storage access policy: Block cookies from trackers

• https://developer.mozilla.org/docs/Mozilla/Cookies_Preferences

I don't know what p3p settings are apparently for protocol obsolete for around 18 years, but I understand it to not apply to Firefox and 4 seems experimental and possibly shouldn't be recommended yet?

CC: @Thorin-Oakenpants

[zer0byt]

Do you have a source for 3? It seems to be wrong according to Mozilla developer documentation;

In the browser's privacy preferences, there are four options. From the list, select "Cookies from unvisited websites" then go to network.cookie.cookieBehavior in the about:config and check the value. It's 3. (Checked on Firefox v73.0)

[Thorin-Oakenpants]

• 0=Accept cookies and site data
• 1=(Block) All third-party cookies
• 2=(Block) All cookies
• 3=(Block) Cookies from unvisited websites
• 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+)

^^ these are the actual words used in the UI

I'm not (edit, left out the word not :facepalm: ) sure how much you should trust that MDN page, even if it was last updated Feb 7th 2020. e.g

• network.cookie.lifetimePolicy values have changed (see next point)
• network.cookie.lifetime.days is deprecated here's the proof - hence (see above values have changed)

Up to you guys what you want to do: no-one is saying you have to list all the values, and value 3 is a waste of time IMO and will just confuse people. I wouldn't be surprised if it got removed and I can't see the point in such a setting TBH.

[Thorin-Oakenpants]

PS: this (cleaning up descriptions etc) is already slated as part of #1430 which is now been sitting waiting for some action for 3 and a half months - rather than ping me (edit: for things already on PTIO's webpage), how about getting #1430 under way .. just saying /sorry-for-being-grumpy :)

[blacklight447]

Hey there! It true, the issue has been hanging around for a while, but its the next thing on my list to work on after im done writing our new COI and whistleblower policies :)!

[Thorin-Oakenpants]

and 4 seems experimental and possibly shouldn't be recommended yet

heh. it's the default :)

[Mikaela]

For future reference, what is a source for documentation about these flags that can be trusted? :confused:

[Thorin-Oakenpants]

^^ the source code

[dngray]

and 4 seems experimental and possibly shouldn't be recommended yet

heh. it's the default :)

That's still the case in 81.0.1.

Up to you guys what you want to do: no-one is saying you have to list all the values, and value 3 is a waste of time IMO and will just confuse people. I wouldn't be surprised if it got removed and I can't see the point in such a setting TBH.

I think we might fix this by removing the recommendation. We could put a suggestion, there for option 1 (with a warning), but that's really going to be the only useful option, imho

[paulo-erichsen]

note that since firefox 86, we can also set network.cookie.cookieBehavior to 5

To disable dynamic storage partitioning for all sites you can use the network.cookie.cookieBehavior pref: 5 | Reject (known) trackers and partition third-party storage. 4 | Only reject trackers (Storage partitioning disabled). 0 | Allow all

it would be great if we could get some some direction on whether it is better to set this setting to 5 or 1

• https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
• https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/State_Partitioning

[rusty-snake]

If you have FPI enabled 1 is better (5 will be downgraded to 4 AFAIK). If you don't use FPI 5 (TCP/dFPI) is better otherwise you would have no isolation.