This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

[Firefox] Setting privacy.firstparty.isolate to true prevents cookie deletion #878

Open
cy7yz2rj opened this issue Dec 10, 2017 · 13 comments

@cy7yz2rj

Activating Firefox's first party isolation feature imported from Tor Browser breaks cookie deletion in uMatrix.

Steps for reproducing:

  1. uMatrix dashboard > set Delete non-blocked session cookies 15 minutes after the last time they have been used.
  2. about:config > set privacy.firstparty.isolate to true
  3. open logger
  4. sign in at https://github.com/gorhill/uMatrix
  5. close github.com tab
  6. wait 15 minutes and failed to delete cookie: https://github.com/... will be reported in logger
  7. navigate to https://github.com/gorhill/uMatrix and confirm already logged in status

Firefox 58.0b10 (64-bit) / uMatrix 1.1.18

@Atavic

Atavic commented Dec 10, 2017

Because FP isolation will break CSP (and other cookie-controlling add-ons, and cache and storage access).

pyllyukko/user.js#245 (comment)

@gorhill
Owner

gorhill commented Dec 10, 2017

> wait 15 minutes and failed to delete cookie: https://github.com/... will be reported in logger

Nothing I can do. The message is merely uMatrix reporting the result of the webext API call.

@sebast889

Is there no way to fix this in uMatrix? A recent update to the Cookie AutoDelete add-on fixed the deletion of cookies even with privacy.firstparty.isolate=true, so maybe it is possible.

Cookie-AutoDelete/Cookie-AutoDelete#75 (comment)

gorhill reopened this Jan 28, 2018

@ArchangeGabriel

Related: https://bugzilla.mozilla.org/show_bug.cgi?id=1381197

@gorhill
Owner

gorhill commented Jan 28, 2018

Thanks for the link.

It says the issue was fixed for FF59, and @cy7yz2rj reports the issue for FF58.

So is there really an issue with uMatrix when using FF59+?

@ArchangeGabriel

I don’t know, I don’t use this feature currently because I haven’t had the time to read enough about the implications.

@ArchangeGabriel

That being said, I have a lot of things like:

22:06:33		failed to delete cookie: http://darkpatterns.org/{persistent-cookie:laravel-session}

in the log.

@ArchangeGabriel

OK, I can now see that cookies that should be deleted by Delete blocked cookies don’t get deleted.

@gorhill
Owner

gorhill commented Jan 28, 2018

For which version of Firefox?

@ArchangeGabriel

60

@cy7yz2rj
Author

Cookies are not deleted in current Firefox 59 (aurora) and 60 (nightly), repro steps same as OP except for browser and uMatrix (1.2.1rc3) versions.

@ke-d

ke-d commented Feb 15, 2018

Cookie extensions dealing with first party isolation have to add explicit support for it.

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/cookies

In the cookies API, the first party domain is represented using the firstPartyDomain attribute. All cookies set while first-party isolation is on will have this attribute set to the domain of the original page. In the example above, this would be "bbc.com" for one cookie and "cnn.com" for the other. All cookies set while first-party isolation is off will have this property set to an empty string.

The cookies.get(), cookies.getAll(), cookies.set() and cookies.remove() APIs all accept a firstPartyDomain option. When first-party isolation is on, you must provide this option or the API calls will fail.

For get(), set(), and remove() you must pass a non-null value for firstPartyDomain. For getAll(), you may also pass null here, and this will get all cookies, whether or not they have a non-empty value for firstPartyDomain.

@earthlng

You can use browser.privacy.websites.firstPartyIsolate.get({}) to detect if isolation is enabled.
See https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/privacy/websites
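
The approach described in the last two comments, sketched as an added example that is not part of the original thread and is not uMatrix code: detect isolation, list cookies across all first-party jars, and pass each cookie's own firstPartyDomain back to cookies.remove(). The helper names, the `api` parameter (standing in for the `browser` object) and the sample cookie are assumptions.

```javascript
// Added example, not uMatrix code. `api` is the WebExtension `browser`
// object, passed in as a parameter (an assumption made for testability).

// Rebuild the URL that cookies.remove() requires from a cookies.Cookie.
function cookieUrl(cookie) {
  const host = cookie.domain.replace(/^\./, '');
  return `${cookie.secure ? 'https' : 'http'}://${host}${cookie.path}`;
}

// Details for cookies.remove(). The cookie's own firstPartyDomain is passed
// through, including '' for cookies set while isolation was off, so the
// call always carries the non-null value that isolation requires.
function removeDetails(cookie) {
  const details = { url: cookieUrl(cookie), name: cookie.name };
  if (cookie.storeId !== undefined) details.storeId = cookie.storeId;
  if (typeof cookie.firstPartyDomain === 'string') {
    details.firstPartyDomain = cookie.firstPartyDomain;
  }
  return details;
}

// Query for cookies.getAll(). With isolation on, firstPartyDomain: null
// returns cookies from every first-party jar plus non-isolated ones.
function getAllQuery(domain, fpiEnabled) {
  const query = { domain };
  if (fpiEnabled) query.firstPartyDomain = null;
  return query;
}

async function removeCookiesForDomain(api, domain) {
  // Reading this setting needs the "privacy" permission; if the API is
  // unavailable, assume isolation is off.
  const setting = api.privacy && api.privacy.websites.firstPartyIsolate;
  const fpi = setting ? (await setting.get({})).value : false;
  const cookies = await api.cookies.getAll(getAllQuery(domain, fpi));
  const failed = [];
  for (const cookie of cookies) {
    // remove() resolves to null when no matching cookie was found.
    const removed = await api.cookies.remove(removeDetails(cookie));
    if (removed === null) failed.push(cookie.name);
  }
  return { fpi, attempted: cookies.length, failed };
}

// Constructed sample: a session cookie set under isolation on github.com.
const SAMPLE_COOKIE = { name: 'example_session', domain: 'github.com',
  path: '/', secure: true, storeId: 'firefox-default',
  firstPartyDomain: 'github.com' };
```

In an extension, call it as `removeCookiesForDomain(browser, 'github.com')`; any name in the returned `failed` list corresponds to a "failed to delete cookie" entry like the ones reported above.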
