Add Third-Party Cookie Deprecation Heuristics to Web Compat #253
Conversation
There was a problem hiding this comment.
Hi @amaliev @miketaylr was there an issue opened for this?
Why is it opened in the first place on the webcompat spec?
- Could you open an issue
- Explain a bit more.
Thanks.
|
+1. It's unclear why Google believe this is the right venue for this. The Privacy CG, where most of Google's CHIPS proposal has been discussed, would be an obvious first port of call—other options include the Fetch Workstream (which does deal with integration with the Cookies spec today), or the HTTP WG. I realise many of these groups are unlikely to take on a pure description of Chromium's current implementation, which seems to be what you want to do here. After all, standards groups deal in normative requirements, not descriptions of varying implementations. But that's true of the Compat workstream too, and we should still be focused on normative requirements. So, two questions:
|
|
For context, this was discussed in the privacycg session at TPAC. Our original idea was it should go in html spec, but it was suggested somewhere else, like web compat spec, would be better to indicate its not intended to be a permanent feature of the web. We could investigate privacycg as well, but it's not clear where it would go in there either.
As browsers are moving to blocking 3P cookies by default it seems relevant to specify when cookies are permitted due to web site actions. This is definitely web observable in default modes in browsers that have already shipped blocking 3P cookies. Why would default web observable behavior not be specified? Both firefox and safari ship these heuristics or something very similar, so this is definitely not a chrome-only thing. We're happy to collaborate with other browser vendors on the appropriate place and shape of the spec, but just not specifying default web observable behavior does not seem like a good choice. |
|
I realize there was probably some confusion around the line:
This wasn't meant to imply this feature is Chrome-specific, but rather that each browser has a slightly different implementation. The explainer I added to the description goes into more detail, but similar heuristics have been shipped by Firefox (docs) and Safari (docs). We'll want to either establish a normative standard (we haven't had concrete discussions yet) or at least reflect the current differences in the spec (similarly to the UA section). |
|
@amaliev can you go ahead and open an issue in this repo for discussion? Personally I think it's fine to document these heuristics here, even if they get moved to another spec down the road (we've done this multiple times in the past). But I agree that we don't want to just document the Chromium implementation and should aim for a normative interoperable ideal (and if there are UA-specific differences, we should file bugs against them and possible add non-normative notes describing them in the spec). FWIW, the User-Agent section is unique in describing UA-specific differences. But the User-Agent string is unique (and terrible) in many ways. 🙈 |
|
SGTM. Sorry for the trouble, I will open an issue and move these changes into a separate repo for the time being. |
Thanks. An issue has been opened |
|
I don't think this necessarily had to be closed @amaliev. One thing I'd recommend is to always include the pull request template to avoid any misunderstandings. Perhaps you created this through CLI and therefore it got excluded. That's unfortunately a shortcoming of this process. |
| </dl> | ||
|
|
||
| </div> | ||
|
|
There was a problem hiding this comment.
Can you add a description of how this impacts the (admittedly underspecified) cookie computation in Fetch like in https://privacycg.github.io/nav-tracking-mitigations/#bounce-tracking-mitigations-network-cookie-write-monkey-patch
There was a problem hiding this comment.
Added a new section with a TODO for now. Will update soon.
compatibility.bs
Outdated
| 1. If |origin| is an [=opaque origin=] then abort these steps. | ||
| 1. Let |site| be the result of running [=obtain a site=] given |origin|. | ||
| 1. Let |host| be |site|'s [=host=]. | ||
| 1. [=Grant access for heuristics=] given: |
There was a problem hiding this comment.
Let's file an issue and add a XXX that links to that issue here about potentially restricting cross-site iframes from triggering this heuristic.
There was a problem hiding this comment.
Filed an issue in my personal repo, since it has the explainer: amaliev/3pcd-exemption-heuristics#3. Let me know if I should move it to the web compat repo.
There was a problem hiding this comment.
If this is to be merged in the actual Web Compat standard, then yeah this issue should probably move over to that repo. But maybe Mike can make the final call, since he's the editor here.
There was a problem hiding this comment.
I'm still not sure this should be in the compat spec.
compatibility.bs
Outdated
| 1. Let |bounceHost| be |bounceSite|'s [=host=]. | ||
| 1. If |bounceHost| [=host/equals=] |firstPartyHost|, [=iteration/continue=]. | ||
| <!-- TODO: check if |bounceUrl| has a transient activation. This will require patching bounce tracking record. --> | ||
| <!-- TODO: check A-B-A user flow. This will require traversing the navigable's history. --> |
There was a problem hiding this comment.
So the redirects aren't going to be stored in session history I believe (i.e., visit https://origin-a.glitch.me/redirect?location=https://example.com and note what happens when you click the back button). So you won't want the navigable's session history. You'll instead want to grab the navigation params's request's URL list, which is where redirect URLs are stored: https://fetch.spec.whatwg.org/#ref-for-concept-request-url-list%E2%91%A4
| for: browsing context | ||
| text: is popup | ||
| text: opener origin at creation | ||
| urlPrefix: https://privacycg.github.io/nav-tracking-mitigations/ |
There was a problem hiding this comment.
This might be a tough sell for a WHATWG standard to accept. If this doesn't fly then maybe we could move this PR to a more local spec? Curious what @miketaylr would think.
There was a problem hiding this comment.
The link targets here are an extra field on HTML's top-level traversable. Part of merging this PR might be to merge that field into HTML. (Merging it into Compat is also possible, but I believe the bounce tracking record is intended to be more permanent than the heuristics in this PR.)
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
compatibility.bs
Outdated
| 1. Let |firstPartySite| be the result of running [=obtain a site=] given |firstPartyOrigin|. | ||
| 1. Let |bounceTrackingRecord| be |navigable|'s [=navigable/top-level traversable=]'s | ||
| [=top-level traversable/bounce tracking record=]. | ||
| 1. [=list/For each=] |bounceUrl| in |bounceTrackingRecord|'s [=bounce tracking record/bounce set=]: |
There was a problem hiding this comment.
Does chrome's implementation follow this? If you use the bounce record, you are relying on the user going through the entire "auth" page in <10 seconds, since the records are purged after 10 seconds on one page.
There was a problem hiding this comment.
Ah, maybe I misunderstood. The extended navigation here is just the B->A to end it? and that last TODO is looking for the A->B in the same navigatable's history to complete the A->B->A?
There was a problem hiding this comment.
Yes, the second comment is correct. Generally the flow goes:
- User navigates from Site A to Site B
- User interacts with Site B to authenticate
- User is bounced (possibly through other sites) back to Site A
And we are running this algorithm after the final navigation concludes.
I realized that in this case per the nav tracking spec, Site B would be the bounce record's initial host rather than in the bounce set, so I updated the spec to consider the initial host as well.
There was a problem hiding this comment.
Okay, that makes more sense.
If that is the case, I don't think that Site B would be in the user activation.
I think when you were patching the bounce tracking proposal, you should have also added initialHost to the user activation set in the If navigable’s [bounce tracking record](https://privacycg.github.io/nav-tracking-mitigations/#top-level-traversable-bounce-tracking-record) is null: step (currently 6 in process navigation start for bounce tracking).
There was a problem hiding this comment.
Thanks for the catch. I've updated the nav tracking spec to add the initial host to the user activation set in both cases.
compatibility.bs
Outdated
|
|
||
| <h3 id="sa-heuristics-redirect">Redirect Heuristic</h3> | ||
|
|
||
| Insert the following steps in [[!HTML]]'s <a spec="html">load a document</a> algorithm, before the |
There was a problem hiding this comment.
This probably isn't what you want. Most documents (all text/html documents among them) don't reach this step.
There was a problem hiding this comment.
Thanks for the callout, I've updated this to point to the start of the "load a document" algorithm.
Generally we prefer to call any end-of-extended-navigation algorithms after the navigation "commits" (which is a standard term in Chrome and MDN but not in the HTML spec). This is to avoid spurious calls in case a navigation aborts, e.g. on loading an invalid resource. However, the structure of the "load a document" algorithm makes it difficult to patch a step at the end of all branches, after the load completes. Anyway, in this case the effect of allowing uncommitted navigations is minor (especially due to the A-B-A requirement below).
|
@amaliev: do you have any update on those questions? I'm looking at implementing this in Firefox and there are a few issues that keep this from working. |
There was a problem hiding this comment.
@bvandersloot-mozilla Sorry for the delay, we had shelved this PR for a while. Addressed the questions inline.
compatibility.bs
Outdated
| 1. Let |firstPartySite| be the result of running [=obtain a site=] given |firstPartyOrigin|. | ||
| 1. Let |bounceTrackingRecord| be |navigable|'s [=navigable/top-level traversable=]'s | ||
| [=top-level traversable/bounce tracking record=]. | ||
| 1. [=list/For each=] |bounceUrl| in |bounceTrackingRecord|'s [=bounce tracking record/bounce set=]: |
There was a problem hiding this comment.
Yes, the second comment is correct. Generally the flow goes:
- User navigates from Site A to Site B
- User interacts with Site B to authenticate
- User is bounced (possibly through other sites) back to Site A
And we are running this algorithm after the final navigation concludes.
I realized that in this case per the nav tracking spec, Site B would be the bounce record's initial host rather than in the bounce set, so I updated the spec to consider the initial host as well.
compatibility.bs
Outdated
|
|
||
| <h3 id="sa-heuristics-redirect">Redirect Heuristic</h3> | ||
|
|
||
| Insert the following steps in [[!HTML]]'s <a spec="html">load a document</a> algorithm, before the |
There was a problem hiding this comment.
Thanks for the callout, I've updated this to point to the start of the "load a document" algorithm.
Generally we prefer to call any end-of-extended-navigation algorithms after the navigation "commits" (which is a standard term in Chrome and MDN but not in the HTML spec). This is to avoid spurious calls in case a navigation aborts, e.g. on loading an invalid resource. However, the structure of the "load a document" algorithm makes it difficult to patch a step at the end of all branches, after the load completes. Anyway, in this case the effect of allowing uncommitted navigations is minor (especially due to the A-B-A requirement below).
Proposal to add third-party cookie deprecation heuristics to the web compat spec.
Explainer: https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md
Issue #254
Preview | Diff