-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How do Partitioned
cookies interact with browser extensions?
#6
Comments
@johannhof since you have worked on state partitioning in Firefox, my understanding is that Firefox extensions have the background script specify which top-level partition it wants cookies for using the Does the extension need host permissions for both the cookies' site and the |
Partitioned
cookies interact with browser extensionsPartitioned
cookies interact with browser extensions?
Hi @DCtheTall, this is generally the approach that we're taking, yes. However note that what that documentation describes is the First-Party-Isolation (FPI) compatible API, which is different from our recent work on State Partitioning (internally also called dFPI). To give some more context, FPI is in use in e.g. Tor browser to isolate third parties, but for State Partitioning we had a few incompatible requirements that required us to use a different origin attribute, called The WebExtension API support for cc @Rob--W who is currently assigned to that bug. There's also an open bug for supporting the downloads API.
I would assume it's just the former, but I'll verify that again. |
@johannhof thanks for the response. I was wondering when you were working on your solution for making extension's cookies API compatible with partitioned cookies, did you all consider if extensions might try to join cookies across partitions? Is this something you think browser vendors need to be concerned about? Thanks! |
I'll answer since I'm working on this feature and was also involved in similar before (cookies API support for FPI). There are two ways to interpret your question:
1 was solved for FPI by requiring the 2 is intentional. Extensions with permissions to cookies and host permissions for a specific host can read/modify cookies for the given domain. Once a user has granted the extension access to do so, we permit extensions to freely use these permissions. This includes support for deliberately mixing cookies from partitions if an extension chooses to do so. A legitimate use case with this characteristic is to copy cookies from one partition to another to duplicate a session. |
Firefox 94 supports the I experimented with a string at first, but ended up shipping with an object value, because it enables a more intuitive extension API and it's also possible to support new values in the future. A notable characteristic is that partitioned cookies are not exposed through Here is a summary of the API design, examples and semantics: https://phabricator.services.mozilla.com/D123491#4106552 Please update the spec to match this format (basically For the future, I'm considering the addition of a new API, |
Hey @Rob--W, thanks for the update! Using a plain object for extensibility makes sense to me in case we want semantics other than top-level site to determine a cookie's partition key. One question I have is do you intend to return only partition keys when the Another question I have is regarding partitioning by First-Party Set. If a 3P, embed.com, sets a cookie on member.com which is in a member of a First-Party Set owned by owner.com, then do you intend to have extension API users query for that cookie using Another case to consider is when users enable/disable First-Party Sets. If a user has FPS disabled and embed.com sets a cookie on member.com, then I think that cookie should remain in a separate partition from the set's (keyed on member.com) since that cookie was set with the expectation of top-level site partitioning. In that case, would those cookies only be available to extensions that query |
Non-partitioned cookies are represented by
Partitioned cookies use This format is used in The
The idea behind this syntax is that the value of If one wants to retrieve "all cookies at
Note that First-Party Sets are not implemented in Firefox, and I have no specific implementation experience with it. I would share my opinion of what I would think though. In your example, there is a 3P in
An issue with FPS and generally site-based cookie partitioning is that the "primary key" is not necessarily fixed. A "site" is the eTLD+1 (effective TLD + name, where the effective TLD is derived from the Public Suffix List). In Firefox's implementation of If the generation of
The choice of partition of (existing) cookies upon toggling FPS is not a concern of the extension API. That's up to the implementation. IMO extensions need to be able to discern non-partitioned cookies, topLevelSite-partitioned cookies and firstPartySet-partitioned cookies. The choice of One note to consider: Previously I mentioned that |
Thanks for your detailed reply and explanations.
First-Party sets have an "owner" site, so we would make the partition key
I agree this API would probably be useful for extensions in the future.
Interesting. Is the idea that you would check each cookies' internal representation of their partition key when they're loaded from disk? |
While the intention may be that the "owner" is fixed (just like the intention that a public suffix is fixed), I expect that in practice the values may change (e.g. if an "owner" domain is decommissioned/renamed).
The internal representation is already used at some point. The cookie is stored with the canonical representation of the partition key (at the time of generation). The extension API is already an abstraction of the internal representation of site. |
Given the pending resolution of #40, perhaps we should revisit how we define the |
That sounds fine off-hand but I'd leave it to @DCtheTall to have an informed opinion on this. Given the increasing stabilization / adoption of CHIPS and hopefully eventual standardization I agree that it would be nice to make some progress on this. |
@bvandersloot-mozilla I agree that adding a boolean to the partitionKey struct is a good call. I was thinking something like I think we will probably not implement this until we have finished adding the ancestor chain bit to the cookie partition key in Chrome, which is an active work in progress :) |
Something like that sounds reasonable. It would be good to get some input from @Rob--W, and maybe inclusion in the explainer of how this extension API integration should work. |
Even before the ping I was already watching the comments here with interest. The request for the extra field came up before at https://bugzilla.mozilla.org/show_bug.cgi?id=1873418 (comment 2 onwards). Given the explicit request for my input, I will first give a short recap of the shape of the current partitionKey API, and then sketch a proposal of a change to support the cross-site/same-site ancestor bit in the cookies extension API. partitionKey in cookies APIThe partitionKey object in the extension API was explicitly designed to support future/different additions. Whenever a new property is added, we have to ask what the desired default behavior should be when it was not specified in the partitionKey passed to the following methods:
When partitionKey is omitted , the API operates on unpartitioned cookies only (equivalent to cross-site ancestor bit in partitionKeyNow, with that having said, the question is what the semantics of the new field should be. It looks like it is a boolean field, and the default seems to be false. Under these circumstances, I would propose the following API: The When the field is set: get/set/remove/getAll operates on cookies with a matching ancestor bit. When the field is not set:
|
Submitted a proposal covering the inclusion of hasCrossSiteAncestor in extensions. |
Add new optional bool hasCrossSiteAncestor to the CookiePartitionKey object in cookies.json and update implementations that use the CookiePartitionKey to take into account the new value. Add new cases to unit tests to provide coverage for the new value and update the existing unit tests to use a CookiePartitionKey object. More background information on why this change is being made can be found at the following github link: privacycg/CHIPS#6 Bug: 330778448, 361862746, 362480909 Change-Id: I78e87cf2db806792ba50d477a59b8c2ffcc58ae9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5386307 Commit-Queue: Aaron Selya <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Reviewed-by: Devlin Cronin <[email protected]> Cr-Commit-Position: refs/heads/main@{#1352445}
Firefox 131 was recently released and broke my (manifest v2) extension:
CloudFlare-secured sites perform bot check and add Is there a way to force Just to clarify: I do not use any cookie API from my extension. All I do is performing |
@izogfif Please open a bug report at https://bugzilla.mozilla.org in the WebExtensions component, with a minimal test case. Does the issue also happen in a regular web page and/or a MV3 extension? If you cannot switch from MV2 to MV3, a work-around may be to use |
@Rob--W Thank you for the response. Here is what I found in Firefox 131:
Should I still open a WebExtension bug in Firefox or everything works just the way it should? Here is a minimal reproducible example for reference Testing:
Expected:
Actual result:
For what it's worth: my extension is built from the same code into both MV3 Chrome extension and MV2 Firefox extension. Only the manifest is different. For some reason, switching to MV3 in Firefox breaks lots of things that work just fine in Chrome, so for now Firefox extension is stuck with MV2. |
Status update: Proposal has been merged and the implementation has been completed in Chromium. |
Chrome and Firefox both give developers the ability to build extensions which have background scripts which can interact with a site's cookie jar if the extension has host permissions for that site (documentation of these APIs for Firefox, Chrome).
It is not clear to us how we can surface
Partitioned
cookies to these APIs.For example, an extension could have host permission for a site that is open in a top-level context in one browser tab and an embedded cross-site context in another tab. In this case, which partition should we surface to the background script cookies API?
One option is to only show the site's first-party cookies in this API, but this can potentially expose a cross-site tracking side channel. Consider an extension owned by
tracker.com
which has host permissions for that site. Every timetracker.com
is loaded in an embedded context and detects the extension on the user's machine, it could use a content script that queries the background script for its first-party cookies which it can use to join cross-site cookies across partitions. It seems this attack would still be possible if the Chrome extension's background script gets its own partition as well.One option is to block partitioned cookies to background scripts, but this is a severe route to take and also may be problematic if browsers end up partitioning their cookie jars by default.
Another option is to only show partitioned cookies to the extension for the top-level contexts the browser is opening. However there are several drawbacks to this approach: it seems difficult to implement correctly and it causes the background script cookies API to behave inconsistently based on the state of the browser, making it harder for developers to test.
The text was updated successfully, but these errors were encountered: