Security/Cookies

Existing functionality

• network.cookie.cookieBehavior
  • values
    • 0 = always accept third-party cookies
    • 1 = never accept third-party cookies
    • 2 = don't accept any cookies at all
    • 3 = only accept third-party cookies from visited sites
  • exposed in about:preferences but hard to find: Privacy | History | "Use custom settings for history"
  • option 3 was implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=818340
    • the default was reverted back to 0 in https://bugzilla.mozilla.org/show_bug.cgi?id=851606
    • discussion to make the default 3 again happened in https://bugzilla.mozilla.org/show_bug.cgi?id=999170 but stalled
• network.cookie.lifetimePolicy
  • values
    • 0 = accept for the duration set by the site
    • 1 = no longer used (https://bugzilla.mozilla.org/show_bug.cgi?id=606655)
    • 2 = accept for this session only
    • 3 = accept for N days (see network.cookie.lifetime.days)
  • partially exposed: option 3 is not available
• network.cookie.lifetime.days
  • https://dxr.mozilla.org/mozilla-central/rev/85cf2e720a8405c43eabc9b34cce381b66d25ef9/extensions/cookie/nsCookiePermission.cpp#258-261
  • not exposed anywhere
  • related idea: https://bugzilla.mozilla.org/show_bug.cgi?id=844623
• network.cookie.thirdparty.sessionOnly
  • for those third-party cookies we accept, only accept them for this session
  • https://bugzilla.mozilla.org/show_bug.cgi?id=565475
  • https://dxr.mozilla.org/mozilla-central/rev/85cf2e720a8405c43eabc9b34cce381b66d25ef9/netwerk/cookie/nsCookieService.cpp#3794-3816
  • not exposed anywhere
• network.cookie.thirdparty.nonsecureSessionOnly
  • for those third-party cookies set over HTTP, only accept them for this session
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1160368
• per-site third-party cookie blocking
  • https://wiki.mozilla.org/Privacy/Features/Per-Site_Third-Party_Cookie_Setting
  • supported internally (cookie DB): https://bugzilla.mozilla.org/show_bug.cgi?id=770691
  • UI for toggling it on/off: https://bugzilla.mozilla.org/show_bug.cgi?id=770705 (now removed)

Further work

• Blocking insecure third-party cookies
  • we should first add telemetry to see how common that is
    • https://dxr.mozilla.org/mozilla-central/rev/2bdd9ec79799eff3ceec0a318f5a0632d918a527/toolkit/components/telemetry/Histograms.json#7735
    • https://dxr.mozilla.org/mozilla-central/rev/2bdd9ec79799eff3ceec0a318f5a0632d918a527/netwerk/cookie/nsCookieService.cpp#3152
• Double-keying
  • https://bugzilla.mozilla.org/show_bug.cgi?id=565965 (stalled)
  • https://trac.torproject.org/projects/tor/ticket/3246
• Purging expired cookies
  • https://bugzilla.mozilla.org/show_bug.cgi?id=576347
  • https://bugzilla.mozilla.org/show_bug.cgi?id=597234#c6
• Expiring third-party cookies earlier
  • (v. network.cookie.thirdparty.sessionOnly)
  • https://bugzilla.mozilla.org/show_bug.cgi?id=844623

Specifications

• RFC6265bis: https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/
  • https://lists.w3.org/Archives/Public/ietf-http-wg/2015OctDec/0165.html
• Cookie prefixes: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
• Cookie control in CSP: https://w3c.github.io/webappsec-csp/cookies/ (abandoned)
• Same-site cookies: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
  • First party cookies: https://tools.ietf.org/html/draft-west-first-party-cookies-02 (superseded)
  • Same-domain cookies: https://github.com/mozmark/SameDomain-cookies/blob/master/samedomain.txt (superseded)
• Restrict secure cookies to HTTPS: https://datatracker.ietf.org/doc/draft-ietf-httpbis-cookie-alone/
• [vaguely related] Clear site data: https://mikewest.github.io/webappsec/specs/clear-site-data/
• IE cookie "leashing": https://web.archive.org/web/20150101193222/https://msdn.microsoft.com/en-us/library/ms537343(v=vs.85).aspx
  • There is apparently support for this in Firefox: https://github.com/mozilla/persona/issues/4152#issuecomment-46283659

Work in progress

• Changes coming to Chrome: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/2PK3q_VE1rg/discussion
  • leave-secure-cookies-alone:
    • https://bugzilla.mozilla.org/show_bug.cgi?id=976073
    • https://code.google.com/p/chromium/issues/detail?id=546820
    • https://groups.google.com/a/chromium.org/d/topic/blink-dev/g_igIzSue40/discussion
  • cookie-prefixes:
    • https://code.google.com/p/chromium/issues/detail?id=541511
    • https://groups.google.com/a/chromium.org/d/topic/blink-dev/ueCrrgFX8J4/discussion
  • same-site cookies: https://code.google.com/p/chromium/issues/detail?id=459154
• Prior work in Firefox: https://wiki.mozilla.org/SecurityEngineering/ThirdPartyCookies
  • expression of interest: https://groups.google.com/d/msg/mozilla.dev.platform/yEqC74IgnqQ/wIVQh4W2EAkJ
  • same-site cookies: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
  • third-party cookie blocking:
    • original patch: http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/
    • next steps: http://webpolicy.org/2013/05/21/next-steps-for-the-firefox-cookie-policy/
    • breakage bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=1376049
• Improving the cookie preferences: https://docs.google.com/a/mozilla.com/document/d/1ff4iiOFPnJH1ednEWDkVQKWdieu5wO92-5dKnfTaZqc/edit
• Cookie prefixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1283368
• Prevent HTTP sites from setting cookie with the secure flag: https://bugzilla.mozilla.org/show_bug.cgi?id=976073
• Treating non-HTTPS cookies as session cookies: https://bugzilla.mozilla.org/show_bug.cgi?id=1160368 (abandoned)

Research

• https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-zheng.pdf
• http://www.pewresearch.org/fact-tank/2016/01/20/the-state-of-privacy-in-america/ft_16-01-20_privacy_youngadults/ (a surprisingly large % of users clear their cookies)
• https://monica-at-mozilla.blogspot.ca/2013/10/cookie-counting.html