make 2803 inactive: thirdparty.sessionOnly

reasons why
- third party cookies are NOT real ... they are partitioned to the first party (with dFPI)
- at the very least nonsecure is redundant
   - no one in this day and age is going to want the config of keeping all secure but not insecure, it doesn't make any sense: especially since 85% (from memory) of traffic from telemetry is secure, and 70+% of the top 1M sites are secure ( https://scotthelme.co.uk/top-1-million-analysis-november-2021/ shows almost 72% of the sites in the Top 1 Million now actively **_redirecting_** traffic to use HTTPS) - in other words, the reasons for keeping secure cookies (like banks, logins) but ditching the rest in the old days are over as being secure is not a distinction, but the norm
- we previously blocked all third party cookies, so this was never really used
- we then moved to lifetime pref = 2 (which makes everything session only), so again, this isn't really adding anything
- we sanitize on close (always have)
- we will be moving off lifetime pref (because deprecation), but we still sanitize on close
- when we move off lifetime pref, I think these prefs could cause issues with dFPI / sanitizing (wouldn't surprise me: they are old and outdated as a concept), and I think we're better off making them inactive

We could also remove them. If that's not enough to convince you, then I have no more words
Thorin-Oakenpants 2022-05-10 15:03:36 +00:00 committed by GitHub
parent 833ebf5bc2
commit 3207478033
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -799,8 +799,8 @@ user_pref("network.cookie.lifetimePolicy", 2);
* [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
* .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
* [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
user_pref("network.cookie.thirdparty.sessionOnly", true);
user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
// user_pref("network.cookie.thirdparty.sessionOnly", true);
// user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
/** SANITIZE ON SHUTDOWN : ALL OR NOTHING ***/
/* 2810: enable Firefox to clear items on shutdown (2811)
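Review bot: The [NOTE] kept above the two now commented-out 2803 prefs still reads as guidance for an active setting, and nothing in the block says why the prefs are inactive. Consider adding one line to the comment stating that they are redundant with network.cookie.lifetimePolicy = 2 and with sanitize on shutdown (2810), as the commit message argues, so that someone reading only the file sees the reason. It is also worth stating in the changelog that commenting out a user_pref line does not reset a value already written to an existing profile, so anyone who applied the earlier version keeps both prefs at true until they reset them.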