NOTICE: v96 CHANGE YOUR SITE PERMISSIONS [AF disables FPI for ETP Strict]

[Thorin-Oakenpants]

In v96 arkenfox will be moving to Total Cookie Protection (also known as dFPI or dynamic FPI)

• note: which is also the plan for ALL firefox users eventually - 1731713

• By the end of the rollout program, TCP will be set as default to 100% of users

You can read more about it in #1051 , but essentially FPI is no longer maintained. Also read the next post on how to migrate your permissions etc

To clarify

• FPI is "everything" (cache, cookies, dns .... etc)
  • all this stuff
• the new lot was split into two
  • "network partitioning"
    • all this stuff e.g. DNS, caches, connections, certs, websockets (added later), etc
  • Total Cookie Protection (dFPI)
    • site data (cookies, IDB, QuotaManager items ... etc)

dFPI/network partitioning

• is more robust
  • such as 3rd party Service Workers are disabled until they partition them
  • such as double keying and (options?) for scheme etc
• most likely covers a few more things (no-one is sure and no-one cares anymore)
  • such as devtools, view page source, reader view?
  • definitely service workers (see earlier comment)
• for those that want it, Smart Blocking and heuristics allow cross-domain logins, so it's better from a compat viewpoint
  • as well as the shims which unbreak pages
  • note: there is a pref for disabling this which we will add in v96 (inactive at this stage)
• works better with Enhanced Cookie Clearing

network partitioning is already enabled by default (when FPI is not used), so this change is focused on Total Cookie Protection

---

There is already an override recipe for this: which I will repeat here, but it's not as simple as just changing prefs (see next post)

🔻 FF87+ : use ETP Strict mode

• Strict mode includes Total Cookie Protection and Smart Block and a stricter list

/* override recipe: FF87+ use ETP Strict mode ***/
user_pref("privacy.firstparty.isolate", false); // 4001
user_pref("network.cookie.cookieBehavior", 5); // 2701
user_pref("browser.contentblocking.category", "strict"); // 2701
  // user_pref("privacy.trackingprotection.enabled", true); // 2710 user.js default
  // user_pref("privacy.trackingprotection.socialtracking.enabled", true); // 2711 user.js default

[Thorin-Oakenpants]

Migrating is not as simple as changing prefs. Permissions for FPI are keyed with OA's (origin attributes) and are incompatible, you can read more in Bugzilla 1649876. Cookies are also keyed.

Here are some screenshots

cookie + site data exceptions

permission exceptions

• there's also the HTTPS-Only Mode exceptions
• NOTE: not sure if all permissions are available via the UI
  

sqlite permissions

sqlite cookies

---

Here's how I am migrating

• I have so little exceptions, that I am going to make a note of them
• Then sanitize all site preferences and cookies (ctrl-shift-del)
  • ⚠️ make sure you reset site preferences afterwards to unchecked as it is inactive in the user.js
• Then close Firefox, add the override recipe, restart
• Then visit my few sites to first add their exception (five for cookies, one for geo, one for https-only) and to login if required

That's it.

Permissions

• if you want to, instead of wiping all your permissions, you could edit them in the sqlite, while FF is closed by removing the FPI syntax, e.g. https://github.com^firstPartyDomain=github.com becomes https://github.com

Cookies (and site data)

• I think you are better off deleting them all and creating new ones. IDK if changing the syntax in the sqlite works or may have unforeseen consequences

[corobin]

Hi, I have 2 questions relating to this change

1: just to clarify how best to convert from FPI to dFPI

a) what prefs should be removed/reset that was previously set for FPI? what should now be set instead?

b) what is the override recipe is meant to override, is it to make it emulate FPI's old behaviour (being more strict)?

2: firefox also has another "protection" feature, site isolation, that was introduced into stable relatively recently and can be enabled with fission.autostart (which also has its own site exceptions format e.g. https://github.com^firstPartyDomain=(https,github.com))

how does the change in FPI interact with site isolation? do you have any recommendations/comments about this?

thanks!

[Thorin-Oakenpants]

what prefs should be removed/reset that was previously set for FPI? what should now be set instead

you update to arkenfox v96 and run prefsCleaner

what is the override recipe is meant to override

it will be obsolete: it was for those who want to flip from FPI to dFPI before updating to arkenfox v96.

it is not to emulate FPI, it is to change FROM fpi to dFPI

meh

you are mixing fission (site isolation = processes) up with state partitioning (network partitioning + Total Cookie Protection (also known as dFPI)

processes vs state

[Panja0]

Is it recommended to use v95 on FF v96(.0.1) or is it better to wait for v96 Arkenfox?

[Thorin-Oakenpants]

use the live master which is basically 96 final

[Panja0]

Thanks for the fast answer!

[gwarser]

How to add per-container cookie exception?

[Thorin-Oakenpants]

use Ctrl-I

[gwarser]

I have something set incorrectly or it does not work. Ctrl+i does not seem to be aware about container concept - config set inside container is visible outside. Trying to set exception manually (with ^userContextId=number) in settings is adding two entries:

http://https
https://https

[Thorin-Oakenpants]

Ctrl+i does not seem to be aware about container concept

but have containers ever needed a contextid syntax before? I just opened a site in a container and added exceptions for cookies and location, and it just adds things like normal

are you saying that it's not respecting exceptions?

[Thorin-Oakenpants]

I have to scoot for now (people to do and things to see) .. but assuming there is an issue, is it in here?

[gwarser]

I was using CAD to keep google cookies in "gmail" container and clean them everywhere else. You are recommending to ditch CAD in favor of browser native cleaning. I'm just trying to convert my setup.

[Thorin-Oakenpants]

OT: https://bugzilla.mozilla.org/show_bug.cgi?id=1681701#c1 - looks like lifetime cookie is close to being nixed

I'm just trying to convert my setup

Are you using MAC, because that can cause differences in testing - not saying that is the case here, but something to keep in mind. If it's a cross-domain login you probably need to add both domains AFAIK

This is a bit "messy": containers and a cross-domain login flow with dFPI. Can we start with something simple like github and some steps to reproduce

• e.g. I have github set to keep cookies. So if I close this window and then open it in a container what happens
• answer: i am logged out - because it is a difference Origin Attribute and I've never logged in on it before
  • ^^ SO I LOGGED IN

interesting: is there a bugzilla on this?

restarted

• normal tab: github logged in auto on existing cookie
• container tab: github logged in auto on existing cookie

I still only have the one https://github.com entry in exceptions

Here's my cookies: two sets

[Thorin-Oakenpants]

so contextID syntax is not needed - I think your problem is you need to add both domains: gmail and google

[gwarser]

So what if I want keep cookies for personal GitHub account in container and clear them for other/test accounts without container?

[Thorin-Oakenpants]

How did you before? You couldn't - it was only because we used FPI which required syntax so it was not the same key. This is clearly a long standing limitation of containers and sanitizing. Must be a bugzilla floating around somewhere

In the meantime, if you're going to be doing that (multiple accounts/testing/other containers/no-container) where you want to keep one and delete all the rest, then you'll need to work around it, probably with an extension. IDK what's out there since I never use these, but I'm guessing you can still use delete cookies and site data on close (currently cookie behavior pref), add exceptions to keep (e.g. github) and then in TC or CAD just add rules for github to suit?

[Thorin-Oakenpants]

Did you solve your issue with gmail?

[gwarser]

By reinstalling CAD.