Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Limit JS set cookie lifetime to 7 days #3443

Closed
pes10k opened this issue Feb 21, 2019 · 20 comments · Fixed by brave/brave-core#1905
Closed

Limit JS set cookie lifetime to 7 days #3443

pes10k opened this issue Feb 21, 2019 · 20 comments · Fixed by brave/brave-core#1905
Assignees
Labels
priority/P2 A bad problem. We might uplift this to the next planned release. privacy/tracking Preventing sites from tracking users across the web privacy QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include

Comments

@pes10k
Copy link
Contributor

pes10k commented Feb 21, 2019

Safari will start doing this soon, so that gives us some good webcompat cover

https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/

@pes10k pes10k added privacy privacy/tracking Preventing sites from tracking users across the web labels Feb 21, 2019
@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Feb 22, 2019
@diracdeltas
Copy link
Member

Should we start with 7 days or shorter (like 1 day)?

@diracdeltas
Copy link
Member

2nd question - should this be tied to a shield state or be on all the time?

@tildelowengrimm tildelowengrimm added priority/P2 A bad problem. We might uplift this to the next planned release. and removed priority/P3 The next thing for us to work on. It'll ride the trains. labels Feb 27, 2019
@pes10k
Copy link
Contributor Author

pes10k commented Feb 27, 2019

For my two cents, i suggest

  1. 7 days (so that we can fly under Safari's web compat issues)
  2. all the time (otherwise it'd get confusing, do we extend / decrease the life times of existing cookies, etc). Plus, Safari hides the toggle to the point of it basically not existing, so seems like they don't expect web compat issues with it

@fmarier fmarier self-assigned this Mar 5, 2019
@fmarier fmarier added this to the 0.64.x - Nightly milestone Mar 13, 2019
fmarier added a commit to brave/brave-core that referenced this issue Mar 14, 2019
@LaurenWags
Copy link
Member

@fmarier can you provide a test plan for manual QA? if manual QA is not needed, can you please label as QA/No?

@fmarier fmarier added the QA/Yes label Apr 25, 2019
@fmarier
Copy link
Member

fmarier commented Apr 25, 2019

I would suggest following the test plan on brave/brave-core#1905. Let me know if anything on there is unclear.

@ketys-from-meiro
Copy link

I can set expiration for half a year with max-age. Is it only a visual bug in cookie expiration column or does it really persist for half a year?

@fmarier
Copy link
Member

fmarier commented Mar 31, 2021

I can set expiration for half a year with max-age. Is it only a visual bug in cookie expiration column or does it really persist for half a year?

No, that looks like a regression. The "client-side cookies" portion of the test plan on brave/brave-core#1905 now fails.

I filed #15048 to track this.

@d4kir92
Copy link

d4kir92 commented May 24, 2023

well this 7 days expire thing destroys the youtube wide (theater mode)

each week i need to manually add a cookie to get it working again
#29591

@racofer
Copy link

racofer commented May 26, 2023

Is there any way to override this behavior and have Brave work like any other browser? This things prevents me from using the browser as it is due to how annoying it gets to have a bunch of sites lose their settings every 7 days.

@d4kir92
Copy link

d4kir92 commented May 26, 2023

yes its very bad to click all cookie banners on 100+ sites each week -.- also breaks some sites

@ShivanKaul
Copy link
Collaborator

well this 7 days expire thing destroys the youtube wide (theater mode)

Theater mode in youtube is set via a session cookie (null expiry), cookie lifetime doesn't apply.

@ShivanKaul
Copy link
Collaborator

yes its very bad to click all cookie banners on 100+ sites each week -.- also breaks some sites

Can you mention which cookie banners you're seeing? We should be blocking those anyway @ryanbr

@d4kir92
Copy link

d4kir92 commented Jul 6, 2023

well this 7 days expire thing destroys the youtube wide (theater mode)

Theater mode in youtube is set via a session cookie (null expiry), cookie lifetime doesn't apply.

if i set theater mode it makes a cookie, when i restart brave its gone, on other browsers like chrome/edge it stays

@ryanbr
Copy link

ryanbr commented Jul 6, 2023

Screenshot of cookie message, and inspect item?

@d4kir92
Copy link

d4kir92 commented Jul 24, 2023

it is maybe fixed, will come back if not

@AJolly
Copy link

AJolly commented Jun 9, 2024

Is this why Brave seems to always log me out of webpages, even if I click "remember me"?

I've seen a number of posts about this issue around the web, but So far no one seems to be mentioning brave changing the cookie lifetime

@d4kir92
Copy link

d4kir92 commented Jun 9, 2024

yes, but depends if the cookie is set to "auto reset 7 days" when you visit that page, i heard of

@flaviovs
Copy link

but depends if the cookie is set to "auto reset 7 days" when you visit that page, i heard of

A page can set a cookie to expire in 30 seconds, 2 hours, days, "never", or "when the browser closes". The developer decides based on what they think is best for the user.

Now, cookies can be set in the HTTP response or by Javascript on the page. If I understand correctly, Brave is capping the expiration sent via Javascript to 7 days, regardless if the developer thought that a longer expiration date is safe and needed.

Many sites use Javascript to set user preferences and other data. This explains why you may need to re-login or reset preferences after a week or so on those sites when using Brave.

Apparently this expiration is to improve reliance against trackers which realized that they could circumvent cookie blockers by sending them via Javascript.

The problem (IMHO) is that, by doing so, Brave is crossing a dangerous line, the one that separates security/privacy from deteriorated user experience, without giving people a way to opt-out.

Notice that Brave is not doing anything wrong per se. As far as standards are concerned, a browser is free to expire cookies earlier that the indicated by the page as it sees fit, bearing in mind that this could affect user experiences.

Lastly, there's #30634 which is a request to have a flag to turn off this behaviour. The request is over a year old with no response from the developers, so a change doesn't seem to be a high priority.

@minaby
Copy link

minaby commented Oct 17, 2024

This is so annoying. I have been a Brave user for YEARS and introducing this browsers to my friends, but i think this is the limit and I have to give up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
priority/P2 A bad problem. We might uplift this to the next planned release. privacy/tracking Preventing sites from tracking users across the web privacy QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include
Projects
None yet
Development

Successfully merging a pull request may close this issue.