Expand first-party cookie expiry protection (#101)

We enforce our first-party cookie expiry policy to limit how long first-party cookies, created by third-party scripts, can persist. Let's improve the feature to: - Also enforce the cookie expiry policy for cookies created by first-party scripts. - Rename the policy to "firstPartyCookiePolicy" (from "firstPartyTrackerCookiePolicy") to better reflect the above. - Decrease the default maximum expiration to seven days (down from ten days).
duckduckgo · Jun 23, 2022 · 228c878 · 228c878
1 parent f509784
commit 228c878
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 77 deletions.
diff --git a/build/apple/contentScope.js b/build/apple/contentScope.js
diff --git a/build/chrome/inject.js b/build/chrome/inject.js
diff --git a/build/firefox/inject.js b/build/firefox/inject.js
diff --git a/build/integration/contentScope.js b/build/integration/contentScope.js
diff --git a/src/features/cookie.js b/src/features/cookie.js
@@ -25,10 +25,9 @@ let cookiePolicy = {
     shouldBlockTrackerCookie: true,
     shouldBlockNonTrackerCookie: true,
     isThirdParty: isThirdParty(),
-    tabRegisteredDomain: tabOrigin,
     policy: {
-        threshold: 864000, // 10 days
-        maxAge: 864000 // 10 days
+        threshold: 604800, // 7 days
+        maxAge: 604800 // 7 days
     }
 }
 
@@ -125,24 +124,13 @@ export function load (args) {
         try {
             // wait for config before doing same-site tests
             loadPolicyThen(() => {
-                const { shouldBlock, tabRegisteredDomain, policy, isTrackerFrame } = cookiePolicy
+                const { shouldBlock, policy } = cookiePolicy
 
-                if (!tabRegisteredDomain || !shouldBlock) {
-                    // no site domain for this site to test against, abort
+                if (!shouldBlock) {
                     debugHelper('ignore', 'disabled', setCookieContext)
                     return
                 }
-                const sameSiteScript = [...scriptOrigins].every((host) => matchHostname(host, tabRegisteredDomain))
-                if (sameSiteScript) {
-                    // cookies set by scripts loaded on the same site as the site are not modified
-                    debugHelper('ignore', '1p sameSite', setCookieContext)
-                    return
-                }
-                const trackerScript = [...scriptOrigins].some((host) => trackerHosts.has(host))
-                if (!trackerScript && !isTrackerFrame) {
-                    debugHelper('ignore', '1p non-tracker', setCookieContext)
-                    return
-                }
+
                 // extract cookie expiry from cookie string
                 const cookie = new Cookie(value)
                 // apply cookie policy
@@ -151,7 +139,7 @@ export function load (args) {
                     if (document.cookie.split(';').findIndex(kv => kv.trim().startsWith(cookie.parts[0].trim())) !== -1) {
                         cookie.maxAge = policy.maxAge
 
-                        debugHelper('restrict', 'tracker', scriptOrigins)
+                        debugHelper('restrict', 'expiry', scriptOrigins)
 
                         cookieSetter.apply(document, [cookie.toString()])
                     } else {
@@ -182,7 +170,7 @@ export function init (args) {
     const featureName = 'cookie'
     cookiePolicy.shouldBlockTrackerCookie = getFeatureSettingEnabled(featureName, args, 'trackerCookie')
     cookiePolicy.shouldBlockNonTrackerCookie = getFeatureSettingEnabled(featureName, args, 'nonTrackerCookie')
-    const policy = getFeatureSetting(featureName, args, 'firstPartyTrackerCookiePolicy')
+    const policy = getFeatureSetting(featureName, args, 'firstPartyCookiePolicy')
     if (policy) {
         cookiePolicy.policy = policy
     }