This repository has been archived by the owner on Feb 20, 2023. It is now read-only.

Make the tcp-feature Nimbus feature true by default #26869

Closed
cpeterso opened this issue Sep 7, 2022 · 18 comments · Fixed by #26875 or nathanmkaya/fenix#108

Comments

@cpeterso

cpeterso commented Sep 7, 2022

For the other MR feature flags, see #26865.

┆Issue is synchronized with this Jira Task

@github-actions github-actions bot added the needs:triage Issue needs triage label Sep 7, 2022
@Mugurell Mugurell self-assigned this Sep 8, 2022
Mugurell added a commit to Mugurell/fenix that referenced this issue Sep 8, 2022
@github-actions github-actions bot added the eng:reopen-for-qa Reopens and tags the issue for QA needed when the issue is merged label Sep 8, 2022
mergify bot pushed a commit that referenced this issue Sep 8, 2022
This change should not be uplifted.
@mergify mergify bot closed this as completed in #26875 Sep 8, 2022
@github-actions github-actions bot added this to the 106 milestone Sep 8, 2022
@github-actions github-actions bot reopened this Sep 8, 2022
@github-actions github-actions bot added eng:qa:needed QA Needed and removed eng:reopen-for-qa Reopens and tags the issue for QA needed when the issue is merged labels Sep 8, 2022
@Amejia481 Amejia481 removed the eng:qa:needed QA Needed label Sep 8, 2022
@sheikh-azharuddin

Post installing latest version I don't think it's working in nightly

@Mugurell
Contributor

Mugurell commented Sep 9, 2022

> Post installing latest version I don't think it's working in nightly

In the latest Nightly - build #2015903023 there should be a new setting in "Enhanced Tracking Protection -> Custom": Isolate cross-site cookies that would allow selecting this new protection level.

TCPInFenixNightly.mp4

@sheikh-azharuddin

Thanks Mugurell but in Firefox desktop variant TCP is by default enabled even if ETP set to standard.

So is it possible to enable in standard ETP mode?

@sheikh-azharuddin

Also even after setting the option isolate cross-site cookies, I don't see any popup in below site to enable cross site cookie.. on clicking it simply shows storage access granted for 3 and 4

https://senglehardt.com/test/dfpi/storage_access_api.html

@sheikh-azharuddin

2022-09-09-14-39-54.mp4

@cpeterso
Author

cpeterso commented Sep 9, 2022

> in Firefox desktop variant TCP is by default enabled even if ETP set to standard.
>
> So is it possible to enable in standard ETP mode?

Thanks for catching that! This sounds like a bug. We want to enable Android TCP by default, just like desktop. I filed #26910 to change the default setting.

> Also even after setting the option isolate cross-site cookies, I don't see any popup in below site to enable cross site cookie.. on clicking it simply shows storage access granted for 3 and 4
>
> https://senglehardt.com/test/dfpi/storage_access_api.html

To see the storage access popup, you need to set the dom.storage_access.auto_grants pref to false in about:config. TCP doesn't block all storage access. It partitions storage so Facebook trackers embedded on an example.com page see different Facebook cookies than on an example.net page.

@sheikh-azharuddin

Thanks it worked.. post setting the value I see the popup

But again if I have to set the setting manually then "cross site ask to allow" setting in site permission is not working 🤔

Screenshot_20220909-234808036

Screenshot_20220909-234900893 (1)

@cpeterso
Author

cpeterso commented Sep 9, 2022

> But again if I have to set the setting manually then "cross site ask to allow" setting in site permission is not working 🤔

@Mugurell, what is the expected behavior for the "cross site ask to allow" setting with TCP? Is @sheikh-azharuddin seeing the "Storage_access permission is not asked again if allowed once" bug 1746031 that you found? (That bug is scheduled to be fixed in v106 or v107.)

@sheikh-azharuddin

Hello Chris,

I can see the popup again when requested.. no issue
My question was in the site permission list cross site cookies is set to allow.. and this popup (same cross site logo and behaviour) is only showing when I set the dom.storage_access.auto_grants pref to false manually.. I mean if cross site cookies is set to ask to allow, so should not this preference set to false by default... else in my 3 years usage of Fenix I never saw any popup for cross site cookie

In short, dom.storage_access.auto_grants pref to false should be by default set when "cross site cookies site permission is Set to allow"

@Mugurell
Contributor

Mugurell commented Sep 12, 2022

The "Cross-Site cookies" permission from Settings -> Site permissions was added at the end of last year in #22852 in preparation for TCP.
TCP is only recently being enabled so users indeed wouldn't have seen that prompt until now.

To give a broad description of how TCP (and the permission / prompt) works in Fenix:

  • The Storage Access API allows cross-origin content to check (through hasStorageAccess) and request (through requestStorageAccess) first-party storage access (access to cookies and other shared state).
  • If an iframe requests the permission:
    • by default Firefox (desktop and mobile) will use its own heuristics to decide whether to automatically grant the permission or try to show the permission popup to the user
    • if dom.storage_access.auto_grants is false (different than the default) then Firefox (desktop and mobile) will always try to show the permission popup to the user
  • When trying to ask users about first-party storage access, depending on the "Cross-Site cookies" permission from Settings -> Site permissions:
    • if the permission is set to "Ask to allow" the prompt will be shown.
    • if the permission is blocked the prompt will not be allowed and the request will automatically be denied.
      (there is also a dependency in https://bugzilla.mozilla.org/show_bug.cgi?id=1746031)

More details about the Storage Access API and the TCP feature can be found in:
https://hacks.mozilla.org/2021/02/introducing-state-partitioning/
https://privacycg.github.io/storage-access/
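
The two layers described in the comment above, as an added example (not part of the original thread, and not Fenix or Gecko code): a simplified fake document models the Gecko pref and the app-level site permission, and `ensureStorageAccess` is the embedded-content side using `hasStorageAccess` / `requestStorageAccess`. The names `makeFakeDocument`, `ensureStorageAccess`, `heuristicsGrant`, `appPermission` and `userAllows` are hypothetical.

```javascript
// Added illustration: a simplified model, not Fenix or Gecko source.
const denied = () => Object.assign(new Error("storage access denied"),
                                   { name: "NotAllowedError" });

// Browser side. `heuristicsGrant` stands in for Gecko's auto-grant heuristics,
// which the thread does not spell out (assumption); `userAllows` is the
// user's answer if a prompt is actually shown.
function makeFakeDocument({ autoGrants = true, heuristicsGrant = false,
                            appPermission = "ask", userAllows = false } = {}) {
  let granted = false;
  const log = [];
  return {
    log,
    hasStorageAccess: async () => granted,
    requestStorageAccess: async () => {
      // Layer 1 (Gecko): dom.storage_access.auto_grants=true lets heuristics
      // grant silently; false means Gecko always tries to prompt.
      if (autoGrants && heuristicsGrant) {
        log.push("auto-granted");
        granted = true;
        return;
      }
      log.push("gecko-wants-prompt");
      // Layer 2 (app): "Cross-Site cookies" site permission decides whether
      // the prompt Gecko asked for reaches the user.
      if (appPermission === "blocked") {
        log.push("denied-by-app");
        throw denied();
      }
      log.push("prompt-shown");
      if (!userAllows) throw denied();
      granted = true;
    },
  };
}

// Embedded (cross-origin iframe) side: check first, request only if needed.
// In a real page, call this from a user gesture such as a click handler.
async function ensureStorageAccess(doc) {
  if (typeof doc.requestStorageAccess !== "function") return "unsupported";
  if (await doc.hasStorageAccess()) return "already-granted";
  try {
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    return err.name === "NotAllowedError" ? "denied" : "error";
  }
}
```

With `autoGrants: false` and `appPermission: "blocked"` the log shows that Gecko wanted a prompt but the app layer denied the request before the user saw anything.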

@Mugurell
Contributor

Mugurell commented Sep 12, 2022

> @Mugurell, what is the expected behavior for the "cross site ask to allow" setting with TCP? Is @sheikh-azharuddin seeing the "Storage_access permission is not asked again if allowed once" bug 1746031 that you found? (That bug is scheduled to be fixed in v106 or v107.)

Based on the above

  • the "Cross-Site cookies" permission from Settings -> Site permissions only applies after Gecko decides the prompt should be shown or not based on dom.storage_access.auto_grants.
  • if after first granting the "Cross-Site cookie" permission user blocks it in Settings then indeed based on bug 1746031 the user is not asked again the next time the cross-origin content would check / ask for a previously granted storage access permission.
    This is because of the two permissions layers. One in the app and one in Gecko.

What I understand though is that @sheikh-azharuddin expected the "Cross-Site cookies" permission from Settings -> Site permissions to also control dom.storage_access.auto_grants and this indeed does not happen:

  • dom.storage_access.auto_grants controls whether Gecko will always ask the user for storage access permission (instead of optionally granting this based on its own heuristics)
  • "Cross-Site cookies" permission from Settings -> Site permissions controls whether the user will see the prompt Gecko asks or automatically deny the permission.

@cpeterso
Author

Here are the rules that Gecko uses to decide whether to auto-grant a storage access request or ask the user:

https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess#conditions_for_granting_storage_access

Fenix Nightly users that want more privacy at the cost of sites breaking can set the privacy.antitracking.enableWebcompat pref to false:

https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#disable_web_compatibility_features

@sheikh-azharuddin

Post enabling TCP in all ETP mode, I see that cookie popup even though storage auto grants is set to true 😀

@cpeterso
Author

> Post enabling TCP in all ETP mode, I see that cookie popup even though storage auto grants is set to true 😀

Are you testing on https://senglehardt.com/test/dfpi/storage_access_api.html? Which columns' requestStorageAccess() buttons show the cookie popup for you?

I see the following same behavior in Firefox Android and desktop, which I think is correct:

  • For columns 1 (senglehardt.com) and 2 (test.senglehardt.com), clicking the requestStorageAccess() button grants access without a cookie popup. This is because senglehardt.com and test.senglehardt.com are considered the same site (*.senglehardt.com).
  • For columns 3 (englehardt-tracker.com) and 4 (known-tracker.englehardt-tracker.com), clicking the requestStorageAccess() button shows the cookie popup. This is because englehardt-tracker.com and known-tracker.englehardt-tracker.com are not the same site as the main page (senglehardt.com).

@sheikh-azharuddin

For column 3 and 4, I see the popup now. Earlier it used to grant automatically without any pop up
Storage auto grants still set to true

@cpeterso
Author

> I see the popup now. Earlier it used to grant automatically without any pop up

You might have been seeing https://bugzilla.mozilla.org/show_bug.cgi?id=1746031 ("Storage_access" permission is not asked again if allowed once). That bug will be fixed in Fenix 106 or 107. Hopefully we can fix it in 106, since that's when we will ship TCP to everyone.

@sheikh-azharuddin

Thanks Chris and Mugurell

@cpeterso
Author

Thanks for your bug reporting! You found good bugs and I learned more about how Storage Access works. 😅
