Brave not blocking third-party cookies #16310
Comments
This test gives incorrect results for multiple browsers.
Ok. So why, in my tests, did not only the test results from the site show that third-party cookies were supported, but a third-party cookie from mindmup.github.io was also allowed in the list of allowed cookies in Brave? This isn't happening in Chromium.
cc @ryanbr
I tested here and indeed disabling this flag made Brave show the allowed and blocked cookies like in Chromium and pass the test. When this flag is enabled, does Brave behave like Firefox's cross-site cookie tracking protection? I'm asking this because Firefox with this protection has the same results in this test as Brave with this flag enabled.
I have no knowledge regarding the Firefox method of blocking cookies, but previous methods of blocking 3rd-party cookies in Brave caused issues on some sites. Ephemeral Storage improved web compatibility while still maintaining privacy.
@Diego-BF just for a bit more information, Brave's approach to 3rd party DOM storage is more protective than Firefox's planned cross-site cookie tracking protection approach. It's more similar to Safari's approach, but also more restrictive / protective. All three approaches are similar in that they give 3p's frames different storage areas depending on which 1p they're hosted under. So, child.com as a third-party frame under parent1.com will see different storage than child.com under parent2.com. The difference is how long these partitioned storage areas last.
You can find more details about Brave's approach here: https://brave.com/privacy-updates-7

I'm closing this because this isn't a bug, this is all functioning as expected. Third-party storage APIs appear to function as expected from the perspective of the site, but cross-site tracking is prevented because of storage partitioning, and cross-session tracking is prevented by minimizing the length of time that partitioned storage exists for. Feel free to ask more questions below though if you'd like.

Or, TL;DR: Brave makes it look to sites like 3p cookies are enabled, but sites are prevented from doing the kinds of privacy harm that 3p cookies are infamously used for.
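The partitioning described in the comment above, as an added example that is not part of the thread and not Brave's code: a toy JavaScript model in which third-party storage is keyed by the top-level site and the embedded frame's site. The class and function names are hypothetical, and dropping a partition when the last tab of its top-level site closes is an assumption about the partition lifetime.

```javascript
// Toy model of partitioned, ephemeral third-party storage (added example, hypothetical names).
class PartitionedStore {
  constructor() {
    this.partitions = new Map(); // "topSite|frameSite" -> Map of key/value pairs
    this.openTabs = new Map();   // topSite -> count of open tabs
  }
  openTab(topSite) {
    this.openTabs.set(topSite, (this.openTabs.get(topSite) || 0) + 1);
  }
  // Assumption: a partition is dropped when the last tab of its top-level site closes.
  closeTab(topSite) {
    const left = (this.openTabs.get(topSite) || 0) - 1;
    if (left > 0) { this.openTabs.set(topSite, left); return; }
    this.openTabs.delete(topSite);
    for (const key of [...this.partitions.keys()]) {
      if (key.startsWith(topSite + "|")) this.partitions.delete(key);
    }
  }
  // Storage area a frame from frameSite sees while embedded under topSite.
  area(topSite, frameSite) {
    if (!this.openTabs.has(topSite)) throw new Error("no open tab for " + topSite);
    const key = topSite + "|" + frameSite;
    if (!this.partitions.has(key)) this.partitions.set(key, new Map());
    return this.partitions.get(key);
  }
}

// What an embedded third party does on each load: reuse its stored ID or mint one.
function trackerVisit(store, topSite, frameSite, mintId) {
  const area = store.area(topSite, frameSite);
  if (!area.has("uid")) area.set("uid", mintId());
  return area.get("uid");
}

// Constructed scenario using the site names from the comment above.
function demo() {
  const store = new PartitionedStore();
  let n = 0;
  const mint = () => "id-" + (++n);
  store.openTab("parent1.com");
  store.openTab("parent2.com");
  const first = trackerVisit(store, "parent1.com", "child.com", mint);
  const again = trackerVisit(store, "parent1.com", "child.com", mint); // write then read works
  const other = trackerVisit(store, "parent2.com", "child.com", mint); // separate partition
  store.closeTab("parent1.com"); // last parent1.com tab closes: partition is dropped
  store.openTab("parent1.com");
  const later = trackerVisit(store, "parent1.com", "child.com", mint); // fresh ID
  return { first, again, other, later };
}
```

In `demo()`, `first` equals `again`, which is why a support test run inside one page sees third-party storage as working, while `other` and `later` differ from `first`, so the ID cannot be joined across sites or across sessions.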
Description
Brave configured to block cross-site cookies isn't stopping third-party cookies in the test at https://www.doileak.com/classic.html.
Steps to Reproduce
Actual result:
Cookies from www.doileak.com and mindmup.github.io allowed in the browser, and the test results show that third-party cookies are supported.
Expected result:
Cookies from www.doileak.com allowed and from mindmup.github.io blocked in the browser, and the test results showing that third-party cookies are not supported.
Reproduces how often:
Easily reproduced
Brave version (brave://version info)
Other Additional Information: