-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Brave not respecting 3rd party cookies blocked settings. (Serious issue!!) #33072
Comments
Brave doesn't block 3p cookies/other data. Anyway, if you go to |
@Emi-TheDhamphirInLoveUnderTheFrozenStar @rebron If I am disabling 3rd party cookies, 3rd parties cookies should get disabled. I as a user chose to disable 3p cookies, why should the browser override that? Also, if you visit chips-site-a.glitch.me , you can check that cross site tracking can happen, how's is it right?! That too when I as a user has disabled 3p cookies. What you are saying can be the case when 3p cookies aren't disabled, it shouldn't be with 3p cookies disabled!! |
Again, this is the intended behavior in Brave. You obviously barely read my comment, and instead of researching further to understand more the benefits of In fact, you issue has to be closed as this is an intended behavior: #16310 (comment) Especially, when I already explained basically what Ephemeral Storage does and why it is the DEFAULT behavior made by Brave to actually help with reducing tracking while not breaking websites that need 3p cookies. Also, I don't get the problem, when I also explained how to disable it, if you want to go back to the archaic block 3p cookies like any other Chromium browser, then do that and done. So why are you intentionally ignoring what I said in my comment? Only because the terms in Brave say 'block' which is the default for 3p data or 'clear on site close' for 1p, doesn't mean Brave has to follow that archaic method of dealing with data like Chromium and others do. Again, Data is being isolated in the Ephemeral Storage and that's a good thing. The problem I think is you have a wrong idea how tracking works, if you think writing data to a temporary storage that disappears and nobody has access to is a problem or will increase the tracking or something. Well, you might have to understand better how tracking works and why Brave developed this type of feature which even Firefox has it. Of course, I can give you a simple and basic example why isolating data in the Ephemeral Storage is better than basic and archaic blocking cookies only option. If you are blocking cookies and you go to a website X and X needs 3p cookies from Y to function properly... what do you do? well, you only have two choices, close the website and move on, or allow the Y cookies in How is that good? In the case of Ephemeral Storage, it will allow websites to generate X in the Persistent Storage (unless you change the behavior, of course) and Y will be isolated in the Ephemeral Storage, and only X has access to it. When you close X, Y data will disappear and done, nothing had to be allowed, and X never complained about Y data being blocked. If you go to Y site, Y will never have access to what X generated as 3p, since it is long gone or Y can't see it since it didn't came from Y. Or another example, where Ephemeral Storage not only helps with tracking but also to make sites functional and work better if a site needs 3p data to function as it was made.
If you disable Ephemeral Storage, well, it will start from zero. I hope you understand it better, the benefits of it. Of course, you can keep researching and reading more about it, but it is an intended behavior and it is a good one, in fact, It's Brave's default behavior for almost 3 years, way before Firefox released their Total Cookie Protection feature. Of course there are some cases where you have to allow cookies with or without Ephemeral Storage. For example, like logging in to |
@Emi-TheDhamphirInLoveUnderTheFrozenStar (that account is deleted/shadow banned, so tagging you @rebron cause you liked their first comment) So I request you to either change the title of the option, or add option for user to select, based upon your preferences. |
+1 for @TontyTon; users shall be saved from going through such long-reads as this to realise theirs expectations are actually wrong b/c of something. Brave's devs said 3rd parties cookies blocked but they weren't. That's a huge blunder. Very big one. |
Firefox also says that they block cross-site cookies in their Privacy & Security section in Standard/default mode (though with a pointer to TCP below), and they behave identically on the test website posted here. I'm happy to hear ideas about how we can better explain ephemeral partitioned state to users in brave://settings, but let's have that conversation on #36363 where we're discussing how to improve our Privacy & Security settings sections. |
Description
Even with 3rd party cookies blocked, 3rd party websites are able to set cookies.
Steps to Reproduce
Actual result:
Both partitioned and unpartitioned cookies are visible (that is accessible to site B), and 'yes' on 2nd website.
Expected result:
According to CHIPS only partitioned cookies should be accessible to site B.
In Brave, a privacy focussed browser, no cookies should be set by 3rd party, with 3rd party cookies blocked.
Reproduces how often:
Always.
Brave version (brave://version info)
Version 1.58.127 Chromium: 117.0.5938.88 (Official Build) (64-bit)
Windows 10 Version 22H2 (Build 19045.3448)
Version/Channel Information:
Other Additional Information:
Miscellaneous Information:
This is serious, cross-site tracking is serious. Brave should have prevented CHIPS from introducing allowing of setting cookies by third party websites with third party cookies blocked, but this is opposite, Brave is allowing all 3rd party cookies, completely ignoring the cookie settings.
I don't use Brave on other platform, this should be tested on other platforms too.
The text was updated successfully, but these errors were encountered: