Limit client side cookie lifetime to 24 hours #7853

Closed
jumde opened this issue Jan 21, 2020 · 2 comments
Labels
closed/wontfix privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. privacy

Comments

Contributor

jumde commented Jan 21, 2020

Description

As part of ITP 2.3, Safari reduced the expiry of client side cookies to 24 hours. We should do the same:
https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/

@jumde jumde added the privacy label Jan 21, 2020
@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Jan 28, 2020
Member

fmarier commented Jan 28, 2020

That ITP 2.3 blog post only refers to the previous change in ITP 2.2:

"With ITP 2.2, when a webpage is navigated to from a domain classified by ITP and the landing URL has a query string or fragment, the expiry of persistent client-side cookies created on that page is 24 hours."

We responded to that by filtering the query string and removing known offenders. Capping all JS cookies to 24h might have a big usability impact.

From what I can tell, if Apple is limiting the lifetime of all JS cookies, then they haven't announced it publicly yet. In the absence of query string params, they're still capping tracking JS cookies to 7 days (whereas we are capping all JS cookies at 7 days).

Until there are further changes in this space, I think we should leave the limit at 7 days to avoid introducing a potentially large source of webcompat issues.


ryanbr commented Jan 28, 2020

@tildelowengrimm tildelowengrimm added the privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. label Feb 12, 2020
@tildelowengrimm tildelowengrimm added closed/wontfix and removed priority/P3 The next thing for us to work on. It'll ride the trains. labels Feb 19, 2020
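
Added example, not part of the thread and not Brave or WebKit code: a sketch of what capping script-written cookies means in practice, comparing the 7-day cap with the proposed 24-hour cap and checking the ITP 2.2 condition quoted above. All function names and the sample cookie strings are hypothetical and constructed for illustration.

```javascript
// Added illustration, not Brave or WebKit source; all function names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Expiry (ms since epoch) that a document.cookie write asks for, or null for
// a session cookie. Per RFC 6265, a valid Max-Age takes precedence over Expires.
function requestedExpiry(cookieString, nowMs) {
  let maxAge = null;
  let expires = null;
  for (const attr of cookieString.split(";").slice(1)) {
    const eq = attr.indexOf("=");
    if (eq < 0) continue; // flag attributes such as Secure
    const name = attr.slice(0, eq).trim().toLowerCase();
    const value = attr.slice(eq + 1).trim();
    if (name === "max-age" && /^-?\d+$/.test(value)) {
      maxAge = Number(value);
    } else if (name === "expires" && !Number.isNaN(Date.parse(value))) {
      expires = Date.parse(value);
    }
  }
  return maxAge !== null ? nowMs + maxAge * 1000 : expires;
}

// Clamp a script-written cookie to nowMs + capMs. Session cookies (null) and
// cookies that already expire sooner, including deletions, pass through.
function cappedExpiry(cookieString, nowMs, capMs) {
  const wanted = requestedExpiry(cookieString, nowMs);
  return wanted === null ? null : Math.min(wanted, nowMs + capMs);
}

// The ITP 2.2 condition quoted in the thread: the referrer is classified and
// the landing URL carries a query string or fragment.
function itp22Applies(referrerClassified, landingUrl) {
  const url = new URL(landingUrl);
  return referrerClassified && (url.search !== "" || url.hash !== "");
}

// Constructed sample input.
const NOW = Date.UTC(2020, 0, 21);
const yearLong = "uid=abc123; Max-Age=31536000; Path=/";
console.log(new Date(cappedExpiry(yearLong, NOW, 7 * DAY_MS)).toISOString());
console.log(new Date(cappedExpiry(yearLong, NOW, DAY_MS)).toISOString());
console.log(itp22Applies(true, "https://shop.example/landing?click_id=xyz"));
```

Cookies that request a shorter lifetime than the cap are unaffected, so the usability cost of a 24-hour cap falls on sites that rely on script-set cookies persisting for more than a day.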
4 participants