Page MenuHomePhabricator

Disable WMF-Last-Access cookies for
Closed, ResolvedPublic


I'm experimenting with more strictly separated browser profiles. Aside from the typical work/personal split for different logins, also a split between "retained" and "ephemeral" storage. Where the retained one is only used for authenticated sessions on trusted websites (only allow cookies from trusted sites), and the ephemeral for everything else (the default "allow all", with a clear-on-exit rule).

I noticed that when saying "Allow" to phabricator, it still reported cookies being blocked. Specifically, these two:
 - Cookies:
 - Cookies:

I also noticed that our many non-canonical/redirect domains and TLS redirects also receive these cookies, which made the list of stored cookies significantly larger than expected after a day of browsing.

The Strict-Transport-Security header is already limited to HTTPS-only and on canonical domains only (slightly wider than canonical, but at least not all, including foreign host name values). That logic might be re-usable to some extent for this.

Event Timeline

This also relates to T202479, in that it touches on the larger problem of not having an established way to detect in Varnish whether the request is for a wiki or for something else. In particular, to avoid executing code on non-canonical domains, on IPs, on foreign domain names, and on former "cache_misc" domain names.

As part of my clinic duty, I am pinging Ema and Brandon so at least one of them can comment on this, as it goes beyond my knowledge.

jijiki triaged this task as Medium priority.Dec 3 2018, 1:24 PM

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all tickets that aren't are neither part of our current planned work nor clearly a recent, higher-priority emergent issue. This is simply one step in a larger task cleanup effort. Further triage of these tickets (and especially, organizing future potential project ideas from them into a new medium) will occur afterwards! For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

BCornwall claimed this task.
BCornwall subscribed.

Hi, @Krinkle! Thanks to work in T262996 no longer has the last-access cookies set (since it's in the cache::alternate_domains list). is not in the list so it still sends the cookies, however @BBlack informs me that it's not necessary to add it since it would change more behavior than intended and the web page is a placeholder anyway. If you disagree, please feel free to re-open and duke it out with him! :)