Page MenuHomePhabricator

Mitigate phase-out of third-party cookies across in Wikimedia production
Open, Needs TriagePublic

Description

Third-party cookies are a set of cookie-based mechanisms for sharing information between websites which are on different domains. Adware and web analytics vendors use third-party cookies to track people's internet activity across many different websites; this has long been criticized by privacy advocates. All major browser vendors have committed to prevent such tracking, and for several years have been in a slow process of rolling out increasingly stringent limitations on third-party cookie use.

Wikimedia properties span many different domains, and while our use case is not objectionable (the privacy objections are about websites operated by different organizations sharing personally-identifiable information about their visitors, not different websites run by the same organization sharing it), our mechanisms are the same as used by the adtech industry; we aren't being internally targeted, but we are very much being affected by the restrictions nevertheless. We need to map how we will be affected, and mitigate negative effects; this will probably take significant effort.

Affected functionality

  • CentralAuth autologin
  • probably CentralNotice banners?
  • ???

Browser restrictions

(As of 2023 August; they are changing over time. Also, they are influenced by use of incognito mode and other, browser-specific configuration options such as "" in Chrome or "Enhanced Tracking Protection" in Firefox; and the exact effect of those settings / modes also changes over time.)

The main mitigation is either fully blocking or state partitioning third-party cookies. Browser vendors today define third-party cookies as cookies which belong to a different eTLD+1 / registrable domain than the page the user is visiting, but a resource (such as an image, script or iframe) from that different domain is embedded in the current page. State partitioned cookies (Privacy CG explainer) are only accessible within the context of the same top-level page, so e.g. login.wikimedia.org when visited directly and login.wikimedia.org when embedded as an invisible pixel in en.wikipedia.org see completely different cookies.

  • Chrome:
    • Doesn't limit third-party cookies currently by default.
    • With the "Block third-party cookies" user preference enabled, fully blocks third-party, and state-partitions cookies which indicate support via CHIPS.
    • Plans to make that default by mid-2024, with 1% rollout in 2024 Q1
    • When third-party cookie blocking is enabled, plans to prevent reading/writing cross-domain cookies via top-level redirect ("bounce tracking mitigation") unless the user has directly interacted with the other website in the last 45 days. Planned to land in Chrome in 2023 Q3.
  • Safari:
    • Blocks third-party cookies by default since 13.1 / 2020 March. Before that it had a feature called Intelligent Tracking Prevention which used a set of complex heuristics (including some machine learning) to dynamically classify domains as trackers.
    • Intelligent Tracking Prevention logic is still used to detect bounce trackers, in which case cookie lifetime is reduced to 24 hours.
  • Firefox:
    • Uses state partitioning (sometimes referred to in FF docs as dynamic first-party isolation or Total Cookie Protection) for third-party cookies by default since FF 112 / 2023 April. (Earlier it was enabled for the "Strict" setting of the "Enhanced Tracking Protection" user preference in FF 86 / 2021 February, in private browsing mode in FF 89 / 2021 June, via a prompt in FF103 / 2022 July, and default on Android only in FF 107 / 2022 November.) Users can opt out per-site. There are exceptions such as popups.
    • Blocks tracking domains listed by disconnect.me ("Enhanced Tracking Protection").
    • Redirect tracking protections is similar to bounce tracking mitigations in Chrome and Safari, but mostly limited to known trackers. Starting with FF 133, in strict Enhanced Tracking Protection mode, it's applied to all domains. (source docs, MDN docs.)
  • Edge: not much documentation; it has a "Block third party cookies" setting, which seems to be off by default, but allegedly on in private mode since Edge 86. A manual test confirms this.
  • Opera: also not much documentation; it has a "Block third-party cookies" user preference, some random forum threads claim it's off by default but on in private mode. A manual test confirms this.

Testing / debugging browser restrictions

Mitigation options

  • First-party sets (spec, WICG explainer, chromedev explainer and developer guide) allow a set-of domains to indicate that they have the same owner. Browsers might use this to allow cross-domain cookie access between such domains. This would be a very low-effort means of mitigation, if it happens.
    • status: behind a feature flag in Chrome, but Firefox and Safari are opposed. Also, in the fairly similar case of storage partitioning it was explicitly rejected by Chrome as well - not sure what's the exact difference between the "security boundary" concept cited as the reason for that, and domain boundaries in general.
  • CHIPS (Cookies Having Independent Partitioned State) (Privacy CG explainer, chromedev): enables state partitioning on browsers which don't support it by default (and would just reject third-party cookies instead). This is useful for data sharing between two specific domains, but not useful for sharing between a larger set of domains so probably not useful for us.
    • status: (caniuse, chromestatus) available in Chrome and Edge, other browser vendors are supportive
  • Use the requestStorageAccess() or requestStorageAccessFor() API, which allow access to third-party cookies. (requestStorageAccess is better supported, but needs to be called by the embedded resource, so it's only usable for iframes; requestStorageAccessFor is called by the embedder.) These would probably be part of using first-party sets, but can be used without those as well; however, then they would require explicit user opt-in (and separately for each domain), making them less practical. Also, they can only be called after user interaction.
    • support: requestStorageAccess (caniuse) is supported in Firefox and Safari, supported but requires first-party sets in Edge, behind a feature flag in Chrome. requestStorageAccessFor is Chrome-only (chromestatus).
  • SameParty cookie attribute (spec): this seems quite dead, listing for completeness only as it's sometimes referenced by other specs.
  • There might be other web APIs that can replace third-party cookies for some specific use-case but not generally, to be discussed in subtasks.
  • We could also just reimplement affected features to not use third-party cookies anymore. This probably requires significant infrastructure changes - anything that can support a workflow that's similar to third-party cookies is itself a candidate for ad tracker tech and as such a target of similar mitigations.
    • Specifically, using a top-level redirect instead of a subresource can be a relatively lightweight change, and browser are currently somewhat more permissive with third-party cookie access in that case; but that is unlikely to last long.

See also

Related Objects

StatusSubtypeAssignedTask
OpenNone
OpenNone
OpenTgr
StalledNone
OpenNone
ResolvedTgr
OpenNone
DeclinedNone
OpenNone
OpenNone
DeclinedNone
ResolvedDAlangi_WMF
ResolvedDAlangi_WMF
DeclinedNone
ResolvedTgr
OpenNone
ResolvedDAlangi_WMF
OpenNone
ResolvedPRODUCTION ERRORTgr
StalledNone
ResolvedTgr
ResolvedPRODUCTION ERRORTgr
ResolvedDAlangi_WMF
ResolvedDAlangi_WMF
ResolvedDAlangi_WMF
ResolvedDAlangi_WMF
ResolvedDAlangi_WMF
In ProgressDAlangi_WMF
DuplicateNone
In ProgressDAlangi_WMF
OpenNone
ResolvedArielGlenn
OpenNone
Resolvedmatmarex
Resolvedmatmarex
Resolvedmatmarex
Resolvedmatmarex
OpenNone
ResolvedTgr
Resolvedsbassett
ResolvedTgr
ResolvedTgr
ResolvedTgr
ResolvedSecurityTgr
Resolvedmatmarex
Resolvedmatmarex
ResolvedArielGlenn
ResolvedArielGlenn
Resolvedmatmarex
Resolvedmatmarex
ResolvedArielGlenn
OpenArielGlenn
DeclinedNone
OpenNone
ResolvedDAlangi_WMF
OpenNone
ResolvedJTweed-WMF
DeclinedNone
ResolvedNone
Resolvedmatmarex
Resolvedmatmarex
Resolvedmatmarex
Resolvedmatmarex
ResolvedJTweed-WMF
Resolvedlarissagaulia
ResolvedTgr
Resolvedpmiazga
OpenNone
ResolvedJTweed-WMF
ResolvedDAlangi_WMF
OpenNone
Openpmiazga
OpenNone
OpenDAlangi_WMF
OpenNone
OpenFeatureArielGlenn
ResolvedDAlangi_WMF
ResolvedTgr
OpenArielGlenn
Opennettrom_WMF
Resolvedpmiazga
OpenNone
OpenNone
OpenNone
Resolvedmatmarex
Resolvedsbassett
OpenTgr
OpenTgr
Resolvedmatmarex
ResolvedTgr
Duplicatepmiazga
ResolvedTgr
OpenNone
OpenNone
OpenNone
Resolved mepps

Event Timeline

Krinkle renamed this task from Mitigate phase-out of third-party cookies to Mitigate phase-out of third-party cookies across MediaWiki in production.Sep 1 2023, 5:53 PM

https://www.cookiestatus.com/ has a very nice summary of the current state of cookie blocking, and seems reasonably well updated.

Google apparently built a DevTools plugin (the Privacy Sandbox Analysis Tool) for detecting issues caused by cookie blocking, so that might be a good way of looking for potential breakage.

With T359957: Enroll in Chrome third-party cookies deprecation trial deployed, third-party cookie blocking is now disabled in Chrome (and maybe other Chrome-like browsers but I found no information about that) until the end of the calendar year. If you want to investigate whether something will be affected by cookie blocking, set chrome://flags/#top-level-third-party-cookie-deprecation-trial to Disabled first.

Tgr renamed this task from Mitigate phase-out of third-party cookies across MediaWiki in production to Mitigate phase-out of third-party cookies across in Wikimedia production.Sep 25 2024, 1:31 PM

Chrome developer console says on a https://en.wikipedia.org/wiki/Main_Page pageview:

Cookies with the SameSite=None; Secure and not Partitioned attributes that operate in cross-site contexts are third-party cookies. Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.

Learn more from the linked article about preparing your site to avoid potential breakage.

60 cookies
Name	Domain & Path
DISSESSION	idp.wikimedia.org/
DISSESSIONOauthOidcServerSupport	idp.wikimedia.org/
event_filter	gitlab.wikimedia.org/

(most cookies were T345249 related, removed those)

@brennen @SLyngshede-WMF FYI. Doesn't necessarily require any action (GitLab cookies are probably not used in a cross-site context; not sure about IDP).

Not sure how these cookies are related to enwiki at all; maybe Chrome is just complaining about them because they are wikimedia.org cookies without the Partitioned attribute? (That would be super confusing, but not the first time for a browser making terrible communication choices related to 3rd party cookies.)

Tgr updated the task description. (Show Details)