Question about 3rd party cookie blocking exceptions #58

Open
cowlicks opened this issue Apr 20, 2018 · 2 comments

Comments

@cowlicks

Hello, I've been working on an anti-tracking browser extension and was researching other projects. The project (Privacy Possum) also blocks 3rd-party cookies, like Cliqz. I've been trying to figure out a way to avoid breakages of non-tracking 3rd-party iframes.

In your blog post you say "In order to enable this use case, our system allows cookies in cases when user interaction with the widget is detected". I was reading modules/antitracking/sources/cookie-context.es and oauth-detector.es to try to gain some insight. Do you just detect oauth, then allow cookies for this case? Are there other cases where you allow cookies? Is there documentation that explains more about how this works?

@sammacbeth
Collaborator

Hi @cowlicks.

Sorry for not replying earlier; I was not watching this repo for questions.

We currently have multiple different heuristics for allowing third-party cookies in limited cases:

  • On user-interaction. This is the mechanism mentioned in the blog post, and aims to be a heuristic 'click-to-play' for widgets embedded in the page. When an element is clicked we look for third-party domains inside the embedded element and temporarily whitelist these.
  • Redirect-based. When domain a issues a first-party redirect to domain b, we trust b as a third-party to domain a pages for a short time. This handles single sign-on portals which rely on third-party cookies instead of oauth-based methods.
  • OAuth detection. Practical implementations of oauth sometimes require some third-party cookies to be allowed in order to function correctly (Google is the main case). This heuristic detects the OAuth flow in the browser and allows cookies for these cases.

Unfortunately there are lots of edge-cases around the web, as many sites assume 3rd party cookies are allowed, and simply break when they are not. With these heuristics we manage to reduce some of the main causes of breakage.
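A compact illustration of the first two heuristics described above (interaction-based and redirect-based exceptions, each expiring after a short time). This is added example code, not the Cliqz anti-tracking implementation; the class name, the TTL values and the exact-hostname comparison are assumptions made for the example.

```javascript
// Added example (not the project's own code) of temporary third-party cookie
// exceptions granted on user interaction and on first-party redirects.
// Hostnames are compared exactly here; a real implementation would compare
// registrable domains (eTLD+1) and also handle the OAuth-detection case.
class CookieExceptionPolicy {
  constructor({ interactionTtlMs = 5 * 60 * 1000, redirectTtlMs = 60 * 1000 } = {}) {
    this.interactionTtlMs = interactionTtlMs;
    this.redirectTtlMs = redirectTtlMs;
    // key "firstParty|thirdParty" -> expiry timestamp in ms
    this.exceptions = new Map();
  }

  _grant(firstParty, thirdParty, now, ttl) {
    const key = `${firstParty}|${thirdParty}`;
    // keep the later expiry if an exception for this pair already exists
    this.exceptions.set(key, Math.max(this.exceptions.get(key) || 0, now + ttl));
  }

  // Click-to-play: the user clicked inside an embedded element on `firstParty`;
  // `embeddedHosts` are the third-party hosts found inside that element.
  onUserInteraction(firstParty, embeddedHosts, now = Date.now()) {
    for (const host of embeddedHosts) {
      if (host !== firstParty) this._grant(firstParty, host, now, this.interactionTtlMs);
    }
  }

  // Redirect-based: `fromHost` issued a first-party redirect to `toHost`, so
  // `toHost` is trusted as a third party on `fromHost` pages for a short time.
  onFirstPartyRedirect(fromHost, toHost, now = Date.now()) {
    if (fromHost !== toHost) this._grant(fromHost, toHost, now, this.redirectTtlMs);
  }

  // Decide whether a cookie for `thirdParty` on a `firstParty` page is allowed.
  // Exceptions are scoped to the first party and dropped once expired.
  allowCookie(firstParty, thirdParty, now = Date.now()) {
    if (thirdParty === firstParty) return true; // first-party cookies are not blocked here
    const key = `${firstParty}|${thirdParty}`;
    const expiry = this.exceptions.get(key);
    if (expiry === undefined) return false;
    if (expiry <= now) {
      this.exceptions.delete(key);
      return false;
    }
    return true;
  }
}
```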

@cowlicks
Author

cowlicks commented Jul 3, 2018

Thank you @sammacbeth, these all seem reasonable. I'm trying to figure out which to implement first with a score like number-of-cases-fixed / difficulty-to-implement. However, I don't have a sense of what number-of-cases-fixed looks like for these; do you have any idea?

For now I'm starting with click detection, since it seems easy-ish and like it'll catch a lot of cases.

Redirect stuff seems a little harder, but I have no clue how many cases it fixes.

OAuth detection seems hardest because I'm most ignorant about it, but it also seems like it fixes many important cases that are annoying to users.
