Limit JS set cookie lifetime to 7 days #3443
Comments
pes10k
added
privacy
privacy/tracking
tildelowengrimm
added
the
priority/P3
|
Should we start with 7 days or shorter (like 1 day)? |
|
2nd question - should this be tied to a shield state or be on all the time? |
tildelowengrimm
added
priority/P2
|
For my two cents, i suggest
|
The client-side cookie (i.e. document.cookie API) expiry limit is based off of the limit set by both Safari and Firefox: https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/ https://groups.google.com/forum/#!msg/mozilla.dev.platform/lECBPeiGTy4/cPP52vyZAwAJ whereas the server-side cookie (i.e. Set-Cookie header) limit was picked to avoid interfering in a noticeable way with user logins.
The client-side cookie (i.e. document.cookie API) expiry limit is based off of the limit set by both Safari and Firefox: https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/ https://groups.google.com/forum/#!msg/mozilla.dev.platform/lECBPeiGTy4/cPP52vyZAwAJ whereas the server-side cookie (i.e. Set-Cookie header) limit was picked to avoid interfering in a noticeable way with user logins.
The client-side cookie (i.e. document.cookie API) expiry limit is based off of the limit set by both Safari and Firefox: https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/ https://groups.google.com/forum/#!msg/mozilla.dev.platform/lECBPeiGTy4/cPP52vyZAwAJ whereas the server-side cookie (i.e. Set-Cookie header) limit was picked to avoid interfering in a noticeable way with user logins.
The client-side cookie (i.e. document.cookie API) expiry limit is based off of the limit set by both Safari and Firefox: https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/ https://groups.google.com/forum/#!msg/mozilla.dev.platform/lECBPeiGTy4/cPP52vyZAwAJ whereas the server-side cookie (i.e. Set-Cookie header) limit was picked to avoid interfering in a noticeable way with user logins.
The client-side cookie (i.e. document.cookie API) expiry limit is based off of the limit set by both Safari and Firefox: https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/ https://groups.google.com/forum/#!msg/mozilla.dev.platform/lECBPeiGTy4/cPP52vyZAwAJ whereas the server-side cookie (i.e. Set-Cookie header) limit was picked to avoid interfering in a noticeable way with user logins.
Set a limit on cookie expiration (fixes brave/brave-browser#3443)
|
@fmarier can you provide a test plan for manual QA? if manual QA is not needed, can you please label as |
|
I would suggest following the test plan on brave/brave-core#1905. Let me know if anything on there is unclear. |
|
I can set expiration for half a year with max-age. Is it only a visual bug in cookie expiration column or does it really persist for half a year? |
No, that looks like a regression. The "client-side cookies" portion of the test plan on brave/brave-core#1905 now fails. I filed #15048 to track this. |
|
well this 7 days expire thing destroys the youtube wide (theater mode) each week i need to manually add a cookie to get it working again |
|
Is there any way to override this behavior and have Brave work like any other browser? This things prevents me from using the browser as it is due to how annoying it gets to have a bunch of sites lose their settings every 7 days. |
|
yes its very bad to click all cookie banners on 100+ sites each week -.- also breaks some sites |
Theater mode in youtube is set via a session cookie (null expiry), cookie lifetime doesn't apply. |
Can you mention which cookie banners you're seeing? We should be blocking those anyway @ryanbr |
if i set theater mode it makes a cookie, when i restart brave its gone, on other browsers like chrome/edge it stays |
|
Screenshot of cookie message, and inspect item? |
|
it is maybe fixed, will come back if not |
ghost
mentioned this issue
|
Is this why Brave seems to always log me out of webpages, even if I click "remember me"? I've seen a number of posts about this issue around the web, but So far no one seems to be mentioning brave changing the cookie lifetime |
|
yes, but depends if the cookie is set to "auto reset 7 days" when you visit that page, i heard of |
A page can set a cookie to expire in 30 seconds, 2 hours, days, "never", or "when the browser closes". The developer decides based on what they think is best for the user. Now, cookies can be set in the HTTP response or by Javascript on the page. If I understand correctly, Brave is capping the expiration sent via Javascript to 7 days, regardless if the developer thought that a longer expiration date is safe and needed. Many sites use Javascript to set user preferences and other data. This explains why you may need to re-login or reset preferences after a week or so on those sites when using Brave. Apparently this expiration is to improve reliance against trackers which realized that they could circumvent cookie blockers by sending them via Javascript. The problem (IMHO) is that, by doing so, Brave is crossing a dangerous line, the one that separates security/privacy from deteriorated user experience, without giving people a way to opt-out. Notice that Brave is not doing anything wrong per se. As far as standards are concerned, a browser is free to expire cookies earlier that the indicated by the page as it sees fit, bearing in mind that this could affect user experiences. Lastly, there's #30634 which is a request to have a flag to turn off this behaviour. The request is over a year old with no response from the developers, so a change doesn't seem to be a high priority. |
Safari will start doing this soon, so that gives us some good webcompat cover
https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/
The text was updated successfully, but these errors were encountered: