
Brave not blocking third-party cookies #16310

Closed
Diego-BF opened this issue Jun 9, 2021 · 7 comments
Labels
closed/not-actionable needs-more-info The report requires more detail before we can decide what to do with this issue. OS/Desktop

Comments

@Diego-BF

Diego-BF commented Jun 9, 2021

Description

Brave configured to block cross-site cookies isn't stopping third-party cookies in the test at https://www.doileak.com/classic.html.

Steps to Reproduce

  1. configure Brave to block only cross-site cookies in the shields, and check that in settings, in "Cookies and other site data", the option "Block third-party cookies" is selected;
  2. go to https://www.doileak.com/classic.html and start the test;
  3. check the test results and which cookies were allowed and blocked in Brave.

Actual result:

Cookies from www.doileak.com and mindmup.github.io allowed in the browser, and the test results show that third-party cookies are supported.

Expected result:

Cookies from www.doileak.com allowed and from mindmup.github.io blocked in the browser, and the test results show that third-party cookies are not supported.

Reproduces how often:

Easily reproduced

Brave version (brave://version info)

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields? No.
  • Does the issue resolve itself when disabling Brave Rewards? No.
  • Is the issue reproducible on the latest version of Chrome? No. Running this test in Chromium 91.0.4472.77 and Firefox 89.0, both configured to block third-party cookies, cookies from www.doileak.com are allowed and from mindmup.github.io are blocked and the test results show that third-party cookies are not supported.
@Johann999

This test gives incorrect results for multiple browsers.
The test under https://alanhogan.github.io/web-experiments/3rd/third-party-cookies.html returns the correct result.

@Diego-BF
Author

Diego-BF commented Jun 9, 2021

> This test gives incorrect results for multiple browsers.
> The test under https://alanhogan.github.io/web-experiments/3rd/third-party-cookies.html returns the correct result.

Ok. So why, in my tests, did not only the test results from the site show that third-party cookies were supported, but the list of allowed cookies in Brave also include a third-party cookie from mindmup.github.io? This isn't happening in Chromium.

@rebron rebron added the needs-more-info The report requires more detail before we can decide what to do with this issue. label Jun 9, 2021
@diracdeltas
Member

cc @ryanbr

@ryanbr

ryanbr commented Jun 18, 2021

@Diego-BF re-test toggling brave://flags/#brave-ephemeral-storage. These tests won't pick up our cookie handling thanks to Ephemeral Storage.

#15906

@Diego-BF
Author

> @Diego-BF re-test toggling brave://flags/#brave-ephemeral-storage. These tests won't pick up our cookie handling thanks to Ephemeral Storage.

I tested here and indeed disabling this flag made Brave show the allowed and blocked cookies like in Chromium and pass the test.

When this flag is enabled, does Brave behave like Firefox's cross-site cookie tracking protection? I'm asking this because Firefox with this protection has the same results in this test as Brave with this flag enabled.

@ryanbr

ryanbr commented Jun 21, 2021

I have no knowledge regarding the Firefox method of blocking cookies, but previous methods of blocking 3rd-party cookies in Brave caused issues on some sites. Ephemeral Storage improved web compatibility while still maintaining privacy.

Just to reference what was implemented, #8514 cc: @pes10k

@pes10k
Contributor

pes10k commented Jun 24, 2021

@Diego-BF just for a bit more information, Brave's approach to 3rd party DOM storage is more protective than Firefox's planned cross-site cookie tracking protection approach. It's more similar to Safari's approach, but also more restrictive / protective.

All three approaches are similar in that they give 3p frames different storage areas depending on which 1p they're hosted under. So, child.com as a third-party frame under parent1.com will see different storage than child.com under parent2.com.

The difference is how long these partitioned storage areas last.

  • In Brave, third-party storage is "site length"; storage for all 3ps under parent.com is cleared when there are no more parent.com tabs open. (Brave actually waits a small amount of time, currently 30 seconds, before clearing storage, to avoid breaking some kinds of SSO flows)
  • In Safari, third-party storage is "browser session length"; storage for all 3ps under parent.com is cleared when the browser is closed
  • In Firefox, third-party storage is "persistently partitioned"; storage for all 3ps under parent.com is never automatically cleared

You can find more details about Brave's approach here: https://brave.com/privacy-updates-7

I'm closing this because this isn't a bug; this is all functioning as expected. Third-party storage APIs appear to function as expected from the perspective of the site, but cross-site tracking is prevented because of storage partitioning, and cross-session tracking is prevented by minimizing the length of time that partitioned storage exists for. Feel free to ask more questions below though if you'd like.

Or, TL;DR: Brave makes it look to sites like 3p cookies are enabled, but sites are prevented from doing the kinds of privacy harm that 3p cookies are infamously used for.
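To make the three lifetimes above concrete, the following JavaScript model is an added illustration: it is not Brave's implementation and was not posted by anyone in this thread. It assumes (my assumptions, not something the thread states) that a partition is keyed by the pair (top-level site, frame site), that open tabs are counted per top-level site, and that Brave's 30-second delay is a simple grace timer. The four functions at the end reproduce what the doileak-style test page observes, why a third party still cannot track across parents, and how long each browser's partition lives.

```javascript
// Added illustration, not Brave's code: a toy model of partitioned third-party
// storage with the three lifetimes described in the thread. Assumptions (mine,
// not stated above): a partition is keyed by "topLevelSite|frameSite", open tabs
// are counted per top-level site, and a 30 s grace timer stands in for Brave's delay.
const GRACE_MS = 30 * 1000;

class PartitionedStorage {
  // policy: 'site' (Brave), 'session' (Safari) or 'persistent' (Firefox)
  constructor(policy) {
    this.policy = policy;
    this.store = new Map();        // partition key -> Map(name -> value)
    this.openTabs = new Map();     // topLevelSite -> number of open tabs
    this.pendingClear = new Map(); // topLevelSite -> time when clearing is due
  }
  static key(topLevelSite, frameSite) { return `${topLevelSite}|${frameSite}`; }

  openTab(topLevelSite) {
    this.openTabs.set(topLevelSite, (this.openTabs.get(topLevelSite) || 0) + 1);
    this.pendingClear.delete(topLevelSite); // reopening in time cancels the clear
  }
  closeTab(topLevelSite, now) {
    const left = Math.max((this.openTabs.get(topLevelSite) || 0) - 1, 0);
    this.openTabs.set(topLevelSite, left);
    if (left === 0 && this.policy === 'site') {
      this.pendingClear.set(topLevelSite, now + GRACE_MS);
    }
  }
  // Advance the clock; partitions whose grace period has expired are dropped.
  tick(now) {
    for (const [site, due] of this.pendingClear) {
      if (now >= due && (this.openTabs.get(site) || 0) === 0) {
        for (const k of [...this.store.keys()]) {
          if (k.startsWith(site + '|')) this.store.delete(k);
        }
        this.pendingClear.delete(site);
      }
    }
  }
  // Browser closed and reopened: only persistently partitioned storage survives.
  restartBrowser() {
    if (this.policy !== 'persistent') this.store.clear();
    this.openTabs.clear();
    this.pendingClear.clear();
  }
  setItem(topLevelSite, frameSite, name, value) {
    const k = PartitionedStorage.key(topLevelSite, frameSite);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
  getItem(topLevelSite, frameSite, name) {
    const part = this.store.get(PartitionedStorage.key(topLevelSite, frameSite));
    return part ? part.get(name) : undefined;
  }
}

// What a "third-party cookie test" page observes: a child frame writes a value
// and reads it back while the same top-level page is open. True for all three.
function testPageSeesThirdPartyStorage(policy) {
  const b = new PartitionedStorage(policy);
  b.openTab('test.example');
  b.setItem('test.example', 'child.example', 'id', 'abc');
  return b.getItem('test.example', 'child.example', 'id') === 'abc';
}

// Cross-site tracking: child.example under parent2 must not see what it stored
// under parent1. False for all three policies.
function childSeesIdAcrossParents(policy) {
  const b = new PartitionedStorage(policy);
  b.openTab('parent1.example');
  b.openTab('parent2.example');
  b.setItem('parent1.example', 'child.example', 'id', 'abc');
  return b.getItem('parent2.example', 'child.example', 'id') === 'abc';
}

// Same browser run: does the value outlive the last parent tab plus the grace period?
function survivesParentTabsClosed(policy) {
  const b = new PartitionedStorage(policy);
  b.openTab('parent.example');
  b.setItem('parent.example', 'child.example', 'id', 'abc');
  b.closeTab('parent.example', 0);
  b.tick(GRACE_MS - 1);
  const duringGrace = b.getItem('parent.example', 'child.example', 'id') === 'abc';
  b.tick(GRACE_MS);
  const afterGrace = b.getItem('parent.example', 'child.example', 'id') === 'abc';
  return { duringGrace, afterGrace };
}

// Does the value survive closing and reopening the browser?
function survivesBrowserRestart(policy) {
  const b = new PartitionedStorage(policy);
  b.openTab('parent.example');
  b.setItem('parent.example', 'child.example', 'id', 'abc');
  b.restartBrowser();
  return b.getItem('parent.example', 'child.example', 'id') === 'abc';
}
```

Under this model `testPageSeesThirdPartyStorage` is true for every policy, which is exactly why a page that only writes and re-reads a cookie inside its own iframe reports "third-party cookies supported"; `childSeesIdAcrossParents` is false for every policy, and only the two lifetime checks distinguish the browsers: the Brave-style 'site' policy loses the value once the grace period after the last parent tab elapses, 'session' loses it at browser restart, and 'persistent' keeps it.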
