Brave not respecting 3rd party cookies blocked settings. (Serious issue!!) #33072

Closed
TontyTon opened this issue Sep 17, 2023 · 6 comments

TontyTon commented Sep 17, 2023

Description

Even with 3rd party cookies blocked, 3rd party websites are able to set cookies.

Steps to Reproduce

  1. Block 3rd party cookies from settings, brave://settings/cookies
  2. Visit https://chips-site-a.glitch.me/ or any other website which sets 3rd party cookies, like https://www.whatismybrowser.com/detect/are-third-party-cookies-enabled

Actual result:

Both partitioned and unpartitioned cookies are visible (that is, accessible to site B), and 'yes' on the 2nd website.

Expected result:

According to CHIPS only partitioned cookies should be accessible to site B.
In Brave, a privacy focussed browser, no cookies should be set by 3rd party, with 3rd party cookies blocked.

Reproduces how often:

Always.

Brave version (brave://version info)

Version 1.58.127 Chromium: 117.0.5938.88 (Official Build) (64-bit)
Windows 10 Version 22H2 (Build 19045.3448)

Version/Channel Information:

  • Can you reproduce this issue with the current release? yes
  • Can you reproduce this issue with the beta channel? -
  • Can you reproduce this issue with the nightly channel? -

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields? No
  • Does the issue resolve itself when disabling Brave Rewards? No
  • Is the issue reproducible on the latest version of Chrome? -

Miscellaneous Information:

This is serious; cross-site tracking is serious. Brave should have prevented CHIPS from introducing allowing of setting cookies by third party websites with third party cookies blocked, but this is the opposite: Brave is allowing all 3rd party cookies, completely ignoring the cookie settings.

I don't use Brave on other platforms; this should be tested on other platforms too.

@TontyTon TontyTon changed the title Brave not respecting 3rd party cookies blocked settings. Brave not respecting 3rd party cookies blocked settings. (Serious issue) Sep 17, 2023
@TontyTon TontyTon changed the title Brave not respecting 3rd party cookies blocked settings. (Serious issue) Brave not respecting 3rd party cookies blocked settings. (Serious issue!!) Sep 17, 2023

ghost commented Sep 17, 2023

Brave doesn't block 3p cookies/other data.
Brave uses Ephemeral Storage on 3p storages (like Firefox's Total Cookie Protection does), so it writes data to a temporary storage and it gets cleared on site close.
Just like Firefox, it will prevent 3p cookies from being added to the Persistent Storage and doesn't allow any site to have access to the 3p data written on the Ephemeral Storage. That makes many websites work as expected without having to allow 3p cookies.

Anyway, if you go to brave://flags/#brave-ephemeral-storage and disable it, the site should work as expected and then you will have to allow 3p cookies/other data in websites where it is required.

TontyTon (Author) commented

@Emi-TheDhamphirInLoveUnderTheFrozenStar @rebron

If I am disabling 3rd party cookies, 3rd party cookies should get disabled. I as a user chose to disable 3p cookies, why should the browser override that? Also, if you visit chips-site-a.glitch.me, you can check that cross site tracking can happen, how is it right?! That too when I as a user have disabled 3p cookies.

What you are saying can be the case when 3p cookies aren't disabled, it shouldn't be with 3p cookies disabled!!


ghost commented Sep 19, 2023

Again, this is the intended behavior in Brave. You obviously barely read my comment, and instead of researching further to understand more the benefits of Ephemeral Storage and how it helps to increase privacy, you come and type that comment.
In fact, Brave hasn't used the old and archaic 'block cookies and done' approach for almost 3 years; it is the ONLY Chromium browser making a difference.
If you wanted to know more about it, it was easy to find links like https://brave.com/privacy-updates-7 or https://github.com/brave/brave-browser/wiki/Ephemeral-Storage-Design

In fact, your issue has to be closed as this is an intended behavior: #16310 (comment)

Especially, when I already explained basically what Ephemeral Storage does and why it is the DEFAULT behavior made by Brave to actually help with reducing tracking while not breaking websites that need 3p cookies.

Also, I don't get the problem, when I also explained how to disable it, if you want to go back to the archaic block 3p cookies like any other Chromium browser, then do that and done.

So why are you intentionally ignoring what I said in my comment?

Only because the terms in Brave say 'block' which is the default for 3p data or 'clear on site close' for 1p, doesn't mean Brave has to follow that archaic method of dealing with data like Chromium and others do.

Again, Data is being isolated in the Ephemeral Storage and that's a good thing.
Yes, sites might say 'you are allowing 3p cookies', because that's technically true, but doesn't mean it is bad, because no other website will have access to that 3p data, nobody else can see it, touch it, or do anything with it, it lives in a different world nobody can do anything with it, so no tracking will happen. Data will just disappear when you close the site that 'wrote' the 3p data in the Ephemeral Storage and done.

The problem, I think, is that you have a wrong idea of how tracking works, if you think writing data to a temporary storage that disappears and nobody has access to is a problem or will increase the tracking or something. Well, you might have to understand better how tracking works and why Brave developed this type of feature, which even Firefox has.

Of course, I can give you a simple and basic example why isolating data in the Ephemeral Storage is better than basic and archaic blocking cookies only option.

If you are blocking cookies and you go to a website X and X needs 3p cookies from Y to function properly... what do you do? well, you only have two choices, close the website and move on, or allow the Y cookies in brave://settings/cookies.
That means you either have to add Y domain to the Sites that can always use cookies or you add X domain with the checkbox Including third-party cookies on this site, that matters depending on what the website exactly wants.
Well, in the end you are writing the Y 3p data to the Persistent Storage, which means, when you go to Y site, Y will have easy access to that 3p data that was generated when you went to X site.

How is that good?

In the case of Ephemeral Storage, it will allow websites to generate X in the Persistent Storage (unless you change the behavior, of course) and Y will be isolated in the Ephemeral Storage, and only X has access to it. When you close X, Y data will disappear and done, nothing had to be allowed, and X never complained about Y data being blocked. If you go to Y site, Y will never have access to what X generated as 3p, since it is long gone or Y can't see it since it didn't come from Y.

Or another example, where Ephemeral Storage not only helps with tracking but also to make sites functional and work better if a site needs 3p data to function as it was made.

  1. https://anix.to/anime/samurai-x-trust-and-betrayal-m3p7/ep-1
  2. select Filemoon server
  3. go to any time in video, and hit f5
  4. the video will continue where you hit the f5.

If you disable Ephemeral Storage, well, it will start from zero.
How is that bad? The site will work as it was intended to work, but since other browsers 'block cookies' that type of features will be blocked as well for no reason and to get the benefit, you have to allow Filemoon cookies which means they can be used for tracking purposes in other websites.

I hope you understand it better, the benefits of it. Of course, you can keep researching and reading more about it, but it is an intended behavior and it is a good one, in fact, It's Brave's default behavior for almost 3 years, way before Firefox released their Total Cookie Protection feature.
Of course, you can still disable it, even if it is pointless and doesn't make sense, but it is your choice.

Of course there are some cases where you have to allow cookies with or without Ephemeral Storage. For example, logging in to nintendo.co.uk: you actually log in on the nintendo.com domain and then .co.uk will read the information and log in.
So you are forced to allow nintendo.com cookies, because either way .co.uk will never see it. Just to point out how Ephemeral Storage doesn't mean you are immune to allow cookies, but doesn't mean the archaic old block cookies are necessary anymore, and Brave Ephemeral Storage is one of the greatest features about Brave.
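
The storage behaviour described in the comment above, as an added example that is not part of the original thread and is not Brave's code: a toy model comparing an embedded tracker's view under plain allow, plain block, and ephemeral partitioned storage. `CookieJar`, `embedTracker`, `simulate` and the `*.example` site names are hypothetical, and the model follows the comment's description only.

```javascript
// Toy model of the policies in this thread; not Brave's code. x/z.example embed tracker y.example.
class CookieJar {
  constructor(policy) {            // 'allow' | 'block' | 'ephemeral'
    this.policy = policy;
    this.persistent = new Map();   // cookieSite -> Map(name -> value)
    this.ephemeral = new Map();    // topSite -> Map(cookieSite -> Map(name -> value))
  }
  // Store holding cookieSite's cookies while topSite is the page in the tab.
  bucket(topSite, cookieSite, create) {
    let level = this.persistent;
    if (topSite !== cookieSite && this.policy !== 'allow') {
      if (this.policy === 'block') return null;     // third-party access refused
      if (!this.ephemeral.has(topSite) && create) this.ephemeral.set(topSite, new Map());
      level = this.ephemeral.get(topSite);
      if (!level) return null;
    }
    if (!level.has(cookieSite) && create) level.set(cookieSite, new Map());
    return level.get(cookieSite) || null;
  }
  set(topSite, cookieSite, name, value) {
    const b = this.bucket(topSite, cookieSite, true);
    if (b) b.set(name, value);
    return b !== null;
  }
  get(topSite, cookieSite, name) {
    const b = this.bucket(topSite, cookieSite, false);
    return b && b.has(name) ? b.get(name) : null;
  }
  closeSite(topSite) { this.ephemeral.delete(topSite); } // last tab of topSite closed
}
// Tracker y.example embedded in topSite: reuse its id cookie or try to mint one.
function embedTracker(jar, topSite, mint) {
  const seen = jar.get(topSite, 'y.example', 'id');
  if (seen) return seen;
  const id = mint();
  return jar.set(topSite, 'y.example', 'id', id) ? id : null;
}

function simulate(policy) {
  const jar = new CookieJar(policy);
  let n = 0;
  const mint = () => `id-${++n}`;
  const onX = embedTracker(jar, 'x.example', mint);
  const onZ = embedTracker(jar, 'z.example', mint);
  const onYItself = jar.get('y.example', 'y.example', 'id'); // user opens y.example directly
  jar.closeSite('x.example');
  const onXAgain = embedTracker(jar, 'x.example', mint);
  return { onX, onZ, onYItself, onXAgain };
}
```

In this model, `simulate('allow')` returns the same id in every field, `simulate('block')` returns `null` everywhere, and `simulate('ephemeral')` gives the tracker a different id per embedding site and a fresh one once the embedding site has been closed.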

TontyTon (Author) commented

@Emi-TheDhamphirInLoveUnderTheFrozenStar (that account is deleted/shadow banned, so tagging you @rebron cause you liked their first comment)
Thanks for the detailed explanation. I did read about 'Ephemeral Storage' before replying to you. That's why I especially pointed my issue at the wrong naming. Brave should at least inform the user that with 'Block 3p cookies', instead of blocking 3p cookies, Ephemeral Storage will be used. You are right in comparing with Firefox, but Firefox informs the user about it, and gives the options to the user. But a Brave user won't find that out until he checks using a 3rd party tool or checks the documentation.

So I request you to either change the title of the option, or add option for user to select, based upon your preferences.


poige commented Oct 8, 2023

+1 for @TontyTon; users shall be saved from going through such long-reads as this to realise their expectations are actually wrong b/c of something. Brave's devs said 3rd party cookies were blocked but they weren't. That's a huge blunder. Very big one.

ShivanKaul (Collaborator) commented

Firefox also says that they block cross-site cookies in their Privacy & Security section in Standard/default mode (though with a pointer to TCP below), and they behave identically on the test website posted here. I'm happy to hear ideas about how we can better explain ephemeral partitioned state to users in brave://settings, but let's have that conversation on #36363 where we're discussing how to improve our Privacy & Security settings sections.
