currently 3rd party service workers are blocked in FF95 when dFPI is enabled (which this version has should anyone update to 96-alpha)
- but I get an error even on first party - https://arkenfox.github.io/TZP/tzp.html#storage
- I get : service worker | test : enabled | failed: SecurityError
in FF96+ service workers they are covered by dFPI
- see https://bugzilla.mozilla.org/show_bug.cgi?id=1731999
we've never used these
- service workers are disabled (or soon to be covered by dFPI when enabled) and sanitizing is already done (or will be done via enhanced cookie cleaning)
- storage API, storage access API: we sanitize on close, and sites are isolated by eTLD+1
- in v94 we switched to cookies lifetime as session, so users could use site exceptions to retain selected cookies (to stay logged in one assumes)
- that mean not deleting all cookies on shutdown
- but some login methods/types require more than cookies and also need the "site data" part of "cookies + site data" - that's the offlineApps part
- note: all site data (and cookies) is still cleared on close except site exceptions
FYI: https://bugzilla.mozilla.org/1738372
There is a small privacy issue with shoulder surfers, but in reality, this just needs to happen IMO
- we already prompt where to save, but even if we didn't, we also know we clicked or initiated a download
- unless it's a drive by or user-gesture trickery - which is why we prompt
- the download icon is shown (if hidden) and the throbber/accent color go to work
- users can always click the icon to show entries (and open folder etc)
- this maintains the current behavior in FF94
anti-fingerprinting doesn't fit here: it's not a major component or priority of this user.js, and only a few prefs outside RFP (as a robust built-in browser solution that defeats naive scripts) have anything to do with it
move all sanitizing on exit prefs into 2800
switch to cookie lifetime as session
- now users can utilize exceptions (as allow)
- session cookies still block service workers (which we disable anyway)
- we still block 3rd party cookies (until we move to dFPI)
- we still have defense in depth for 3rd party cookies with 2803
- we still bulk sanitize offlineApps on exit: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
- i.e you get to keep the cookies only IF you add an exception
add `privacy.clearsitedata.cache.enabled`
