Forum Discussion
Dev channel update to 90.0.782.0 is live
Hi,
Why does adding cookies to the Allow list make them bypass the 3rd party cookie blocking?
HotCakeX from a logical standpoint, the cookie allow list is a global allow list. Like, you're allowing these cookies, period. The idea that changing another setting would change the context of that allow list to all of a sudden not be global is something that honestly had never occurred to me since there's no indication that such a thing would happen (since of course it doesn't). I'm definitely curious how many people would expect the third party cookie blocking setting to have exceptions since we're not trying to make it seem like it does, but I suspect not many since you have to have a lot of mental context to even know what is or isn't a third party cookie at any given time. Like, how would you know where the cookies in that list won't be allowed? I mean yes, they won't be allowed anywhere except when you're actually on those sites, but you also don't know what other sites do or don't try to use them as third party cookies, so it's impossible to list everywhere they won't be allowed (in other words, all the exceptions to that list).
- HotCakeX, Feb 03, 2021, MVP
josh_bodner wrote:HotCakeX from a logical standpoint, the cookie allow list is a global allow list. Like, you're allowing these cookies, period. The idea that changing another setting would change the context of that allow list to all of a sudden not be global is something that honestly had never occurred to me since there's no indication that such a thing would happen (since of course it doesn't). I'm definitely curious how many people would expect the third party cookie blocking setting to have exceptions since we're not trying to make it seem like it does, but I suspect not many since you have to have a lot of mental context to even know what is or isn't a third party cookie at any given time. Like, how would you know where the cookies in that list won't be allowed? I mean yes, they won't be allowed anywhere except when you're actually on those sites, but you also don't know what other sites do or don't try to use them as third party cookies, so it's impossible to list everywhere they won't be allowed (in other words, all the exceptions to that list).
Hi,
The reason I use the Allow list is to specify a list of websites whose cookies I want to be kept in the browser, and then I add these 2 items to the "clear on exit" list
So with this setup, I clear all cookies that belong to websites I don't care about, every time the browser closes.
I think we can all agree that this is a good security practice. I really only interact with ~30 websites regularly, so I don't need to have cookies of 1000 domains in my browser, tracking my every move on the Internet.
In fact, I wish Edge would do this automatically for everyone. Like, let the user use the browser for at least a week, detect the most visited websites and add them to the allow list, then clear all other cookies after the browser closes.
Of course this won't be a default behavior, but one that privacy-aware people would want to turn on or explore.
Okay, so far so good, now about the 3rd party cookie blocking...
So, you have made it clear in the settings where the 3rd party cookie blocking exception is.
That option exists in Google Chrome too.
When someone sees that checkbox and has 3rd party cookie blocking turned on, they will know that checking that box will create an exception for that specific domain.
But it's not expected when the user adds a domain to the "Allow" list and then 3rd party cookie blocking thinks it's an exception too. It really isn't.
The exception for 3rd party cookie blocking should only be done through that checkbox, where it's explicitly specified.
This is why I'm saying that the "Allow" list shouldn't be confused, by the browser, with an exception list.
To me this all sounds logical, to be honest.
I have a question: your last paragraph kinda got me confused. You're saying that it's in fact possible for a website, xyz.com, to use Google.com's cookies and present them in the form of first party cookies?
https://www.ionos.com/digitalguide/hosting/technical-matters/what-are-third-party-cookies/
- eddiezato, Feb 04, 2021, Iron Contributor
HotCakeX there is an option to clear all cookies with exceptions:
Personally I block all third-party cookies. But with 'allow list' I can bypass global blocking and allow these cookies for specific domains. 'Allow list' has worked this way in Chromium for many years.
- HotCakeX, Feb 04, 2021, MVP
eddiezato wrote: HotCakeX there is an option to clear all cookies with exceptions:
Personally I block all third-party cookies. But with 'allow list' I can bypass global blocking and allow these cookies for specific domains. 'Allow list' has worked this way in Chromium for many years.
There are 2 things to note here.
Edge and Chrome already have an "Allow list" or "exception list" for 3rd party cookie blocking.
It happens when you check this box:
If you don't check that box, it shouldn't happen. They are clearly mentioning that to the user: if you check the box, third-party cookies on this site will be allowed.
There is no need to apply it to the whole "Allow" list.
Also, there is an option to clear cookies on exit with exceptions, in here:
edge://settings/clearBrowsingDataOnClose
But it doesn't sync the websites we add.
So based on what I explained in my previous comment, it's impossible to have that kind of security in Edge.
There is literally no way; if there is, then please tell me how to:
- limit Google.com's cookies only to Google.com
- have a list of frequently visited sites (which also includes Google.com) and let them save their cookies on Edge.
- delete all cookies that don't belong to the frequently visited sites list (aka allow list) in here:
edge://settings/content/cookies
whenever the browser is closed.
I'm open to all suggestions and I hope I'm wrong.