State Partitioning is a broad effort to rework how Firefox manages client-side state (i.e., data stored in the browser) to mitigate the ability of websites to abuse state for cross-site tracking. This effort aims to achieve that by providing what is effectively a "different", isolated storage location to every website a user visits. This article gives an overview of the mechanism, lists the affected APIs and explains how to debug affected sites.
State Partitioning is currently turned on by default in the Firefox Nightly channel. A subset of the state partitioning efforts (namely network partitioning) has been enabled by default in the release channel of Firefox since version 85.
Browsers traditionally key client-side state by the origin (or sometimes
registrable domain) of the location a resource was loaded from. For example,
the cookies, localStorage objects, and caches available to an iframe loaded
https://example.com/hello.html will be keyed by
example.com. This is true regardless of whether the browser
is currently loading resources from that domain as a first-party
resources or as an embedded third party resources. Trackers have taken
advantage of this cross-site state to store user identifiers and access them
across websites. The example below shows how
example.com can use
its cross-site state (in this instance, cookies) to track a user across its
own site as well as
State Partitioning is a different approach to preventing cross-site tracking. Rather than block access to certain stateful APIs in a third-party context, Firefox provides embedded resources with a separate storage bucket for every top-level website. More specifically, Firefox double-keys all client-side state by the origin of the resource being loaded and by the top-level site. In most instances, the top-level site is the scheme and eTLD+1 of the top-level page being visited by the user.
In the example below
example.com is embedded in
B.example. However, since storage is
partitioned, there are three distinct storage buckets (instead of one). The
tracker can still access storage, but since every storage bucket is
additionally keyed under the top-level site, the data it has access to on A
will be different than the data on B. This will prevent a tracker from storing
an identifier in their cookies when visited directly and then retrieving that
identifier when embedded in other websites.
The Privacy Community Group has a Work Item for Client-Side Storage Partitioning. This serves as an overview of the standardization efforts for storage partitioning in the individual standards affected. We intend to align our state partitioning implementation with these efforts as the Work Item is standardized.
Networking-related APIs are not intended to be used for websites to store data, but they can be abused for cross-site tracking. As such, the following network APIs and caches are permanently partitioned by the top-level site.
Note: Network Partitioning is permanent. Websites can't control or relax these restrictions.
However, unlike Network Partitioning, this boundary is dynamic and access to a third-party's unpartitioned storage can be granted:
- using the Storage Access API.
- automatically, such as for third-parties providing federated login.
Details about automatic grants are provided in the Storage Access Heuristics section.
Storage Access Heuristics
To improve web compatibility, Firefox currently includes some heuristics to grant unpartitioned storage access automatically to third parties that receive user interaction. These heuristics are intended to allow some third-party integrations that are common on the web to continue to function.
Warning: Storage access heuristics are a transitional feature meant to prevent website breakage. They should not be relied upon for current and future web development.
- When a partitioned third-party opens a pop-up window that has opener access to the originating document, the third-party is granted storage access to its embedder for 30 days.
When a first-party
a.exampleopens a third-party pop-up
b.exampleis granted third-party storage access to
a.examplefor 30 days.
Note: For third-parties which abuse these heuristic for tracking purposes, we may require user interaction with the popup before storage access is granted.
If a site
b.examplereceives storage access to its embedder
b.examplehave been visited and interacted with within the last 10 minutes. This storage access will be granted for 15 minutes.
If a tracker
tracker.example(as classified by the Enhanced Tracking Protection) redirects to a non-tracker
tracker.examplereceived user interaction as a first-party within the last 45 days,
tracker.exampleis granted storage access to
a.examplefor 15 minutes.
Storage Access API
Third-party frames may use document.requestStorageAccess to request unpartitioned storage access through the Storage Access API. Once granted, the requesting third-party will gain access to its first-party storage bucket (i.e., the storage it would have access to if visited as a first-party). Any calls to dynamically partitioned APIs, for example localStorage, will be made in context of the first-party bucket.
Warning: When storage access is granted there may still be references to the partitioned storage. However, sites shouldn't rely on being able to use partitioned and unpartitioned storage at the same time.
We encourage site owners to test their sites, particularly those that rely on third-party content integrations. There are several features in Firefox to make testing easier.
Here is an overview of the messages logged to the web console when interacting
with storage in a third-party context. In the following examples,
a.example is the top-level site which embeds the third-party frame
|Storage of a third-party frame is partitioned||Partitioned cookie or storage access was provided to "b.example" because it is loaded in the third-party context and storage partitioning is enabled.|
|Storage access is granted through a heuristic||Storage access automatically granted for First-Party isolation "b.example" on "a.example".|
|Storage access is granted via the StorageAccessAPI||Storage access granted for origin "b.example" on "a.example".|
Clear Third-Party Storage-Access
If a third-party iframe is granted storage access to the parent context, Firefox sets a permission. To revoke access you can clear the permission via the Site Information Panel in the permissions section under "Cross-site Cookies".
Warning: Make sure to set these preferences in a separate Firefox profile or reset them after testing.
Disable Web Compatibility Features
false will disable all
ETP and State Partitioning web-compatibility features. Disabling these features
can be useful when testing, to ensure your website is fully compatible with the
State Partitioning mechanism in Firefox and it does not rely on temporary
Features disabled by the pref include:
- Storage access heuristics: Unpartitioned storage access can only be acquired via the Storage Access API.
- Automatic storage access grants: document.requestStorageAccess will always prompt the user.
- SmartBlock's "unblock on opt-in" feature, which will allow certain trackers when users interact with them.
- Any temporary anti-tracking exceptions granted to websites via the skip-listing mechanism.
The following preferences can be used to disable individual storage access heuristics via the config editor:
Enable / disable the redirect heuristics:
Enable / disable the window open heuristics:
Disable Network Partitioning
Network partitioning can be disabled with the
Disable Dynamic State Partitioning
To disable dynamic storage partitioning for all sites you can use the
|5||Reject (known) trackers and partition third-party storage.|
|4||Only reject trackers (Storage partitioning disabled).|
Exempt specific origins from partitioning
Dynamic State Partitioning can also be disabled for specific
origins with the
preference. This pref holds a comma separated list of origins to exempt.
The pref value should follow the following format
For example, to disable partitioning for
example.com and for
news.example, you would set the pref to the following: