User.js: Redirect tracking protection might not work properly [fixed FF85+]

Created on 6 Jan 2021 · 9 Comments · Source: arkenfox/user.js

Redirect tracking protection is enabled via privacy.purge_trackers.enabled = true by default. However, according to this hotfix: https://searchfox.org/mozilla-central/source/toolkit/components/antitracking/PurgeTrackerService.jsm#298 it seems to only work if privacy.clearOnShutdown.history and privacy.clearOnShutdown.siteSettings are set to false. Both settings are set to true in user.js though.

Are there any considerations in this regard? Does deleting the history and site settings make more sense to avoid tracking and redirect tracking should be prevented via an addon?

firefox bug

All 9 comments

The user.js also sets

user_pref("privacy.sanitize.sanitizeOnShutdown", true); // 2802
user_pref("privacy.clearOnShutdown.cookies", true); // 2803
user_pref("privacy.cpd.cookies", true); // 2804

Cookies (redirect or not) are deleted if you restart or clear-manually.

In addition you can use an add-on like ClearURLs, Request Control or Skip Redirect to skip redirect-trackers. This has the advantage that the server isn't contacted so it has no "IP 1.2.3.4 has clicked a link on example.com to visit example2.com".

Alternatively, you could use TC with global isolation.

privacy.purge_trackers.enabled

  • Added false in FF75+ 1599262
  • Read this here on what redirect tracking is

    • they talk about FF79

    • "Once every 24 hours ETP 2.0 will completely clear out any cookies and site data stored by known trackers. This prevents redirect trackers from being able to build a long-term profile of your activity."

  • Flipped true in stable release in FF83+ 1675596
  • hotfix ... 1672394, i.e. don't purge if X or Y

So the question is, what exactly is being purged ... what exactly are you not already protected against. Answer those and then you can probably close this issue

The first answer is (emphasis mine)

  • This only applies to known trackers ... _with a 45 day exception for any trackers that you’ve interacted with directly_
  • hence ETP requires history (and site permissions) in order to determine interaction
  • clearly, sanitizing history means there are no exceptions, hence everything gets was purged = excellent!!! 👍 FukYeah™ - edit: except now it's not purged, they added an exception so people don't get logged out of sites like twitter .. this sucks FukNo™ 👎

The user.js is set up to sanitize all site data on close: i.e web data, not site exceptions or passwords

However, users can tweak shit. Some people want to keep some cookies (I do) and bulk sanitize cookies on close doesn't allow that

  • note: "cookies" = cookies only (so users auto-login etc). localStorage, service worker cache and IDB etc are covered by a different sanitizing pref
  • example A: user keeps nothing: default user.js = sweet AF
  • example B: user keeps history but not cookies: now purging happens (minus exceptions) - except the user.js already sanitizes all web data
  • example C: user keeps cookies but not history: purging does not happen
  • example D: user keeps cookies and history: purging works (minus exceptions) = default FF setup

In A+B the user is fine
In C + D the user has bigger problems keeping all cookies by default, let alone redirect tracking ones.

I don't know the answer: I actually don't recommend cookie cleaner extensions because they often leave orphaned web data lying around. TC though doesn't. But I don't know if these extensions handle cleaning up a website cookie/data used as a redirect/bouncy-bouncy
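
The A-D breakdown in the comment above, as an added example (not part of the thread, and not arkenfox or Firefox code): it reads the active `user_pref` lines of a user.js and reports which scenario applies and whether the purge would be skipped. The names `parsePrefs`, `classify` and `redirectCookiesPersist` are hypothetical, the samples are constructed, and the skip rule is modelled on this thread's description of the pre-FF85 hotfix.

```javascript
// Assumption (from this thread, pre-FF85): the purge is skipped when history
// or site settings are cleared on shutdown. Unset prefs are treated as false.
function parsePrefs(text) {
  const prefs = new Map();
  const noBlocks = text.replace(/\/\*[\s\S]*?\*\//g, ""); // drop /* ... ***/ blocks
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;/;
  for (const line of noBlocks.split("\n")) {
    const m = re.exec(line); // a leading "//" fails the anchor: inactive pref
    if (!m) continue;
    const raw = m[2];
    const value = raw === "true" ? true : raw === "false" ? false
      : raw.startsWith('"') ? raw.slice(1, -1) : Number(raw);
    prefs.set(m[1], value); // the last assignment wins
  }
  return prefs;
}

function classify(text) {
  const p = parsePrefs(text);
  const on = (name, dflt = false) => (p.has(name) ? p.get(name) === true : dflt);
  // clearOnShutdown.* only take effect when sanitizeOnShutdown is on.
  const sanitize = on("privacy.sanitize.sanitizeOnShutdown");
  const clears = (item) => sanitize && on("privacy.clearOnShutdown." + item);
  const keepsCookies = !clears("cookies");
  const keepsHistory = !clears("history");
  const scenario = keepsCookies ? (keepsHistory ? "D" : "C")
                                : (keepsHistory ? "B" : "A");
  // Default true per the thread (flipped in FF83+).
  const purgeEnabled = on("privacy.purge_trackers.enabled", true);
  const purgeRuns = purgeEnabled && keepsHistory && !clears("siteSettings");
  // Tracker cookies survive a restart and nothing purges them afterwards.
  return { scenario, purgeRuns, redirectCookiesPersist: keepsCookies && !purgeRuns };
}

// Constructed sample: clears cookies and history on shutdown (scenario A).
const SAMPLE_A = `
/* 2803: set what items to clear on shutdown ***/
user_pref("privacy.sanitize.sanitizeOnShutdown", true); // 2802
user_pref("privacy.clearOnShutdown.cookies", true); // 2803
user_pref("privacy.clearOnShutdown.history", true);
// user_pref("browser.privatebrowsing.autostart", false);
`;
// Constructed override: the user keeps cookies but not history (scenario C).
const SAMPLE_C = SAMPLE_A + 'user_pref("privacy.clearOnShutdown.cookies", false);\n';

console.log(classify(SAMPLE_A), classify(SAMPLE_C));
```

Only scenario C comes back with `redirectCookiesPersist: true`. The commented-out `browser.privatebrowsing.autostart` line is not counted as an active pref.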

Thanks for that extensive explanation! I wasn’t aware, that privacy.purge_trackers.enabled only or mainly deals with cookies.

> Thanks for that extensive explanation! I wasn’t aware, that privacy.purge_trackers.enabled only or mainly deals with cookies.

purging quoted from the link above (emphasis mine)

> Once every 24 hours ETP 2.0 will completely clear out any cookies _and site data_ stored by known trackers

When I said cookies = cookies only, that was in relation to the sanitizing prefs, talking about tweaking the user.js

/*** [SECTION 2800]: SHUTDOWN
     - "Offline Website Data" includes appCache (2730), localStorage (2710),
       service worker cache (2740), and QuotaManager (IndexedDB (2720), asm-cache)
***/
/* 2803: set what items to clear on shutdown  ***/
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data

FYI: fixed in FF85 1675018

Hah ... ETP's "tracking content" is only enabled in PB mode windows by default (and PB mode stuff is memory only)

Note: the user.js makes sure to not start in pb mode, and it does not set ETP's tracking protection on in all windows - maybe we should

> the user.js makes sure to not start in pb mode

How?
Doesn't browser.privatebrowsing.autostart need to be false to prevent PB mode?

yeah, sorry. We don't enforce it, it's commented out .. my bad
