Limit cookie lifetime for cross-site redirections

[fmarier]

In order to limit the usefulness of redirect trackers (also called bounce trackers), we could cap the lifetime of the first-party cookie they set to a very low number (e.g. 1 hour).

This would affect only:

• top-level cross-site requests
• HTTP status codes: 301, 302, 303, 307, 308

It would not help with meta refreshes or JavaScript redirects (e.g. setting window.location) but it would likely defeat a number of cookie syncing techniques.

To test:

• SSO login flows (e.g. accounts.google.com redirects to youtube.com to set cookies on both).
• OAuth flows involving multiple domains (e.g. Referer header stripped breaks OKTA SAML integration #9470)

Related: #539, #817.

[fmarier]

If this simple heuristic breaks OAuth flows, we could exempt redirects which contain the expected OAuth parameters (e.g. response_type, client_id, scope, state).

[fmarier]

Other signals to consider:

• The presence of a valid P3P header may indicate non-essential cookies.
• The presence of an explicit SameSite=None cookie attribute may indicate non-essential cookies.
• The presence of both HttpOnly and Secure cookie attributes may indicate a useful cookie

[fmarier]

@pes10k Can this be closed now that we have ephemeral first-party storage for redirects? Or is there anything useful in here that we're not yet doing?

[pes10k]

yep, good to close. Good catch! I'll close it now