README.md

# Cookie Policy

*NOTE*: It's early on in the development process, so a lot can and will change.

An extension that helps user dynamically analyze a site and recommends 
appropriate more strict cookie security flags, including `Secure;`, 
`SameSite=[Lax|Strict];`, and `HttpOnly;` and cookie prefixes __Secure-*
 and __Host-*.

## Overview

The modern web heavily relies on HTTP Cookies, some of which are
used to track users, invading their privacy. Since cookies have "dual use" 
(for privacy-invading trackers as well as useful features), the user can 
not disable cookies without breaking the majority of the sites online.
This extension aims to inform the user of the potential privacy risk 
associated with specific cookies. It aims to perform only a small set of 
functions and do them well. In general, *the user should also use other 
software* to protect own privacy, because cookies are not the only 
technology used for tracking. Please refer to "This extension is 
*not*" for a summary of what *other* software you might want to use 
*together* with this extension.

### This extension is:

 - A method to visualize HTTP cookies and their contents and behavior
TODO: write details

### Limitations of this extension, or what this extension is *not*:

 - Network filter, sometimes referred to as ad blocker.
   The best way to ensure a connection does not disclose any information
   is to block the connection entirely. (E.g., even a mere act of 
   establishing a connection already leaks user IP address.) Request 
   blocking is implemented by many other software solutions:
    - uBlock Origin (not to be confused with uBlock) is a browser extension
      widely praised for versatility, efficiency, absence of monetary 
	  conflicts of interest, and a good [privacy policy](https://github.com/gorhill/uBlock/wiki/Privacy-policy).
    - uMatrix is sometimes referred to as uBlock Origin for advanced users
    - Privacy Badger 
	- AdGuard has browser extensions and stand-alone network filters
    - Adblock - a commercial product, with "Acceptable Ads" controversy 
	- Adblock Plus - another commercial product, also tainted by "Acceptable Ads" controversy
    - Firefox has "Tracking Protection" (limited to Disconnect filters)
    - Brave browser has a built-in filter engine
    - Opera browser has a built-in filter engine
    - Yandex.Browser has a built-in filter engine (and whitelist for 
      tracking services provided by Yandex itself)
 - HTTPS enforcer (mixed content resolver)
   HTTP is a plaintext protocol, which means someone can temper with it 
   in transit. Specifically, "man in the middle" can observe all transmited
   information and modify it. User should always be cautious when visiting 
   HTTP pages, and prbably use extension that forces HTTPS for content available
   over HTTPS. "HTTPS Everywhere" is a a great tool for that.

### 

## Privacy and Security

### Privacy Policy

This extension exists to fulfill only one goal -- to protect user's 
privacy -- therefore:
 - All user information is stored locally in the user's browser and 
   is never shared with anyone.
 - All information is discarded as soon as it is no longer needed.
 - The user can delete all collected information at all times.
 - This extension runs with the least API permissions possible. 
   See API Permissions Policy for details.

### API Permissions Policy

This extension runs with the least API permissions possible.
 - Each permission is declared "optional" if it is practical.
 - On the first install, the user should go into the extension options
   and enable all the desired features (and give the permissions).
 - Permissions are removed if they are no longer required (and 
   requested again if the user activates feature requiring the permission).
   The browser might not prompt the user every time if the user granted the
   permission already.

The actual permissions include:
TODO: write stuff

### Security

Nothing can be private unless it is secure, therefore this extension 
takes the following precautions:
 - Uses the least API permissions possible
 - Reasonable CSP

## Building

The extension relies on `npm` modules and `webpack` for building.

To get started, follow these steps:
1. Download official [Node.js](https://nodejs.org/) installer and install it
2. Clone this repo somewhere and `cd` into that folder
3. Install all dependencies with `npm i`
4. Download [Font Awesome](https://fontawesome.com/) icons with `npm run icons`
5. Now you can build and rebuild the extension with `npm run build`

Just edit files in `source/common` and rebuild the extension (step 5) and test it.

## Dependencies

This extesion uses the following `npm` modules: *TODO: WRITE WHICH ONES*

## Folder structure

 - `source/*` WebExtension source code
   - `source/common/*` contains code shared among all WebExtension extensions
     - `source/common/background/*` contains all background scripts
       - `source/common/background/cookiestore.js` maintains the cookie database
     - `source/common/pages/*` contains all the interfaces
     - `source/common/content_scripts/*` contains all the code 
	 interacting with the page from its own context
     - `source/common/web_accessible_resources/*` contains all the 
	 code injected into the page context
   - `source/chromium/*` contains Chromium-specific code
   - `source/firefox/*` contains Firefox-specific code
 - `build/*` contains all the builds generated from the source code
 - `node_modules/*` is the land of `npm`, don't go there

## Minimum browser requirements

The extension is built for [WebExtensions API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions),
which is supported by modern Chromium, Firefox, and Microsoft Edge browsers. Specifically, it requires following APIs: `cookies`,
`storage`, and optionally (recommended) `webRequest`.

### Chromium

Chromium is the primary target for this extension development, because of 
This extension requires Chromium 26 and up because it relies on `chrome.cookies` API, 
however `SameSiteStatus` is accessible only in Chromium 51 and up. [source](https://developer.chrome.com/extensions/cookies)

### Firefox

Doesn't work with Firefox yet, but will eventually.

### Microsoft Edge

Does not support Microsoft Edge, but might eventually.

### Apple Safari

Probably will never support Apple Safari natively, because Safari does not support WebExtensions API. Even then, Safari support is not a priority currently. Might support Safari in a distant future via a polyfill library.


https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/