umm, as far as I know firefox only allows cookies to be set for the domain the object was fetched from.
now if you have a page fetched from one server that contains a link to an image (or other object) on another server, that other server can set a cookie that it will get the next time it is accessed.
this is what companies like doubleclick use to track you as you go to different sites, but there are also many legitimate reasons for this to happen, if you blocked all links that pointed at a server other than the one you pulled the initial page from you would break the web.
if you are referring to something else when you say 'third party cookies' please help me understand.
as far as history retrieval from css goes, the only way to block that is to disable the ability of css to do different things for links that you have visited vs ones that you have not. while doing this is a useful option to have, It's pretty valuable to be able to tell which links on a page you ahve clicked on recently, so I can see why they wouldn't want to disable that globally.
referrer data also has legitimate uses (although I don't have as solid a reason for it off the cuff, and probably not one that you would consider acceptable), and if you want to eliminate it I don't see why you would allow it for embedded content
while I agree that the two actions that you mention harm privacy, they are also features that many people want to have. so you are saying that these features should not exist, which leaves people vulnerable to phishing attacks. I don't see that as a winning approach
as for the multiple pop-ups, you do have the option to tell firefox "don't ask me again for this server". this doesn't mean that there are no problems. the fact that firefox will happily open up hundreds of duplicate pop-ups is a problem (this is problem for authentication pop-ups as well as cookie pop-ups), but I see this as a separate problem (one I would like to see them fix.