Mozilla, Google and privacy

Posted Aug 13, 2009 23:28 UTC (Thu) by dlang (✭ supporter ✭, #313)
In reply to: Mozilla, Google and privacy by Tobu
Parent article: Ubuntu removes "multisearch"

umm, as far as I know firefox only allows cookies to be set for the domain the object was fetched from.

now if you have a page fetched from one server that contains a link to an image (or other object) on another server, that other server can set a cookie that it will get the next time it is accessed.

this is what companies like doubleclick use to track you as you go to different sites, but there are also many legitimate reasons for this to happen, if you blocked all links that pointed at a server other than the one you pulled the initial page from you would break the web.

if you are referring to something else when you say 'third party cookies' please help me understand.

as far as history retrieval from css goes, the only way to block that is to disable the ability of css to do different things for links that you have visited vs ones that you have not. while doing this is a useful option to have, it's pretty valuable to be able to tell which links on a page you have clicked on recently, so I can see why they wouldn't want to disable that globally.

referrer data also has legitimate uses (although I don't have as solid a reason for it off the cuff, and probably not one that you would consider acceptable), and if you want to eliminate it I don't see why you would allow it for embedded content

while I agree that the two actions that you mention harm privacy, they are also features that many people want to have. so you are saying that these features should not exist, which leaves people vulnerable to phishing attacks. I don't see that as a winning approach

as for the multiple pop-ups, you do have the option to tell firefox "don't ask me again for this server". this doesn't mean that there are no problems. the fact that firefox will happily open up hundreds of duplicate pop-ups is a problem (this is a problem for authentication pop-ups as well as cookie pop-ups), but I see this as a separate problem (one I would like to see them fix).


Mozilla, Google and privacy

Posted Aug 14, 2009 11:43 UTC (Fri) by Tobu (subscriber, #24111) [Link]

Cookies are set for the domain content was fetched from, but included content makes the distinction irrelevant. This is indeed what I meant by third-party cookies: cookies set by third-party content.

I don't suggest breaking the web by refusing third-party content. Just that a cookie set on domain D via inclusion on domain A should not be the same as a cookie set on domain D via inclusion on domain B. As far as cookies are concerned, this should be enough to restore privacy.

Mozilla, Google and privacy

Posted Aug 15, 2009 3:12 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

if you refuse to allow cookies for third-party content, you run the very real risk of breaking that third-party content if it needs cookies for its functionality.

your suggestion to add a referrer-type tag to the cookie store is interesting and I think it would be a very good thing for someone to try implementing.

however it will break some legitimate uses as well as the people you are trying to break. you won't see this breakage on most small sites, but on large sites that spread functionality across multiple URLs it will break portions of the site that are common.

Mozilla, Google and privacy

Posted Aug 15, 2009 20:17 UTC (Sat) by Tobu (subscriber, #24111) [Link]

The sites I could see being broken by this are domains that maintain user sessions across tlds, like google.tld and lastfm.tld . They could use redirects to transfer the session between the .com domain and the country domain. Most sites that run analytics or ads via just a script tag wouldn't bother.

Mozilla, Google and privacy

Posted Aug 15, 2009 3:17 UTC (Sat) by foom (subscriber, #14868) [Link]

> that other server can set a cookie that it will get the next time it is accessed

In Safari it can't. From the preferences...

Accept Cookies:
[ ] Always
[ ] Never
[X] Only from sites I visit
    Block cookies from third parties and advertisers.

Mozilla, Google and privacy

Posted Aug 15, 2009 3:21 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

interesting to know that this is an option.

I assume that this isn't the default (that it defaults to yes)

any idea how many sites get broken by this option?

Mozilla, Google and privacy

Posted Aug 15, 2009 3:36 UTC (Sat) by foom (subscriber, #14868) [Link]

It is the default. I don't know if any sites get broken by it, but I certainly haven't noticed any. Not that I would have even thought to try changing that option if I did run across a broken site, so who knows.

Quite a few are broken by me disabling Flash's data storage, though.

Mozilla, Google and privacy

Posted Aug 15, 2009 19:30 UTC (Sat) by njs (subscriber, #40338) [Link]

Firefox also has this option (though AFAICT not on by default): uncheck Edit > Preferences > Privacy > Accept third party cookies.

Mozilla, Google and privacy

Posted Aug 15, 2009 20:01 UTC (Sat) by Tobu (subscriber, #24111) [Link]

Yeah, but it is ineffective.

I have this option in Chromium and Firefox. All it does is check that the cookie setter (RFC 2965, the dom, maybe equivalents in html5 dom storage…) requests a domain compatible with the current domain.

Content included from another domain works around it, and here both Firefox and Chromium have a myriad of cookies from adservers (these aren't leftovers, they get removed at the end of a session through another firefox setting).

The problem is that the effective way to prevent this (namespace cookies with the referer domain in addition to the cookie domain) hasn't been implemented, and these settings are just a distraction. I haven't tried Safari, but at least for the browsers I use, exposing them as "block third party/tracker/adserver cookies" is misleading. Maybe there is a reason fixing this is not that simple, but I suspect the reason is a big conflict of interest.
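
The cookie namespacing proposed in this thread (a cookie for domain D set via a page on A is distinct from one set via a page on B) can be modelled as below. This is an added example, not part of any comment and not any browser's code; the `CookieJar` class, the `example` host names and the use of the top-level page domain as the namespace key are assumptions made for illustration.

```javascript
// Constructed model: a cookie jar keyed either by cookie domain alone
// (classic behaviour) or by (top-level page domain, cookie domain).
class CookieJar {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  key(topLevel, cookieDomain) {
    return this.partitioned ? `${topLevel}|${cookieDomain}` : cookieDomain;
  }
  get(topLevel, cookieDomain) {
    const v = this.store.get(this.key(topLevel, cookieDomain));
    return v === undefined ? null : v;
  }
  set(topLevel, cookieDomain, value) {
    this.store.set(this.key(topLevel, cookieDomain), value);
  }
}

// Hypothetical third-party server: reuses the id cookie it is sent,
// otherwise sets a fresh one, and logs which page embedded it.
function makeTracker(domain) {
  let next = 1;
  const log = [];
  function serve(jar, topLevel) {
    let id = jar.get(topLevel, domain);
    if (id === null) {
      id = `uid-${next++}`;
      jar.set(topLevel, domain, id);
    }
    log.push({ id, page: topLevel });
  }
  return { log, serve };
}

// Replay a browsing session and return the profile the tracker can
// build: pages grouped by the identifier it received.
function browse(partitioned, pages) {
  const jar = new CookieJar(partitioned);
  const tracker = makeTracker("d.example");
  for (const page of pages) tracker.serve(jar, page);
  const profiles = {};
  for (const { id, page } of tracker.log) {
    (profiles[id] = profiles[id] || []).push(page);
  }
  return profiles;
}

// Constructed session: d.example embedded on a and b, then visited directly.
const PAGES = ["a.example", "b.example", "a.example", "d.example"];
```

With the shared jar, `browse(false, PAGES)` yields one identifier covering all four page loads; with the namespaced jar, `browse(true, PAGES)` yields three unlinked identifiers, and the direct visit to `d.example` gets its own, which is the session breakage for embedded content raised in the replies.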
