|
|
Subscribe / Log in / New account

"Total cookie protection" from Firefox

[Posted June 14, 2022 by corbet]

Mozilla has announced the enabling of its "total cookie protection" feature in all versions of the Firefox browser.

Total Cookie Protection works by creating a separate “cookie jar” for each website you visit. Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites. Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to only that website. No other websites can reach into the cookie jars that don’t belong to them and find out what the other websites’ cookies know about you.

to post comments

"Total cookie protection" from Firefox

Posted Jun 14, 2022 14:11 UTC (Tue) by dskoll (subscriber, #1630) [Link] (9 responses)

That sounds like an excellent feature. I wonder how much pushback there will be from the likes of Google and other "don't be evil" advertising corporations?

"Total cookie protection" from Firefox

Posted Jun 14, 2022 14:32 UTC (Tue) by Archimedes (subscriber, #125143) [Link] (7 responses)

ack,
but still for me the question is why did this take 101 versions and is not in since version 1 ... (the 101 versions is a figure of speech as firefox changed their versioning scheme some time ago)

"Total cookie protection" from Firefox

Posted Jun 14, 2022 14:45 UTC (Tue) by josh (subscriber, #17465) [Link] (3 responses)

Features like this are a balance between protecting users and causing users to experience broken websites. I would expect that, leaving aside the usual problem of feature development roadmaps and development bandwidth, the biggest challenge with a feature like this is to avoid causing breakage that drives users away, makes them think websites are broken, makes them think the browser is broken, or similar.

"Total cookie protection" from Firefox

Posted Jun 14, 2022 15:22 UTC (Tue) by eduperez (guest, #11232) [Link] (2 responses)

What (legitimate) use cases could break because of this feature?

"Total cookie protection" from Firefox

Posted Jun 14, 2022 16:01 UTC (Tue) by josh (subscriber, #17465) [Link] (1 responses)

Single sign-on. Login via third-party service. Integration with a third-party service that benefits from the user being logged in to that service.

"Total cookie protection" from Firefox

Posted Jun 14, 2022 21:07 UTC (Tue) by iabervon (subscriber, #722) [Link]

I think it needs to be a bit more clever than the brief description (like, if a site redirects you somewhere, and then that site redirects you back, cookies from the middle ought to go in the original/final site's jar in order to match how it appears to the user). But I'd prefer that embedded YouTube videos don't act like I'm logged in unless I say to share that aspect.

"Total cookie protection" from Firefox

Posted Jun 14, 2022 15:02 UTC (Tue) by jhoblitt (subscriber, #77733) [Link] (1 responses)

From the horse's mouth: https://montulli.blogspot.com/2013/05/the-reasoning-behin...

"Total cookie protection" from Firefox

Posted Jun 14, 2022 15:21 UTC (Tue) by eduperez (guest, #11232) [Link]

It's so sad to see an article with 20 comments, all of them being SPAM.

"Total cookie protection" from Firefox

Posted Jun 14, 2022 16:56 UTC (Tue) by ttuttle (subscriber, #51118) [Link]

Version 1 was in 2004; I suspect tracking was not nearly as widespread and pervasive as it is not, and it wasn't yet an issue that caught users' and developers' attention.

"Total cookie protection" from Firefox

Posted Jun 14, 2022 14:52 UTC (Tue) by nim-nim (subscriber, #34454) [Link]

That‘s a most excellent feature…

…except it’s years too late, the pervasive monitoring usual suspects have moved to something else long ago.

Moving slower than lawmakers (and cookie banners) is not something to be proud of.

That been said other browsers are worse of.

"Total cookie protection" from Firefox

Posted Jun 14, 2022 15:56 UTC (Tue) by yoshi314 (guest, #36190) [Link] (2 responses)

something tells me websites will make it incredibly inconvenient to use Firefox or any other browser that decides to lock down privacy from now on.

"Total cookie protection" from Firefox

Posted Jun 14, 2022 20:48 UTC (Tue) by Gaelan (guest, #145108) [Link]

Safari did this a couple years ago and it's not too bad? Embedded Facebook posts refuse to interact with you (e.g. play a video) unless you give them tracking permission, IIRC.

"Total cookie protection" from Firefox

Posted Jun 16, 2022 9:05 UTC (Thu) by NRArnot (subscriber, #3033) [Link]

Except, how can they know that you are using this feature? All they can tell, is that their cookies are in the jar where they put them, and that some other site's cookies aren't. Which could just mean that you've recently cleared your cookies, or re-installed your browser, or fired up a new VM.

Of course, they might start trying to prevent use of Firefox altogether. In a previous decade there were sites that attempted to prevent one from using any browser that wasn't Internet Explorer. I just stopped using those sites, although it was also possible to tell Firefox to "lie" and identify itself as IE. Any organisation that sells you stuff is unlikely to want to annoy its potential customers in this way. "The customer is always right".

"Total cookie protection" from Firefox

Posted Jun 14, 2022 16:08 UTC (Tue) by smurf (subscriber, #17840) [Link] (1 responses)

"Windows and Mac", they say. I do expect that to apply to Linux versions, but I do wonder whether the Android version (completely separate codebase AFAIK) will get that feature.

NB, is there a way to teach the thing that some domains should have a common cookie jar? This is relevant for sites with multiple domains, e.g. countries. Let's assume that foobar.de temporarily redirects me to auth.foobar.com/login/de in order to log me in, then goes back to foobar.de and tries to read the .com cookie it just created. Owch.

"Total cookie protection" from Firefox

Posted Jun 14, 2022 22:13 UTC (Tue) by roc (subscriber, #30627) [Link]

Android has different UI code but the same Gecko engine so this should be the same on Android.

"Total cookie protection" from Firefox

Posted Jun 14, 2022 23:09 UTC (Tue) by salimma (subscriber, #34460) [Link] (3 responses)

Somehow the blog post doesn't mention how this might interact with Multi-Account Containers -- would there still be use cases for using MAC if total cookie protection is enabled?

"Total cookie protection" from Firefox

Posted Jun 14, 2022 23:12 UTC (Tue) by atnot (subscriber, #124910) [Link] (2 responses)

I will personally still appreciate the way it lets me sign into multiple accounts on a website in one session

"Total cookie protection" from Firefox

Posted Jun 14, 2022 23:41 UTC (Tue) by salimma (subscriber, #34460) [Link] (1 responses)

Oh, good point, thanks. Right now my main use case is preventing surveillance capitalism sites I use under duress from mining my data, I totally forgot about the multiple-login use case.

"Total cookie protection" from Firefox

Posted Jun 15, 2022 20:27 UTC (Wed) by flussence (guest, #85566) [Link]

One thing I keep MAC around for is that it erases referrers on navigation between containers (merely having HTTPS used to be enough for this, but it seems the ad industry forced the issue), so e.g. hotlinks to imgur just show the image requested instead of crapping megabytes of unwanted webapp onto my system.

"Total cookie protection" from Firefox

Posted Jun 16, 2022 11:19 UTC (Thu) by bahner (guest, #35608) [Link] (1 responses)

Isn't this exactly what cookie paths are meant for? The browser could ask the user if they see "*", or "*.com" -path cookies and ask what to do?

"Total cookie protection" from Firefox

Posted Jun 16, 2022 15:04 UTC (Thu) by nye (subscriber, #51576) [Link]

IIUC, this new feature is really only about third-party cookies, and means that even foo.com sets a cookie with path "/", if resources from foo.com are embedded in sites from different origins, then they will be different sets of cookies.

Certainly the feature as described doesn't *sound* any different from the status quo for first-party cookies. It's possible I'm missing something though because this seems strictly weaker than just blocking third party cookies altogether, which is absolutely a valid strategy if you're willing to permit a tiny number of exceptions, and from that perspective this half-way version seems kind of pointless.


Copyright © 2022, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds