LWN: Comments on ""Total cookie protection" from Firefox"

"Total cookie protection" from Firefox

nye — Thu, 16 Jun 2022 15:04:32 +0000

IIUC, this new feature is really only about third-party cookies, and means that even foo.com sets a cookie with path "/", if resources from foo.com are embedded in sites from different origins, then they will be different sets of cookies.

Certainly the feature as described doesn't *sound* any different from the status quo for first-party cookies. It's possible I'm missing something though because this seems strictly weaker than just blocking third party cookies altogether, which is absolutely a valid strategy if you're willing to permit a tiny number of exceptions, and from that perspective this half-way version seems kind of pointless.

"Total cookie protection" from Firefox

bahner — Thu, 16 Jun 2022 11:19:28 +0000

Isn't this exactly what cookie paths are meant for? The browser could ask the user if they see "*", or "*.com" -path cookies and ask what to do?

"Total cookie protection" from Firefox

NRArnot — Thu, 16 Jun 2022 09:05:06 +0000

Except, how can they know that you are using this feature? All they can tell, is that their cookies are in the jar where they put them, and that some other site's cookies aren't. Which could just mean that you've recently cleared your cookies, or re-installed your browser, or fired up a new VM.

Of course, they might start trying to prevent use of Firefox altogether. In a previous decade there were sites that attempted to prevent one from using any browser that wasn't Internet Explorer. I just stopped using those sites, although it was also possible to tell Firefox to "lie" and identify itself as IE. Any organisation that sells you stuff is unlikely to want to annoy its potential customers in this way. "The customer is always right".

"Total cookie protection" from Firefox

flussence — Wed, 15 Jun 2022 20:27:54 +0000

One thing I keep MAC around for is that it erases referrers on navigation between containers (merely having HTTPS used to be enough for this, but it seems the ad industry forced the issue), so e.g. hotlinks to imgur just show the image requested instead of crapping megabytes of unwanted webapp onto my system.

"Total cookie protection" from Firefox

salimma — Tue, 14 Jun 2022 23:41:59 +0000

Oh, good point, thanks. Right now my main use case is preventing surveillance capitalism sites I use under duress from mining my data, I totally forgot about the multiple-login use case.

"Total cookie protection" from Firefox

atnot — Tue, 14 Jun 2022 23:12:06 +0000

I will personally still appreciate the way it lets me sign into multiple accounts on a website in one session

"Total cookie protection" from Firefox

salimma — Tue, 14 Jun 2022 23:09:51 +0000

Somehow the blog post doesn't mention how this might interact with Multi-Account Containers -- would there still be use cases for using MAC if total cookie protection is enabled?

"Total cookie protection" from Firefox

roc — Tue, 14 Jun 2022 22:13:43 +0000

Android has different UI code but the same Gecko engine so this should be the same on Android.

"Total cookie protection" from Firefox

iabervon — Tue, 14 Jun 2022 21:07:54 +0000

I think it needs to be a bit more clever than the brief description (like, if a site redirects you somewhere, and then that site redirects you back, cookies from the middle ought to go in the original/final site's jar in order to match how it appears to the user). But I'd prefer that embedded YouTube videos don't act like I'm logged in unless I say to share that aspect.

"Total cookie protection" from Firefox

Gaelan — Tue, 14 Jun 2022 20:48:24 +0000

Safari did this a couple years ago and it's not too bad? Embedded Facebook posts refuse to interact with you (e.g. play a video) unless you give them tracking permission, IIRC.

"Total cookie protection" from Firefox

ttuttle — Tue, 14 Jun 2022 16:56:19 +0000

Version 1 was in 2004; I suspect tracking was not nearly as widespread and pervasive as it is not, and it wasn't yet an issue that caught users' and developers' attention.

"Total cookie protection" from Firefox

smurf — Tue, 14 Jun 2022 16:08:38 +0000

"Windows and Mac", they say. I do expect that to apply to Linux versions, but I do wonder whether the Android version (completely separate codebase AFAIK) will get that feature.

NB, is there a way to teach the thing that some domains should have a common cookie jar? This is relevant for sites with multiple domains, e.g. countries. Let's assume that foobar.de temporarily redirects me to auth.foobar.com/login/de in order to log me in, then goes back to foobar.de and tries to read the .com cookie it just created. Owch.

"Total cookie protection" from Firefox

josh — Tue, 14 Jun 2022 16:01:04 +0000

Single sign-on. Login via third-party service. Integration with a third-party service that benefits from the user being logged in to that service.

"Total cookie protection" from Firefox

yoshi314 — Tue, 14 Jun 2022 15:56:37 +0000

something tells me websites will make it incredibly inconvenient to use Firefox or any other browser that decides to lock down privacy from now on.

"Total cookie protection" from Firefox

eduperez — Tue, 14 Jun 2022 15:22:35 +0000

What (legitimate) use cases could break because of this feature?

"Total cookie protection" from Firefox

eduperez — Tue, 14 Jun 2022 15:21:02 +0000

It's so sad to see an article with 20 comments, all of them being SPAM.

"Total cookie protection" from Firefox

jhoblitt — Tue, 14 Jun 2022 15:02:37 +0000

From the horse's mouth: https://montulli.blogspot.com/2013/05/the-reasoning-behin...

"Total cookie protection" from Firefox

nim-nim — Tue, 14 Jun 2022 14:52:47 +0000

That‘s a most excellent feature…

…except it’s years too late, the pervasive monitoring usual suspects have moved to something else long ago.

Moving slower than lawmakers (and cookie banners) is not something to be proud of.

That been said other browsers are worse of.

"Total cookie protection" from Firefox

josh — Tue, 14 Jun 2022 14:45:21 +0000

Features like this are a balance between protecting users and causing users to experience broken websites. I would expect that, leaving aside the usual problem of feature development roadmaps and development bandwidth, the biggest challenge with a feature like this is to avoid causing breakage that drives users away, makes them think websites are broken, makes them think the browser is broken, or similar.

"Total cookie protection" from Firefox

Archimedes — Tue, 14 Jun 2022 14:32:29 +0000

ack,
but still for me the question is why did this take 101 versions and is not in since version 1 ... (the 101 versions is a figure of speech as firefox changed their versioning scheme some time ago)

"Total cookie protection" from Firefox

dskoll — Tue, 14 Jun 2022 14:11:59 +0000

That sounds like an excellent feature. I wonder how much pushback there will be from the likes of Google and other "don't be evil" advertising corporations?