from Hacker News

Firefox rolls out Total Cookie Protection by default to all users

by BoumTAC on 6/14/22, 1:16 PM with 322 comments

  • by agluszak on 6/14/22, 1:48 PM

    Why weren't separate cookie jars the default in the first place? I know that browsers other than Firefox have no real incentive to protect your privacy, but I'm wondering why cookies were designed to be shared among different pages in general

  • by letmeinhere on 6/14/22, 2:56 PM

    Does this obviate the need for [Facebook Container](https://addons.mozilla.org/en-US/firefox/addon/facebook-cont...)?

  • by madmax108 on 6/14/22, 2:27 PM

    I wonder if there's anyone from any advertising/ad-targeting companies on HN who can shed some light on if/how much this change may affect their "product".

    Asking this since I know friends working at companies that were DRASTICALLY affected by the Apple advertising changes in terms of user targetability (and hence revenue) and I'm wondering if this change will be similar.

  • by dev_tty01 on 6/14/22, 2:24 PM

    Is this better or worse than Safari's "Prevent cross-site tracking" feature?

    https://support.apple.com/guide/safari/prevent-cross-site-tr...

    It appears Safari is just blocking the cookies, while Firefox is isolating the cookies. I guess Safari has to keep track of who to block while Firefox just isolates everybody. Are there other benefits to the Firefox approach?

    Frankly, I have a hard time understanding why this Cookie Sandbox approach wasn't implemented a long time ago. I get that 25 years ago we weren't concerned about privacy, but there has been plenty of time to fix this. Advertiser influence?

  • by bitwrangler on 6/14/22, 3:11 PM

    It would be nice to allow users to create "trusted tuples" to list small groups of domains that are allowed to share their cookies. For instance: Zendesk, Asana, Jira, etc.

    But have each tuple listed still be isolated from the other, only domains listed together in a single list could share a cookie container.

  • by GRBurst on 6/14/22, 3:10 PM

    Very cool to see more privacy by default in Firefox.

    It is still a lot of effort to have clear separations in every browsern...

    I am using Firefox containers with the temporary containers plugins (with history deletion enabled) as well as cookies auto delete plugin (which supports containers).

    Therefore, everything is usually isolated in a container inside a tab and only white listed cookies are kept in the named containers.

  • by ghusto on 6/14/22, 2:15 PM

    I've never understood the thinking that went behind allowing one site to see the existence of another site's cookie in the first place. I don't think I'm even coming at this with the security hindsight of decades, it's just common sense, isn't it?

  • by flipbrad on 6/14/22, 1:45 PM

    Cool. Just a heads' up that I had to disable it on Zendesk and Asana so they could talk to each other - you might experience similar issues.

  • by rdsubhas on 6/14/22, 2:52 PM

    Privacy wins aside, can anyone please help educate if third party single sign ons will still continue to work?

  • by bityard on 6/14/22, 2:45 PM

    > making Firefox the most private and secure major browser available across Windows and Mac.

    Which one do they think is the most private and secure browser for Linux?

  • by Animats on 6/14/22, 7:23 PM

    I've had third party cookies blocked for ten years. Some sites don't work. I don't use those sites.

  • by legalcorrection on 6/14/22, 1:36 PM

    I wonder why Microsoft doesn't make Edge a privacy-oriented browser. I'm surprised they think they can make more from the data economy than they would gain by seriously hurting Google et al.

  • by eslaught on 6/14/22, 4:30 PM

    How is this different from the old privacy.firstparty.isolate, and do I still need that/should I keep that enabled?

  • by kuon on 6/14/22, 4:44 PM

    I've been blocking cookies actively for a long time, and except some technical embeds (for example STEP file viewer on misumi) I had zero issue.

    This is great news. I really hope we will not lose firefox. I'm not saying it is better than chromium, but I think it is important that it exists.

  • by lucasyvas on 6/14/22, 1:36 PM

    How does this relate to the existing tracking protection settings - should I turn off "block all third party cookies"?

    That setting breaks a few things, but mostly works OK. I'm confused which protection level this new capability corellates to.

  • by mastermedo on 6/14/22, 2:25 PM

    I remember losing a bet a while back, because I was naive enough to think that was how cookies worked in the first place. Why did other sites ever have access to cookies they didn’t create was beyond me.

  • by easytiger on 6/14/22, 2:48 PM

    If anyone wonders how bad the situation RE cookies is there is a local newspaper owner in the UK called reach PLC who own 100+ newspaper websites.

    Their cookie allow dialog has over 700 data share partners, not including their own "legitimate interest" cookies. The dialog looks like this [1] and cannot be resized and is lazy loaded (i.e. you have to manually scroll to have the page load all of them with a few visible each scroll). And its slow so it takes a while and doesn't play well with the mouse in the iframe. There are even ones not in english or latin characters [2]

    [1] https://imgur.com/a/ciuRWSx [2] https://i.imgur.com/4yc6Flo.png

    Anyway i lazy loaded all of them and there are 753 (the html just to display it is > 1 megabyte

        $ xmllint --format reach2.html | grep qc-cmp2-list-item-header | tail && xmllint --format reach2.html | grep qc-cmp2-list-item-header | wc -l
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="Yieldmo, Inc." aria-live="polite">
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="YOC AG" aria-live="polite">
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="YouGov" aria-live="polite">
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="ZAM Network LLC dba Fanbyte" aria-live="polite">
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="Zemanta, Inc." aria-live="polite">
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="zeotap GmbH" aria-live="polite">
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="Zeta Global" aria-live="polite">
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="Ziff Davis LLC" aria-live="polite">
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="zillian sa" aria-live="polite">
        <button role="listitem" class="qc-cmp2-list-item-header" aria-label="Zoomd Ltd." aria-live="polite">
    753
    It's crazy

  • by xnorswap on 6/14/22, 1:41 PM

    Does this affect single-sign-on implementations?

  • by DoubleGlazing on 6/14/22, 3:15 PM

    I know Firefox has a small market share, but this is the sort of feature other browsers may adopt. Maybe not the big boys like Chrome or Edge, but I could see all the niche privacy focused browsers implementing it and maybe even Safari given Apples claims to support user privacy. If a certain percentage of browsers started to use similar functionality I could tracking companies starting to develop countermeasures.

    In fact I've already encountered one site that gave me a popup telling me to enable third party cookies. It was one of those dodgy sites that scrapes and copies Stack Overflow content and the JavaScript that enabled it was very clunky - but it worked. I'm surprised there aren't more websites already doing something similar.

  • by dmw_ng on 6/14/22, 2:31 PM

    Does anyone know if this covers network-layer state like keep-alive or TLS session reuse?

  • by grishka on 6/14/22, 6:31 PM

    Why not abolish third-party cookies altogether? There are very few good uses for them.

  • by sampa on 6/14/22, 2:18 PM

    It's nice, but is that so hard for Mozilla to tell in which version it will appear? Is it the current version or is it the next 102 version (which releases in 2 weeks, but then why they say it "rolls out"?)

  • by dahart on 6/14/22, 3:52 PM

    When will the browsers take care of handling the cookie options for all the sites, so I can declare my preferences once and everyone stops putting up a popup? Surely this is already in the works?

  • by Sytten on 6/14/22, 2:20 PM

    Does someone have a link about the technical details for developers that it might affect (SSO, cookies for subdomains, etc). This is just a marketing post.

  • by olliej on 6/15/22, 1:33 AM

    Ok, is this just a more complicated (and less private) version of the 3rd party cookie blocking that’s been in safari for more than 15 years?

    If it is better - which seems surprising given it still seems to result in 3rd party cookies continuing to exist - how does it compare to safari’s domain partitioning from what seems like 5 years back, or the newer aayyyy iiiii tracker detecting stuff?

  • by qxxx on 6/14/22, 5:29 PM

    please someone fix the internet... I don't want to see any cookie popups on each site and accept / decline each cooke first only so I can see the content I want. I don't care about all these cookies and this should be managed by a browser. I hope what Firefox did is the beginning of such a fix.

  • by drexlspivey on 6/14/22, 2:37 PM

    Is that basically the PrivacyBadger plugin integrated into Firefox? Can I uninstall it now?

  • by chasd00 on 6/14/22, 2:33 PM

    given that Electron is really just a featureless browser shouldn't it be straightforward to make your own browser now? An address bar, navigation, and bookmarks ought to be enough to get you there. Seems like you should be able to make a browser for your specific needs/wants pretty easily these days. I'm not suggesting some sort of money making venture where you're beholden to investors to try and turn revenue with it but more just like a utility. Like a script or something... maybe that's the way to think about it, something cobbled together quickly to read websites.

  • by dizhn on 6/14/22, 3:45 PM

    When Mozilla comes out with a feature like this it usually whitelists google, microsoft and similar big sites so people can still log in across their network. Anybody know the current list for this feature?

  • by corentin88 on 6/14/22, 1:20 PM

    Reminds me of what Google Chrome (and others browsers) did for cache. That's clever, not 100% sure this will prevent tracking, but at least it makes tracker's life a bit harder.

  • by jokoon on 6/14/22, 1:41 PM

    I really want to enable resist fingerprinting, unfortunately it disables dark theming on github, ddg and other websites.

    I wish I could add an exception rule to this...

  • by Terry_Roll on 6/14/22, 2:04 PM

    I think OS Telemetry will see to it that its not private!

    However this will make it easier than it currently is, to work out who is data sharing illegally.

  • by gbN025tt2Z1E2E4 on 6/14/22, 2:37 PM

    This will only further entrench the big players (google, facebook, etc) while making it impossible for new & small players to compete. All of the services the big players offer effectively make working without universal cookies trivial.

    For the small players though, without massive ad-supported service offerings like Gmail, Facebook (as a platform), etc, this will screw them completely.

    Mind you, I'm a HUGE privacy advocate, so I like the new Firefox functionality... but the unintended side effects cannot be ignored.

  • by jaywalk on 6/14/22, 1:46 PM

    This is a fantastic way to do this. I wish Safari worked the same way instead of just completely blocking third-party cookies.

  • by stvnbn on 6/14/22, 2:54 PM

    I see this and I ask why it hasn't been this way since the beginning? why it took so long to have it?

  • by samstave on 6/14/22, 4:29 PM

    UIs there a dashboard of somesort where I can see all the tracking/cookies bullshit affecting me?

  • by steren on 6/15/22, 4:50 AM

    Can someone help me understand how this is different from blocking third party cookies?

  • by sdze on 6/14/22, 2:41 PM

    Firefox + ublock origin is my trusted porn browser.

  • by hestefisk on 6/14/22, 4:18 PM

    Would love for Safari / iOS to follow suit.

  • by sharno on 6/14/22, 2:41 PM

    Wish there was a feature or extension to auto accept cookie banners on websites

  • by xtat on 6/15/22, 1:19 AM

    Cool but this product naming sounds like some scummy antivirus from 2001

  • by fancl20 on 6/14/22, 2:02 PM

    Before anyone jumps to why Chrome doesn't block third-party cookies, some context:

    Regulators did warn Google NOT TO block third-party cookies before they provide a replacement, UK CMA accepted the latest proposal from Google: https://www.gov.uk/government/news/cma-to-keep-close-eye-on-...

    Apple's tracking rules also raised a lot of anti-trust concerns, giving advertisement in App Store unfair advantages among other ad platforms. Latest from German Government: https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pr...

    Banning third-party cookies will increase the gap between Google, Microsoft, Apple and other ad platforms, because they can still track you based on your account (e.g. Gmail, Hotmail, iCloud). It's a huge red flag for antitrust cases they are facing (especially Google).

  • by hericium on 6/14/22, 2:23 PM

    About 90% of Mozilla's income comes from Google.

    If this would prevent tracking, Google would not allow Mozilla to release it.