Firefox 22 will block third-party cookies

Nice one

 

And how is this different than just unchecking "Accept third-party cookies" in Privacy? Or is that going to be the default in 22? And that needed a "patch?"

 

At this point I find it hard to tell how this will mesh with other cookie preferences and work in various contexts. However, from the patch author's blog:

Aren't there various contexts where you might want a third-party site, which you've never visited as a first-party, to be be able to set/get cookies including when there would be no cookies already set for the domain? One scenario that comes to mind is a bank that uses a third-party bill pay service and isn't masking that via DNS. Typically that third-party bill pay service only needs session cookies too.

There are various scenarios where it would make sense to allow a site to set/get cookies as a first party while preventing it from being able to set/get cookies as a third party. Here again there are some banking scenarios where the banking site should never receive third-party requests. Also, and perhaps more importantly, many major sites that you might care to interract with as a first-party but that you definitely would not want to be able to track you via third-party requests (should they use them now or in the future).

 

In the bug report for this (https://bugzilla.mozilla.org/show_bug.cgi?id=818340) there is a screenshot which presumably represents the latest implementation of the preference:

https://bugzilla.mozilla.org/attachment.cgi?id=693740&action=edit

At this point I think they're changing "Accept third party cookies" from a two-state preference (always, never) to a tri-state preference (always, only if the third-party site already has a cookie set, never).

Before:

After:

As for defaults, I think that is specified in all.js and the diff for that is:

Before:

After:

So it looks to me like everything except Android and Gonk (Firefox OS) platforms are headed for a default change, from "allow all third-party cookies" to "accept third-party cookies only if the third-party site already has a cookie set". If anyone sees anything they disagree with above, please pipe up.

 

# 22 ?

Too many updates too frequently. Seems they are "rushing" a bad sign

 

I'm not getting started on the fast updating thing again, that argument is old and irrelevant now. What I do see with this move is advertisers and trackers becoming more aggressive and maybe even completely getting around using cookies. It seems the more you push back against that industry, the greater and shadier lengths they're willing to go to to push right back.

 

Not much you can really do about that. Block cookies by default, allow when necessary, and surf in a sandbox. I empty my sandbox between visiting bookmarked sites. That might be a bit much to ask the typical user, but the typical user doesn't really care about online privacy. Got to ask yourself, how much do you value your privacy? It's a lot like identity theft protection. Your can do it yourself, or pay someone else with more resources to handle/automate the process.

 

FWIW, I think that mentality is not uncommon amongst victims of long-term abuse from a powerful, seemingly unstoppable opponent. Even those who start out thinking "I shouldn't be taking any abuse and must do whatever it takes to defend myself" often end up thinking "I think I can handle things as they are; I just don't want to risk making them angry and getting a worse beating". Problem is, N++ years of level X abuse *is* worse than N years of level X abuse and things often have a way of escalating no matter what the victims do.

I'm certain if you look back on the history of the direct marketing and targeted advertising industry you will find that it has always pursued new, "better", ways of abusing us and like a plague spread to infect new technologies. Third party tracking cookies continue to be a threat, no doubt. However, there has already been a very substantial shift towards building alternative unique identifiers (and even advertising systems) directly into our devices/platforms and also tying those to account based services. You don't need conventional cookies if you can sucker or force someone into downloading an app that they tie to an account or accounts, that uses an advertising identifier already built-into the platform or generates its own GUID, that takes advantage of ever expanding new "web platform" features that allow cross-domain communications and custom protocols, etc. Those types of things along with single signon systems, cloud-based services which revolve around web APIs and provider A pulling user account information from provider B, and so forth are already quite common. IOW, I don't think we need to worry too much about pissing them off and them starting work on some better approaches. They are well on their way already.

 

I like that they're addressing issues/bugs/vulnerabilities as quickly as possible. To me that's a good thing. But what I don't like is assigning a new version number every time when the changes are minimal. Really... Firefox 4 was the last really new version if you ask me. It was the last major change to the product. Instead of 19.0.2 it should be like 4.6.2 right now.

It will just be strange a few years from now saying: "Firefox 21,874 is now available for download!"

 

Web advertisers attack Mozilla for protecting consumers' privacy
https://www.consumeraffairs.com/new...-for-protecting-consumers-privacy-031413.html

The IAB's rant against the proposed new default of allowing *some* third party cookies rather than allowing all (an adjustable option remember, so Firefox is not actually banning anything) is on their main page with the all CAPs heading "Mozilla Firefox changes will hurt small business & consumer privacy". Direct link:

IAB President & CEO Randall Rothenberg’s Statement Opposing Mozilla’s Intention to Block Third-Party Cookies
http://www.iab.net/mozilla_rothenberg

The (third-party) opt-out cookies issue is worth noting. Where such cookies lack a GUID, the DNT header would/should communicate the same desire. Where such cookies contain a GUID, you are literally giving them the means to track/profile you and you open yourself up to the possibility that they will interpret opt-out as only applying to the serving of targeted advertising rather than that and all forms of tracking/profiling in general. IIRC, that is the "definitions game" these and other bodies have been trying to pull with the DNT header. If you want some surety, you should configure your browser not to send *any* requests to these third party ad networks.

I assume most people are smart enough to realize that tracking/profiling individuals... even just using similar mechanisms to count ad views and/or click-throughs... isn't actually necessary for advertising in general let alone a rich/vibrant Internet economy or world economy.

I was amused by the suggestion that AMBER alerts and weather emergency notifications require third-party (tracking/profiling) cookies. It was a nice "your children will be at risk and so will you!!!!" touch.

 

.... and why did we go with FF in the beginning?


it had better security than IE at the time right? no script or something... memory lane....


.... and now this.... ~ Snipped as per TOS ~.


I hate these guys and their motivation, their business model, their ethicless mind set, their need to spy....

this is my March rant....

IF some vendor came out with a pay for browser instead of a free spy.... that did not track, trick users etc etc... blocked malware.... well they would clean up....and make honest $$$$$$.

 

I'm trying to find an add-on for Firefox or Internet Explorer that could Securely Shred cookies (not remove them) without closing the browser.
Right now, I periodically clean cookies but I'd like to shred cookies and my browsing history while I'm still on-line.

 

I got self destructing cookies and better privacy. How is this going to change anything?

 

They don't give a crap about users or even small business, they care about the money they'll lose from not being able to track the users who have somehow never realized they could block them all along without Mozilla forcing it. I'm on the fence here. Part of me sees ad industry crying for exactly what it is, the other part of me knew this was going to happen, and questions why Mozilla had to throw wood into a fire already burning when they didn't need to.

Things were actually better when browser makers weren't trying to force issues like this. 3rd party blocking has been available and easy for a long time, Mozilla really didn't need to rile anyone up further. I think we're going to come to a point where the majority of websites will shoo ad blocking users away and force 3rd party cookies, and moves like this from major vendors aren't going to slow that day from arriving.

 

Cookie handling behavior can always be altered.