
Mozilla Firefox keeps cookies kosher with quarantine scheme, 86s third-party cookies in new browser build

Hey man, are your cookies trackin' me? Take 'em out. You gotta keep 'em separated

Mozilla has revised the way the latest build of the Firefox browser handles HTTP cookies to prevent third parties from using them to track people online, as part of improvements in build 86 of the code.

HTTP cookies are files stored by web browsers to save state – e.g. is the user logged in? – that get set by code running on the visited website. Some such code, known as tracking scripts or trackers, may point to third-party servers, like those run by ad tech companies.

The third-party cookies placed by these scripts can be read on other websites that also load tracking code and are often used to follow people from website to website in order to build interest profiles for behavioral ad targeting. At least that's the case for those who haven't already limited the reach of third-party cookies through privacy-focused browsers like Brave, Firefox, and Safari.

Though third-party cookies are on their way out – Google plans to stop supporting them in 2022, the ad giant has said – they're still used in ways that impinge upon the privacy of web users.

In a blog post on Tuesday, Mozillans Tim Huang, Johann Hofmann and Arthur Edelstein said that Firefox, as part of its Enhanced Tracking Protection (ETP) Strict Mode, now includes a feature called Total Cookie Protection that creates a separate partitioned space for cookies so they can only be accessed by the website that created them.

Huang, Hofmann, and Edelstein describe this as a separate cookie jar for each website.




"Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to that website, such that it is not allowed to be shared with any other website," they said.

That sort of isolation will prevent third parties from being able to read cookies set by code on first-party websites.

Total Cookie Protection represents a more accessible take on First Party Isolation, a privacy technology added to Firefox 55 in August 2017 that was inspired by Tor's Cross-Origin Identifier Unlinkability. First Party Isolation wasn't mentioned in Firefox's release notes at the time, presumably because it was experimental and broke services like third-party login systems (Single Sign-On services like Google Sign-In, Facebook Login). To enable it, you had to alter parameters in Firefox's about:config settings page.

What makes Total Cookie Protection more accessible is that it isn't really Total Cookie Protection. Rather it's Total Cookie Protection With Some Exceptions, Handled Automatically – not exactly the sort of branding that rolls off the tongue. As the trio of Mozillans explain, "Total Cookie Protection makes a limited exception for cross-site cookies when they are needed for non-tracking purposes, such as those used by popular third-party login providers."

Mozilla's implementation tries to handle exceptions automatically, using rules to detect legitimate (non-tracking) uses of browser storage by third parties such as Single Sign-On providers, so it can grant access accordingly.
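
A simplified model of the per-site cookie jars and the login-provider exception described above, added here as an illustration; it is not Mozilla's code and does not reproduce Firefox's detection rules. The `CookieStore` class, the `topSite|embeddedSite` grant format, and the `.example` hostnames are assumptions made for the example, and sites are treated as plain strings.

```javascript
// Simplified model of browser cookie storage, comparing one shared jar
// with per-site partitioning. All hostnames are constructed examples.
class CookieStore {
  constructor({ partitioned, grants = [] }) {
    this.partitioned = partitioned;
    // Assumed exception format: "topSite|embeddedSite" pairs that were given
    // unpartitioned access (for instance a login provider). Hypothetical.
    this.grants = new Set(grants);
    this.jars = new Map(); // jar key -> Map(cookie name -> value)
  }

  // Choose the jar for a cookie owned by `cookieSite` while the user is on
  // `topSite`.
  jarKey(topSite, cookieSite) {
    const firstParty = topSite === cookieSite;
    const granted = this.grants.has(`${topSite}|${cookieSite}`);
    if (!this.partitioned || firstParty || granted) return cookieSite;
    return `${topSite}^${cookieSite}`; // separate jar per top-level site
  }

  set(topSite, cookieSite, name, value) {
    const key = this.jarKey(topSite, cookieSite);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }

  get(topSite, cookieSite, name) {
    const jar = this.jars.get(this.jarKey(topSite, cookieSite));
    return jar ? jar.get(name) : undefined;
  }
}

// A tracker embedded on two sites sets an ID on one and reads it on the other.
function trackerSeesSameId(store) {
  store.set("news.example", "tracker.example", "uid", "abc123");
  return store.get("shop.example", "tracker.example", "uid") === "abc123";
}

// A login provider sets a session on its own site, then is embedded elsewhere.
function ssoSessionVisible(store) {
  store.set("login.example", "login.example", "session", "s-1");
  return store.get("shop.example", "login.example", "session") === "s-1";
}

const grant = ["shop.example|login.example"];
console.log("shared jar, tracker links visits:", trackerSeesSameId(new CookieStore({ partitioned: false })));
console.log("partitioned, tracker links visits:", trackerSeesSameId(new CookieStore({ partitioned: true })));
console.log("partitioned, SSO without grant:", ssoSessionVisible(new CookieStore({ partitioned: true })));
console.log("partitioned, SSO with grant:", ssoSessionVisible(new CookieStore({ partitioned: true, grants: grant })));
```

The grant applies only to the named pair of sites, so the tracker's cookies stay partitioned even in a store that carries the login-provider exception.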

But this is only intended to be a temporary solution until the Storage Access API, a proposed JavaScript API to handle legitimate exceptions to privacy protections like SSO usage, sees wider adoption. Currently, the API is supported in Edge, Firefox, and Safari, and is accessible in Chrome by setting a feature flag.

The three Mozillans contend that Total Cookie Protection, in conjunction with the supercookie protection that debuted last month in Firefox 85, will "prevent websites from being able to 'tag' your browser, thereby eliminating the most pervasive cross-site tracking technique."

Meanwhile, Google and its ad tech frenemies are racing to develop various Privacy Sandbox proposals so they can implement behavioral ad targeting "without needing to collect a particular individual’s browsing history." ®
