Firefox's Total Cookie Protection Aims To Stop Tracking Between Multiple Sites

As part of its war on web tracking, Mozilla is adding a new tool to Firefox aimed at stopping cookies from keeping tabs on you across multiple sites. From a report: The "Total Cookie Protection" feature is included in the web browser's latest release -- alongside multiple picture-in-picture views -- and essentially works by keeping cookies isolated between each site you visit. Or, in Mozilla's words: "By creating a separate cookie jar for every website." Firefox's new feature pares with last month's network partitioning tool, which works by splitting the Firefox browser cache on a per-website basis to prevent tracking across the web, itself targeted at blocking more stubborn "supercookies." According to Mozilla, these types of cookies are more difficult to delete and block as they are stored in obscure parts of the browser, including in Flash storage, ETags, and HSTS flags. Both tools are available as part of Firefox's enhanced tracking protection suite in "strict mode" on desktop and Android.

Re: C is for Cookie

[BAReFO0t]

That is an outdated meme. Chrome os way way worse at this nowadays.
But yes, it could still be better. E.g. by killing the whole "web" platform.and choosing something saner. :)

That's good news!

[QuietLagoon]

Now, if Mozilla could only get auto-play media to not auto-play. There's a config option for it, but that option does not seem to work.

Re:

[wooloohoo]

Seems to be working well for me across multiple systems. Maybe take a look at this support page: https://support.mozilla.org/en... [mozilla.org]

Re: That's good news!

[BAReFO0t]

Nope, I can verify that on marmiton.org, if a page contains a video at the top, it is automatically played on mobile, in any case, ... completely ruining my data cap.

Re:

[Merk42]

Does it not autoplay in any browser? There seems to be a lot of JavaScript operating that player.

Re:That's good news!

[sound+vision]

Why are they giving you a GUI option for it when you have to go to about:config and mess with 4 or 5 different values to get it to actually do what it says? This has been broken for years, across many versions. Eventually I just installed Noscript.

This shouldn't need a third-party plugin, config-file tinkering, or even a GUI option to turn off. It should be the default behavior of the browser.

Re:

[wooloohoo]

This shouldn't need a third-party plugin, config-file tinkering, or even a GUI option to turn off. It should be the default behavior of the browser.

https://www.mozilla.org/en-US/... [mozilla.org]

Re:

[AmiMoJo]

The config option only disables the HTML tag that starts playback. Most sites use JavaScript to do it now so are not blocked.

uBlock helps but unfortunately all the popular block lists don't work too stop autoplay video because they don't want to break other parts of the site. I wish there was an option to just break the site if there is no other option to stop video and hide cookie consent overlays.

Re:

[drinkypoo]

That is lame. They should be prepending to the start of the video player, not dealing with HTML at all

Re:

[AmiMoJo]

It is frustrating. The problem is that if they just disable the Javascript play function then sites with a play button won't work.

We had this problem before with pop-up windows, tried to allow them only when the user interacted with the site and not running automatically when the page loads etc. Didn't work, spammers would just tie it in to timers or move movement events and stuff like that, so in the end they were just banned entirely.

The same could work for video. Only allow video to be played via control

Re:

[sound+vision]

NoScript errs on the side of "just break the site", if that's what you want. For me, that's exactly the kind of heavy hand that I need. "When I try to use the internet these days... (TrueScore: 5, Informative)"

The couple of domains I regularly want video from are whitelisted, so they work fine. Rarely do I want video from anywhere else, and when I do, "Disable restrictions for this tab" is just 2 clicks away.

Re:

[sound+vision]

Under the section "Settings: Autoplay" you get a drop-down menu with 3 choices: "Allow Audio and Video", "Block Audio", and "Block Audio and Video". There is no further explanation.

It doesn't make any distinction between HTML tags or Javascript - nor should it, because it doesn't matter. You want to block this stuff to conserve bandwidth & CPU or maintain aural peace. Not because you favor the JS method to accomplish autoplay over the HTML method.

The setting does not do what it says; autoplay audio and

Re:

[AmiMoJo]

I know, I'm just trying to explain why it's hard to actually make that setting work. Nobody has found a reliable way to do it that doesn't break large numbers of popular websites.

Re:

[QuietLagoon]

Thanks, I tried the changes suggested on that support page, and it does seem to not autoplay during my quick testing. Why aren't those settings triggered when I select "do not autoplay" in the config dialog? If the "do not autoplay" setting in the config dialog does not do what it's name suggests, why is it there?

Re:

[inode_buddha]

Yes, I remember the time I hot linked my brother to goatse, back when he has a 22" Sun RGB monitor...

Re:

[Joce640k]

the real (Google/Facebook) trackers use more sophisticated methods

Such as...?

Re:Googlefox

[Ostracus]

Magic. Some powerful stuff.

Re: Googlefox

[BAReFO0t]

List of available fonts, screen size, browser version, OS version, IP address, time, language, many different caches and their cache states for various resources, everything that recaptcha is using (like the timing patterns of your typing and mouse movements etc), you name it.

You get enough bits for uniqie identifiability pretty quickly.
Firefox stops many of those though.
But I wouldn't be surprised of the next step was using exploits. Because Jubii Chat already used that on IE (to store some state data) in

Re:

[Joce640k]

List of available fonts, screen size, browser version, OS version, IP address, time, language, many different caches and their cache states for various resources, everything that recaptcha is using (like the timing patterns of your typing and mouse movements etc), you name it.

Firefox stops many of those though.

Those are all old and mostly blocked.

You said yourself that Firefox already stops them.

Re:

[src04c]

Google analytics and other embedded JS that gets dumped in pages. Adsense. DNS (a LOT of people use their public recursive DNS resolvers). And 1x1 transparent tracking pixels/web beacons... to name a few.

Re: Googlefox

[shadow_slicer]

If you're using lynx on a vt100 for privacy then you're doing it wrong. There's probably only two people that send out that user agent on every request. I'm not sure they could realistically avoid being able to track you.

You're better off using something mainstream and hide in the crowd. Use common commodity hardware and software (yes that likely means something Chromium based diet the browser). Use one or more VPNs based in the same country. Don't install extensions or local fonts. Run the browser maximize

Re:Googlefox

[AmiMoJo]

Firefox is getting more aggressive about blocking, but can't go too fast or they will break sites people use. For example they are now starting to clear out data from sites you have not visited for a while, ignoring things like cookie expiry dates. That clears out everything, cache, cookies, all other site data.

They blocked fingerprinting via canvas for 3rd parties too. Would be nice to block all of it, or randomize it a bit to prevent fingerprinting from being useful. Font list fingerprinting has been blocked for a while too.

You still need some extensions for protection, but they are making some big improvements and the idea that they are "controlled" is laughable. In fact the idea that Chromium browsers are controlled is kind of hilarious too, given that they all allow extensive blocking via add-ons, and Google spent a considerable amount of time and money making the blocking API even more efficient to support them.

Re: Googlefox

[BAReFO0t]

Since Firefox Daylight, they are just as condescending and locked-down too.

On mobile, you can't even open about:config anymore. Let alone anything that lets you go behind the curtain on a site.
Can't put bookmarks on the new tab page either. Only its shitty non-portable clone, "collections".
Add-ons are limited to a fixed set of a very very few "approved" ones.
Don't even dream of running Greasemonkey or Stylish scripts. "Take back the web." my ass.

Yet I'll die before I ever touch anything Google. I've got a s

Re:

[AmiMoJo]

Firefox Mobile is a work in progress. They should call it beta because it's rapidly evolving. The new tab page will be replaced soon, for example.

Long term getting rid of about:config is the goal. It's not portable, doesn't sync, it's a pain to use and creates configurations that can't easily be tested. The functionality it offers will either be moved to the config UI or removed. I know you like it but it's a huge burden to support.

Re:

[iampiti]

I know it's gonna get better but it was a PITA that they released this new version of Firefox mobile without some features of the previous version (I used the tab queue and thought it was brilliant). You seem to know quite a bit about this. Just out of curiosity, do you work in Firefox? or just follow it closely?

Re: Googlefox

[BAReFO0t]

So the kids today got a name for that? "tab queuing"?

We used to Ctrl-click links to open things in background tabs way back when Firefox was new, and even before that, in Opera. I even remember selectinf a list of links (lile linked gallery images), and pressing ctrl-enter, o open them all up in the BG.

But I guess if you appity app app enough appiness into it, it's appily new again. :P

Re:

[ebyrob]

wget? What ever happened to curl?

Re:

[gweihir]

Actually, the gdpr does not mention cookies. I am not sure why everybody looks at cookies at the moment. Possibly there are some relevant verdicts regarding them. But the GDPR outlaws any kind of tracking or storing of personal data on your machine without consent.

Re:

[pjt33]

Actually, the gdpr does not mention cookies.

There is one incidental mention, in Recital 30:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural perso

Re:

[gweihir]

Indeed. "Bafflement" is exactly right.

Thanks for the reference though, people may have overlooked the "such as" and only saw "cookie identifiers". Well, I guess the courts will have to sort this out. At least when doing DGPR audits, I always tell people that it is not about the cookies but about the tracking and some actually get it.

Move fast and break things

[shadow_slicer]

I know Chrome also has an implementation of sharded third-party state (which is the technical term for separating caches and cookies [and socket pools] by first party site). I even think they started working on it first, but it's still in the experimental stage as it breaks too much to deployed by default.

I think it mainly breaks advertising, but causes problems with other embeds -- and what's the point of YouTube premium if you still see ads on embedded videos?

That said, good job for Firefox. It's not easy separating stuff out like this, as you effectively have to change every map to use 2-3 element tuples as keys instead of a single string. And if you keep in mind all of the different caches and storage browsers support (HSTS, favicons, pages, fonts, cookies, indexDB, service workers, etc) it's quite a bit of work.

Just another step of the current path...

[src04c]

With the stances many are taking anyhow. Cookies arent really being relied on as much. Google announced a year ago that third party cookies wouldn't even be supported about a year from now anyhow. https://www.cnbc.com/2020/01/1... [cnbc.com] What FF is doing that is nice is their Multi-Account containers. It previously was an add-on. But will be a default. https://addons.mozilla.org/en-... [mozilla.org] What i would really like to see them add support for per-container settings. Things like noscript settings, ublock settings, even proxy settings.

Re:

[sound+vision]

Looks like the perpetrators have got a 20-year jump on the EU regulators. Cookies are so Web 1.0. Reminds me of the text in the Brexit deal recommending Netscape Navigator. I suppose it's still better than not trying at all, which is the path the US is taking.

Re:

[Retired ICS]

I haven't supported third-party cookies for 40 years. Nice that Google is finally catching up. It took a long time to catch up to banning Flash. I wonder how long it will take to deprecate iframe's (which I already have disabled since 40 years).

There goes their funding

[bazmail]

Google's gonna love this

ephemeral storage

[awwshit]

I want a solution that makes all cookies, local storage, history, all temporary files of any type evaporate when I close the tab. Everything stored temporarily per tab and gone when I close the tab. Temporary means temporary, right?

Re:

[Errol backfiring]

Yeah, but even in nature an Ephemeron lives for one day.

Re:

[doconnor]

Don't private tabs already do a lot of that?

Re:

[awwshit]

Not exactly. And I'm talking about non-private tabs. Some browsers have a feature like this for when you close the entire browser vs a tab, but even then most of them miss local storage or other things. Can't remove everything, like favicons so easily. My browser mostly works for advertisers and not me.

Re:

[Luthair]

No he is right. The only distinction is that private browsing isn't per-tab its per-session, which you probably do want otherwise opening a link in a new tab may not work.

Re:

[AmiMoJo]

Cookie Auto Delete does that. Despite the name it clears everything.

Re:

[Big Bipper]

Use Qubes OS and do your browsing in a disposable VM. Voila, everything disappears when you close the VM.

Re:

[Retired ICS]

That is called "Forget Me Not" ... It has been around for many years.

A platform, built by hacks, for hack jobs.

[BAReFO0t]

I'm a former (pre-HTML5) web developer, and: Does anyone else think this is yet another example of how the "web" platform is designed, from ground up, by hacks doing hack jobs, for hacks doing hack jobs, and was never meant to be used for things as large as today?

I mean, I was there, I saw it. Netscape Navigator and IE... the one a horrible mess of spaghetti code, and the other one ... IE.
But anyone working in the industry today, how do you see it.
Is it still full of clueless people hiring clueelss people

Re:A platform, built by hacks, for hack jobs.

[Nrrqshrr]

As someone doing bioengineering and learning web development for fun, the amount of "workarounds" and little hacks I see people do is amazing. Watching people in the field work keeps reminding me of a quote from Saint-Exupery: 'Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.'
I cant imagine someone designing a car or a protein and adding extra parts just as a workaround or to overwrite the former guy's work without deleting it. Every part of the process must be fully accounted for and must exist for a specific single role that is absolutely vital to how the whole thing function.

Yet what I saw in web development is beyond ridiculous. Imported libraries that are never needed, using bloated frameworks for a single page website when pure JS/HTML/CSS could have done the job just fine, people not really worrying about performance because "Modern phones can handle it", following the latest flashy trends and adding buttons and animations and floating notifications when the end user just wants to read some fucking text...

Of course, am not working for a FAANG or a cutting edge "innovating" company from Silicon Valley (or Austin, now), so maybe what am seeing is just the works of the bottom-tier developers, but this field is still such a mess.

Re:

[Ostracus]

Bloat.

https://youtu.be/cvDyQUpaFf4 [youtu.be]

Re:

[Anonymous Coward]

>I cant imagine someone designing a car or a protein and adding extra parts just as a workaround or to overwrite the former guy's work without deleting it.

A lot of common crops have their entire genetic code duplicated multiple times, which is far more redundant

PARES?!

[MrNaz]

PARES?!
What the fuck people.

Count me in

[ddtmm]

Criticize in Firefox all you want but this is exactly the type of thing we need more of. I would even buy more ram for my browser's use if it meant I could finally start realizing true privacy. Tracking and personal privacy invasion have gone way too far and I love that Firefox and to a degree Safari are trying to do something about it. I've often thought I would even pay for a browser if it was truly all about the user experience and eliminated privacy concerns. Of course, with so many people hooked on "free" the critical mass needed to float that idea will never get off the ground. Sad.

And putting Android Add-ons back ?

[poptopdrop]

All this amazing new stuff. Mozzila.

Now how about putting back what you broke ?

Totally Broken ...

[daveime]

I don't know what the hell they've done, but I'm constantly getting logged out of websites that require a login. And not only the "common login" ones like Instagram using my Facebook login, but sites like Github and Reddit also that have dedicated login mechanisms.

How about clearing all cache's between

[oldgraybeard]

Web Sites and No Cross Site Anything! Seems simple to me ;)

I use NoScript in Firefox and you go to most web sites now and there are 5-10-20+ other sites providing pieces of the site or running scripts.
How in the heck does anyone even a tech savvy person really know what is going on. Let alone a normal web user.
To me I just enable the main site and if that does not work I move on. Unless I am forced to sort out the mess.

I really think we have 3 Internets now
1. The Commercial Internet, Ads Ads and more Ads, Tracking sand Spying galore. Rampant Ideological and Political censorship! And no privacy at all!
2. The Deep Web, which to me is becoming the real back bone.
3. The Dark Web oooo Danger Will Robinson Danger! ;) lol
I am thinking 2 and 3 are really getting to be the place to operate.
And encryption, encryption, encryption!

Commercialization and Monetization has made the www, domain named web useless and why even hang there much.

Cooke is for stage 1

[xeoron]

Hopefully next they will focus on blocking tracking pixels and also JS that tracks people across services for targeted advertising, which Google, FB, AWS Ads, and other services use.