Firefox Will Soon Block Third-Party Cookies
An anonymous reader writes "Stanford researcher Jonathan Mayer has contributed a Firefox patch that will block third-party cookies by default. It's now on track to land in version 22. Kudos to Mozilla for protecting their users and being so open to community submissions. The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'"
Translation: Boo-fucking-hoo. Online marketing scum have been abusing users for years, making this a retaliatory measure. Let them cry all they want, because nobody gives a shit.
"So after all this, you make my case for me. To end this stalemate, you must die..."
Stick it in v19.0.1. Bring it on!
Since Netscape 4.7 there has been an option to block third-party cookies (yet DoubleClick found a way around that). Changing a default option should have no impact on the advertisers - they can adapt or die.
[grumpy cat] Good.
If the advertising industry is still capable of responding, we obviously haven't nuked them enough yet.
...would be incorporating AdBlockPlus and NoScript and enabling both by default.
Do it.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Block 3rd party cookies, and that is. This is my default setting, and it rarely has any impact on the actual content of a website.
Enjoy life! This is not a dress rehearsal.
The great thing about Firefox is you can block all cookies by default, and whitelist only specific domains. Just block everything except ones you know you need (like maybe your banking site). Use "allow for session" for sites that need cookies for some reason but you don't need to save permanent data. There's also a great extension called "Cookie Monster" that will let you set all those options on a per-domain basis from the status bar.
cry more. If you want money, go get a real job.
Doesn't Safari already do this by default?
When they just get websites using their advertising services to add subdomains covering their cookies.
At that point you WON'T be able to solve this without a huge mess of per-domain whitelists, eventually coalescing into the cookies for the advertisers being handled THROUGH the corporate websites.
I was arguing this a decade or a decade and a half ago to anyone who would listen, but it was brushed off (and rightfully so, given that it's taken this long for a browser to actually do this by default).
The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'
This is a completely justified nuclear response. The nuclear first strike was when the advertising industry started stalking people everywhere they go without informed consent or even an easy way for average people to opt out, and with no way to purge your history. If you had only used cookies in the public interest, the browser that cares about its users would not have to respond to your hostile behavior.
Stop-Prism.org: Opt Out of Surveillance
I regularly clean out my cookies with "delete all", but I'd prefer to keep the ones for sites that require a login. But it's too hard to delete cookies individually.
You can achieve that in Firefox without any extra extensions. Under Privacy:
1. Use custom settings for history
   - Accept cookies from sites
   - Keep until: I close Firefox
2. Under Exceptions:
   - Add the sites you want to allow permanent cookies for, using the "Allow" button
Done. Sites you allow can store cookies until they expire, while other cookies are cleared every time you close the browser.
Most sites will work fine, but you'll have to add an exception for disqus.com if you want to post comments on sites that use Disqus. The latest version of it should detect this and warn you to enable cookies, though.
I would go even further than Mozilla plans to go (and Safari goes already):
By default, I would require all cookies to be either 1st party or "blessed" by either the user or the 1st party.
In other words, if Slashdot had a Facebook widget, either the end user would have to whitelist Facebook to allow it to deposit cookies from anywhere, or Slashdot would have to explicitly "bless" the specific widget or the web browser would not let the embedded Facebook widget read or write cookies without prompting the user first.
By default, I would have the web browser remind the user periodically that he had non-recently-used cookies and offer to clear them out.
Of course I would give the user options that included more or less privacy than the default.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The patch is not exactly a one-liner, because the implemented behavior is not as straightforward as just "block 3rd party cookies".
It's "block cross-site cookies from origins which I've not visited yet as 1st-party websites and don't already have 1st-party cookies from".
This means, for instance, that Facebook, Google and Twitter likely get a free pass to track almost anybody.
And that once you (accidentally or not) click any ad box, you give a free pass to its advertising agency too.
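The distinction the post draws (plain third-party blocking versus "block third-party cookies unless that origin already has cookies") is easiest to see by simulating both. The following is an added example and is not Mozilla's patch or any browser's code; the policy numbers mirror the values of Firefox's network.cookie.cookieBehavior preference as I understand them, the browsing sequence is constructed, and hostnames are given directly as registrable domains because a real browser would derive those from the public suffix list.

```python
"""Toy cookie jar comparing the third-party cookie policies discussed above.
Added example; not code from Mozilla or from the thread."""
from collections import defaultdict
from enum import Enum


class Policy(Enum):
    # Assumed to mirror Firefox's network.cookie.cookieBehavior values.
    ACCEPT_ALL = 0
    BLOCK_THIRD_PARTY = 1
    BLOCK_ALL = 2
    BLOCK_THIRD_PARTY_UNLESS_VISITED = 3  # the "visited" policy in the patch


class CookieJar:
    """Hosts are registrable domains (eTLD+1); comparison is plain equality."""

    def __init__(self, policy):
        self.policy = policy
        self.cookies = defaultdict(dict)  # cookie host -> {name: value}
        self.log = []  # (top-level site, cookie host, name, accepted)

    def set_cookie(self, top_level_site, cookie_host, name, value):
        """Apply the policy to a Set-Cookie from cookie_host while the address
        bar shows top_level_site. Returns True when the cookie is stored."""
        third_party = cookie_host != top_level_site
        if self.policy is Policy.BLOCK_ALL:
            allowed = False
        elif self.policy is Policy.ACCEPT_ALL:
            allowed = True
        elif self.policy is Policy.BLOCK_THIRD_PARTY:
            allowed = not third_party
        else:
            # "Visited" policy: a third-party cookie is accepted only if the
            # jar already holds a cookie for that host, which it can only have
            # obtained while the host was the first party.
            allowed = (not third_party) or bool(self.cookies.get(cookie_host))
        self.log.append((top_level_site, cookie_host, name, allowed))
        if allowed:
            self.cookies[cookie_host][name] = value
        return allowed


def run_scenario(policy):
    """Constructed session: log in to facebook.com, browse slashdot.org (Facebook
    widget plus an ad network never visited directly), click the ad, browse on."""
    jar = CookieJar(policy)
    r = {}
    # 1. First-party login cookie on facebook.com.
    r["fb_first_party"] = jar.set_cookie("facebook.com", "facebook.com", "c_user", "1")
    # 2. Embedded Facebook widget on slashdot.org sets a cookie (third party).
    r["fb_widget_on_slashdot"] = jar.set_cookie("slashdot.org", "facebook.com", "fr", "x")
    # 3. Ad network the user has never visited as first party.
    r["adnet_on_slashdot"] = jar.set_cookie("slashdot.org", "adnet.example", "uid", "a")
    # 4. The user clicks the ad and lands on adnet.example itself.
    r["adnet_first_party"] = jar.set_cookie("adnet.example", "adnet.example", "uid", "a")
    # 5. On the next site, the ad network tries again as a third party.
    r["adnet_on_cnn"] = jar.set_cookie("cnn.com", "adnet.example", "uid", "a")
    return r


if __name__ == "__main__":
    for p in Policy:
        print(p.name, run_scenario(p))
```

Under the "visited" policy the Facebook widget is accepted on slashdot.org because step 1 already stored a facebook.com cookie, and the ad network is blocked only until the single ad click in step 4, after which it is accepted everywhere; plain third-party blocking rejects both widget and ad network regardless of history.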
There's a browser safer than Firefox: it's Firefox with NoScript.
The "first-party context" loophole is the death knell of this thing, just as Safari's own mechanism doesn't actually protect anybody's privacy.
If you don't like tracking cookies, that's fine, but there is an infinite variety of workarounds for this so-called solution. One can easily use a URL proxy, for instance -- you click a link marked "Next Page" that actually goes to "entirelylegitimatewebsite.com/track_me_please," which sets a cookie and immediately redirects you to "mysite.com/nextpage." Hey presto, first-party context cookie set!
On the other hand, there's browser local storage, beacon URLs via AJAX... the list goes on and on. Hell, even if most web browsers _do_ start blocking all third-party cookies under all circumstances, the data kingpins will start offering handy little Rack and Tomcat plugins that use first-party cookies to track user behavior across the Web.
If you're a Web user who's paranoid about information leaks, you should already be using Tor and some privacy-centric web browser. But given the degree of personalization inherent in most of the 21st century Web, I have a hard time understanding why a paranoiac would use the Web at all.
Above post should be moderated to +10.
Sounds like the big guys are looking to squeeze out any smaller competition. Not a surprise, since Mozilla is pretty much Google's bitch.
Sites will start blocking Firefox browsers. If enough popular sites do this, people will be switching to other browsers. Or people will start making Firefox masquerade as a different browser, which (if it becomes popular) will subsequently be made illegal. That is assuming that third-party cookie blocking won't just be made illegal.
It is appropriate to describe this as a first-strike, because there will be a retaliatory salvo, and much of our Internet freedom will get caught in the crossfire.
If you have some spare time, restart your browser, fire up Wireshark and filter for DNS queries, then go to just the home page of any of a bazillion web sites... It is insane... one single page load of something like cnn, fox, nbc or forbes translates into 20-30 DNS queries for all manner of advertising and market intelligence companies. Everyone knows this stuff exists, but I was genuinely shocked by the volume and number of sites involved.
If it isn't cookies it will be fingerprinting, flash cookies, DNS cache probing + IP but we can work to mitigate these things as well.
It would be a wonderful world if that happened. I've always been really sad that we didn't manage to have a micropayment system in place in 1995, so that we could pay for what we used instead of having advertising shoved down their throats. I would much rather be the customer than the product.
That's a great idea. Then they could make a micropayment back to me for everything in the page they end up sending me that I don't actually read so they can offset the bandwidth cap that my ISP starts charging me extra for after it's been exceeded.
PS: Micropayments are an incredible bitch to implement, if you've ever tried it, since the transaction fees and data storage pile up. There's a reason the phone companies charge so much per text message, and a lot of it has to do with paying micropayments to themselves every time someone makes a micropayment on sending a text message. The transactional overhead is very high.
That's why we can block whichever cookies we choose.
Do you doubt that making "block all" the default is best?
You are welcome on my lawn.
Although I'd prefer that tracking would simply be made illegal, I tell you what: I'm less concerned about letting the big guys do it because they are more likely to have some basic security in place and controls to at least respect the TOS. I'm more concerned about small guys...
What a frelling disaster. The end of third party cookies will pose problems for my household. My wife is getting better at baking but so far cookies seem beyond her even with third party products.
I also think this could block lots of cookies used for SSO. Some people do actually like to be able to log in using their Twitter or GitHub credentials.
Then the question is, why not do it the other way round: allow 3rd parties to access their own cookies, but do not allow them to set a cookie if they are not the 1st party at the moment.
Fuck these assholes until they bleed.
"Nuclear first strike"? It's a counter-measure. I'm so sick of people using war rhetoric inappropriately. There is no "nuclear cookie blocker" and there is no "war on Christmas". There are no bombs going off and nobody is dying in the streets. This statement makes me want to bomb the corporate office of an ad agency so they have something to complain about*. Might stop the spam for a week too.
*This user does not support the actual use of explosives to make a point. Bombs are not educational tools and should be used responsibly. We now return to your regularly scheduled flame war.
Bullshit. Votes are more important than campaign funds.
And each company in the entertainment industry can control votes by using whatever news outlets its parent company owns to frame the political discourse.
Did you forget that Google is the third party cookie?
I never quite understood how, for the past several years, embedded PayPal payment buttons have remained completely broken if the client disabled third party cookies. Maybe if all browsers did this PayPal would finally fix their system.
In my opinion this is by far not enough. I think by default a browser should refuse any 3rd party content (subdomains of the same company don't count as 3rd party; there are public suffix lists to determine these). Not images, and especially not JavaScript.
Just give the user a visual hint that the page tried to include stuff from non-trusted domains and give the user the possibility to allow some 3rd-party domains for the page he's currently using.
This is not meant as a way to prevent online advertisement. It would still be possible for web-hosters to point a subdomain or proxy-path to an adprovider. But if they do so this means explicitly hosting and taking responsibility for all scripts and tracking pixels they include in their pages. And also that the ads would not be in the same cookie-context.
About the only thing that'll survive a nuclear war is cockroaches. So, if the cookie tracking online ad industry survives this nuclear strike, are they cockroaches...?
I hate to rain on your parade, but...
Let's say someone has a website http://www.good.example.com and wants http://ads.doubleclick.net to get past this filter. Assuming they control their own DNS, they simply need to set up a CNAME www.bad.example.com that points to ads.doubleclick.net. Voila, the ads.doubleclick.net server shows up on the same domain as www.good.example.com.
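The CNAME trick above and the earlier post's point that same-site decisions need a public suffix list fit together: a defender can follow the CNAME chain of every host a page loads from and flag any name that leaves the page's registrable domain. The following is an added example, not code from the thread or from any browser; the DNS records and the tiny public suffix list are constructed, and the hostnames are the ones from the post plus made-up ones.

```python
"""Detecting CNAME-cloaked third parties with a public suffix check.
Added example; DNS data and the suffix list below are constructed stand-ins."""

# Stand-in for the public suffix list; real code would load the full list
# from publicsuffix.org rather than hard-code a handful of suffixes.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}

# Constructed zone data: name -> (record type, target)
DNS = {
    "www.good.example.com": ("A", "192.0.2.10"),
    "www.bad.example.com": ("CNAME", "ads.doubleclick.net"),  # the post's trick
    "ads.doubleclick.net": ("A", "198.51.100.7"),
    "cdn.example.com": ("CNAME", "edge.example.com"),  # legitimate in-house alias
    "edge.example.com": ("A", "192.0.2.20"),
    "stats.example.co.uk": ("CNAME", "collect.tracker.example"),
    "collect.tracker.example": ("A", "203.0.113.5"),
}


def registrable_domain(host):
    """eTLD+1 of host under PUBLIC_SUFFIXES, trying the longest suffix first;
    None if host is itself a public suffix or no suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def resolve_chain(host, max_hops=8):
    """Follow CNAMEs in DNS, returning every name visited; the last entry is the
    canonical name (or the last known name if the chain dangles)."""
    chain = [host]
    while len(chain) <= max_hops:
        rec = DNS.get(chain[-1])
        if rec is None or rec[0] != "CNAME":
            break
        chain.append(rec[1])
    return chain


def is_cname_cloaked(host, first_party_site):
    """True when host carries the first party's name but its CNAME chain ends up
    in a different registrable domain, i.e. a third party behind a first-party name."""
    if registrable_domain(host) != first_party_site:
        return False  # visibly third party already; nothing is hidden
    return any(registrable_domain(n) != first_party_site for n in resolve_chain(host)[1:])


def audit(page_site, subresource_hosts):
    """Classify each host a page on page_site loads from."""
    report = {}
    for h in subresource_hosts:
        if is_cname_cloaked(h, page_site):
            report[h] = "cloaked:" + resolve_chain(h)[-1]
        elif registrable_domain(h) == page_site:
            report[h] = "first-party"
        else:
            report[h] = "third-party"
    return report


if __name__ == "__main__":
    hosts = ["www.good.example.com", "www.bad.example.com",
             "cdn.example.com", "ads.doubleclick.net"]
    for host, verdict in audit("example.com", hosts).items():
        print(f"{host:24s} {verdict}")
```

A blocker that keys only on the hostname in the request treats www.bad.example.com as first party; keying on the resolved canonical name instead exposes it, while the in-house alias cdn.example.com stays first party because its chain never leaves example.com.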
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Which is based on OAuth and has precisely nothing whatsoever to do with third-party cookies.
It does cause problems for other completely legitimate use cases, but this is not one of them.
How are sites slashdotted when nobody reads TFAs?
If this change reduces the overall efficacy of advertising on websites, then we'll likely see many independent websites go out of business. Facebook will love this, as it seems like their goal to rub out (yes, I mean this in the mobster sense) the web outside of them.
Maybe we need a compromise?
Have a website somehow "vouch" for the third-party cookies in use on their site by either disclosing them to their users, or letting them present an option/warning to visitors that says "To keep our site financially sustainable, we ask that visitors accept cookies from our advertisers -- to that end, we require cookies to not be blocked to access our content".
I understand why people detest advertising, but it's also part of a commercial ecosystem that keeps the independent web alive and kicking. If we allow the blocking of third-party cookies, we should also give webmasters the power to block access from anyone who is blocking them, and even more, blocking ads on their site. It's only fair.
Steve Magruder, Metro Foodist
If you're relying upon 3rd party cookies for SSO, you're doing it wrong.
Very, very wrong.
My
Except that the Ad agencies want to track you across different sites and won't have access to that cookie when the user is on foobar.com
I'm less concerned about letting the big guys do it because they are more likely to have some basic security in place and controls to at least respect the TOS
Exactly! Big companies would never have buggy infrastructure with poor security practices!
Kinda like Sony. Oh... wait.