Firefox Will Soon Block Third-Party Cookies

An anonymous reader writes "Stanford researcher Jonathan Mayer has contributed a Firefox patch that will block third-party cookies by default. It's now on track to land in version 22. Kudos to Mozilla for protecting their users and being so open to community submissions. The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'"

Online Advertising Response

[FSWKU]

The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'

Translation: Boo-fucking-hoo. Online marketing scum have been abusing users for years, making this a retaliatory measure. Let them cry all they want, because nobody gives a shit.

Re:Online Advertising Response

[CheshireDragon]

I have always turned of the third party cookies, but good move for making it a default.
And to hell with marketers, they can cry all they want. They have already stripped most television show of a title sequence and forced shows to start rolling credits while still running. Ihave always wondered why I pay for a ton of cable channels when all I am really doing it watching commercials. Good thought to the creator of the DVR.

Re:Online Advertising Response

I think the advertisers have a legitimate point, and should retaliate. How about trying to pay web site owners to alter their sites so they refuse to load on FireFox? I bet that would be a hilarious and very short negotiation.

In all seriousness, advertisers are simply the worst form of corporatism: All they want is more of everything, regardless of what they already have. They don't like being blocked like this, let them invent their own Internet with its own bizarre, user-hostile set of rule. They could call it facebook, perhaps...

Re:Online Advertising Response

[bipbop]

I think whether or not it's newsworthy is decided by its effects, not how much effort it takes to implement.

Re:Online Advertising Response

[JaredOfEuropa]

Killing 3rd party cookies doesn't mean the end of advertising, not even the end of targetted ads like Google adwords. Neither rely on 3rd party cookies. It will mean the end of tracking users across sites, collecting browsing history that they have no business collecting (and which most users are not even aware of).

Re:Online Advertising Response

[bhagwad]

I would much rather pay by seeing ads instead of paying actual cash. Websites are free to advertise to me as much as they want. If I don't like the ads, I stop using them. There's no need for browsers to protect me.

Re:Online Advertising Response

[fluffy99]

It's interesting that no-one has ever tried to retaliate against them using the COPPA law, which makes it illegal to track and retain information on underage kids.

Re:Online Advertising Response

blocking third party cookies doesn't, in any way, prevent a website from displaying ads on a website. This isn't an either/or situation. The third-party cookies are used to track users.

Re:Online Advertising Response

[Cryacin]

Wait a second. "Think of the children" used to PROMOTE privacy? That's not how it's supposed to work! My head hurts, I have to go and lie down for a while...

Re:Online Advertising Response

[Mitreya]

And to hell with marketers, they can cry all they want. They have already stripped most television show of a title sequence and forced shows to start rolling credits while still running.

If they only stopped at that!
Are you not getting the damn characters running across your show, in the middle of the show? It superimposes over the current show I am actually watching, just like a popup ad online

Also, a simple comparison of show length, demonstrates that in the 60s/70s shows ran for 26.5 minutes, while current sitcoms are around 22.5 minutes per half hour. And you get to see pop-ads in the middle of some of those three 7-minute long pieces.

Re:Online Advertising Response

IMHO, the next step is to block referrer information to third party sites. E.g. if example.com loads a script from gstatic.com, then the HTTP_REFERER header is not sent to gstatic.com. There's almost zero collateral damage (one captcha service doesn't work), and companies like Facebook and Google no longer get to know every site that most internet users visit.

Re:Online Advertising Response

[PopeRatzo]

Sorry Charlie, but advertising and monetization drives the "free content" you see on the web.

And blocking third party cookies does nothing to stop advertising and monetization.

It just puts it on a more honest footing.

By the way, there was free content on the web before there was advertising. Maybe you're not old enough to remember.

Re:Online Advertising Response

I canceled Sky a long, long time ago, when they started broadcasting general advertisement on History Channel, National Geographic etc. Went from reading 1-2 books per year to more than 30. There's not much to see anyway: films are quite boring and lame, TV series are the same or really bad production (Sword of Truth comes to mind) and most documentaries are simply ridiculous with one third of the content being useless reviews after advertisements (just imagine to see them with half of the number of interruptions, it's completely insane). I would gladly pay for BBC documentaries however.

Re:Online Advertising Response

[me+at+werk]

Ah, well, it seems they're doing that in the mobile market, anyway.

They're actually doing something about this because some smartphone games for children do location tracking, and nobody knows why.

According to the FTC, among its more troubling findings is that many children's apps "shared certain information with third parties -- such as device ID, geolocation, or phone number -- without disclosing that fact to parents. Further, a number of apps contained interactive features -- such as advertising, the ability to make in-app purchases, and links to social media -- without disclosing these features to parents prior to download."

Re:Online Advertising Response

[petsounds]

Well, the public was given a choice back in the 90's. There were ad-driven sites, and there were subscription-based sites.

We know which business model won. The "free" one, because people tend to value short-term rewards over long-term ones. The tracking and collusion by ad companies is just natural evolution of the wild west world of internet advertising. Ad rates have gotten so low that Google would probably be as poor as Yahoo if they weren't keeping tabs on you wherever you go and offering that profiling to advertisers. Facebook as well.

So, this completely has to do with ads on the internet. The public chose short-term self-interest, and now we're reaping the consequences of that choice. I know that a lot of newer slashdotters probably work at VC-funded startups, and think that the internet is just a giant playground where everything is free, but some of us lived and worked through dot-com fantasyland 1.0, and the reality is that businesses have to actually make money. The sad thing is that we're just going through the same cycle again. VC money is a cancer on the tech industry, because it creates unsustainable business models, suppresses competition, and turns the customer into a product.

Re:Online Advertising Response

[JaredOfEuropa]

Good point... I don't see any harm in allowing 3rd party session cookies (anyone?). I don't think FF currently has an option to block 3rd party cookies but allow session cookies from 3rd parties,not even manually. If you're in the business of making apps like this, perhaps it's worth pointing out to the FF guys; they might not have thought of everything. Just look at the crappy cookie law we just got in Europe.

Re:Online Advertising Response

[hedwards]

It's not the writers and producers, it's the TV station owners that make those decisions. I doubt very much that the writers, producers and assorted people that work so hard to create the programming like to see the credits smashed up so that nobody can read them.

Re:Online Advertising Response

[TheGratefulNet]

I have not watched network/premium tv for quite a while, now (3 yrs, maybe longer).

recently, I was staying in some hotels and wanted to see what 'was on'. realize, I have not seen the state of 'current tv' for years.

the moving ads at the bottom and all the rest that you and parent posters have said really turned me off. enough that I will still not consider paying for satellite, cable or anything else 'pay tv'.

really gross and hard for me to accept. I'm over 50 and I do remember when tv was watchable. (yes, goml, etc). but if you have not been desensitized by it gradually, the jump in annoyance factor is too great. I think they have lost me, forever now, as a customer.

tv was always an ad medium, but now its just too absurd!

I can fully, fully understand why the youth culture is all about capturing shows, editing the BS out of them and reuploading them. I fully understand that and I can't blame anyone for wanting to get around the crap.

sorry, industry; you pissed off your customers and many have rebelled and won't ever come back.

Re:Online Advertising Response

[CFTM]

Your analysis fails to take into account that for a very long time (since TV was invented) the distribution channels have been tightly controlled thus content creators had to jump through the hoops of the content distributors. This is changing, but change takes time and producing content at this scale is a very expensive proposition thus people are unwilling to take risks on independent distribution.

You can draw corollaries to the music industry which is notorious for screwing over content creators. Again, music companies were able to use their position in distribution to extract economic rents and dictate how business took place.

This is *NOT* about the creators not caring, it's about there being no viable alternative in their mind (which isn't the case but someone has to prove ... and oh by the way, Macklemore did just that with "Thrift Shop").

Re:Online Advertising Response

[egarland]

> I have always wondered why I pay for a ton of cable channels when all I am really doing it watching commercials.

Because, half the cost of the programming you are watching comes from commercials. The average TV watcher watches about $80 worth of adds per month. (That's assuming about $0.02 per commercial watched, 30 commercials per hour, and 130 hours of TV watched per month which, as far as I know, are roughly accurate averages.) Would you pay $80 more for all that content without the commercials?

Re:Online Advertising Response

[nmb3000]

IMHO, the next step is to block referrer information to third party sites. E.g. if example.com loads a script from gstatic.com, then the HTTP_REFERER header is not sent to gstatic.com. There's almost zero collateral damage (one captcha service doesn't work), and companies like Facebook and Google no longer get to know every site that most internet users visit.

I agree whole-heartedly with this sentiment, but it might cause more grief that most would guess.

Over the last year or so I've played around with blocking the referer header from being sent at all, to any websites. 99% handle this just fine, but every now and then I'll come across sites that fail, and in various ways. Sometimes I get a useless error message from CloudFlare, and sometimes the page will simply render blank, like this one (in this case because TypeKit issues a 403 when requesting the CSS if the referer is missing).

I have no idea why some sites rely so heavily upon an HTTP header which is not required to be present at all. I'd love to see a browser start to do what you suggest and exclude the header in 3rd party requests because it would force sites to treat the header as it was intended (advisory only) and would also make it easier for those who want to block sending it entirely.

Re:Online Advertising Response

[brandonY]

The trick is to make sure that you never have any way of finding out that the person you're tracking is under 13. Never ask for their age.

Re:Online Advertising Response

[nedlohs]

For firefox: network.http.sendRefererHeader, set it to 0 in about:config

Re:Online Advertising Response

[LordLimecat]

That doesnt work in statutory rape cases, why would it work here?

Why wait for v22?

[Jimbookis]

Stick it in v19.0.1. Bring it on!

Re:Why wait for v22?

[kthreadd]

Because there is a staging process for adding features to Firefox, so that nothing breaks once something reaches the release builds.

First strike was in Netscape

[Sigma+7]

Since Netscape 4.7, there was an option to block third-party cookies (yet DoubleClick found a way around that). Changing a default option should have no impact on the advertisers - they can adapt or die.

Need more nukes

[femtobyte]

If the advertising industry is still capable of responding, we obviously haven't nuked them enough yet.

A nuclear first strike...

[John+Hasler]

...would be incorporating AdBlockPlus and NoScript and enabling both by default.

Do it.

Re:A nuclear first strike...

[Mitreya]

incorporating AdBlockPlus and NoScript and enabling both by default.

Quite a few websites (whether intentionally or not) make it difficult to figure out which domain needs to run javascript for them to function. It is often _not_ the current domain. So users will end up choosing "Enable all scripts (dangerous)" option with NoScript sooner or later.

Also, when the webpage redirects you to a processor for finalizing a payment, a lot of work can be lost. Cannot go back without losing entered data and cannot complete the payment because reload will screw things up. NoScript should really ask you "Click redirects to a different domain -- enable scripts there?"

Re:A nuclear first strike...

[Mr.+Slippery]

More likely ad supported sites would start testing for and blocking users of those addons

...and so we teach the addons to cheat on those tests.

If you don't, you should

[bradley13]

Block 3rd party cookies, and that is. This is my default setting, and it rarely has any impact on the actual content of a website.

just block all cookies

[manicpop]

The great thing about Firefox is you can block all cookies by default, and whitelist only specific domains. Just block everything except ones you know you need (like maybe your banking site). Use "allow for session" for sites that need cookies for some reason but you don't need to save permanent data. There's also a great extension called "Cookie Monster" that will let you set all those options on a per-domain basis from the status bar.

No the complaining will start...

When they just get websites using their advertising services to add subdomains covering their cookies.

At that point you WON'T be able to solve this without a huge mess of per-domain whitelists, eventually coalescing into the cookies for the advertisers being handled THROUGH the corporate websites.

I was arguing this a decade or decade and a half ago to anyone who would listen, but it was brushed off (And rightfully so given that it's taken this long for a browser to actually this by default.)

Nuclear Response

[Bob9113]

The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'

This is a completely justified nuclear response. The nuclear first strike was when the advertising industry started stalking people everywhere they go without informed consent or even an easy way for average people to opt out, and with no way to purge your history. If you had only used cookies in the public interest, the browser that cares about its users would not have to respond to your hostile behavior.

Re:Nuclear Response

[Blue+Stone]

The ad industry launched several nuclear 'first-strike' slavos against browsers: pop-ups, pop-unders, interstitials, flashing seizure-inducing Gif ads, javascript pop-overs, flash audio adverts, scroll-overs, surreptitious super cookies, etc, etc, etc.

Fuck them. In the ass.

No lube.

Re:Safari

[Forever+Wondering]

Doesn't Safari already do this by default?

In the first bugzilla entry for the patch, it details what Safari does and proposes to mimic it.

Re:Feature Request: remove all cookies EXCEPT

[rihkama]

I regularly clean out my cookies with "delete all", but I'd prefer to keep the ones for sites that require a login. But it's too hard to delete cookies individually.

You can achieve that in Firefox without any extra extensions: Under Privacy: 1. Use Custom settings for history - Accept cookies from sites - Keep until: I close Firefox 2. Under Exceptions: - Add sites you want to allow permanent cookies sites using "Allow" button Done. Sites you allow can store cookies until they expire while other cookies are cleared every time you close the browser.

Not that simple (Re:Online Advertising Response)

[Giorgio+Maone]

The patch is not exactly a one-liner, because the implemented behavior is not as straight-forward as just "block 3rd party cookies".

It's "block cross-site cookies from origins which I've not visited yet as a 1st party websites and have already 1st party cookies from".

This means, for instance, that Facebook, Google and Twitter gets likely a free-pass to track almost anybody.

And that once you (accidentally or not) click any ad box, you give a free-pass to its advertising agency too.

Consequences

Sites will start blocking Firefox browsers. If enough popular sites do this, people will be switching to other browsers. Or people will start making Firefox masquerade as a different browser, which (if it becomes popular) will subsequently be made illegal. That is assuming that third-party cookie blocking won't just be made illegal.

It is appropriate to describe this as a first-strike, because there will be a retaliatory salvo, and much of our Internet freedom will get caught in the crossfire.

Re:Consequences

[Mashiki]

Sites will start blocking Firefox browsers...

Considering anyone with 3 firing neurons already blocks advertising to begin with, this is pretty much moot. The reality is advertisers have been abusing cookies for decades, the worst of advertisers have been abusing advertising itself, and allowing malware into their networks and taking a 'cut' of the scam.

Personally? Until advertisers man up, and stop acting like the guy standing on the corner of a shady neighborhood going "hey, wanna buy some shit..." they can simply suck it.

Insanity laden cookies

[WaffleMonster]

If you have some spare time restart your browser, fire up wireshark and filter for DNS queries then go to just the home page of any of a bazillion web sites... It is insane... one single page load of something like cnn,fox,nbc,forbes translates into 20-30 of dns queries for all manner of advertising and market intelligence companies.. Everyone knows this stuff exists but I was genuinly shocked by the volume and number of sites involved.

If it isn't cookies it will be fingerprinting, flash cookies, DNS cache probing + IP but we can work to mitigate these things as well.

Micropayments

[tlambert]

It would be a wonderful world if that happened. I've always been really sad that we didn't manage to have a micropayment system in place in 1995, so that we could pay for what we used instead of having advertising shoved down their throats. I would much rather be the customer than the product.

That's a great idea. Then they could make a micropayment back to me for everything in the page they end up sending me that I don't actually read so they can offset the bandwidth cap that my ISP starts charging me extra for after it's been exceeded.

PS: Micropayments are an incredible bitch to implement, if you've ever tried it, since the transaction fees and data storage pile up. There's a reason the phone companies charge so much per text message, and a lot of it has to do with paying micropayments to themselves every time someone makes a micropayment on sending a text message. The transactional overhead is very high.

Re:Not that simple (Re:Online Advertising Response

Above post should be moderated to +10.

Sounds like the big guys are looking to squeeze out any smaller competition. Not a surprise, since Mozilla is pretty much Google's bitch.

Although I'd prefer that tracking would simply be made illegal, I tell you what: I'm less concerned about letting the big guys doing it because they are more likely to have some basic security in place and controls to at least respect the TOS. I'm more concerned about small guys...

Re:Not that simple (Re:Online Advertising Response

[eric_herm]

I also think this could block lots of cookies used for SSO. Some people do actually like to be able to log using their twitter or github credentials.

Re:Not that simple (Re:Online Advertising Response

[allo]

then the question is, why not doing it the other way round: allow 3rd-partys to access their own cookies, but do not allow them to set a cookie, if they are not the 1st party at the moment.

- is tired of hyperbole

[SampleFish]

Fuck these assholes until they bleed.

"Nuclear first strike"? It's a counter-measure. I'm so sick of people using war rhetoric inappropriately. There is no "nuclear cookie blocker" and there is no "war on Christmas". There are no bombs going off and nobody is dying in the streets. This statement makes me want to bomb the corporate office of an ad agency so they have something to complain about*. Might stop the spam for a week too.

*This user does not support the actual use of explosives to make a point. Bombs are not educational tools and should be used responsibly. We now return to your regularly scheduled flame war.

Maybe PayPal will fix their system...

[t4ng*]

I never quite understood how, for the past several years, embedded PayPal payment buttons have remained completely broken if the client disabled third party cookies. Maybe if all browsers did this PayPal would finally fix their system.

Re:Maybe PayPal will fix their system...

[t4ng*]

Whoops, just read through the thread on Bugzilla about the patch. It's not really disabling third party cookies completely. It still allows third party cookies to be exchanged if cookies from that third party already exist on the client. So if you visited PayPal directly, then went to a web site with an embedded PayPal button, that site would still send client's PayPal cookies.

That seems like a good trade-off between security and zero-config for most cases. But if also means unless you explicitly disable all third party cookies, sites like Facebook will still be able to follow you around the web.

They are claiming to be cockroaches?

[the_B0fh]

About the only thing that'll survive a nuclear war is cockroaches. So, if the cookie tracking online ad industry survives this nuclear strike, are they cockroaches...?

Easy to bypass 3rd-party-cookie-blocking via CNAME

[knorthern+knight]

I hate to rain on your parade, but...

Let's say someone has a website http //www.good.example.com, and want http //ads.doubleclick.net to get past this filter. Assuming they control their own DNS, they simply need to set up a CNAME www.bad.example.com that points to ads.doubleclick.net. Voila, the ads.doubleclick.net server shows up on the same domain as www.good.example.com.

Re:Not that simple (Re:Online Advertising Response

[Firehed]

Which is based on OAuth and has precisely nothing whatsoever to do with third-party cookies.

It does cause problems for other completely legitimate use cases, but this is not one of them.

Re:Not that simple (Re:Online Advertising Response

[Zenin]

If you're relying upon 3rd party cookies for SSO, you're doing it wrong.

Very, very wrong.