Slashdot Mirror


Mozilla Delays Default Third-Party Cookie Blocking In Firefox

hypnosec writes "Mozilla is not going ahead with its plans to block third-party cookies by default in the Beta version of its upcoming Firefox 22. Mozilla needs more time to analyze the outcome of blocking these cookies. The non-profit organization released Firefox Aurora on April 5 with a patch by Jonathan Mayer built into it which would only allow cookies from those websites which the user has visited. The patch would block the ones from sites which hadn't been visited yet. The reason for Mozilla's change in plans is that they're currently looking into 'false positives.' If a user visits one part of a group of sites, cookies from that part will be allowed, but cookies from related sites in the group may be blocked, and they're worried it will create a poor user experience. On the other side of the coin, there are 'false negatives.' Just because a user may have visited a particular site doesn't mean she is comfortable with the idea of being tracked."

21 of 106 comments

  1. No issue. by magic+maverick+ · · Score: 5, Insightful

    I have third-party cookies (indeed, all cookies, except those from domains specifically whitelisted) blocked. I've never noticed a problem with blocking third-party cookies. I have a heck of a lot more issues with third-party JavaScript (people using Google-hosted or similar JQuery for example).

    So, Firefox, take note, there are not going to be any problems for the vast majority of people.

    (I use CookieMonster, it works real nice like.)

    --
    HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
    1. Re:No issue. by rudy_wayne · · Score: 5, Insightful

      I have third-party cookies (indeed, all cookies, except those from domains specifically whitelisted) blocked. I've never noticed a problem with blocking third-party cookies. I have a heck of a lot more issues with third-party JavaScript (people using Google-hosted or similar JQuery for example).

      So, Firefox, take note, there are not going to be any problems for the vast majority of people.

      I find it laughable that one of Mozilla's excuses for not doing this is "they're worried it will create a poor user experience". Over the last few years Mozilla has made a number of changes to Firefox that were met with user complaints, and continue to be a source of user complaints and the developer's response is always a resounding "fuck you".

      As far as cookies go, don't forget that Mozilla currently gets $300 Million a year from Google, whose entire gazillion-dollar-a-year business model is based on tracking people.

  2. I block 3rd party cookies by default by Anonymous Coward · · Score: 3, Interesting

    The only thing I notice is I can't comment on Disqus (a 3rd party site that handles comments on some blogs). I don't care about it, block them.

    Firefox should focus on privacy, it's their USP. Google for example, doesn't let you accept cookies for the 'session only', you accept them or not on their Android browser. At some point you have to accept cookies, so this is a fake choice, you'll end up with that feature always on because it's too much fuss to turn it on when it's needed.

    Firefox 'accept cookies for session only' option is my default, it lets me work on sites that use cookies, but throws them away when I close the browser.

    Things like this are why I use Firefox.

    1. Re:I block 3rd party cookies by default by flimflammer · · Score: 2

      The problem Mozilla finds itself in now is that since a large number of people use it, it's harder to make such changes. You might think this is a no brainer, but people who use Disqus or other services which are built around third party cookies, of which there are many, might disagree with their page or sites they visit breaking and either not knowing the cause, or not being knowledgeable enough to fix it.

      This wasn't such a problem when using Firefox was more of a techie thing. Now they need to tread lightly. It'll happen; they just need to consider what happens to the users who are affected negatively by this.

  3. I've been blocking 3P cookies for years by KeithH · · Score: 5, Insightful

    and have never noticed a problem. This has always struck me as a no-brainer and it's annoyed the hell out of me that I have to modify the setting on every platform for each of my five family members.

    I can't wait for them to change the default behaviour and I'll be very interested to see if they uncover any side effects that could conceivably be considered undesirable by the user.

    My biggest worry is what the websites might do to circumvent the change.

  4. Re:Ummmm.. by bazmail · · Score: 5, Insightful

    Blocking third party cookies will not break cross site logins like Google have implemented between google.com and YouTube, as they use the redirect method. Sign into Google and watch the address bar. They redirect to YouTube passing a one-time sign-in code in the query string. It has nothing to do with 3rd party cookies as the only cookies you get are from the sites in your address bar.

    The only thing 3rd party cookies are useful for is tracking you. Anyone who says otherwise makes their living out of stripping you of your privacy.

  5. Bullshit by fustakrakich · · Score: 3, Interesting

    They caved to pressure from advertisers

    --
    “He’s not deformed, he’s just drunk!”
  6. Re:Ummmm.. by Oo.et.oO · · Score: 2

    not for sites that use 3rd party commenting systems, et al. Disqus

    i'm not saying i like this implementation, but surely this firefox feature will break this. i see it all the time using cookie monster plugin

  7. Hasn't been a problem for me by IntermodalAgain · · Score: 4, Insightful

    I've been managing my cookies with extensions for years. Even most first-party sites have no business leaving cookies and are seldom a problem. I look forward to this becoming standard.

  8. Disqus is the problem by MobyDisk · · Score: 5, Insightful

    There is one very large product that relies on 3rd-party cookies: Disqus. It is used by a lot of popular sites such as Thingiverse and StackOverflow. Disqus simply needs to fix the problem. There is actually a discussion on StackOverflow about this: http://meta.stackoverflow.com/questions/126764/why-does-registration-require-third-party-cookies-to-be-enabled

    The last time I looked at it it claimed the problem was fixed, but I just now tried to register and it says this:

    Third Party Cookies Appear To Be Disabled
    This site depends on third-party cookies, please add an exception for https://openid.stackexchange.com/.

    1. Re:Disqus is the problem by Luthair · · Score: 4, Interesting

      Really, who cares about Disqus? I immediately added a filter for them to adblock when I noticed a suggested thread 'Soandsos baby mama' on the AngularJS API docs.

      Anyone the least bit privacy conscious should be blocking Disqus along with G+, Facebook, Twitter, etc. on their party sites.

    2. Re:Disqus is the problem by MightyYar · · Score: 2

      I'm sure that I'm naive, but can't they just run a little script that detects the cookie, and if not found asks the user to click a link to enable comments? Then the user would have visited the site (Disqus) and the Firefox block would be removed forever forward.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:Disqus is the problem by gl4ss · · Score: 2

      ...by providing a login button that does the redirect dance back and forth.

      that's how such system would have been meant to be used in the first place. of course they wouldn't get random visitor tracking as their business model that way but meh, those are the breaks.

      --
      world was created 5 seconds before this post as it is.
    4. Re:Disqus is the problem by EXTomar · · Score: 2

      Disqus is only an example but the point is that there are "third party web components" that will be affected by a platform wide block. For cases like this it is good to give legitimate component software a "transitional grace period" to move away from the deprecated behavior before locking it out from modern versions onward.

      I view control over "third party sources" in web content as a serious security issue but I also admit that I don't know the full ramifications of an outright ban either where taking the grace period to do some metrics is probably a good idea. What I would like Mozilla to do is allow it in Firefox 22 but expose it as an option under Options/Advanced so it can be toggled with removing the option and enabling it later.

    5. Re:Disqus is the problem by gl4ss · · Score: 2

      You're going to have to go into more detail. At the very least:

      1. Explain how having to reload the page (Jump to Disqus and then bounce back) going to be positive for the user's experience. I certainly don't see how it would be remotely positive.

      2. How is this going to work without the host installing something on their server? As I said, a selling point of Disqus is that it doesn't need anything on the hosts' server at all, just some boiler plate HTML that inserts the Disqus Javascript script.

      I don't see your solution as being "How they should have done it all along". It's inefficient, kludgy, and fails the ease-of-installation test.

      the solution can entirely be javascript included in the page source, mostly as it is. the only thing that would break with breaking of cross site cookies/storage would be that you wouldn't be already logged in when you go to another disqus enabled site.

      though, admittedly, I viewed it as a bonus that the login is intrusive and the user has to visit the site of the service he's authenticating to. think of it as one-click-sign-on instead of already logged in when you go to a new site single-sign-on.. the page could be redirected automatically to go through disqus and back of course causing slight inconvenience.

      they would still have cross site tracking of everyone who logged in - moved the tracking information from disqus domain to the domain of the site, that's what the login is - and yes this does not need anything running on the server just javascript on the page that gets the data and saves it in cookie or localstorage on return from the login.

      mainly the point was the disqus wouldn't _totally_ break from breaking 3rd party cookies.

      --
      world was created 5 seconds before this post as it is.
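
Added example, not part of any comment above: a small JavaScript model of the redirect sign-in that bazmail and gl4ss describe, in which the login site passes a one-time code in the query string and the embedding site then sets only its own first-party cookie. The origins idp.example and blog.example, the function names, the in-memory stores and the server-to-server redeem step are assumptions made for the illustration.

```javascript
// Added illustration; idp.example / blog.example and all names are hypothetical.
const webcrypto = typeof require === 'function'
  ? require('node:crypto').webcrypto : globalThis.crypto;
const randomHex = (n) => Array.from(webcrypto.getRandomValues(new Uint8Array(n)),
  (b) => b.toString(16).padStart(2, '0')).join('');

const CODE_TTL_MS = 60000;   // a short lifetime keeps the replay window small
const pending = new Map();   // login site: code -> { user, audience, expires }
const sessions = new Map();  // embedding site: session id -> user

// Login site (idp.example): the user is signed in here with a first-party
// cookie. Build the URL that sends the browser back with a one-time code.
function issueRedirect(user, returnTo, now = Date.now()) {
  const target = new URL(returnTo);
  const code = randomHex(16);
  pending.set(code, { user, audience: target.origin, expires: now + CODE_TTL_MS });
  target.searchParams.set('code', code);
  return target.toString();
}

// Login site, server-to-server: a code is redeemable once, by one origin.
function redeem(code, audience, now = Date.now()) {
  const entry = pending.get(code);
  pending.delete(code);      // burned on first presentation, valid or not
  if (!entry || entry.audience !== audience || now > entry.expires) return null;
  return entry.user;
}

// Embedding site (blog.example): trade the code for a session of its own.
function handleLanding(landingUrl, siteOrigin, now = Date.now()) {
  const url = new URL(landingUrl);
  if (url.origin !== siteOrigin) return null;
  const user = redeem(url.searchParams.get('code'), siteOrigin, now);
  if (user === null) return null;
  const sid = randomHex(16);
  sessions.set(sid, user);
  url.searchParams.delete('code');  // keep the code out of history and Referer
  return {
    setCookie: `session=${sid}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    location: url.toString(),       // redirect to the clean URL
    sid,
  };
}
```

Every cookie in this exchange is set by the origin shown in the address bar at that moment, so a third-party cookie block does not affect it; the code's single use, audience binding and expiry are what stop a leaked URL from being replayed.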
  9. Re:Um ... by neminem · · Score: 2

    I'd give you mod points if I had them: +1 for singular they. Using a gendered word for a person of unknown gender is dumb, and singular they is a perfectly reasonable workaround.

  10. Re:Ummmm.. by Bill_the_Engineer · · Score: 2

    And blocking it is a bad thing?

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  11. Re:Ummmm.. by Runaway1956 · · Score: 3, Interesting

    I block third party cookies. What happens when I land on a page that uses Disqus? I have to coax the browser to log me in to Disqus. And - that is just the way I want things to be. Disqus doesn't need to know where I browse, or what I'm reading, unless and until I CHOOSE to summon Disqus.

    Children, if you're going to dabble in the arcane arts, you must learn to control those demons - or you will find that the demons control YOU!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  12. Are they really that bad? by roosauce · · Score: 2

    I've been in digital advertising for over 14 years, and have always been involved in tracking / targeting of ads. I don't bother to block cookies, simply because I honestly don't see much privacy infringement. At the back end of our tracking systems I just see a bunch of numbers. I've never once seen a name and honestly I have no desire to target or track an individual ... there's no money in such a tight target group, but we purposely don't try in any case.

    All this Mozilla change means to me is that a lack of data will mean I pay web publishers less ... and I deliver nappy ads to pensioners :P

    What worries this little advertising stalwart is credit checking firms, they're much more likely to have the data you're looking to protect and none of it comes from third party cookies.

    Peace out ...

  13. Analyze this, Mozilla. by UltraZelda64 · · Score: 2

    I've been blocking third-party cookies for years with absolutely no hint of any site failing to load correctly. If there is ever a problem, it is scripting, and choosing to disable NoScript on one or more sites typically sorts that out. Get the advertising industry's dick out of your ass and just fucking block third-party cookies already, Mozilla. It should have been done a hell of a long time ago. This new versioning system can be so amazingly retarded; we're at Firefox 21 already, already talking about Firefox 22, and Mozilla is still dragging their feet around on something as simple as the default fucking setting of a checkbox regarding third-party cookies. Talk about illusion of progress! You know that by this point, Mozilla no longer gives a shit about their actual users and seems to have their priorities in the advertisers; otherwise there would be no question, no delay. Why hasn't there been a fork of Firefox yet? IMO, it's been needing one free of Mozilla's bullshit since the 2.x.x days at the very least, or possibly 3.x. This is getting ridiculous.

  14. Once, long ago by Arker · · Score: 2

    Cookies used to be really easy to deal with using mozilla, it wrote them all to cookies.txt. You just went in, deleted cookies.txt once, then mkdir cookies.txt. Then set it to allow cookies across the board. All websites worked fine, but anytime you restarted the browser they were all gone. Not 100% ideal but still a quick and relatively foolproof way to assert some sanity. So of course they changed that.

    Now... let me get this straight, they are thinking about maybe, eventually, blocking third party cookies by default. Better late than never I guess, but it seems pathetic both in timing and scope as well, since they appear to be worried only about cookies(!) rather than scripting. Third party scripts are a much bigger problem. Both cases should have been blocked by default 10 years or more ago. At this point, yes, I would imagine some problems.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.