Slashdot Mirror


Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation (bleepingcomputer.com)

An anonymous reader writes: Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet. The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55. FPI works by separating cookies on a per-domain basis.

This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertiser loads an ad. With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing. This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile. This feature was first implemented in the Tor Browser, a privacy-focused fork of the Firefox browser managed by the Tor Project, where it is known as Cross-Origin Identifier Unlinkability. FPI was added to Firefox as part of the Tor Uplift project, an initiative to bolster the Firefox codebase with some of the Tor Browser's unique privacy-focused features. The feature is not enabled by default. Information on how to enable it is in the linked article.

93 comments

  1. Make TOR default by Anonymous Coward · · Score: 0, Insightful

    All problems solved!

    1. Re:Make TOR default by Anonymous Coward · · Score: 0

      Or just disable third party cookies.

    2. Re:Make TOR default by ArmoredDragon · · Score: 1

      Many websites will break if you do this; USAA is broken with this, for example. My preferred method, without addons, is to set third party cookies to session only, something that no browser can do except for firefox.

      My opinion? Combine privacy badger, cookie autodelete, and third party cookies session only, as FPI can break some websites, but the combination above should not break anything. For good measure, also add searchonymous2 and a redirect bypassing addon (redirect bypasser was the best, but I'm not sure which is right now.) Unfortunately, at the present time, extensions can't do anything about localstorage, which sites can and do use to track you. FPI effectively sandboxes localstorage from site to site, but it wastes disk space. Mozilla is extending the webextension API to allow manipulation of localstorage and will probably be the only browser to do so. The cookie autodelete developers plan on using it as soon as it's available, so that will be a complete solution.

      That's the nice thing about firefox going forward: Mozilla continues to add new features to the webextension API and is very responsive to requests, but Chrome usually doesn't, and you can pretty much count on Edge only going so far as to always remain a subset of what Chrome does, as Microsoft just copies the Chrome API verbatim, but doesn't implement everything. Microsoft also uses a "whitelist only" model in Edge, which involves paying a fee to Microsoft and requesting that they review your extension, which they ignore in most cases, even if you own a very popular chrome extension.

      I'm betting that in about a year, Firefox will be the browser with all of the best addons, just like it was before the switch to webextensions, and Edge will remain king at its job of being the tool everybody uses to download firefox.

    3. Re:Make TOR default by Anonymous Coward · · Score: 0

      None of the web sites I have ever used broke because of it and if they did, I would stop using them. I do not permit third party eavesdropping or the ability to write shit to my disk. I haven't even heard of this singular example of "USAA" you mention, so obviously it's not a widespread problem, nor do any of the important sites break.

      Firefox, Chrome and Edge all suck ass. I'll stick with Pale Moon, which is by far the best browser in existence currently.

  2. Private browsing by Anonymous Coward · · Score: 1

    This seems like the kind of feature that should be enabled by default when using a private browsing window, or using the "never remember history" option in the settings page.

    1. Re:Private browsing by mspohr · · Score: 4, Insightful

      I naively thought that this was the default behavior for cookies. Why would anyone think it was a good idea to allow random people to read cookies from any domain?
      Cookies should be confined to a single domain where I am viewing content, not intrusive ad networks.

      --
      I don't read your sig. Why are you reading mine?
    2. Re:Private browsing by Anonymous Coward · · Score: 0

      this is analogical option in opera? 2012 year https://cdn.ghacks.net/wp-content/uploads/2012/06/opera-do-not-track-600x489.jpg

    3. Re:Private browsing by fustakrakich · · Score: 1

      Private browsing? Maybe on your local network... On the internet there's no such thing.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Private browsing by Luthair · · Score: 3, Informative

      I'm not sure you understand the scenario. These are third-party cookies that the browser would receive via headers when the tracking network was included on another site. The tracking network's cookie would only appear on the headers to that network and could not be read by other sites.

    5. Re:Private browsing by Anonymous Coward · · Score: 0

      only now INTERNET...)

    6. Re:Private browsing by Fahrvergnuugen · · Score: 3, Informative

      It's trickier than that...

      What happens when you insert the facebook or adsense code on your website is that you are actually including content hosted by the ad network.

      Your browser is then loading that content from that ad network because in addition to loading mygreatwebsite.com, you are also loading ads.adcompany.com or whatever.

      The cookie from the ad network is linked to ads.adcompany.com. The same cookie is being set for every website that serves content from that same ad network, and so they are able to build a profile on you.

      The bigger an ad network gets, the more websites it is installed on, the more clear the profile becomes.

      I guess (I don't know the details of it) what this feature is doing, is preventing any cookies that differ from the domain displayed in the URL from being loaded. I'm not sure how exactly this is different from private browsing.

      --
      Kiteboarding Gear Mention slashdot and get 10% off!
    7. Re: Private browsing by mspohr · · Score: 2

      Thanks for the additional information. I guess my question now is why would a browser allow random third party domains to set cookies when viewing a site?

      --
      I don't read your sig. Why are you reading mine?
    8. Re: Private browsing by Luthair · · Score: 2

      All but Safari which turned it off a few years ago iirc. There have been some legitimate uses like Google's login services.

    9. Re: Private browsing by Anonymous Coward · · Score: 5, Informative

      If the browser loads a resource from a domain, that domain can set a cookie for itself via HTTP headers (or if the resource is a script, through the script). That's normal, isn't it? But this is also true if that resource comes from a "third party" domain, i.e. one which is different from the domain of the web page itself. Example: You are looking at slashdot.org, which loads a script from taboola.com. Then the taboola.com script can set a cookie for taboola.com. Slashdot.org can not read that cookie, but if a page from a different domain also loads a script from taboola.com, that script can (normally) read the cookie for taboola.com. That cookie usually contains a tracking ID, so when many sites on the web load a taboola.com script, taboola.com can track you across web sites. With first-party isolation, the third party cookie can still be set, but it is only readable when the third party resource is loaded in the same first party domain context where it was set. Something else you can do (and probably should do) is disallow third party cookies altogether or at least make them expire when you close the browser. If you do the latter, first party isolation still helps by preventing in-session tracking.

    10. Re:Private browsing by sexconker · · Score: 5, Informative

      I guess (I don't know the details of it) what this feature is doing, is preventing any cookies that differ from the domain displayed in the URL from being loaded. I'm not sure how exactly this is different from private browsing.

      No, it's in the summary.

      This is isolation, not blocking. Plenty of sites won't work if you outright block 3rd party cookies.
      What this does is allow the cookie to be set and sent back in future requests, but it's one cookie per ad domain AND per visited site.

      If you go to pussy.com and it loads a tracking asset for ass.com, Firefox sets a cookie for ass.com.
      If you go to pussy.com again and it loads a tracking asset for ass.com, Firefox sends the same cookie back.
      So ass.com can track you on pussy.com.

      If you then go to titties.com and it loads a tracking asset for ass.com, Firefox sets a separate cookie for ass.com.
      This way, ass.com can't track you across pussy.com and titties.com as a single user by use of their cookies.

      They will still try (and generally succeed) at such tracking via browser fingerprinting, timing, meta analysis, and the good ol' IP address.

    11. Re: Private browsing by Anonymous Coward · · Score: 0

      It should be the default for any browser.

      By default.

      Did I mention, 'by default'?

    12. Re: Private browsing by Anonymous Coward · · Score: 0

      There have been some legitimate uses like Google's login services.

      You just contradicted yourself there, no?

    13. Re:Private browsing by Anonymous Coward · · Score: 0

      Nice comment. Could have used something less crass though, imo

    14. Re: Private browsing by mspohr · · Score: 1

      I understand how this helps advertisers but I really don't want to help advertisers. I can't think of a legitimate use for this "feature".
      When I'm viewing a website such as cnn.com, I don't want random ad networks to be able to set or read their cookies. If I'm on cnn.com then only cnn.com should be able to set and read cookies.
      I'd like to disallow third party cookies ...
      For instance, Chrome doesn't have this option. They do have a "do not track" option which I have set but that doesn't seem to do anything. It should prevent third parties from setting and reading cookies but it doesn't. There is no option to exclude third party cookies.
      I just checked Opera and it does have an option to exclude third party cookies so I'll try this and see how it works.
      I do have the new Firefox (57) and it does have the option to "Never" accept third party cookies (set by default) so it looks like a good option.

      --
      I don't read your sig. Why are you reading mine?
    15. Re:Private browsing by Anonymous Coward · · Score: 0

      From an account named sexconker I actually expected more crass, but different strokes for different folks.

    16. Re: Private browsing by EndlessNameless · · Score: 1

      I can't think of a legitimate use for this "feature".

      It wasn't a feature per se. It was simply how things worked under the same-origin policy. The browser loads what it's told to load, and each cookie is accessible to its parent domain. Advertisers started abusing this default security posture.

      Blocking third-party cookies and first-party isolation are responses to that abuse.

      Both of those options are far simpler than fundamentally changing the same-origin policy. There would need to be a consensus on an alternative security model across the whole ecosystem: browsers, web servers, and web app developers. It's not worth the effort when a simple user option can accomplish the same thing.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    17. Re:Private browsing by Anonymous Coward · · Score: 0

      If you go to pussy.com and it loads a tracking asset for ass.com, Firefox sets a cookie for ass.com.
      If you go to pussy.com again and it loads a tracking asset for ass.com, Firefox sends the same cookie back.
      So ass.com can track you on pussy.com.

      If you then go to titties.com and it loads a tracking asset for ass.com, Firefox sets a separate cookie for ass.com.

      Cool, thanks for the explanation! Wait how do you know my browsing history?

    18. Re: Private browsing by Anonymous Coward · · Score: 0

      The purpose of third party cookies is to store user preferences for scripts and other resources that may be included on many different sites. Tracking is an abuse of the feature, albeit an obvious one.

      The "do not track" option makes the browser send an additional header with every request that tells the server you don't want to be tracked. What the server does with that information is entirely up to its operators.

      For blocking third party cookies, see "Block cookies from other sites" on this page: Clear, enable and manage cookies in Chrome, or don't use a browser made by an advertising company.

    19. Re:Private browsing by Anonymous Coward · · Score: 0

      Whatever floats your boat.

    20. Re:Private browsing by Anonymous Coward · · Score: 0

      They will still try (and generally succeed) at such tracking via browser fingerprinting, timing, meta analysis, and the good ol' IP address.

      Yep. But all of those can be addressed too in the same way (except for IP address). The basic idea is to inject some data derived from the URL in the box at the top of the browser into the inputs used to calculate those other tracking values. So, for example, they get one fingerprint if you are on facebook and another fingerprint if you are on disney.com.

      As for the IP address that can be mitigated by using a VPN and merging your traffic with thousands of other users behind the same IP address and switching to new egress nodes on a random basis. Or even more hardcore, use a specific egress node for each site you visit - consider a firefox extension that switched proxies based on the page URL and a VPN provider that ran proxies on all its egress nodes so that facebook always sees you on IP address A and disney.com always sees you on IP address B, even if you are browsing them both simultaneously in two different windows.

    21. Re: Private browsing by Anonymous Coward · · Score: 0

      When a feature (such as third party cookies) does not have any legitimate purpose, using it for nefarious purposes is not abuse, it's simply use.

    22. Re:Private browsing by Anonymous Coward · · Score: 0

      He doesn't. It just shows up as ***.com and *****.com to him and everyone but you.

    23. Re:Private browsing by Anonymous Coward · · Score: 0

      I guess (I don't know the details of it) what this feature is doing, is preventing any cookies that differ from the domain displayed in the URL from being loaded. I'm not sure how exactly this is different from private browsing.

      No, it's in the summary.

      This is isolation, not blocking. Plenty of sites won't work if you outright block 3rd party cookies.

      I'm not sure what percentage constitutes "plenty", but I've been blocking third-party cookies for many years now (Firefox has supported this for long) and I haven't gotten any significant problems...

    24. Re: Private browsing by Anonymous Coward · · Score: 0

      Google is a search engine. It does not need cookies nor logins.

    25. Re:Private browsing by Anonymous Coward · · Score: 0

      You misunderstand. If 3rdparty.com creates a cookie on 1stparty.com, they can't read that same cookie on someother1stparty.com. In any case it seems inferior to just blocking all 3rd-party cookies.

    26. Re: Private browsing by mspohr · · Score: 1

      Google searches you.

      --
      I don't read your sig. Why are you reading mine?
  3. Re:Another NSA Browser Feature Makes It Into FF by Anonymous Coward · · Score: 0

    you which use browser? opera (not chrome mod) ?

  4. Re:Another NSA Browser Feature Makes It Into FF by NicknameUnavailable · · Score: 2

    How does it feel to fail at even the most inane of tasks?

  5. What about the data Firefox collects and sends? by Anonymous Coward · · Score: 0, Informative

    Everyone who considers using Firefox should read its privacy policy.

    Firefox's privacy policy mentions it sending data to organizations/companies like Mozilla, Google, SalesForce, Leanplum, Adjust, and possibly others.

    The privacy policy dated September 28, 2017 contains awful stuff like:

    Firefox sends data about your interactions with Firefox to us (such as number of open tabs and windows; number of webpages visited; number and type of installed Firefox Add-ons; and session length) and Firefox features offered by Mozilla or our partners (such as interaction with Firefox search features and search partner referrals).

    Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.

    Firefox sends us data such as the position, size and placement of content we suggest, as well as basic data about your interactions with Firefox’s suggested content. This includes the number of times suggested content is displayed or clicked.

    When you choose to click on a Snippet link, we may receive data about the link you followed.

    Desktop versions of Firefox periodically check for browser updates by connecting to Mozilla servers. Your Firefox version, language, and device operating system are used to apply the correct updates. Mobile versions of Firefox may connect to another service if you used one to download and install Firefox.

    Firefox for Desktop and Android periodically connect to Mozilla to protect you and others from malicious add-ons. Your Firefox version and language, device operating system, and list of installed add-ons are needed to apply and update the add-ons blocklist.

    Firefox sends basic information about unrecognized downloads to Google's SafeBrowsing Service, including the filename and the URL it was downloaded from.

    This may involve Firefox sending certain information about the website to the Certificate Authority identified by that website.

    Firefox by default sends Mozilla HTTP data that may be included with Firefox’s installer. This enables us to determine the website domain or advertising campaign (if any) that referred you to our download page.

    Firefox by default sends mobile campaign data to Adjust, our analytics vendor, which has its own privacy policy. Mobile campaign data includes a Google advertising ID, IP address, timestamp, country, language/locale, operating system, and app version.

    Firefox by default sends data about what features you use in Firefox to Leanplum, our mobile marketing vendor, which has its own privacy policy.

    Firefox by default sends search queries to your search provider to help you discover common phrases other people have searched for and improve your search experience.

    Mozilla receives your email address and a hash of your password when you create a Firefox Account. You can choose to include a display name or profile image. Your email address is sent to our email vendor, SalesForce Marketing Cloud, which has its own privacy policy. If you use your Firefox Account to log into other websites or services (such as AMO or Pocket), we receive the timestamp of your log-in from those services.

    For security purposes, we store the IP addresses you use to access your Firefox Accoun

    1. Re:What about the data Firefox collects and sends? by GuB-42 · · Score: 1

      Well, that's irrelevant! The fact remains that data can be collected and can be sent. "Can" is just as bad as "will".

      I disagree. A privacy policy doesn't mean much, except for lawyers.
      Saying they can do something bad doesn't mean they will do something bad. For example, if they provide a bug report feature, they will collect some data with it, and even though the user ultimately decides to send the report or not, and that it is really only used for debugging, it has to be mentioned in the policy, and considering the amount of data that may end up in a bug report, the terms can be scary.
      OTOH, just because something isn't written in the privacy policy doesn't mean it can't be done. It just means it is illegal to do it. Most importantly, nothing in the privacy policy says that the software isn't full of exploitable bugs.

    2. Re:What about the data Firefox collects and sends? by Anonymous Coward · · Score: 1

      Way to miss the point, and more importantly, way to miss the hypocrisy of Firefox apologists, including yourself.

      Again and again we're sold this myth by Firefox apologists that Firefox somehow "respects the privacy" of its users.

      Again and again we're told by Firefox apologists that Chrome is so awful because it might send data to Google.

      Yet even a cursory reading of Firefox's privacy policy makes it very clear that Firefox is just as capable of sending personal data to Google, along with numerous other external parties!

      Then instead of waking up to the fact that your beloved Firefox browser really isn't any better than Chrome, and may actually be worse, you Firefox apologists throw this hypocritical denialist gibberish at us!

      Firefox's privacy policy just goes to show, in my opinion, that Firefox and its creators don't give a damn about user privacy.

      If they did care about user privacy, then Firefox's privacy policy wouldn't be full of warnings about all of the data it collects and sends to various places because Firefox wouldn't even support any of this data collection and transmission to begin with!

      Firefox apologists need to wake up to the fact that their browser of choice isn't the saint that they wrongly portray it as.

      Then those Firefox apologists should do some proper apologizing by apologizing to the rest of us who have been subjected to your babble for so long!

    3. Re:What about the data Firefox collects and sends? by Anonymous Coward · · Score: 0

      Firefox would also seem to enable the streaming of your desktop screen to mobile devices on your Wi-Fi network via SSDP.

  6. Waterfox Is Better by NicknameUnavailable · · Score: 4, Informative

    This is just Firefox trying to be a source of telemetry. Waterfox is based on Firefox, but removes all the telemetry, sponsored ads, etc plus a bunch of security holes the Firefox team isn't addressing.

    1. Re:Waterfox Is Better by Anonymous Coward · · Score: 0

      Pff. "Bunch of security holes". Might as well also mention how it "doesn't ruin addons" and whatever other gobbledegook you think will attract the neophyte hivemind. Where I figured we'd only see weak shilling for Firefox, we're seeing weak shilling for every browser.

    2. Re:Waterfox Is Better by mikael · · Score: 1

      What about the security risk from: Allow running of all 64-Bit NPAPI plugins

      Those were the biggest security risk. You could have a secure browser, but one dodgy plugin allows all that spyware crud to creep back in.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:Waterfox Is Better by NicknameUnavailable · · Score: 1

      Actually, it runs any addon - it was designed that way so the Firefox team couldn't control a whitelist of approved addons. The security holes patched are literally on their site.

    4. Re:Waterfox Is Better by NicknameUnavailable · · Score: 1

      It's up to the user to decide what is and isn't safe to install on their machine. That part was put in place specifically because Firefox blocked "unapproved" AdBlockers (all the ones not sending telemetry back themselves or who blocked Firefox partner sites.)

  7. 'silently added'? Why weren't we told? by Anonymous Coward · · Score: 0

    The summary says this feature was 'silently added' to FF. Is this true? Do the FF 55 release notes really not list this change?

    If this is true, then this scares the heck out of me. I don't want my browser including new functionality unexpectedly! I thought that FF was supposed to be transparent and trustworthy. Adding features secretly is not transparent and trustworthy, if that is what has happened in this case.

    1. Re:'silently added'? Why weren't we told? by Anonymous Coward · · Score: 0

      Mozilla does this all the time. It's nothing new.

  8. Is this how it works? by sinij · · Score: 1

    Is this how it works? My understanding is that tracking cookies will be a) multi-domain and b) will also include the ad network domain. For example, Taboola cookie would be still accessible across all sites that use Taboola. Is this not the case?

    I configure browser to wipe all my cookies on browser close, and frequently close it. I recommend others to do the same.

    1. Re:Is this how it works? by JaredOfEuropa · · Score: 1

      From what I’m reading, this change will address those multi domain cookies. One site will add a Taboola cookie and will be able to read it, but if another site attempts to access the Taboola cookie, Firefox will pretend it isn’t there, and the second site will then proceed to create its own Taboola cookie. So cookies for 3rd party domains are still allowed, but they are sandboxed per domain in the browser.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Is this how it works? by Luthair · · Score: 2

      Basically the tracking network would set a cookie header on the HTTP request for a JS coming from their server, then when the user visits some other page which also includes the tracking network the original cookie would be sent back to the tracking network connecting the user across the two sites.

      I presume with FPI firefox treats the third party cookie given on site-A and the third party cookie given on site-B as distinct and will only send them in the context of those particular sites which prevents the tracker from linking the user.

    3. Re:Is this how it works? by Anonymous Coward · · Score: 0

      adblock?

    4. Re:Is this how it works? by dissy · · Score: 2

      Is this how it works? My understanding is that tracking cookies will be a) multi-domain and b) will also include the ad network domain. For example, Taboola cookie would be still accessible across all sites that use Taboola. Is this not the case?

      That is the case in IE, but in all other browsers no, a cookie can only be set for a domain if sent by a server on that domain.

      But look at slashdot as an example. When you go to slashdot.org, you are loading content from 4 separate host/domains.

      slashdot.org can set a cookie that gets sent back to slashdot.org
      But you are also loading content from other domains:
      a.fsdn.com content is loaded and can set a cookie, which gets sent back to a.fsdn.com
      gstatic.com content is loaded and can set a cookie, which gets sent back to gstatic.com
      etc

      If you went to another website owned by FSDN but isn't slashdot, odds are that site will also load content from a.fsdn.com and thus that domain's cookie will be sent back to a.fsdn.com again.

      In this way a.fsdn.com can track you over all of the websites that load its content in, be it slashdot or freshmeat or whatever.

      Now add in the fact that most websites these days load content from the google ad network, or facebook, or twitter.
      Each of those sites can set a cookie on their content and it gets sent back when visiting any other website that also loads content from them.

      This is how facebook and such track you over most of the Internet, even if you never do or have visited facebook.com directly. It's almost guaranteed however that you have loaded content from facebook.com indirectly, and your browser happily sends the facebook cookies back to facebook.

      What this feature does is tag a cookie not just with the domain of the sending web server, but also with the domain in your address bar.

      That means the facebook cookie as loaded from slashdot is stored separately from the facebook cookie from random-other-site.
      Revisiting slashdot will only send the facebook cookie set with the slashdot domain, not the facebook cookie set by the random-other-site domain.
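
The keying described in the comment above, as an added illustration that is not part of the original post and not Firefox's code: a toy cookie jar keyed either by the cookie's own domain or by address-bar domain plus cookie domain, replayed against a tracker embedded on two sites. The `.example` hostnames, the class names and the two-label `site()` shortcut are assumptions made for this sketch.

```javascript
// Added illustration: a toy cookie jar, not Firefox's implementation.
// Hostnames under .example are constructed sample data.

// Assumption: the last two labels approximate the registrable domain.
// Real browsers consult the Public Suffix List instead.
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

class CookieJar {
  constructor(firstPartyIsolation) {
    this.fpi = firstPartyIsolation;
    this.store = new Map(); // jar key -> Map(cookie name -> value)
  }

  // Without FPI the jar is keyed by the cookie's own site only.
  // With FPI the key also carries the site shown in the address bar.
  key(topLevelHost, resourceHost) {
    const cookieSite = site(resourceHost);
    return this.fpi ? `${site(topLevelHost)}|${cookieSite}` : cookieSite;
  }

  // Cookies the browser would attach to a request for resourceHost
  // made while topLevelHost is the page in the address bar.
  read(topLevelHost, resourceHost) {
    return this.store.get(this.key(topLevelHost, resourceHost)) || new Map();
  }

  write(topLevelHost, resourceHost, name, value) {
    const k = this.key(topLevelHost, resourceHost);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
}

// Third-party tracker: issues an ID when the request carries none and
// records every embedding site on which it sees that ID (in practice it
// learns the embedding site from the Referer header or its own script).
class Tracker {
  constructor(host) {
    this.host = host;
    this.issued = 0;
    this.profiles = {}; // uid -> list of embedding sites
  }

  // Returns a [name, value] pair to set, or null if the ID was presented.
  serve(cookies, embeddingSite) {
    let uid = cookies.get('uid');
    let setCookie = null;
    if (uid === undefined) {
      uid = `uid-${++this.issued}`;
      setCookie = ['uid', uid];
    }
    (this.profiles[uid] = this.profiles[uid] || []).push(embeddingSite);
    return setCookie;
  }
}

// Replay the same three page loads and return what the tracker learned.
function simulate(firstPartyIsolation) {
  const jar = new CookieJar(firstPartyIsolation);
  const tracker = new Tracker('cdn.tracker.example');
  const visits = ['www.news.example', 'www.shop.example', 'www.news.example'];
  for (const page of visits) {
    const sent = jar.read(page, tracker.host);
    const setCookie = tracker.serve(sent, site(page));
    if (setCookie) jar.write(page, tracker.host, setCookie[0], setCookie[1]);
  }
  return tracker.profiles;
}

console.log('FPI off:', simulate(false)); // one ID spanning both sites
console.log('FPI on: ', simulate(true));  // one ID per embedding site
```

With isolation on, the tracker still recognises a return visit to the same site, which matches the point made elsewhere in the thread that FPI isolates third-party cookies rather than blocking them.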

  9. That's a nice feature by H3lldr0p · · Score: 1

    Wonder what would be the work around for the trackers and advertisers. I've already done a lot to keep my footprint as small as possible but I know I'm still getting tracked in some ways I can't stop if I want to be able to do useful things online. Like paying my bills. And I personally question the usefulness of things outside of the plain browser identifier. I don't get why any site I visit would need to probe what addons or if javascript has been executed. Maybe I don't do enough site programming to "get it". But something like this, as much as I think it's nice is just going to escalate the battle against advertisers more.

    Like forcing more websites to have signins to be useful. Or greater sharing of metacookies or whatever it's called when the server sending out the ads does the tracking itself.

    1. Re:That's a nice feature by NicknameUnavailable · · Score: 0

      Wonder what would be the work around for the trackers and advertisers.

      Dying and going to Hell is about the best option they have available.

    2. Re:That's a nice feature by Baron_Yam · · Score: 1

      >Wonder what would be the work around for the trackers and advertisers.

      You answered your own question! "or whatever it's called when the server sending out the ads does the tracking itself."

      They'll do their best to get a decent fingerprint of your system, and their tracking accuracy will be reduced (probably by far less than we'd hope or expect).

    3. Re:That's a nice feature by Anonymous Coward · · Score: 0

      Dying and going to Hell is about the best option they have available.

      Well, best for most of us but not for them. Look for an escalation in the arms race.

    4. Re:That's a nice feature by AHuxley · · Score: 1

      Re "Like forcing more websites to have signins to be useful."
      Sites will just have a members section. Pay by CC.
      Don't want to pay with a CC?
      Run some code on the gpu/cpu for some time and get a one time, a day, month, year or much longer account.
      Running a gpu/cpu for some time for a site will get around the need for ads, tracking, the policy connected to using social media ads.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:That's a nice feature by mikael · · Score: 1

      They will go back to using whatever unique ID's are available on the system. Remember CPU-ID? Where special CPU instructions mapped onto web-browser script keywords allowed a website to know your CPU. Now they could access the UUID of your file system.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  10. Editors: story is IRRELEVANT to global warming! by Anonymous Coward · · Score: 0

    Why have you bothered posting this FILLER material when there are so many more pressing stories dealing with GLOBAL WARMING!!??!!

    Please, editors, get your priorities right!

    1. Re:Editors: story is IRRELEVANT to global warming! by Anonymous Coward · · Score: 0

      At Slashdot, we already know about the global warming. All news does not need to be apocalyptic.

  11. Cookies? In 2017? by Anonymous Coward · · Score: 0

    My cookies are all deleted when the browser is closed. I haven't saved cookies to disk since the 90's. /shrug

  12. Seriously? by DontBeAMoran · · Score: 3, Insightful

    >With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing.

    Why the fuck isn't that by design? Who's the moran who decided not to include that in the specifications?!

    --
    #DeleteFacebook
    1. Re:Seriously? by Actually,+I+do+RTFA · · Score: 1

      I imagine this was from before the web became a spying/ad mess. The idea back then was you were loading third-party content because it didn't make sense for everyone to have a huge copy of those images/a javascript library (probably predates JS).

      --
      Your ad here. Ask me how!
    2. Re:Seriously? by Dracos · · Score: 1

      Cookies were added in HTTP/1.1 (RFC 2068) in 1997 after two years of specification development. Lots of things about cookies were naively permissive, but it took years to realize this. HTTP/2 (in 2015) did nothing to address cookie flaws.

    3. Re:Seriously? by Anonymous Coward · · Score: 0

      Programmers from that time were a lot like bad politicians: They thought mostly about the way their inventions could better the web experience, but they failed to think about the potential for abuse. Cookies would be used to store user preferences, and why would you take that option away from third party resources? Let's say you add a video script from a third party provider to your web site. Wouldn't you want the user to have their preferred volume setting right away? The third party script must be able to recognize the user across first party domains to do that. Of course you can also use third party cookies to track users, but who would do that when they could be busy making the web better for the users?

    4. Re:Seriously? by mikael · · Score: 1

      Sometimes the cookies are used to store your username/password so that you can log in automatically on the website, even though you have opened a new window.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    5. Re:Seriously? by DontBeAMoran · · Score: 1

      But it's still the same domain name.

      --
      #DeleteFacebook
    6. Re:Seriously? by swillden · · Score: 1

      >With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing.

      >Why the fuck isn't that by design? Who's the moran who decided not to include that in the specifications?!

      It is by design and it is in the specification, always has been. Sites can only set cookies for the domain that serves the content.

      sexconker posted a good explanation: https://news.slashdot.org/comm...

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:Seriously? by Anonymous Coward · · Score: 0

      >It is by design and it is in the specification, always has been. Sites can only set cookies for the domain that serves the content.

      So you are saying that Firefox will be the first browser to actually implement the specification.

      Because up until now, sites have been able to set cookies for whatever domain serves the advertising scripts, NOT only the domain that serves the content.

  13. Brave is best by Anonymous Coward · · Score: 0

    All the best parts of Chromium (NOT Chrome) but hardened for additional privacy and security. Easy interface, very fast, very secure.

    1. Re:Brave is best by Anonymous Coward · · Score: 0

      lol)

    2. Re:Brave is best by Anonymous Coward · · Score: 0

      >All the best parts of Chromium (NOT Chrome) but hardened for additional privacy and security. Easy interface, very fast, very secure.

      Brave also serves you ads, directly built into the browser. Amazing how its proponents always forget to mention that especially in the context of privacy and security.

    3. Re:Brave is best by NicknameUnavailable · · Score: 1

      Chromium is garbage, it freezes up on page loads for 1-2 minutes every time you hit a website.

  14. Where is he? by DontBeAMoran · · Score: 1

    I'm surprised we haven't heard about hosts files yet...

    --
    #DeleteFacebook
    1. Re:Where is he? by Anonymous Coward · · Score: 0

      this is stupid) use ad-block only

  15. Cookie isolation... by viperidaenz · · Score: 1

    They'll just link the separate cookies together with ETags. Unless you're also going to have a separate file cache for each domain too.... not a bad idea actually.

    1. Re:Cookie isolation... by Anonymous Coward · · Score: 0

      simple disable Cookie, F12 )))
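
The point made in this thread and in the "Seriously?" thread above, as an added example that is not part of any comment: a toy model (not Firefox's implementation) of browser state keyed with and without the first-party domain, showing that isolating cookies alone still lets a tracker link sites through a shared cache. The `ads.example` tracker, the site names and all function names are assumptions made for illustration.

```javascript
// Toy model of browser state, not Firefox's implementation. Each kind of
// state ('cookie', 'etag') is keyed by the third-party domain alone, or,
// when isolated, by (first-party domain, third-party domain).
class Browser {
  constructor(isolated) {           // e.g. { cookie: true, etag: false }
    this.isolated = isolated;
    this.store = new Map();
  }
  key(kind, firstParty, thirdParty) {
    return this.isolated[kind]
      ? `${kind}|${firstParty}|${thirdParty}`
      : `${kind}|${thirdParty}`;
  }
  get(kind, firstParty, thirdParty) {
    return this.store.get(this.key(kind, firstParty, thirdParty));
  }
  set(kind, firstParty, thirdParty, value) {
    this.store.set(this.key(kind, firstParty, thirdParty), value);
  }
}

// Hypothetical tracker at ads.example: accepts an ID from the cookie or,
// failing that, from a cached ETag (sent back as If-None-Match), and
// mints a fresh ID only when the browser presents neither.
function visit(browser, tracker, site) {
  const host = 'ads.example';
  let id = browser.get('cookie', site, host) ?? browser.get('etag', site, host);
  if (id === undefined) id = `u${tracker.nextId++}`;
  browser.set('cookie', site, host, id);
  browser.set('etag', site, host, id);
  if (!tracker.profiles.has(id)) tracker.profiles.set(id, new Set());
  tracker.profiles.get(id).add(site);
}

// Returns how many distinct sites the tracker's largest profile links.
function linkedSites(isolated, sites) {
  const browser = new Browser(isolated);
  const tracker = { nextId: 1, profiles: new Map() };
  for (const site of sites) visit(browser, tracker, site);
  return Math.max(...[...tracker.profiles.values()].map((s) => s.size));
}

// Constructed browsing session; every site embeds ads.example.
const SITES = ['news.example', 'shop.example', 'forum.example', 'news.example'];
console.log(linkedSites({ cookie: false, etag: false }, SITES));
console.log(linkedSites({ cookie: true, etag: false }, SITES));
console.log(linkedSites({ cookie: true, etag: true }, SITES));
```

Only the run with both kinds of state keyed by first party leaves the tracker with one-site profiles.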

  16. Make It Default by Elixon · · Score: 1

    That is a cool feature that won't break anything (except the sites tracking you across multiple domains - which is the point here).

    Why do they hide it? To not piss off Yahoo/Yandex/Baidu sponsors? I guess (sane/informed) people love it so make it DEFAULT!

    --
    Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
    1. Re:Make It Default by Luthair · · Score: 1

      It could break logins for some sites, e.g. Google

    2. Re:Make It Default by Anonymous Coward · · Score: 0

      It shouldn't break them but it might interrupt single sign-on bliss, meaning you'd have to authenticate again through the google login flow once for each site. Some might consider this a repair rather than a break.

  17. Arms Race by Anonymous Coward · · Score: 0

    Oh great. I've been taking advantage of this kind of thing for years courtesy of Privoxy, which can block third-party cookies. Now with a major browser doing that, the next step in the arms race will be something worse on the part of the advertisers.

  18. Awesome. Now for their next trick by Anonymous Coward · · Score: 0

    Maybe they can make a browser that actually works more than thirty percent of the time.

  19. Or Tell People How To Do It by Anonymous Coward · · Score: 0

    So folks won't need to click the linked article for instructions:

    The feature is not enabled by default, as it's known to cause some login persistence problems. To enable it users have two options.

    The first is to use a dedicated Firefox add-on. The add-on's name is "First Party Isolation," and once you install it, it immediately turns on FPI and adds a fishbowl icon on the Firefox UI.

    Users can press this button to temporarily disable FPI (for five minutes). If users want to disable FPI for good, they can either disable or remove the add-on.

    The second method of enabling FPI is by modifying parameters in the about:config settings page. To access this page, users must type about:config in the address bar and press Enter.

    Once they reached the about:config page, they can search for "firstparty," and the two FPI parameters will appear.

    To enable FPI, users must set "privacy.firstparty.isolate" to true by double-clicking it. The second parameter — "privacy.firstparty.isolate.restrict_opener_access" — works by lowering some of the "isolation" rules. Users can set this parameter to false if they're having problems logging into websites.

  20. You totally miss the point by Anonymous Coward · · Score: 0

    Again and again we're sold this myth by Firefox apologists that Firefox somehow "respects the privacy" of its users.

    No, you don't get it. The guy you're replying to is trying to elevate the conversation to beyond myth. He has this weird bias toward facts. That means he doesn't give a flying fuck what someone was "sold" nor does he give a flying fuck about what the privacy policy says. The privacy policy is irrelevant. The rumors that it "respects privacy" are irrelevant. Nobody cares about that stuff. Why would they?

    What he's trying to do is forget all this irrelevant and unimportant stuff, and instead, talk about what the software actually does.

    Do you understand, that once people get into what Firefox does, anyone who brings up a written policy or what someone was "sold," is wasting time with off-topic nonsense? The grownups are talking about how fast the car is, and you're still talking about its tail fins. Nobody cares.

    Wait ... President Trump, is that you? Do you "hear things" about Firefox?

  21. FPI add-on is poorly designed by iliketrash · · Score: 1

    The add-on, First Party Isolation, linked from the article, to

    https://www.bleepingcomputer.c...

    is something of a turd. There is no indication that it is doing anything. The preference page has no controls. The icon that is placed in the menu bar shows no state information—supposedly if you click on it, the FPI feature will be disabled for five minutes. There is absolutely no indication that anything happens when you click on it. Plus, the icon is so hard to see that at first I thought there was no icon at all. The linked article mentions that you can also edit two entries in the about:config page. Nice if a little obscure. But you might think that the add-on would simply toggle these items, but installing the add-on does not affect these about:config items. So, again, the FPI add-on is poorly designed.

    1. Re:FPI add-on is poorly designed by Anonymous Coward · · Score: 0

      It works. Open your about:config and click the add-on's icon. The two settings change values.

    2. Re:FPI add-on is poorly designed by pr0nbot · · Score: 1

      Later in the article:

      The second method of enabling FPI is by modifying parameters in the about:config settings page. To access this page, users must type about:config in the address bar and press Enter.

      Once they reached the about:config page, they can search for "firstparty," and the two FPI parameters will appear.

      To enable FPI, users must set "privacy.firstparty.isolate" to true by double-clicking it. The second parameter — "privacy.firstparty.isolate.restrict_opener_access" — works by lowering some of the "isolation" rules. Users can set this parameter to false if they're having problems logging into websites.

  22. Chrome Sheeple by Anonymous Coward · · Score: 0

    Another example of Firefox leading, while Chrome is for sheeple.
    baaa baaa

    Yay Freedom.

  23. Wrong by Anonymous Coward · · Score: 0

    Brave Ads is ONE of the three methods available which allows vetted, privatized ads to be served through the Brave network. You can also choose to block all ads (period), or block all ads and donate to your preferred publishers using a crypto wallet.

    You know nothing.

  24. Not quite by Anonymous Coward · · Score: 0

    I have used Firefox for over ten years, but this comment is just sad. Firefox has been DECIMATED by Chrome. There is no comparison; the numbers do not lie.

    Mozilla really began to irritate me when they fired Brendan Eich, then partnered up with George Soros on the MITI. That is why I use Brave now as my primary browser.

  25. How to activate this: by Anonymous Coward · · Score: 0

    I think this should have been in the summary.
    Go to: about:config. Search for privacy.firstparty.isolate and set it to true by double-clicking it.

  26. Ghostery by PhantomHarlock · · Score: 1

    Ghostery does basically the same thing, and probably better. It works with the new version of Firefox. (It's a WebExtension.)

    https://www.ghostery.com/

  27. Re:Cookies? In 2017? by Anonymous Coward · · Score: 0

    My browser is only closed when the hardware crashes.