[HN Gopher] Full third-party cookie blocking and more ___________________________________________________________________ Full third-party cookie blocking and more Author : tbodt Score : 147 points Date : 2020-03-24 18:47 UTC (4 hours ago) (HTM) web link (webkit.org) (TXT) w3m dump (webkit.org) | skrowl wrote: | Soooo... like Firefox has done be default since June 2019 then | https://blog.mozilla.org/blog/2019/09/03/todays-firefox-bloc... ? | | I guess later is better than never, but this seems like something | they could have done long ago. | detaro wrote: | The blog post you reference clearly describes a limited | blocklist. As the submission says, no other mainstream browser | has blocked _all_ third-party cookies yet. | kstrauser wrote: | From the article: | | > Safari continues to pave the way for privacy on the web, this | time as the first mainstream browser to fully block third-party | cookies by default. As far as we know, only the Tor Browser has | featured full third-party cookie blocking by default before | Safari, but Brave just has a few exceptions left in its | blocking so in practice they are in the same good place. We | know Chrome wants this behavior too and they announced that | they'll be shipping it by 2022. | [deleted] | [deleted] | nydel wrote: | I really thought Firefox did all of this already too. I have no | justification for not having truly checked. Hopefully other | browsers from Safari will not be far behind. | | I hope that there might be a way to safely auto-sync my Firefox | profile, bookmarks and history especially, to Safari iff it's | really the more secure of the available browsers for iOS. | danceparty wrote: | Still dreaming of a way to block cookies per-domain | | Edit: someone just told me you can do it with osx adguard, in the | user rules you can set "||domain.com^$cookie" to block all | cookies from domain.com | progval wrote: | You can do this with uMatrix. | cglong wrote: | Isn't this built into Chrome settings? I've configured it on | both desktop and Android to block all cookies for certain | domains. | the8472 wrote: | Cookie Master extension for firefox. | kyleee wrote: | Are there efforts to cloak third party cookies via the first | party domain? | bouk wrote: | The point of third party cookies is cross-site tracking, which | doesn't work with a first party domain. | kyleee wrote: | Thanks I think I was conflating this with the cloaking 3rd | party JS payloads in first party domains | pspeter3 wrote: | I'm confused about if this means that IndexedDB will always wipe | data after 7 days. That seems like it would prevent storage from | being used for user data in PWAs. | dfabulich wrote: | That is what it means. The only workaround is to require the | user to login and to keep a backup of the data on your server. | dillondoyle wrote: | This is what we do. Store a 1st party httponly secure cookie | jwt representing the user, then grab any extra data from the | backend. Or just something like session cookie but persist | it. | | I wouldn't be surprised if this is one of the ways ad | tracking tries to rebuild a universal identifier like the old | urchin module. Might not be as easy as a cname but those | might get blocked. It's always a game of cat and mouse. Could | place uuid as 1st party httponly cookie. maybe uuid is domain | scoped. then 'echo out' so accessible by 3rd party JS. Like a | hash, one would need to know the global pooled uuid already | and then combined with knowable domain could tie that uuid | into the 2nd party tracking pool. | dfabulich wrote: | 1st party httponly secure cookies will be erased in seven | days. | | You need the user to manually provide an identifier (i.e. | login) to avoid losing everything. | | The user's password safe is now the only non-volatile | storage mechanism on Safari. | johncolanduoni wrote: | They explicitly say 1st party httponly secure cookies are | exempt and are their first recommended alternative. | untog wrote: | > after seven days of Safari use _without user interaction on | the site_ | | If it's a PWA that's regularly used you should be fine. But if | not, yeah, that's going to be very annoying. | cageface wrote: | If this is really about protecting users and not about | kneecapping web apps shouldn't Apple also wipe user data in | native apps that haven't been used in a week? | progval wrote: | Outside privacy issues; visiting a website once shouldn't | be enough for a website to store as much data as it wants | on someone's computer. | | Installing a native app is a stronger form of opt-in than | simply clicking an URL to a new website. | jessaustin wrote: | Chromium (and derivatives such as Edge) allows users to | install _web_ apps. You 're right that such a facility | could be used as a signal for webkit that a particular | site's IDB data should be retained for longer than a | week. | zamalek wrote: | > install web apps | | That's what a PWA is :). Browsers should lift these | restrictions for installed PWAs, and probably do. | jessaustin wrote: | The browser under discussion in TFA doesn't have PWAs as | such. [0] Of course I agree with your restatement of what | I said browsers should do upthread. b^) | | [0] https://caniuse.com/#search=beforeinstallprompt | untog wrote: | Native apps don't really have the problem of third-party ad | networks storing data intermixed with app data in this way, | though. | pspeter3 wrote: | Why not though? It seems like third-party SDKs could be | included by the developer and stored on my local device. | detaro wrote: | The regular reports about tracking in random | advertising/... SDKs suggest otherwise | pspeter3 wrote: | Yeah, that seems potentially destructive for apps that want | users to have a local only copy. You would need to provide a | full import / export option in case someone goes on vacation. | quotemstr wrote: | The seven day wipe is going to encourage further adoption of | Facebook or Google centralized logins, since this flow makes | state restoration after a cookie wipe least painful. (Even | saved login-passwords combinations can become de-synchronized | between devices.) I don't think the theoretical benefits of | enhanced privacy are worth the concrete costs of internet | centralization. | progval wrote: | First-party cookies aren't on the list of affected storage, | are they? | jefftk wrote: | https://webkit.org/blog/8613/intelligent-tracking- | prevention... already limited 1st party cookies set from | JS to 7d. | | This post is about them extending it to all storage set | from JS. | jessaustin wrote: | Wow they buried the lede; I'm glad you highlighted this. This | is going to be an interesting situation for some Safari users. | "Why did your app delete my data?" "If you don't like that you | should use Chrome." | | Of course Google could do this too, if they had a reason, even | if only downstream from Chromium. It's just a commercial | decision. Apple have decided they don't want their users to | have usable anonymous web apps. Of course, since they don't | support beforeinstallprompt, we already know they don't want | their users to have web apps, period. Gotta get that sweet 30% | cut! | internalthief wrote: | I doubt that this is going to be an issue for applications | using ReactNative or other solutions to package websites as | applications. | | For applications that have you add it to your home screen | using the app icon, it may be more of an issue, but why | wouldn't you sync that data back up to the server? | jessaustin wrote: | Yes of course if you're running a business then you're | getting users logged in ASAP. There are other models of | software development, however. Even if you're in the | commercial sector, some users may be less eager than others | to sign up for your fine service. Should you preemptively | suck in their data, whoops I mean back up their data, | without telling them? It seems there could be several | responses to that question... | | It's fine that Apple don't want to support this valid mode | of app distribution and use. It _is_ a valid mode, however. | matsemann wrote: | Just FYI (If I'm reading you correctly): That's not how | react native works. It's a native app, not a wrapped | website. | CodeCube wrote: | I suspect they just meant regular react | eugeniub wrote: | Ok, that's not how React works either. React is not a | "solution to package websites as applications". | 867-5309 wrote: | so what is the modern version of PhoneGap? | WorldMaker wrote: | Ionic Capacitor | doctoboggan wrote: | My understanding was that yes, if the user doesn't interact | with the site in 7 days then the stored data (in cookies and | localStorage) will be deleted. | koolba wrote: | It's the usual " _this is why we can't have nice things_ ". | Anything persistent will be turned into a tracking cookie. So | eventually everything becomes ephemeral. | osrec wrote: | Rather than wiping indexed DB data after 7 days, could you not | just make it an opt in thing, like the camera or mic? For | example, ask users "Allow myapp.com to store app related data on | your computer?". If they allow it, then give access to indexed DB | API. That way we can still have fully local PWAs. | Animats wrote: | I've had third party cookies blocked for years in Firefox. It | doesn't break much. | driverdan wrote: | Browsers should deprecate third party cookies and remove | support entirely. | cglong wrote: | Chromium has announced their intentions to do just this in | two years! https://blog.chromium.org/2020/01/building-more- | private-web-... | idoubtit wrote: | I've been blocking third party cookies since my Opera days. I | can't remember exactly when, but at least Opera 9 (2006). | Recently, I use the same capability of Vivaldi (Chromium | based). | | The problem is that this blocking induces some failures which | are hard to diagnose. For instance, on the official site of my | city I can't use some pages because they loop on requiring my | authentication, since they use iframes with shared cookies. On | other sites, submitting a form will fail with no error | messages. I also remember a Python MOOC that failed with a | blank page because of this blocking. Fortunately, all of these | errors are uncommon. | distances wrote: | Exactly. I don't see why they should be allowed in the first | place. I also block first-party cookies and while that does | break more sites, it's still pretty manageable. | recursive wrote: | Do you use any sites which require any kind of | authentication? | distances wrote: | By "manageable" I mean I'll allow them for the sites that | need them. So yes, I do use sites with login. | bradly wrote: | Firefox users can turn on privacy.firstparty.isolate which | I believe will scope third party cookies to the top level | domain you are on. It is off by default, but I've been | using it for sometime without issue (except very persistent | re-captcha). | chance_state wrote: | >I also block first-party cookies | | This is the front loaded approach which can cause breakage. I | prefer the back loaded approach of using an extension like | Cookie Auto Delete or similar that deletes cookies once | you're away from a domain for a set amount of time (I think | mine is set to 2 minutes). | abrowne wrote: | It breaks Duo 2fa's "remember me for a week"... Which makes it | very annoying, at least at work. | tpush wrote: | I might be misremembering, but didn't Safari block third-party | cookies by default before all this tracking protection stuff | started? | fomojola wrote: | The 7-Day Cap on All Script-Writeable Storage is troublesome: if | I don't log into a computer for a week 'cause I'm on vacation | then you wipe my saved data? I have local storage based utilities | I've written that I sometimes don't touch for weeks, but whenever | I go back everything I put in there is STILL THERE. | | Seems like a great way to drive less use of local browser storage | options and promote greater use of cloud storage solutions. | Cynical me says "YAY iCloud". | quotemstr wrote: | So much for the advertisement-powered web. Congratulations, | privacy people: you win. I hope the new web is everything you | hoped. If it isn't, you have only yourselves to blame. Enjoy the | paywalls. | layoutIfNeeded wrote: | Why would you need third-party cookies for advertisements? | vntok wrote: | Because managing advertisers and selling ad space is | extremely time-consuming or expensive to set up and maintain, | and most companies being SMBs they don't have the necessary | manpower to do so? | nydel wrote: | What do you think the new web is going to be? Sincere. Not sure | what you're talking about at all and would like to. | quotemstr wrote: | I think the new web will be one made up of closed off islands | that use strict paywalls to finance themselves. I also think | the _total_ amount of content will be lower and that the | remaining platforms will more heavily skew towards "safe" | guidelines. | function_seven wrote: | "So much for the _tracking_ -advertisement-powered web" | | I'm looking forward to it. Seriously. I know you're intending | to be facetious with this, but everything you listed sounds | good to me. Either charge for your service, or include ads that | don't follow me around the Internet. | | Somehow advertising worked on radio, on TV, and in print | without correlating data about each viewer with all their other | habits. I see no reason why that can't be the same online. | lonelappde wrote: | Do you want 7 minutes of ads for every 23minutes of web | browsing, like TV? | | Did you not notice that print is dead? | function_seven wrote: | No. That's why I pay for Hulu and Netflix, and DVR other | content. | | Print as a medium may be dead, but journalism is still | here. And it's possible to provide without invasive | tracking, just like it has been for centuries. The | transition from ink to pixels doesn't rely on analytics to | succeed. | _eht wrote: | You reckon Hulu, Netflix, et al, are just sitting on all | the user data you are giving them, totally respecting | it... definitly not monetizing from it? When was the last | time you read T&C? | function_seven wrote: | Yeah, I realized I'd see this reply as soon as I | submitted the comment. Of course they're selling my data. | I wish they didn't. | | And to circle back to the original comment I replied to: | They don't _have_ to. A business can be run providing | entertainment without granular user tracking. HBO and | Showtime did it back when they were just add-ons to cable | packages. | | What OG commenter was implying, is that the Internet will | be worse without 3rd-party cookies and tracking. I can't | disagree strongly enough. | smnthermes wrote: | Do you not think it's possible to use fingerprinting to track | users? | sebastien_bois wrote: | > Safari continues to pave the way for privacy on the web, this | time as the first mainstream browser to fully block third-party | cookies by default | | Too bad Safari isn't my default browser anymore, ever since they | essentially killed it when they neutered extensions. | doctoboggan wrote: | I initially felt the same way, as I relied on ublock origin, | but the loss of that extension forced me to switch to pihole, | which I think is an overall better approach to ad blocking. It | works for all devices on your network, so you get ad blocking | on devices that you normally wouldn't like your smart tv and | the apple news app. | kodablah wrote: | Being DNS based, pi-hole cannot block specific paths of | otherwise-acceptable domains nor can it do any cosmetic | filtering. It is not necessarily a better approach for web | browsing. | bengale wrote: | I find wipr works really well. | etaioinshrdlu wrote: | Is there any legitimate reason Chrome doesn't follow suit other | than they like ad revenue? An answer from a Googler here would be | great. And a real answer, not corp-speak. | | Blocking third party cookies seems like overall a good thing for | security. Security is good right? | | Edit: 2 years is a long time to wait for a security improvement | that is literally flipping a switch. | jefftk wrote: | I'm a Googler who works in ads, speaking only for myself. | | If Chrome blocked third party cookies today we'd see something | between these two outcomes: | | a) Publishers lose about half their revenue because ads aren't | personalized anymore: | https://services.google.com/fh/files/misc/disabling_third-pa... | | b) Advertisers figure out how to keep personalizing ads through | fingerprinting (non-cookie tracking) | | Since (b) is worse than the status quo (users can't reset their | fingerprint) I think "a security improvement that is literally | flipping a switch" doesn't fit. | | Chrome's approach (as described in | https://blog.chromium.org/2020/01/building-more-private- | web-...) is: | | * Block fingerprinting | | * Figure out how to let advertisers personalize in privacy | preserving ways (https://www.chromium.org/Home/chromium- | privacy/privacy-sandb... primarily FLoC and TURTLE-DOV) | | * Then remove cookies | | I'm skeptical about the approach, since I think blocking | fingerprinting and server-side correlation of requests is very | difficult, but I think the people working on this are very good | and have thought a lot more about it than I have. | driverdan wrote: | In other words the Chrome team doesn't care about users, it | cares about ads. If it put users first, as it should, third | party cookies would have been blocked a long time ago and | they would be working on blocking other fingerprinting | techniques now. | | This is a great reason to not use Chrome. | jefftk wrote: | Users don't care about ads, but users care about the things | that ads fund. If publishers go out of business, users will | be worse off. | | Do you think the browsers should block all ads by default? | tcd wrote: | The web shouldn't block ads, it should block JS entirely. | There should be a 'global' permission system (similar to | Android) that allows me to control exactly what | information websites are allowed to access from my | browser. | | For example, I want to disable WebRTC as it can be used | to collect my IP address, or disable WebGPU APIs or | anything that can be used to finger print me. | | JS has far, far, far too much broad access to information | that might seem mundane but can be used to profile a | user. | | Android is the same - you can get the entire list of | installed packages on the system and various other pieces | of information to build a unique, persistable tracking | ID. | | There's also a lack of accountability: What information | is being sent to what servers? I want a detailed JSON | formatted breakdown of EVERY single piece of data that is | being sent from my device. | | I should be able to block anything that is outside my own | determined comfort zone. | | But most OS' just make requests to US IP's without much | thought now - just turn on Windows 10 in a VM and watch | as it sends so many requests with no insight into the | data, which many companies (including Google) don't tell | you about. | | Ask me about a recent GDPR request to Google which I just | got a generic response about (and they didn't action my | request to delete information, so now I need to complain | to the regulator because it was also late). | | So yes, blocking ALL tracking by default is sensible. | HugoDaniel wrote: | Yes. | | (i am a user; i don't presume to know what is best for | others; speaking as a user that talks to others like me; | i don't need to speak about 'users' as a third party | entity; i am a significant sample of the set) | vntok wrote: | Are you ready to pay every website you visit, then? With | actual money that you yourself own? | vanadium wrote: | Let's trot out the elephant in the room: Contextual | advertising is a thing, and I'm pretty sure that it would | be a hell of a lot smarter today than the first attempt | over a decade and some change ago. | | But there are plenty of reasons ad companies wouldn't | want to bring that up openly. I didn't say justified | reasons, but there are reasons. For instance, all this | personalization and massive targeting (and rampant cookie | abuse) would go away, figuratively overnight in terms of | time scale. But it would also massively undermine an | industry that thrives on and can't get enough per-user | data and the vast ecosystem it supports. | | Ironically, NY Times did/does that for EU visitors due to | GDPR a couple years ago and saw an increase in ad | interactions. But that's as far as that got in the | headlines. | HugoDaniel wrote: | As if ads is the only possible business model on the web. | | At best the ad revenue is taking money away from other | web business models by instituting that kind of mentality | that drives people away from donations and paid accounts. | | Please, consider a paid account/membership when you read | the guardian, the intercept, or look for the donation | page of quality content articles in wikipedia or any of | the loads of blogs written by authors with patreon | accounts. | smnthermes wrote: | Donations exist, LMAO. | jefftk wrote: | Why do you think Edge, Firefox, and Safari have chosen | not to block all ads by default? | HugoDaniel wrote: | Thus Spoke The Googler | 6gvONxR4sf7o wrote: | Maybe free newspapers go out, and free blog platforms go | out, but that means that physical local papers don't go | out of business and stop having to rely on clickbait. | Losing some things means gaining others. | etaioinshrdlu wrote: | The trouble is Apple shows this compromise is unnecessary. | They work hard to block fingerprinting (especially on iOS) | and it WORKS. iOS devices are mostly indistinguishable. | Notoriously impossible to fingerprint. | | Granted desktop fingerprinting is more of a challenge due to | differing OS's, screens, GPUs for WebGL, etc. But it doesn't | seem impossible. | | They have also blocked third party cookies for so many years. | The world did not catch on fire. | | They use an advertising ID the user can reset. | msoad wrote: | Alex Russel and friends love to bash Safari for lack of PWA | support but are mute when it comes to things Google does to | Chrome that doesn't benefit (or ever harm) the user and only | benefit $GOOG. | twiceaday wrote: | January this year Chrome committed to phasing out third party | cookies by '22. | TwoBit wrote: | Long enough from now that we'll forget, in case they conclude | they can't do it without jeopardizing ad revenue. ___________________________________________________________________ (page generated 2020-03-24 23:00 UTC)