[HN Gopher] Full third-party cookie blocking and more
       ___________________________________________________________________
        
       Full third-party cookie blocking and more
        
       Author : tbodt
       Score  : 147 points
       Date   : 2020-03-24 18:47 UTC (4 hours ago)
        
 (HTM) web link (webkit.org)
 (TXT) w3m dump (webkit.org)
        
       | skrowl wrote:
       | Soooo... like Firefox has done by default since June 2019 then
       | https://blog.mozilla.org/blog/2019/09/03/todays-firefox-bloc... ?
       | 
       | I guess later is better than never, but this seems like something
       | they could have done long ago.
        
         | detaro wrote:
         | The blog post you reference clearly describes a limited
         | blocklist. As the submission says, no other mainstream browser
         | has blocked _all_ third-party cookies yet.
        
         | kstrauser wrote:
         | From the article:
         | 
         | > Safari continues to pave the way for privacy on the web, this
         | time as the first mainstream browser to fully block third-party
         | cookies by default. As far as we know, only the Tor Browser has
         | featured full third-party cookie blocking by default before
         | Safari, but Brave just has a few exceptions left in its
         | blocking so in practice they are in the same good place. We
         | know Chrome wants this behavior too and they announced that
         | they'll be shipping it by 2022.
        
         | nydel wrote:
         | I really thought Firefox did all of this already too. I have no
         | justification for not having truly checked. Hopefully other
         | browsers from Safari will not be far behind.
         | 
         | I hope that there might be a way to safely auto-sync my Firefox
         | profile, bookmarks and history especially, to Safari iff it's
         | really the more secure of the available browsers for iOS.
        
       | danceparty wrote:
       | Still dreaming of a way to block cookies per-domain
       | 
       | Edit: someone just told me you can do it with osx adguard, in the
       | user rules you can set "||domain.com^$cookie" to block all
       | cookies from domain.com
        
         | progval wrote:
         | You can do this with uMatrix.
        
         | cglong wrote:
         | Isn't this built into Chrome settings? I've configured it on
         | both desktop and Android to block all cookies for certain
         | domains.
        
         | the8472 wrote:
         | Cookie Master extension for firefox.
        
       | kyleee wrote:
       | Are there efforts to cloak third party cookies via the first
       | party domain?
        
         | bouk wrote:
         | The point of third party cookies is cross-site tracking, which
         | doesn't work with a first party domain.
        
           | kyleee wrote:
           | Thanks I think I was conflating this with the cloaking 3rd
           | party JS payloads in first party domains
        
       | pspeter3 wrote:
       | I'm confused about if this means that IndexedDB will always wipe
       | data after 7 days. That seems like it would prevent storage from
       | being used for user data in PWAs.
        
         | dfabulich wrote:
         | That is what it means. The only workaround is to require the
         | user to login and to keep a backup of the data on your server.
        
           | dillondoyle wrote:
           | This is what we do. Store a 1st party httponly secure cookie
           | jwt representing the user, then grab any extra data from the
           | backend. Or just something like session cookie but persist
           | it.
           | 
           | I wouldn't be surprised if this is one of the ways ad
           | tracking tries to rebuild a universal identifier like the old
           | urchin module. Might not be as easy as a cname but those
           | might get blocked. It's always a game of cat and mouse. Could
           | place uuid as 1st party httponly cookie. maybe uuid is domain
           | scoped. then 'echo out' so accessible by 3rd party JS. Like a
           | hash, one would need to know the global pooled uuid already
           | and then combined with knowable domain could tie that uuid
           | into the 2nd party tracking pool.
        
             | dfabulich wrote:
             | 1st party httponly secure cookies will be erased in seven
             | days.
             | 
             | You need the user to manually provide an identifier (i.e.
             | login) to avoid losing everything.
             | 
             | The user's password safe is now the only non-volatile
             | storage mechanism on Safari.
        
               | johncolanduoni wrote:
               | They explicitly say 1st party httponly secure cookies are
               | exempt and are their first recommended alternative.
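
Added example (not part of any comment above, and not WebKit's code): the pattern this sub-thread describes, with the user's identity in a server-set first-party Secure/HttpOnly cookie and the user's data on the backend, so that script-writeable storage is only a cache that can be rebuilt after a wipe. The cookie name, lifetime, token format and in-memory store are assumptions made for the illustration.

```javascript
// Added illustration: identity in a server-set HttpOnly cookie, data on the backend.
const nodeCrypto = require('node:crypto');

const SECRET = nodeCrypto.randomBytes(32);   // per-process signing key (assumes one server)
const SESSION_TTL_S = 30 * 24 * 3600;        // 30 days, constructed value
// Hypothetical name. The __Host- prefix requires Secure, Path=/ and no Domain attribute.
const COOKIE_NAME = '__Host-session';

// Constructed backend store standing in for a real database.
const userData = new Map([['user-42', { notes: ['draft A', 'draft B'] }]]);

function sign(payload) {
  return nodeCrypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Set-Cookie value sent in the HTTP response after login. Because it is set by
// the server and marked HttpOnly, page script can neither read nor write it.
function issueSessionCookie(userId, nowS) {
  const payload = `${userId}.${nowS + SESSION_TTL_S}`;
  const token = `${payload}.${sign(payload)}`;
  return `${COOKIE_NAME}=${token}; Max-Age=${SESSION_TTL_S}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Verify the request's Cookie header; return the user id, or null if the
// cookie is missing, tampered with, or expired.
function readSession(cookieHeader, nowS) {
  const pair = (cookieHeader || '')
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith(COOKIE_NAME + '='));
  if (!pair) return null;

  const token = pair.slice(COOKIE_NAME.length + 1);
  const sigCut = token.lastIndexOf('.');
  if (sigCut < 0) return null;
  const payload = token.slice(0, sigCut);

  // Constant-time comparison of the presented and expected signatures.
  const given = Buffer.from(token.slice(sigCut + 1));
  const expected = Buffer.from(sign(payload));
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;

  const expCut = payload.lastIndexOf('.');
  if (expCut < 0) return null;
  const exp = Number(payload.slice(expCut + 1));
  if (!Number.isInteger(exp) || exp <= nowS) return null;
  return payload.slice(0, expCut);
}

// What the page calls on load when its IndexedDB/localStorage cache is empty:
// the cookie identifies the user, the backend returns the data to re-cache.
function restoreState(cookieHeader, nowS) {
  const userId = readSession(cookieHeader, nowS);
  if (userId === null) return { status: 401, body: null };
  return { status: 200, body: userData.get(userId) || {} };
}
```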
        
         | untog wrote:
         | > after seven days of Safari use _without user interaction on
         | the site_
         | 
         | If it's a PWA that's regularly used you should be fine. But if
         | not, yeah, that's going to be very annoying.
        
           | cageface wrote:
           | If this is really about protecting users and not about
           | kneecapping web apps shouldn't Apple also wipe user data in
           | native apps that haven't been used in a week?
        
             | progval wrote:
             | Outside privacy issues; visiting a website once shouldn't
             | be enough for a website to store as much data as it wants
             | on someone's computer.
             | 
             | Installing a native app is a stronger form of opt-in than
               | simply clicking a URL to a new website.
        
               | jessaustin wrote:
               | Chromium (and derivatives such as Edge) allows users to
               | install _web_ apps. You're right that such a facility
               | could be used as a signal for webkit that a particular
               | site's IDB data should be retained for longer than a
               | week.
        
               | zamalek wrote:
               | > install web apps
               | 
               | That's what a PWA is :). Browsers should lift these
               | restrictions for installed PWAs, and probably do.
        
               | jessaustin wrote:
               | The browser under discussion in TFA doesn't have PWAs as
               | such. [0] Of course I agree with your restatement of what
               | I said browsers should do upthread. b^)
               | 
               | [0] https://caniuse.com/#search=beforeinstallprompt
        
             | untog wrote:
             | Native apps don't really have the problem of third-party ad
             | networks storing data intermixed with app data in this way,
             | though.
        
               | pspeter3 wrote:
               | Why not though? It seems like third-party SDKs could be
               | included by the developer and stored on my local device.
        
               | detaro wrote:
               | The regular reports about tracking in random
               | advertising/... SDKs suggest otherwise
        
           | pspeter3 wrote:
           | Yeah, that seems potentially destructive for apps that want
           | users to have a local only copy. You would need to provide a
           | full import / export option in case someone goes on vacation.
        
           | quotemstr wrote:
           | The seven day wipe is going to encourage further adoption of
           | Facebook or Google centralized logins, since this flow makes
           | state restoration after a cookie wipe least painful. (Even
           | saved login-passwords combinations can become de-synchronized
           | between devices.) I don't think the theoretical benefits of
           | enhanced privacy are worth the concrete costs of internet
           | centralization.
        
             | progval wrote:
             | First-party cookies aren't on the list of affected storage,
             | are they?
        
               | jefftk wrote:
               | https://webkit.org/blog/8613/intelligent-tracking-
               | prevention... already limited 1st party cookies set from
               | JS to 7d.
               | 
               | This post is about them extending it to all storage set
               | from JS.
        
         | jessaustin wrote:
         | Wow they buried the lede; I'm glad you highlighted this. This
         | is going to be an interesting situation for some Safari users.
         | "Why did your app delete my data?" "If you don't like that you
         | should use Chrome."
         | 
         | Of course Google could do this too, if they had a reason, even
         | if only downstream from Chromium. It's just a commercial
         | decision. Apple have decided they don't want their users to
         | have usable anonymous web apps. Of course, since they don't
         | support beforeinstallprompt, we already know they don't want
         | their users to have web apps, period. Gotta get that sweet 30%
         | cut!
        
           | internalthief wrote:
           | I doubt that this is going to be an issue for applications
           | using ReactNative or other solutions to package websites as
           | applications.
           | 
           | For applications that have you add it to your home screen
           | using the app icon, it may be more of an issue, but why
           | wouldn't you sync that data back up to the server?
        
             | jessaustin wrote:
             | Yes of course if you're running a business then you're
             | getting users logged in ASAP. There are other models of
             | software development, however. Even if you're in the
             | commercial sector, some users may be less eager than others
             | to sign up for your fine service. Should you preemptively
             | suck in their data, whoops I mean back up their data,
             | without telling them? It seems there could be several
             | responses to that question...
             | 
             | It's fine that Apple don't want to support this valid mode
             | of app distribution and use. It _is_ a valid mode, however.
        
             | matsemann wrote:
             | Just FYI (If I'm reading you correctly): That's not how
             | react native works. It's a native app, not a wrapped
             | website.
        
               | CodeCube wrote:
               | I suspect they just meant regular react
        
               | eugeniub wrote:
               | Ok, that's not how React works either. React is not a
               | "solution to package websites as applications".
        
               | 867-5309 wrote:
               | so what is the modern version of PhoneGap?
        
               | WorldMaker wrote:
               | Ionic Capacitor
        
         | doctoboggan wrote:
         | My understanding was that yes, if the user doesn't interact
         | with the site in 7 days then the stored data (in cookies and
         | localStorage) will be deleted.
        
         | koolba wrote:
         | It's the usual " _this is why we can't have nice things_ ".
         | Anything persistent will be turned into a tracking cookie. So
         | eventually everything becomes ephemeral.
        
       | osrec wrote:
       | Rather than wiping indexed DB data after 7 days, could you not
       | just make it an opt in thing, like the camera or mic? For
       | example, ask users "Allow myapp.com to store app related data on
       | your computer?". If they allow it, then give access to indexed DB
       | API. That way we can still have fully local PWAs.
        
       | Animats wrote:
       | I've had third party cookies blocked for years in Firefox. It
       | doesn't break much.
        
         | driverdan wrote:
         | Browsers should deprecate third party cookies and remove
         | support entirely.
        
           | cglong wrote:
           | Chromium has announced their intentions to do just this in
           | two years! https://blog.chromium.org/2020/01/building-more-
           | private-web-...
        
         | idoubtit wrote:
         | I've been blocking third party cookies since my Opera days. I
         | can't remember exactly when, but at least Opera 9 (2006).
         | Recently, I use the same capability of Vivaldi (Chromium
         | based).
         | 
         | The problem is that this blocking induces some failures which
         | are hard to diagnose. For instance, on the official site of my
         | city I can't use some pages because they loop on requiring my
         | authentication, since they use iframes with shared cookies. On
         | other sites, submitting a form will fail with no error
         | messages. I also remember a Python MOOC that failed with a
         | blank page because of this blocking. Fortunately, all of these
         | errors are uncommon.
        
         | distances wrote:
         | Exactly. I don't see why they should be allowed in the first
         | place. I also block first-party cookies and while that does
         | break more sites, it's still pretty manageable.
        
           | recursive wrote:
           | Do you use any sites which require any kind of
           | authentication?
        
             | distances wrote:
             | By "manageable" I mean I'll allow them for the sites that
             | need them. So yes, I do use sites with login.
        
             | bradly wrote:
             | Firefox users can turn on privacy.firstparty.isolate which
             | I believe will scope third party cookies to the top level
             | domain you are on. It is off by default, but I've been
             | using it for some time without issue (except very persistent
             | re-captcha).
        
           | chance_state wrote:
           | >I also block first-party cookies
           | 
           | This is the front loaded approach which can cause breakage. I
           | prefer the back loaded approach of using an extension like
           | Cookie Auto Delete or similar that deletes cookies once
           | you're away from a domain for a set amount of time (I think
           | mine is set to 2 minutes).
        
         | abrowne wrote:
         | It breaks Duo 2fa's "remember me for a week"... Which makes it
         | very annoying, at least at work.
        
       | tpush wrote:
       | I might be misremembering, but didn't Safari block third-party
       | cookies by default before all this tracking protection stuff
       | started?
        
       | fomojola wrote:
       | The 7-Day Cap on All Script-Writeable Storage is troublesome: if
       | I don't log into a computer for a week 'cause I'm on vacation
       | then you wipe my saved data? I have local storage based utilities
       | I've written that I sometimes don't touch for weeks, but whenever
       | I go back everything I put in there is STILL THERE.
       | 
       | Seems like a great way to drive less use of local browser storage
       | options and promote greater use of cloud storage solutions.
       | Cynical me says "YAY iCloud".
        
       | quotemstr wrote:
       | So much for the advertisement-powered web. Congratulations,
       | privacy people: you win. I hope the new web is everything you
       | hoped. If it isn't, you have only yourselves to blame. Enjoy the
       | paywalls.
        
         | layoutIfNeeded wrote:
         | Why would you need third-party cookies for advertisements?
        
           | vntok wrote:
           | Because managing advertisers and selling ad space is
           | extremely time-consuming or expensive to set up and maintain,
           | and most companies being SMBs they don't have the necessary
           | manpower to do so?
        
         | nydel wrote:
         | What do you think the new web is going to be? Sincere. Not sure
         | what you're talking about at all and would like to.
        
           | quotemstr wrote:
           | I think the new web will be one made up of closed off islands
           | that use strict paywalls to finance themselves. I also think
           | the _total_ amount of content will be lower and that the
           | remaining platforms will more heavily skew towards "safe"
           | guidelines.
        
         | function_seven wrote:
         | "So much for the _tracking_-advertisement-powered web"
         | 
         | I'm looking forward to it. Seriously. I know you're intending
         | to be facetious with this, but everything you listed sounds
         | good to me. Either charge for your service, or include ads that
         | don't follow me around the Internet.
         | 
         | Somehow advertising worked on radio, on TV, and in print
         | without correlating data about each viewer with all their other
         | habits. I see no reason why that can't be the same online.
        
           | lonelappde wrote:
           | Do you want 7 minutes of ads for every 23 minutes of web
           | browsing, like TV?
           | 
           | Did you not notice that print is dead?
        
             | function_seven wrote:
             | No. That's why I pay for Hulu and Netflix, and DVR other
             | content.
             | 
             | Print as a medium may be dead, but journalism is still
             | here. And it's possible to provide without invasive
             | tracking, just like it has been for centuries. The
             | transition from ink to pixels doesn't rely on analytics to
             | succeed.
        
               | _eht wrote:
               | You reckon Hulu, Netflix, et al, are just sitting on all
               | the user data you are giving them, totally respecting
               | it... definitely not monetizing from it? When was the last
               | time you read T&C?
        
               | function_seven wrote:
               | Yeah, I realized I'd see this reply as soon as I
               | submitted the comment. Of course they're selling my data.
               | I wish they didn't.
               | 
               | And to circle back to the original comment I replied to:
               | They don't _have_ to. A business can be run providing
               | entertainment without granular user tracking. HBO and
               | Showtime did it back when they were just add-ons to cable
               | packages.
               | 
               | What OG commenter was implying, is that the Internet will
               | be worse without 3rd-party cookies and tracking. I can't
               | disagree strongly enough.
        
         | smnthermes wrote:
         | Do you not think it's possible to use fingerprinting to track
         | users?
        
       | sebastien_bois wrote:
       | > Safari continues to pave the way for privacy on the web, this
       | time as the first mainstream browser to fully block third-party
       | cookies by default
       | 
       | Too bad Safari isn't my default browser anymore, ever since they
       | essentially killed it when they neutered extensions.
        
         | doctoboggan wrote:
         | I initially felt the same way, as I relied on ublock origin,
         | but the loss of that extension forced me to switch to pihole,
         | which I think is an overall better approach to ad blocking. It
         | works for all devices on your network, so you get ad blocking
         | on devices that you normally wouldn't like your smart tv and
         | the apple news app.
        
           | kodablah wrote:
           | Being DNS based, pi-hole cannot block specific paths of
           | otherwise-acceptable domains nor can it do any cosmetic
           | filtering. It is not necessarily a better approach for web
           | browsing.
        
           | bengale wrote:
           | I find wipr works really well.
        
       | etaioinshrdlu wrote:
       | Is there any legitimate reason Chrome doesn't follow suit other
       | than they like ad revenue? An answer from a Googler here would be
       | great. And a real answer, not corp-speak.
       | 
       | Blocking third party cookies seems like overall a good thing for
       | security. Security is good right?
       | 
       | Edit: 2 years is a long time to wait for a security improvement
       | that is literally flipping a switch.
        
         | jefftk wrote:
         | I'm a Googler who works in ads, speaking only for myself.
         | 
         | If Chrome blocked third party cookies today we'd see something
         | between these two outcomes:
         | 
         | a) Publishers lose about half their revenue because ads aren't
         | personalized anymore:
         | https://services.google.com/fh/files/misc/disabling_third-pa...
         | 
         | b) Advertisers figure out how to keep personalizing ads through
         | fingerprinting (non-cookie tracking)
         | 
         | Since (b) is worse than the status quo (users can't reset their
         | fingerprint) I think "a security improvement that is literally
         | flipping a switch" doesn't fit.
         | 
         | Chrome's approach (as described in
         | https://blog.chromium.org/2020/01/building-more-private-
         | web-...) is:
         | 
         | * Block fingerprinting
         | 
         | * Figure out how to let advertisers personalize in privacy
         | preserving ways (https://www.chromium.org/Home/chromium-
         | privacy/privacy-sandb... primarily FLoC and TURTLE-DOV)
         | 
         | * Then remove cookies
         | 
         | I'm skeptical about the approach, since I think blocking
         | fingerprinting and server-side correlation of requests is very
         | difficult, but I think the people working on this are very good
         | and have thought a lot more about it than I have.
        
           | driverdan wrote:
           | In other words the Chrome team doesn't care about users, it
           | cares about ads. If it put users first, as it should, third
           | party cookies would have been blocked a long time ago and
           | they would be working on blocking other fingerprinting
           | techniques now.
           | 
           | This is a great reason to not use Chrome.
        
             | jefftk wrote:
             | Users don't care about ads, but users care about the things
             | that ads fund. If publishers go out of business, users will
             | be worse off.
             | 
             | Do you think the browsers should block all ads by default?
        
               | tcd wrote:
               | The web shouldn't block ads, it should block JS entirely.
               | There should be a 'global' permission system (similar to
               | Android) that allows me to control exactly what
               | information websites are allowed to access from my
               | browser.
               | 
               | For example, I want to disable WebRTC as it can be used
               | to collect my IP address, or disable WebGPU APIs or
               | anything that can be used to finger print me.
               | 
               | JS has far, far, far too much broad access to information
               | that might seem mundane but can be used to profile a
               | user.
               | 
               | Android is the same - you can get the entire list of
               | installed packages on the system and various other pieces
               | of information to build a unique, persistable tracking
               | ID.
               | 
               | There's also a lack of accountability: What information
               | is being sent to what servers? I want a detailed JSON
               | formatted breakdown of EVERY single piece of data that is
               | being sent from my device.
               | 
               | I should be able to block anything that is outside my own
               | determined comfort zone.
               | 
               | But most OSes just make requests to US IPs without much
               | thought now - just turn on Windows 10 in a VM and watch
               | as it sends so many requests with no insight into the
               | data, which many companies (including Google) don't tell
               | you about.
               | 
               | Ask me about a recent GDPR request to Google which I just
               | got a generic response about (and they didn't action my
               | request to delete information, so now I need to complain
               | to the regulator because it was also late).
               | 
               | So yes, blocking ALL tracking by default is sensible.
        
               | HugoDaniel wrote:
               | Yes.
               | 
               | (i am a user; i don't presume to know what is best for
               | others; speaking as a user that talks to others like me;
               | i don't need to speak about 'users' as a third party
               | entity; i am a significant sample of the set)
        
               | vntok wrote:
               | Are you ready to pay every website you visit, then? With
               | actual money that you yourself own?
        
               | vanadium wrote:
               | Let's trot out the elephant in the room: Contextual
               | advertising is a thing, and I'm pretty sure that it would
               | be a hell of a lot smarter today than the first attempt
               | over a decade and some change ago.
               | 
               | But there are plenty of reasons ad companies wouldn't
               | want to bring that up openly. I didn't say justified
               | reasons, but there are reasons. For instance, all this
               | personalization and massive targeting (and rampant cookie
               | abuse) would go away, figuratively overnight in terms of
               | time scale. But it would also massively undermine an
               | industry that thrives on and can't get enough per-user
               | data and the vast ecosystem it supports.
               | 
               | Ironically, NY Times did/does that for EU visitors due to
               | GDPR a couple years ago and saw an increase in ad
               | interactions. But that's as far as that got in the
               | headlines.
        
               | HugoDaniel wrote:
               | As if ads is the only possible business model on the web.
               | 
               | At best the ad revenue is taking money away from other
               | web business models by instituting that kind of mentality
               | that drives people away from donations and paid accounts.
               | 
               | Please, consider a paid account/membership when you read
               | the guardian, the intercept, or look for the donation
               | page of quality content articles in wikipedia or any of
               | the loads of blogs written by authors with patreon
               | accounts.
        
               | smnthermes wrote:
               | Donations exist, LMAO.
        
               | jefftk wrote:
               | Why do you think Edge, Firefox, and Safari have chosen
               | not to block all ads by default?
        
               | HugoDaniel wrote:
               | Thus Spoke The Googler
        
               | 6gvONxR4sf7o wrote:
               | Maybe free newspapers go out, and free blog platforms go
               | out, but that means that physical local papers don't go
               | out of business and stop having to rely on clickbait.
               | Losing some things means gaining others.
        
           | etaioinshrdlu wrote:
           | The trouble is Apple shows this compromise is unnecessary.
           | They work hard to block fingerprinting (especially on iOS)
           | and it WORKS. iOS devices are mostly indistinguishable.
           | Notoriously impossible to fingerprint.
           | 
           | Granted desktop fingerprinting is more of a challenge due to
           | differing OS's, screens, GPUs for WebGL, etc. But it doesn't
           | seem impossible.
           | 
           | They have also blocked third party cookies for so many years.
           | The world did not catch on fire.
           | 
           | They use an advertising ID the user can reset.
        
         | msoad wrote:
         | Alex Russell and friends love to bash Safari for lack of PWA
         | support but are mute when it comes to things Google does to
         | Chrome that doesn't benefit (or ever harm) the user and only
         | benefit $GOOG.
        
         | twiceaday wrote:
         | January this year Chrome committed to phasing out third party
         | cookies by '22.
        
           | TwoBit wrote:
           | Long enough from now that we'll forget, in case they conclude
           | they can't do it without jeopardizing ad revenue.
        
       ___________________________________________________________________
       (page generated 2020-03-24 23:00 UTC)