[HN Gopher] Total Cookie Protection ___________________________________________________________________ Total Cookie Protection Author : todsacerdoti Score : 1088 points Date : 2021-02-23 14:11 UTC (8 hours ago) (HTM) web link (blog.mozilla.org) (TXT) w3m dump (blog.mozilla.org) | andrewmcwatters wrote: | They don't spell it out here, but I wonder if this means that | third-party embedded web software requires the Storage Access API | now. | | It's not particularly fun to implement. It's not hard, but the | heuristics are enough of a nudge that it can create weird | experiences for users. | | "I thought I already signed in, but after I navigate, I have to | click sign in again, and a window pops up and then I'm | automatically signed in? Why?" | | Edit: Yeah, seems so. | | https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Pri... | | See also: https://webkit.org/blog/8124/introducing-storage- | access-api/ | andrewmcwatters wrote: | There's a lot of comments in here about how it's bad that cookies | haven't always worked this way, but a significant amount of web | content to this day still requires third-party cookies to work. | And I'm not talking about cookies that are designed for analytics | purposes; the discussions here where concern is raised revolve | around simple things like logins breaking. | | For greenhorn web developers, you could say the same thing about | TLS certificates. Why weren't they always free? | | Well, another reason is because TLS (and formerly SSL) wasn't | (weren't) just about encryption, but about a "web of trust." | Encryption alone isn't trust. | | Many things about web technologies have changed over time; and | it's easy to say that any individual piece of functionality | should have worked this or that way all along, but the original | intent of many web features and how those features are used today | can be very different. | | One day industry standards may dictate that we don't even process | HTTPS requests in a way where the client's IP address is fully | exposed to the server. Someone along the way might decide that a | trusted agent should serve pages back on behalf of a client, for | all clients. | | After all, why should a third-party pixel.png request expose me | browsing another website?! How absurd. Don't you think? And yet, | we do it every day. | colinclerk wrote: | Great privacy-focused launch, Firefox! | | If anyone wants to see these protections in action, www.clerk.dev | leverages the Storage Access API in development mode - where we | need to share session data across localhost and a clerk-owned | domain. | | With this launch, developers are now prompted to explicitly allow | third-party cookie access in Firefox. | | (In production mode, the prompt isn't thrown because our cookies | are set in a first party context.) | MikusR wrote: | Does it also work with Google (company that pays hundreds of | millions to Mozilla) cookies? | pulse7 wrote: | Psssssst... don't talk loud about this... | oblio wrote: | It's open source, you can literally check it and drop (or | not) the tinfoil hat. | qwerty456127 wrote: | > Total Cookie Protection creates a separate cookie jar for each | website you visit. | | This should have always been the only way it worked. Every | website should run like if it was opened in a separate browser. | | > third-party login providers | | Don't use these, it's a trap. | cj wrote: | > Don't use these, it's a trap. | | Except if you're setting up SSO for your company's employees. | Using a 3rd party login provider is a necessity. You shouldn't | trust employees to create unique / strong passwords for every | individual service they login to. | Frondo wrote: | Or if you're setting up a SaaS application where some of your | customers will want integration with their own SSO. We don't | have developer time to spare implementing that sort of thing | but Auth0 lets us do it as one of its built-in integrations. | | It lets us offer SSO with whatever Auth0 supports as a | freebie add-on, instead of "well, we could work with your | platform but it's gonna cost you." | | I don't see how it's a trap, except that we have to pay auth0 | a monthly fee to handle our authentications instead of having | some number of hours a month spent maintaining and securing | our customers' logins and integrations. | sintaxi wrote: | I don't see why OAuth doesn't solve this problem for you. | randomsearch wrote: | Would a password manager solve that problem? | hellcow wrote: | If you can enforce that they use the password manager, it | solves that one problem. | | But SSO centralizes access management. For instance, with | one switch I can set password requirements, require 2FA, | and grant/revoke access to all of an employee's services | when they join the company or leave. | petre wrote: | I'm sure there are ways to use 2FA or OTP without | externalising access management to Facebook, Google or | another SSO provoder, unless you want to pick convenience | over privacy and security. | cratermoon wrote: | There are, but writing your own authn/authz is about as | wise as writing your own cipher. | https://www.schneier.com/crypto- | gram/archives/1998/1015.html... | petre wrote: | I'm talking about using a library like privacyID3A or | something else, not writing your own. | SilverRed wrote: | How do you enforce it over a bunch of 3rd party software | which either doesn't support 2FA or doesn't support | enforcing it? If they support SSO which they usually do, | its a non issue. | koheripbal wrote: | No because you want to be able to offboard/disable those | accounts without having to manually do it for each one. | adrr wrote: | SSO is more than password management. It is instant | provisioning and deprovisioning of users. Role management | and auditing. Enforcement of security standards like 2FA in | a central place. | samstave wrote: | Who is the best SSO provider? | | Where can I learn about best SSO practice/implementation? | comprev wrote: | I've used Okta to provide gateway access to physical | devices and AWS roles in the same deployment. Very | impressive when every endpoint and SaaS product is behind | a single 2FA login. | adrr wrote: | Okta is my favorite. One Login is cheaper but have never | used it. | yladiz wrote: | Not really relevant for the specific topic, but to be | more precise, SSO is only the sign on part. Usually the | provisioning/de-provisioning is handled by SCIM, which is | related but distinct. You have some SaaS products that | offer SSO but not SCIM, for example. | adrr wrote: | Curious what IDP service doesn't provide SCIM and just | SSO. Doesn't SAML 2.0 have SCIM support? | yladiz wrote: | Sorry, I should have been more clear. When I typed SaaS | products I meant more about a non-IDP product. They might | support SSO but not SCIM-based account provisioning, | especially if it's in-house auth (not using something | like Auth0). I worked on a product that supported SSO but | not SCIM for a long time and not all SCIM features were | supported. | folbec wrote: | Not really, at scale. | | SSO is a must in any big organisation, there are tens or | hundred of applications. | | People are incredibly and consistently bad with security. | You really need a way to be able to cancel all accesses in | one swoop for any individual. | foepys wrote: | Not only that. As a user it's incredibly frustrating | entering a password 5 or more times each morning. This | results in users using extremely weak passwords. | | The same is true for forcing users to reset their | password every 50 days or so, by the way. This outdated | password guideline doesn't seem to die. I know way to | many cases where people are using a weak base password | with a number attached to it because they got sick of | trying to remember a new password every month. | baq wrote: | > The same is true for forcing users to reset their | password every 50 days or so, by the way. This outdated | password guideline doesn't seem to die. I know way to | many cases where people are using a weak base password | with a number attached to it because they got sick of | trying to remember a new password every month. | | there are people who actually invent a new password every | time instead of cycling numbers? | | also, change password a few times until history is | flushed and switch back to the same password you started | with is a thing. | amitparikh wrote: | For what it's worth, I find third-party logins (e.g. Spotify | via Facebook) to be a nice convenience feature that I use quite | often. | randomsearch wrote: | a good password manager beats this hands down, for | convenience, privacy, and security. | cakoose wrote: | I use 1Password (and the browser extension) for all my | passwords, but I still choose "Sign-in with Google" when | that's an option. | | The "Sign-in with Google" button is makes it much quicker | to create an account and slightly quicker to log in. | | Also, I can rely on my Google 2FA rather than setting up | and filling in a different TOTP for each site. Something | like U2F or WebAuthn would make the filling-in part more | convenient, but even sites that offer 2FA usually don't | offer those. (And many sites don't even offer 2FA.) | | Using 1Password's 2FA feature would make TOTP more | convenient, but I'm a little nervous about putting 2FA in | 1Password. This might be overly-conservative thinking, | though. | mNovak wrote: | I agree it can be super convenient, though 'Sign in with | Google' is totally broken for me, because I've | accumulated a handful of google accounts. | | Every time I log in to a service, I have to guess which | account it's associated with (bearing in mind I may have | signed up years ago). And if I'm wrong, half the time it | immediately attempts to create a new account, and then | I'm stuck with a bunch of empty dummy accounts on various | services. | cortesoft wrote: | It doesn't for corporate usage... having to create accounts | for every new employee on every service you use, and then | remove those accounts when someone leaves is not scalable. | Having SSO is needed. | woodrowbarlow wrote: | i don't think anyone would deny that third party logins are | convenient -- either from the user perspective or from the | developer perspective. but they are also a huge vector for | privacy-invasive ad-profiling, if that's the login provider's | business model. | saddlerustle wrote: | I'd bet for the average user privacy impact of tracking is | much less significant that the privacy impact of constant | account compromises. | woodrowbarlow wrote: | that is true, but that is virtually always because of | password re-use. if you use a password manager and | randomly-generated passwords unique to each service, this | is almost entirely mitigated. | | with a single third party login for all services, though, | if that third party account gets compromised the results | are catastrophic. | haberman wrote: | > with a single third party login for all services, | though, if that third party account gets compromised the | results are catastrophic. | | The same can be said of the password manager account. | It's turtles all the way down. | | The fact that we rely on users to not reuse passwords, | the fact that using a password manager is all but | required to get reasonable security despite being far | from convenient, these indicate a major failure to serve | the actual needs of users, in my view. | | Users have head space for 1-3 strong passwords. They can | tolerate carrying maybe 1 security token with them. They | can tolerate a little bit of security setup when using a | new device for the first time, and they can tolerate a | touch or fingerprint scan at authentication time. All | authentication systems can and should operate within | these parameters. | | No web site or app outside of an authentication provider | should ever present a user a screen asking them to pick a | strong password that they have never used before. That is | asking a user to do something that the human brain cannot | reasonably do for 99% of the population. At best, a | browser or password manager will intervene at that point | and pick the password for them. At worst, the user | ignores the warning and picks the same password they use | for everything else. | stiray wrote: | > The same can be said of the password manager account. | It's turtles all the way down. | | What password manager account, what are you talking | about? There is never any password manager account, yes, | I have heard that some weird people are synchronizing | their passwords to some strange 3rd party services but | those don't matter. You have one password. Encryption | password for login database and that one is local and | never transmitted over the internet. If you know a | password manager that provides this decryption password | to their servers, please open the topic here and they | will be bashed to hell for this. | | I am a tad more strange, my password manager is | synchronized with my sftp server using private key and I | am not only randomizing the passwords for each site but | also the email address (imagine sha(user+salt) + | delimiter + sha(domain + master password)@mydomain.com). | And I will never in my life use any SSO as they are | mostly spyware designed for tracking users across the | sites and certainly not for what they are advertised for. | They will break with firefox latest addition? FINE! At | least people will stop using them. | | One thing are companies self hosted SSOs. Sure, I can | trust those for company services. For anything else, like | "login with google" or "login with facebook"? Yeah right, | my hearth is jumping out of joy and barely waits to use | it. It actually works in reverse, if you dont allow me to | register using non SSO account (email, password) I wont | use your service/webpage/whatever. | xyzal wrote: | With all respect, did you think of the consequences of you | losing access to your login account? | vntok wrote: | This is a feature in corporate contexts. | llarsson wrote: | > Don't use [third-party login providers], it's a trap. | | Pretty hard to avoid in many cases. Logging in to your | Microsoft account for Office (Teams, Outlook, et al.) uses a | login service, as does Google, and practically all services | that span across multiple domains. Which includes all of the | major ones, at this point. | | Good that Firefox gives us this option, given how the web has | evolved! | sudosysgen wrote: | I have no choice but to. The school services I must use are all | tied into O365. | DavideNL wrote: | >> Total Cookie Protection creates a separate cookie jar for | each website you visit. | | > This should have always been the only way it worked. Every | website should run like if it was opened in a separate browser. | | FYI: Extension "Temporary Containers" does this: | https://addons.mozilla.org/en-US/firefox/addon/temporary-con... | jackewiehose wrote: | And what about fingerprinting? What is this good for if you can | be tracked so easily anyway? | | At least cookies give you some control. The alternative seems | worse. | MR4D wrote: | I've heard the whole name for this is Total Cookie | Protection/Identity Protection, or TCP/IP for short. | | /j | stylemilzy111 wrote: | I wan't to connect my account but I can't do it i don't have the | screen to tap the verificator code of apple I'd help me | anotheryou wrote: | It's the same thing chrome wants to roll out, right? | | Doesn't this push advertisers towards fingerprinting which we | absolutely don't have any good countermeasures against yet? | flerchin wrote: | Don't we? We can reduce the amount of info that the browser | provides. Done. | anotheryou wrote: | Not sure, how does the tor browser score in these | fingerprinting tests? | | Looked like you loose quite a bit of functionality. Would be | nice to have tor-browser like safety and a permission for | "use advanced browser stuff that might enable fingerprinting" | so you can trust certain sites where you need it. | | edit: watching this now :) | tannhaeuser wrote: | Wondering if we can get our sane olde Web back by piecemeal | subtraction of all the stuff of the 2010's, and starting over. | Makes browsers much simpler, too. | andrewmcwatters wrote: | There's an opportunity for this to happen by taking some time | to just read through CSS 2.1 and implement the renderer. So | much of the web is driven by that portion of spec alone. Then, | you could tack on whatever other programming language you | wanted to play around with. It doesn't even necessarily have to | be JavaScript. | | Most people don't even succeed implementing CSS 2.1, though. It | takes a non-neglible amount of time. | [deleted] | AbuAssar wrote: | _Total Cookie Protection creates a separate cookie jar for each | website you visit._ | | why this is not the default behavior already? | SamWhited wrote: | Because it breaks a lot of things like SSO providers (although | I completely agree with you, screw that, make it the default | and add exceptions as necessary like Mozilla is doing now). | ratherbefuddled wrote: | I've had third party cookies completely disabled for years, | and first party cookies only allowed by exception. It works | fine on everything I use except for whatever it was Atlassian | were (are?) doing with their very odd collection of about two | dozen domains they round tripped through on authentication. | | To be honest though, browser fingerprinting makes this mostly | irrelevant unless you carefully use a script blocker with a | whitelist too. Any domain that includes trackers that drop | third party cookies almost certainly includes scripts that | can fingerprint you and send results to a server without | using a third party cookie. | dastx wrote: | Weirdly for me Atlassian doesn't work when I have the spoof | referrer enabled in about:config. Like why does referrer, a | property that is a header, define whether my login is valid | or not? | roywiggins wrote: | I had the same problem and tracked it down to uMatrix's | quite reasonable spoof-referrer default, which breaks | _nothing else_. Just Atlassian 's sign-in, which seems to | bounce you around to several domains before it lets you | in. | codezero wrote: | This is just my hunch as I work in analytics and deal with | cookies a lot but both Salesforce and Atlassian appear to | intentionally trade off the third party inconvenience | because their products are enterprise (you have to log in | for work) and they rely on upsell/cross sell across their | products which they host on different top level domains. So | forcing the third party cookie helps immensely with their | sales and retention, and doesn't hurt usage because it's | often required for work and if you need to work around it, | you usually can find a way if you are so inclined. | | If they had used the same domain for their products | historically and just separate subdomains they wouldn't | have to make this trade off, but it probably also helps | with third-party ad networks/segmentation to get folks to | turn it on anyways. | stilisstuk wrote: | (A bit of OT)... which is why I am considering SPAs to be | complicit in 'evilness'. All these webpages that require js | for no real reason is generally making the web insecure and | implicitly hostile and difficulty to navigate. Very few | have the mental overhead to evaluate each site, so most | just let any page do what ever it wants. Tracking and | miners be damned. | zxcvbn4038 wrote: | Not a huge loss, if you depend on federated logins its just a | matter of time until Google or Facebook's algorithms decide | to ban your account without explanation or recourse and then | how do your users access your site? All you'll be able to do | is try to shame the companies on social media and hope enough | people are outraged that the company takes notice. | LinuxBender wrote: | Could a site fix this by delegating a subdomain or CNAME to | the SSO provider like sso-company.example.com so that the | cookie is still using the same domain, but pointing the IP to | the SSO provider? Assuming the SSO provider supports this, | that is. I believe OKTA supports this method. | ficklepickle wrote: | I regularly use nginx to reverse proxy third-party API | calls. I use it to protect API keys. | | In my case, I strip all cookies and sensitive headers. One | must keep in mind that the browser will treat it as a | first-party request and the security implications that has. | You may have to filter or modify cookies/headers. | | https://jeremypoole.ca/posts/protecting_api_keys_on_the_fro | n... | cratermoon wrote: | That is the preferred solution if you're using cookies | across a company. | hinkley wrote: | I mean effectively today hardware you or your boss owns is | doing most of the work of tracking yourself. | | This is making them have to allocate resources to achieve | the same effect. Like taking lojack off of your car and | phone, and making 'Them' have to tail you and scour | security footage like in the old days. It's more expensive. | Expensive things do not scale, so you have to prioritize | who is worth the cost. People who are under legitimate | suspicion of causing harm. Less 'by-catch' to use a | commercial fishing concept. | | When it's cheap to harass everyone, nobody is 'safe'. But | when terrorists can't be tracked at all, nobody is 'safe' | either. So we have checks and balances. | lancesells wrote: | I believe so. That is what ad tech companies are now doing | to get past the improved privacy measures. | merb wrote: | well sso providers would still work, if it was made | correctly? sso works without cookies. if I implement google | sso I would not login via the google supercookie | wdb wrote: | Most seem to require a cookie to the pin the session or to | match the passed state | merb wrote: | there is a state parameter? so If I want to have a cookie | that passes stuff, I can just store my stuff inside a | cookie and pass the stuff inside the state param, there | are so many possibilites via openid (which is super | easy), I do not know how saml2 works, which might be | different tough. | wdb wrote: | yes, but the solutions I have seen they seem to store the | state also in a cookie and then check against it on the | redirect that it didn't change | worstenbrood wrote: | saml also has a relaystate parameter | hinkley wrote: | I know of a token system that some questionable engineers | started pushing session state into and since it shipped | before anyone noticed, walking that back turned out to be | quite a chore. What was supposed to be a couple hundred | byte cookie started hitting max cookie length warnings in | other parts of the system. | | When people need to keep a door open, if they don't see a | doorstop in the immediate vicinity after two seconds of | looking, some will just use whatever heavy object that is | closest and consider the problem 'solved' instead of | managed. | | I needed data, I didn't know where to put it, this thing | can give me data, boom, solved. | andor wrote: | At least based on my usage, it breaks very few sites. | | SSO via OAuth still works fine, because OAuth uses redirects | instead of cookies. | koolba wrote: | Not only does redirect based login work, it's an inherently | better model than sharing cookies. | | With shared cookies nothing stops site A from taking a copy | of your cookie and using it to impersonate you on site B. | With redirect based login the identity provider has to | authorize each application that is being accessed and each | site has its own session cookies. | | The main problem is dealing with globally revoking access | but that's usually solved with shorter termed session | cookies that periodically need to be refreshed from the | identity provider. | adrr wrote: | Site A can't access 3rd party cookies. Cookies only can | be accessed by the domain they are created on. Otherwise | any site could toss a 1x1 image pointing to any website | and steal the cookies. | sodality2 wrote: | Disabling cross site cookies breaks many sites. | marshmallow_12 wrote: | why? | sodality2 wrote: | Good question. third party login sites mostly don't keep me | logged in, kick me out, doesn't let me log in, etc. | kiwijamo wrote: | Give us some real concrete examples. This does not match | my experience at all so I'm dubious. | sodality2 wrote: | I have trouble with google login (url must be copied into | a google tab) and oracle cloud loses my tenancy home | region every few minutes | (https://i.imgur.com/ZCsepq3.png). Several other examples | like LMS's that use O365 to log in must be manually | logged in every time | driverdan wrote: | No it does not. I've had 3rd party cookies disabled for as | long as I can remember. I've found less than five sites that | had issues. | sodality2 wrote: | I guess we use different sites then. I should specify I | mean it doesn't keep me logged in. I consider this breaking | because if I click a link to that site, it loses the | original context once logged in. | adrr wrote: | It's going to break all 3rd party social layer providers. | Most news sites don't have native comments and rely on a | 3rd party like a Disqus. Login in state is stored as a | cookie. It also going to break all the openID stuff that is | heavily used in organizations like Walmart. OpenID is all | based around cookies. I remember having to rebuild our | provider when Safari released an update that you can't set | 3rd party cookies without user interaction. | kreeben wrote: | >> It's going to break all 3rd party social layer | providers | | Good. Disqus had it too easy. | | >> It also going to break [..] | | Good. They had it too easy. | | I'm absolutely loving the fact that my switch to Firefox | is paying off. Finally! | adrr wrote: | That type of attitude toward the millions of users that | use discus just shows why Firefox is a dying browser with | ever decreasing install base. Funding will keep | decreasing as it is tied to search engine deals which is | based in active users. | kreeben wrote: | Anything that shields me to some extent from the "grab | money fast, before anyone notices we're fucking them | over" companies out there is a champion, as far as I'm | concerned. | aczerepinski wrote: | What did you do instead? Redirects? | enriquto wrote: | sounds like a desirable feature to me | sodality2 wrote: | Agreed, that's why I use it! | candiddevmike wrote: | It's a shame because local storage and friends aren't quite | as secure (no way to block all JS from accessing it like you | can with cookies). | mvolfik wrote: | What would be the point of localstorage if JS couldn't | access it? Cookies can be set and get via http headers, but | is localstorage available by other means than JS? | ficklepickle wrote: | No, it is only accessible from JS. Parent comment does | not make sense. | | By that logic, we should turn off our computers to | improve security. | gruez wrote: | Is this really an issue? If the attacker has XSS on your | site you're already screwed because they can manipulate the | DOM to simulate user actions. | staticassertion wrote: | It means they can't exfiltrate the cookie, which I think | is a pretty nice win, even if they can still perform | requests to the domain with that cookie. | | For one thing it means they're locked to my session. | isbvhodnvemrwvn wrote: | How would they steal HTTP-only cookies this way? | minitech wrote: | They wouldn't steal the cookie, they'd just have the | script send the requests as the user directly. | abdullahkhalids wrote: | The only sites that really break are organizational websites, | which you can whitelist anyway. | arbitrage wrote: | People have been asking that question for twenty-five years. | NikolaeVarius wrote: | No one but idiots like me wants to figure out how to unbreak | every other site they go to. | happymellon wrote: | What sites does it break for you? | atomicson wrote: | Why now? I guess the guys at Mozilla already found another | sophisticated way to track their users. Please don't believe what | they said. Some clever guys out there could inject a unique | identification number to your established tcp/ip connection. Game | over! | urza wrote: | This should have always been the only way it worked. Plus it | should be easier to create white lists of allowed websites and | all other cookies delete with every broswer restart. I know it is | possible with Firefox but you need to add websites to whitelist | manually in deep settings. At least there are some extensions | that make it easier, like CookieAutoDelete | https://addons.mozilla.org/en-US/firefox/addon/cookie-autode... | deugtniet wrote: | Mozilla is really fighting the good fight for the users privacy. | I've been using Firefox for as long as I can remember, even when | there were faster and more fancy alternatives available. Their | ideology and service to the user is what makes me loyal to them | pastrami_panda wrote: | > even when there were faster and more fancy alternatives | available | | This seems to indicates there's not faster alternatives around | anymore, but the last time I tried FF (4-6 months ago) I | couldn't make the transition because the lag was pretty obvious | when coming from Chrome based browsers. Is this not the case | anymore? | DangerousPie wrote: | I use Firefox and Chrome at the same time and I don't really | notice any difference. Maybe a bit for Google apps (Hangouts, | Docs, Meet, etc) but I just see that as a symptom of Google's | attempts at using their market dominance to harm competitors, | which makes me want to use Firefox even more. | samstave wrote: | What is your opinion of Brave Browser. | | I use Brave + Ublock exclusively. | DangerousPie wrote: | I haven't tried Brave, never understood the point of it. | What does Brave + uBlock offer you that Firefox + uBlock | doesn't? | jk7tarYZAQNpTQa wrote: | It seems to me that Google is always trying to make their | products run much slower on browsers that aren't Chrome. | cratermoon wrote: | It's unlikely they put any effort into intentionally make | them run slower, it's just that they are written to work | optimally on Chrome and minor differences in the behavior | of things like the V8 vs. SpiderMonkey and Blink vs | Gecko. Given that each one is written with different | tradeoffs, it's not surprising things perform | differently. | | Whether or not the Google programmers use specific | proprietary knowledge about the behavior of Chrome to | optimize performance is different. If they do, that would | be similar to the things that got Microsoft in trouble. | clankyclanker wrote: | I'd agree with you, except for Google's long and sordid | history of doing exactly that, time and time again (found | with a 30-second search): | | https://tech.co/news/google-slowed-youtube-firefox- | edge-2019... | | https://www.techspot.com/news/79672-google-accused- | sabotagin... | | https://www.zdnet.com/article/former-mozilla-exec-google- | has... | | Google knows that every time they release a Firefox bug, | FF's user percentage goes down a tiny bit. Repeat over | dozens of bugs, for years, and you have a strategy. | | There's one blog post from another Mozillian that I can't | find anywhere that came out within the last year with | other examples, I think it was on HN. | ficklepickle wrote: | I read that post. It was enough to convince me of malice | at the time. I don't have the link though. | bscphil wrote: | > There's one blog post from another Mozillian that I | can't find anywhere | | You are looking for https://web.archive.org/web/201807281 | 22724if_/https://twitte... | ptato wrote: | How much faster is it for you guys? I legitimately can not | tell the difference. | tempest_ wrote: | I find them to be close enough to imperceptible for just | normal html and css etc. | | The stumbling block for me as FireFox user is I am | increasingly bumping into web apps that preform poorly in | FF but are fine in Chrome for one reason or another. One | instance I bump into a lot is ElasticSearches Kibana runs | like trash in FF for some reason. | StavrosK wrote: | It sounds like the old "nobody uses Firefox because | nobody tests on Firefox because nobody uses Firefox" | vicious cycle, unfortunately. | cortesoft wrote: | I am guessing performance differences might be masked by | good hardware? Sometimes performance differences don't show | up until you use an underpowered machine. | foerbert wrote: | I don't think it's just that. I have a half-dead | Chromebook with linux, and I use Firefox on it. Some | years back I ran Chrome on it because it worked better, | but at some point I started seeing issues with Chrome and | tried Firefox again. I've been using Firefox since. | bartvk wrote: | Did you see lag on all websites? Or in specific instances? | Which platform and on what kind of hardware? | Abishek_Muthian wrote: | It also depends upon the operating system among several other | variables, | | I didn't find noticeable difference between FF and Chrome | based browsers(Vivaldi, Edge) on macOS(although Safari runs | circles around them) after using them extensively. I used | each of them for a separate project with several common | websites loaded in them, there were different quirks for each | browser(especially reg tab hibernation) but latency was not | one of them. | | On Linux FF seems definitely faster than Chromium, although | there are occasional DNS errors which stops loading the web | pages altogether(likely result of my own doing). I've stopped | having different browsers for different projects and just use | FF for all. | | On Android with Chrome, not just Chrome but even WebView | using it is astonishingly fast(e.g. DDG browser), I presume | it's because of data saver feature. On de-googled android | like LineageOS, FF/Fennec seems to be on same level as | Chromium and DDG is faster here as well. | | On iOS, everything is Safari. | | I don't use Windows much, but I've seen others mentioning | Edge seems to be faster than Chrome recently. | [deleted] | moritonal wrote: | No. I still use Firefox, but when I use Edge or Chrome it | hurts a bit just how much snappier they are. | hiq wrote: | Did you have ublock origin installed on Firefox? | | I feel that most people complaining about slow browsers have | no blocker installed. | kiwijamo wrote: | Interesting, I have uBlock Origin and indeed I can't tell | the difference between Chrome and Firefox. | sodality2 wrote: | My CPU immediately pumps to 100% usage after opening google | docs. Granted, it's on my old laptop, but I can use | electron apps and they run far _better_ than gdocs. | Sohcahtoa82 wrote: | I switched from Chrome to Firefox about a year and a half | ago. Chrome definitely felt more snappy, but the difference | wasn't that much. | | Except on Facebook. My Facebook tab is incredibly laggy, and | gets more and more laggy the longer I leave it open. I'm one | of those users that tends to keep 50+ tabs open, and I have | to close and reopen the Facebook tab at least once a day to | keep it from becoming a nearly frozen mess. Even then, if a | video is playing and I click it to make it fill the window, | it takes several seconds for it to happen. And with an | i9-9900K, 32 GB of RAM, RTX 3080, and a 1 TB NVMe drive, my | computer is definitely no slouch. | mFixman wrote: | I think this might be more about perception than anything | else. | | I've used Firefox since 2006, and Chrome always seemed | heavier, laggier and uglier. Maybe it's the snappy iOS-like | animation when you scroll to the bottom of the page that | makes it seem snappier? | jan_g wrote: | It's not imaginary - for years Firefox drained battery on | macbooks really fast. Then there is this pesky issue of | randomly freezing whole laptop for a minute or so, usually | associated with file uploads or locking screen [1], [2], | [3], ... Fixed in one version, then appears again in the | next version. | | I still used Firefox a lot for various reasons (and still | do), but I'm not blind to how it performed. | | [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1595998 | [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1415923 | [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1489785 | Sodman wrote: | Firefox is fine and quick as long as you don't need to use | any heavy Google apps. Some people might even consider this a | plus. For me, between work and personal use I'm effectively | married to Gmail, Google Calendar, Google Docs, and Google | Hangouts. Unfortunately that makes Firefox a non-starter for | me. Not to mention Firefox's privacy settings trigger | countless reCAPTCHA gates across most of GSuite. I get that | this is not Firefox's "fault" and it's done intentionally by | Google, but as a user it becomes my problem. | | I really want Firefox to work for me and I'd love to drop | Chrome, but last time FF made big noise about performance | improvements I tried it out and Gmail was still unusably | slow. | neogodless wrote: | I use Google Calendar and Google Docs without any issues in | Firefox. I agree Gmail is coded terribly and do not use the | web site! I stick to using Thunderbird on the computer, and | checking email on my phone. Have not been using Hangouts | for a couple years, though. | | For me, the way Google is keeping Gmail terrible for other | browsers is exactly the reason to _not use Chrome_. No way | I 'm OK with that. | koningrobot wrote: | I switched back to Firefox last week and I had the same | experience -- Google apps and Slack were dog slow. But | after a day or so they were working fine, I imagine it's a | matter of populating the cache. YMMV. | chociej wrote: | Have not ever noticed any performance problems using FF for | Google products, personally. Works great. | jakemal wrote: | FWIW I use all of those apps on a daily basis with Firefox | and have not noticed any performance issues. It may be | worth giving it another try if you haven't in a while. | kiwijamo wrote: | Indeed. Hangouts is one I find works better in Firefox | even! But I observe it seems to vary. Perhaps Intel Macs | has some quirks that makes it more peformant and reliable | in Firefox. | hojjat12000 wrote: | I switched to FF when Quantum came out. I use it | exclusively. Not because I hate Chrome, but because I don't | see any need for chrome. Once in a while I see a website | that forces me to use something other than FF. But it | happens rarely, and it is mostly some webgl-based under- | development demo website. | | I even use it on my phone. The mobile version is definitely | worse than Chrome, but it has plugins (or it used to! | nowadays it only support a few popular ones which is a | shame) and also I can send tabs from my phone to my | computer (which is a better place to read articles | anyways). | Nextgrid wrote: | Keep in mind that Firefox opens their website on first run and | on every update and that includes Google Analytics. | | I find the majority of their privacy claims dubious and | dangerously misleading for those that don't know any better. If | they were serious about privacy they'd offer uBlock Origin (or | equivalent functionality) preinstalled by default. | | Their current countermeasures such as containers, tracking | protection and this cookie thing is trivial to bypass with | browser fingerprinting and IP address tracking if you have a | global view of the Internet (which Facebook and Google do | have). | chungy wrote: | > Keep in mind that Firefox opens their website [...] on | every update | | I haven't experienced this since the rapid release schedule | started. They're pretty silent now. | igobyterry wrote: | Not only that, but Firefox for US users will track what | websites you visit to target their discover campaign content. | | https://discover.buysellads.com/firefox-new-tab | cpeterso wrote: | From Mozilla's Firefox New Tab FAQ: | | "neither Mozilla nor Pocket ever receives a copy of your | browser history. When personalization does occur, | recommendations rely on a process of story sorting and | filtering that happens locally in your personal copy of | Firefox." | | https://help.getpocket.com/article/1142-firefox-new-tab- | reco... | godshatter wrote: | I modified the settings long ago to come up with a blank tab | on startup. I use NoScript and do not allow google analytics | through. No facebook domains make it through NoScript as far | as javascript is concerned, very few google ones do. | | I get you about the updates. It's a risk-reward ratio I | accept because firefox + noscript + always starting in a | private session is way more helpful than the update problem | is harmful. Using a VPN a lot of the time helps, too. There | is no solution I know of that is perfect. My threat model is | pretty relaxed, though, so what I do is mostly for my peace | of mind. You have reminded me that I should start spoofing my | user agent again. | koheripbal wrote: | What do you think of enabling letterboxing, uBlock, and DoH | to prevent fingerprinting? | | Are there any other config changes you would recommend to | Firefox to harden it? | behnamoh wrote: | I've noticed that Firefox has become even snappier than Chrome. | | One big advantage is that I now have way more addons installed | on Firefox that would otherwise make Chrome utterly slow and | unusable. | FlashBlaze wrote: | I have tried regular as well as the developer version of | Firefox, but no matter what I use, YouTube videos always skip | frames after every 10-15 seconds or so. So I use Brave for | YouTube and other WebGL heavy stuff and Firefox developer | version for daily browsing. | kiwijamo wrote: | That sounds very strange. Certainly don't see that in | Firefox on Mac (work laptop) and both Linux and Windows | (personal laptop). Try adding the h.264 extension. That | forces YouTube to provide h.264 videos which is hardware | accelerated on pretty much any hardware. | behnamoh wrote: | Adding that extension disables 4k video on YouTube. | hojjat12000 wrote: | I don't know if you're on Linux. But I had issues with | Youtube as well. Two things helped me an updated graphics | driver and Wayland. | deagle50 wrote: | Amazing, thank you. Does this also isolate cache, IndexDB, | LocalStorage, plugin data, and service workers? | tuxone wrote: | Http cached assets are already isolated as part of Firefox | First-Party Isolation. | njdullea wrote: | I thought TCP was a pretty common thing? | njdullea wrote: | It's official: hacker news has no sense of humor | IMTDb wrote: | Great ! Can we now remove all these cookie banners that have been | plaguing the web since a pencil pusher in the EU thought it would | a great idea to force every single website to display an annoying | popup. | jefftk wrote: | This change is about blocking third-party cookies, while cookie | banners also include notification around first party cookies. | | For example, first-party cookies used to implement analytics | are included. See | https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi... | SamuelAdams wrote: | https://www.i-dont-care-about-cookies.eu/ | kleiba wrote: | The better way to do this would be if you could configure your | preferences once and for all in the client which then | transparently communicates it to the website providers. | tcit wrote: | The DoNotTrack header didn't work. | kleiba wrote: | But there is a difference between a volunteer action by | some browser developers, and the law. I think the bigger | problem is that there are different policies in place in | different legislation, so it would be very challenging to | implement something that satisfies the needs. | jx47 wrote: | These banners are there to fool you into accepting all cookies. | They are basically a dark pattern at this point. The GDPR and | the so called cookie law state that strictly functional cookies | have implicit consent by the visitor. Even selfhosted tracking | via cookies is considered functional. The GDPR/cookie law also | does not enforce those banners. They only state that the user | has to consent to every form of tracking. | | So every time you see one of these huge banners it is the | deliberate effort by the website owner to trick you into | accepting the tracking. | | https://gdpr.eu/cookies/ | marshray wrote: | Nobody wants to argue with GDPR regulators which cookies are | "strictly necessary" and they certainly don't want to pay | lawyers to review the purpose and use of every cookie. | | It's not a trick, it's just that the easiest path for all | sites to comply is to obtain blanket consent for everything. | | Classic perverse incentive. | belorn wrote: | Simple, make a law that makes consent via banners invalid. | thitcanh wrote: | I just imagined that video of a cat in zero-gravity | Nextgrid wrote: | Spoiler alert: we have that law. The GDPR as it stands | outlaws annoying/misleading consent banners. | | Next step: fire the incompetent people staffing the various | data protection agencies and replace them with someone that | would actually enforce said law. | andrewmcwatters wrote: | This is guaranteed to break old software out there. Not in a | minor way, but in a large amount of billable work type of way. | | This is almost the type of change in a browser that should | require browser vendors to start providing a backwards | compatibility mode. | metalliqaz wrote: | more good stuff from Firefox. I'd be more excited if so many of | the sites I visit didn't break on a non-Chromium browser. | falcolas wrote: | Sigh. Yeah. | | My company only officially supports Chrome. Why? Because most | users only browse via chrome. Why? Because my company only | officially supports chrome... | nerdponx wrote: | I just hope Mozilla Corp doesn't do any further harm to Mozilla | Foundation and Firefox keeps getting better. | heywire wrote: | Do you have any good examples of sites that don't work on | Firefox? I hear this a lot, but I don't seem to experience it. | I exclusively use Firefox on the desktop, while I use Safari on | mobile. | metalliqaz wrote: | most of the time the sites "work". Issues are usually in one | of two categories: (1) bad/ugly layout, (2) failure to login | properly. Occasionally, web apps for smaller organizations | will just stop me at the door due to my User Agent string. | Nextgrid wrote: | Is there a reason why uBlock Origin is still not included in the | browser? In this day and age, you can't have privacy online | without it, and claiming otherwise is misleading at best and | maliciously deceptive at worst. | Jerry2 wrote: | > _Is there a reason why uBlock Origin is still not included in | the browser?_ | | Once you look into where Mozilla gets their money from, you'll | find millions of reasons. | | And in the past, Mozilla has stated that bundling ad blocking | with the browser would 'hurt the Internet'. | hertzrat wrote: | Maliciously deceptive is pretty strong wording | Nextgrid wrote: | I'd argue that this is justified when it comes to misleading | non-technical users about their privacy. | | Mozilla plasters the word "privacy" everywhere and yet opens | their own website on first run and after every update which | includes Google Analytics, from the same company that's known | to violate people's privacy on a large scale and profit from | it. | | Browser fingerprinting and IP-based tracking is reliable | enough that blocking cookies is absolutely useless in this | day and age against an omnipresent adversary such as Google & | Facebook. Blocking their request uBlock Origin-style is the | only way to go and claiming to protect your privacy otherwise | is very misleading. | SilverRed wrote: | They may find that websites, along with their adblock blockers, | will just add the firefox useragent to the block list. | Wxc2jjJmST9XWWL wrote: | Not affiliated with Mozilla, nor do I know, but my thoughts: | | A quick check reveals that while ublock origin seems to be the | most popular, it's by far not the only popular add-on to block | ads https://addons.mozilla.org/en-US/firefox/search/?q=adblock | ; so why include ublock origin specifically? Especially since | it has become much more than a simple adblocker (script | blocking capabilities for example), why not something else? Why | not integrate an ad-blocker developed completely by mozilla? | | Why not include NoScript + Containers by default? And some | UserAgent Switch capability? And more fine grained cookie | storage options (currently available via add-ons), et cetera? | | When you start integrating capabilities currently being offered | by add-ons, the questions are : | | - where to stop | | - how to discriminate what to include, what not | | - how will users and developers feel (for example the user who | wants to use his favorite add-on, which now is not developed | anymore because almost no one bothers to install it since | functionality X has become part of the browser) | | - how to deal with edge cases (the one site which breaks | because of ad-block is the reason a non-technical person might | simply install chrome and move on with their life) | | - is the increasing complexity worth it? to what degree is it? | Nextgrid wrote: | > why include ublock origin specifically | | A lot of the other ad blocking extensions are malicious and | collude with the advertising industry through some kind of | whitelist program. Their license might also not be permissive | enough to allow this. | | > Why not include NoScript + Containers by default? | | NoScript requires lots of manual intervention, uBlock Origin | with the default lists is still seamless and rarely causes | breakage thus very little need for manual intervention. | | I am not convinced that Containers does anything at all. | Browser fingerprinting & IP address tracking defeats it very | easily. | | > And some UserAgent Switch capability | | This is absolutely needed and I'm baffled this isn't offered | natively, though this would be less for privacy and more as a | developer tool. | | > And more fine grained cookie storage options (currently | available via add-ons), et cetera? | | I find the whole craze around cookies overblown. Your IP | address is a relatively persistent cookie you can't clear. | The only way is to prevent requests made to the malicious | actors to begin with, with some kind of blacklist like what | uBlock Origin provides. | | > how to discriminate what to include, what not | | I'd argue that if your mission is to make the web better and | protect people's privacy then including a proper ad blocker | is a no brainer. | | > does it do any good | | That is up to discussion with the add-on author (the author | of UBO has repeatedly declined donations and seems to be | doing his efforts out of passion and/or hatred for ads, so he | should be onboard), but otherwise, the secret sauce isn't | really the blocker per-se but the blocklists such as | EasyList/Fanboy's lists, and Mozilla has enough resources to | reimplement a compatible client from scratch if needed. | | > how to deal with edge cases | | Contribute back to the lists to fix any edge-cases by | adjusting an over-reaching blocking rule, and offer an easy | way for users to temporarily disable the blocking on a per- | site basis. | godshatter wrote: | > I find the whole craze around cookies overblown. Your IP | address is a relatively persistent cookie you can't clear. | The only way is to prevent requests made to the malicious | actors to begin with, with some kind of blacklist like what | uBlock Origin provides. | | In my personal opinion, no one should be connecting to the | internet in this day and age without using a VPN service | wherever possible. | _-david-_ wrote: | My preference would be to include the functionality of ad | blockers but not include any of the actual lists. You would | then be able to pull down the same lists that ublock origin | provides by default and add any additional lists you want. | 1vuio0pswjnm7 wrote: | I control cookies outside the browser, in a forward proxy. I can | allow/deny any cookie based on rules I set. I value privacy | protection against a browser vendor just as much as privacy | protection against advertisers (who keep browser vendors in | business). I do not trust the browser. I trust the proxy. That's | how I get "Total Cookie Protection". | eMGm4D0zgUAVXc7 wrote: | What's the difference to setting "privacy.firstparty.isolate = | true"? | | And what's the migration path for users who have been using that | setting previously? | | Can I now disable it? Do I have to disable it? | 4cao wrote: | > Total Cookie Protection makes a limited exception for cross- | site cookies when they are needed for non-tracking purposes, such | as those used by popular third-party login providers. | | Would be great to have some more details about it: in particular, | how do I turn it off if I prefer to add any exceptions manually. | | Edit 1: Mozilla Hacks blog [1] has a bit more but still doesn't | answer the question: | | > In order to resolve these compatibility issues of State | Partitioning, we allow the state to be unpartitioned in certain | cases. When unpartitioning is taking effect, we will stop using | double-keying and revert the ordinary (first-party) key. | | What are these "certain cases?" | | Edit 2: Reading on, there's this bit about storage access grants | heuristics [2] linked from the blog. But is that really it, or is | there a hardcoded whitelist as well? If so, it'd be great to see | it. | | This bit in particular is ambiguous in how it's supposed to work | exactly (who's "we" here): | | > If we discover that an origin is abusing this heuristic to gain | tracking access, that origin will have the additional requirement | that it must have received user interaction as a first party | within the past 30 days. | | 1. https://hacks.mozilla.org/2021/02/introducing-state- | partitio... | | 2. https://developer.mozilla.org/en- | US/docs/Mozilla/Firefox/Pri... | Caligatio wrote: | I agree I wish they had more detail about the exceptions. | | I've been a FPI user for years as a best-effort to reign in | tracking but there are a common few sites that just break with | FPI (50% of the time PayPal checkout doesn't work). Even if | "Total Cookie Protection" is only 98% as effective as FPI, I'm | making the switch. | | EDIT: FPI = first-party isolation | lentil_soup wrote: | FPI? | iruoy wrote: | First-Party Isolation | | https://www.ctrl.blog/entry/firefox-fpi.html | johannh wrote: | Yes, it's essentially that, FPI with workarounds for common | breakage. You should switch from FPI, this is essentially | another take on FPI by some of its original developers, so it | should have fewer issues overall, not just site breakage. | mrweasel wrote: | It will be interesting to see how many sites break with | "Total Cookie Protection". Currently I use what I consider | are bare minimum of anti-tracking, that is what I can make | Firefox provide on its own, plus the DuckDuckGo browser | extention. Those two things alone break an alarming number of | sites. The DDG extention is pretty regularly mistaken for an | ad-blocker. | | Given Firefoxs low adoption, I fear that website owner will | just ignore that their excessive tracking breaks their site | in Firefox... "Works in Chrome... good enough" | kiwijamo wrote: | I have strict tracking enabled in Firefox as well as uBlock | Origin and I've yet to see a site broken. The only "broken" | ones I've seen are badly coded ones that also fail to work | in Chrome. Reputable sites tend to be just fine. YMMV. | ficklepickle wrote: | FF blocked fingerprinting by visa during a transaction. | To my surprise, even that did not break. | [deleted] | johannh wrote: | (I'm one of the developers of this feature and co-author of the | blog posts) | | This is a great question and I'm glad you found the answer, you | probably understand that for many blog posts we avoid going | into too much technical detail. | | To answer your final question, there is no hardcoded allow-list | for State Partitioning. The heuristics as described on MDN are | accurate. | heleninboodler wrote: | Have you considered that "Total Cookie Protection / Isolation | Partition" would be a much better name? :D | appleflaxen wrote: | > you probably understand that for many blog posts we avoid | going into too much technical detail. | | Not really... for a highly technical issue like this, at a | minimum you should link to the technical details. | | There really is no excuse for making every reader of your | blog who wants to know the details dig for them | independently. | | imo, at least. | johannh wrote: | Both the more technical blog post as well as the MDN page | are linked shortly after that paragraph. | urza wrote: | This should have always been the only way it worked. Plus it | should be easier to create white lists of allowed websites | and all other cookies delete with every broswer restart. I | know it is possible with Firefox but you need to add websites | to whitelist manually in deep settings. At least there are | some extensions that make it easier, like CookieAutoDelete | https://addons.mozilla.org/en-US/firefox/addon/cookie- | autode... | StavrosK wrote: | Have you considered using something like Expounder | (https://skorokithakis.github.io/expounder/) in your posts? | (Disclosure, I made it but it's a small open source lib). | | I don't see why we can have full-blown web apps but our text | needs to be very specifically just text these days. | dmix wrote: | I feel like the inserted text should be highlighted with a | light yellow background or some indicator. Just appearing | like that inline seems a bit funky or unexpected. | | But I see there is a css class which is nice. | | Just a simple rgba(x,x,x,0.5) where the x's are the usual | yellow height. | StavrosK wrote: | I prefer to leave the styling to the user, the library is | intentionally minimally invasive there... | wikibob wrote: | I agree with this. It would be helpful. | tannhaeuser wrote: | Hasn't HTML the summary and details elements for this | specifically, or am I overlooking something? | StavrosK wrote: | As far as I know, those work quite differently. | gwern wrote: | <abbr>/<defn> are also quite relevant, and would fit a | number of the example uses better (like the definition of | 'atoms'). | tpoacher wrote: | Not the author, but presumably you're overlooking the | fact that the expounded term doesn't necessarily have to | be "inside" or even "neighbouring" to the details | element. | | The author's intent here is to have terms explained in | the text explicitly in such a way that it would 'augment' | the text with an explanation somewhere further down the | line, but not necessarily "in-place". | | It is also intended for text specifically, rather than | replacing one element with another. | | I agree that display/summary are similar in spirit | though, I had not come across those before. | prox wrote: | I wonder what this does to SEO, does the hidden text get | indexed, and is it not picked up as a dark pattern by | crawlers? | wonder_er wrote: | This is super cool! | | I've only recently discovered that Markdown has footnotes, | and I've gone to down adding footnotes everywhere. | | I use Jekyll + markdown on my website, and I now have lots | of fun adding footnotes to my writing. | | I added a "footnote tutorial" for readers on | https://josh.works/turing-backend-prep-01-intro#why-this- | rub..., to help them learn how to navigate the footnotes. | | I _love_ your library, and I love the problem that you're | solving with it. | | Along the way, I've looked at Gwern's sidenotes[0] and Nate | Berkapec's "footnotes"/sidenotes [1]. | | I eventually want to do something more "in-line", like what | you've down with Expounder, but I've been satiated with | markdown footnotes for now. | | [0]: https://www.gwern.net/Sidenotes# [1]: | https://www.nateberkopec.com/blog/2017/03/10/how-i-made- | self... | gknoy wrote: | Oh, wow. The Sidenotes discussion from Gwern that you | linked is _phenomenal_. Thank you for sharing these. | iFreilicht wrote: | What I dislike about footnotes like that is that they | pollute the browser history. If you want to leave the | page but clicked on a few footnotes and their backlinks, | you have to go "back" through all of them. | | Thank you so much for posting gwern's sidenote article! I | want to use sidenotes on my site and this was a very | valuable resource! | StavrosK wrote: | Thank you! I used to use footnotes too, but I didn't like | how they took you out of the flow of the text. Expounder | aims to specifically let users stay in the flow of | reading, which is why one of the core instructions is | that the text should work in context, as if it were never | hidden. | mrec wrote: | It's good to see experiments along these lines. I really | like Wikipedia's recent-ish rich tooltips on link | mouseover, and the HTML <summary>/<details> elements | deserve to be more widely known. | | From the demo it look as if Expounder is one-way - once | you've expanded something, you can't collapse it again. | Is that correct? | StavrosK wrote: | Yes and no, see this comment: | | https://news.ycombinator.com/item?id=26238717 | ghaff wrote: | I miss footnotes on the printed page because, in addition | to references (where they're probably better as endnotes | to be honest) I find they're great to use for | parentheticals that bulletproof a point, add some | background that's not essential to a point being made, | etc. But these latter uses work significantly less well | in a blog post or ebook. | withinboredom wrote: | This looks amazing. Would you mind if I packaged this in a | WordPress plugin? | StavrosK wrote: | Not at all, go for it! | withinboredom wrote: | Awesome. Just a heads up, I've already finished it and | just submitted it. HOWEVER, the plugin has to be licensed | as GPLv2, but it shouldn't affect your license (since | it's just using your code as a library). I'd feel better | about it (and it will probably be smoother sailing during | the review process) if I could submit your names as | authors on the plugin. | | If you want to be listed as an author, just drop over to | https://github.com/withinboredom/expounder- | wordpress/tree/ma... and let me know your wordpress.org | user names in an issue. | StavrosK wrote: | Thanks! I don't think either of us have a Wordpress | username, but it'd be great if you could include a link | to the repo in the description. | | Thanks again for your help! | withinboredom wrote: | Will do! | accounted wrote: | I would like this as well, please share once you do. | withinboredom wrote: | I've submitted it to the WordPress.org plugins directory, | but you can download it right now from the repo in the | sibling comment. | samstave wrote: | That is FN DOPE. Wikipedia should adopt it in full. | clankyclanker wrote: | Is there support for an expound-all button on a page? I | definitely have days where I just want to also read the | details and don't want to click a dozen times while I'm | reading. | StavrosK wrote: | Not currently, but it shouldn't be hard to add a button | with one line of JS to add the required CSS class to all | the elements. This might defeat the purpose, though, as | it's kind of intended to save you from reading things you | already know. | chrisweekly wrote: | Yes, this! Your lib looks awesome. Thanks for publishing it | and sharing here! | StavrosK wrote: | Thank you! | tpoacher wrote: | I love this, but I'm a bit surprised that you do not | include the ability to "unexpound" an "expounded" term. Is | that intentional? | | If I were reading a technical text, I would definitely end | up reading most paragraphs at least twice. It would make no | sense to keep the expounded terms in the second time; I'd | be tempted to hide them back as soon as I was finished with | them the first time. | StavrosK wrote: | Yes, it is intentional. The functionality actually | exists, it's just not mentioned: | | https://github.com/skorokithakis/expounder/blob/master/ex | amp... | | It's because, once clicked, the new text should become | part of the old, and that's it. Presumably you've already | read it, and I don't want to make the viewer have to re- | collapse the links every time. | | Your use case makes sense, though, which is why the | feature was included. Maybe I should mention it in the | README. | mkl wrote: | I think collapsing would also be useful when all you need | is a quick reminder, not a full explanation. Like "What's | that again? [click to expand] Oh that's right [click to | collapse]". That's easier than finding the place to skip | to. | StavrosK wrote: | Hmm, true, I've added it to the README! | atleta wrote: | Cool! I've been thinking of a similar solution to add to my | (planned ;) ) longer blog posts. I'm guilty of going into | the details too much sometimes. | StavrosK wrote: | Same here, and I didn't like the tradeoff, so I figured | I'd solve it with the power of T E C H N O L O G Y. | gostsamo wrote: | Hi, can you consider adding some accessibility to the | library? Currently, I don't have a way to know that a term | could be expanded, because the signal seems to be visual | only and not detectable via a screen reader. Adding aria- | pressed might be the solution, but I'm not an expert, just | an user. | StavrosK wrote: | Oh, that's a good point! I didn't realize it wouldn't be | discoverable, you're right. | gostsamo wrote: | Thanks! | rock_artist wrote: | What I wonder/concern is how can one decide for legit use. | This also sounds like a possibility for discriminating small | players with legit use. (similar to Microsoft's SmartScreen) | | Would be great to know how are those concerns handled? | 4cao wrote: | Thank you for your clarification, and your work on Firefox. | | I guess that clears it up. | kome wrote: | > Would be great to have some more details about it: in | particular, how do I turn it off if I prefer to add any | exceptions manually. | | (on mac) Firefox > Preferences > Privacy & Security > Custom | 4cao wrote: | The question is how to use "Total Cookie Protection" without | any hardcoded or heuristics-based exceptions. | | Your answer seems to be about how to turn off "Enhanced | Tracking Protection"/"Total Cookie Protection" or parts of it | (resulting in weaker protection). I want to keep it enabled | and disable the exceptions (for stronger protection), i.e. | the opposite. | | I haven't installed the new version yet, so can't say for | sure, but as far as I know there is no setting for this in | that menu. [1] | | If I misunderstood what you meant, please elaborate. | | 1. https://support.mozilla.org/en-US/kb/enhanced-tracking- | prote... | laurensr wrote: | So if I happen to run a less popular third-party login | provider, my fate is sealed? | johannh wrote: | No, there's no allow-list, you get the same heuristics as | described on that MDN page. | orblivion wrote: | Maybe I don't know enough about cookies but it's kind of shocking | that that this wasn't the behavior from day one. I suppose it's | one of many things designed for a simpler time, but so many of | those have been fixed by now. | bscphil wrote: | Kind of an important point: this appears to be an attempt to | make third party cookies useless, without actually disabling | them since many sites depend on them. This is achieved in two | ways: | | 1. By allowing third party cookies, but compartmentalizing them | by the first-party site that sent the request (a much better | name for this feature would be "per-site cookie containers", | "total cookie protection" is completely uninformative). | | 2. By using a heuristic to selectively allow cookies to be | accessed across the container boundary if they are actually | needed, e.g. for logins. | | To answer your question, this doesn't make sense as "day one | behavior" because it's basically a patch to work around a | historical problem with as little breakage as possible. If you | were setting up cookie permissions on day one, knowing what we | know now, you wouldn't kneecap third party cookies, you'd | disable them entirely. Mozilla is trying to make third party | cookies useless for 99% of what they're used for: if that's how | you feel about third party cookies, you'd just _not implement_ | them. | | Incidentally, I do block all third party cookies by default and | have for years. That's a much stronger approach than the | compartmentalization that Mozilla is attempting. I can count on | one hand the number of sites I've seen break because of this, | most of them are happy to let these cookies fail silently. | foepys wrote: | There is so much legacy tech out there that is still working on | the trust level from back when DNS was a hosts file you | manually copied to your system once in a while. | | BGP and SS7 are other famous examples. | FalconSensei wrote: | That's kinda nice, maybe someday I'll try FF again. | | Unfortunately, every time I try, the usability and flows are - | for me - lacking. Like, not being able to easily add and edit | search engines (adding search for amazon, youtube, etc), history | and bookmarks not opening in full tab by default, closed tabs and | windows being separated on history... | baggy_trough wrote: | The main thing I don't like about FF is that the UI is kind of | blocky and clunky looking compared to Safari or Chrome. (This | is on macOS.) | | A trivial example of missing UI polish - when you open "About | Firefox" after restarting the browser, the window always | appears in the top left for a split second, then moves to the | center. | djschnei wrote: | It's too bad Mozilla supports internet censorship... Some good | alternatives if there stance on deplatforming is unacceptable to | you: https://librewolf-community.gitlab.io/ https://brave.com/ | Nextgrid wrote: | Can you elaborate? Why do you think they support censorship? | koheripbal wrote: | I suspect he is referring to this blog post... | | https://blog.mozilla.org/blog/2021/01/08/we-need-more- | than-d... | djschnei wrote: | Correct! Relevant thread: | https://news.ycombinator.com/item?id=25690941 | BiteCode_dev wrote: | Is Total Cookie Protection a Mozilla Intellectual Property ? | | In short, should I say we are talking about TCP/IP ? | anderspitman wrote: | So is Mozilla going to start gatekeeping which login providers | are considered big/reputable enough? What if I want to make my | own login provider? | fay59 wrote: | It sounds like you can design a login provider around that: | direct to login site with a return address, confirm with user | they want to log in, post back to return address with token | that allows site to query login provider. | grishka wrote: | Why not just do away with third-party cookies altogether already? | agildehaus wrote: | We're on the road to that. | grishka wrote: | I mean, why are all these lengthy intermediate steps | necessary? It's only a matter of changing the default value | of _one damn setting_. I 've had third-party cookies disabled | for more than a year and the only websites I've had problems | with were ridiculously poorly-made ones -- like AliExpress, | that for some reason has a zillion subdomains and relies on | third-party cookies for authentication. | bzbarsky wrote: | I have third-party cookies disabled, and have for years. A | non-exhaustive list of sites where I have login or other | problems as a result: | | 1) One of my local banks (who use weird third-party hosted | modules for some of their functionality). | | 2) Verizon. | | 3) T-Mobile | | If I were a normal user, any one of these ("I have to do | _what_ to see my FIOS bill?") could be a show-stopper. | | Which is what makes it hard to turn this on by default | without driving away users. | grishka wrote: | On the other hand, if third-party cookies were going away | for real, this would force website developers to finally | fix their crap. | Karunamon wrote: | Leads to a prisoner's dilemma situation. A move like that | has to be done by everyone in concert (example: killing | Flash), or it's harmful to the one browser that blinks | first. | | This thread contains plenty of examples of legitimate | uses for third-party cookies. If FF instantly and | immediately broke those, users would be cursing, not | praising Firefox, and switching to a browser that doesn't | break what they use. | bzbarsky wrote: | If they were going away for real across all browsers, | yes. | | Historically getting some browsers on board with that | program has been very difficult. | | Concretely: a large fraction of website developers would | much rather put up "only works in Chrome" notices than | fix their crap. | | [Disclaimer: I used to work at Mozilla, and have done my | share of trying to push for turning off third-party | cookies.] | faitswulff wrote: | It's funny you note that the only website that had issues | was a top 50 website (https://www.alexa.com/siteinfo/aliexp | ress.com#section_traffi...) that no doubt has a lot of | ordinary non-technical folk on it. Breaking sites like | these would likely kill an already relatively niche | browser. | behringer wrote: | because you're fighting the ad industry. The ad industry | which also has their own browser and tells grandma whenever | she searches about problems with cookies that there's a | "better" browser out there. | | It's google. I'm talking about google. | igetspam wrote: | Precisely. Google is an ad behemoth AND has the majority | of the market of browsers. If Firefox (or Safari of Opera | or etc) changes to something that breaks Google but | Chrome doesn't, they'll just get more of the market. For | non chromium browsers to survive, they have to play a | long game and show people why these changes are | important. People are happy to sacrifice privacy for | convienience, unfortunately. | nuker wrote: | > If Firefox (or Safari of Opera or etc) changes to | something that breaks Google but Chrome doesn't, they'll | just get more of the market. | | Not on iOS | bpicolo wrote: | > relies on third-party cookies for authentication | | A lot of websites depends on this via auth0, cloud | identity, cognito... and the experience becomes subtly | broken in a way that you need to be extremely technically | savvy (a developer that has a whole lot of auth experience) | to understand. | andrewmcwatters wrote: | It breaks non-tracking functionality for embedded things on the | web as currently implemented in major browsers, in particular, | which is one of the largest use cases. | mvolfik wrote: | What's an example of this? | michaelt wrote: | If you disable third-party cookies, you can't download | files or view videos in Google Drive without a workaround. | | This is because the download is from googleusercontent.com | while your browser remains at drive.google.com the whole | time - and to download private files, googleusercontent.com | expects you to have a login cookie. If you block third- | party cookies the download gets stuck in a redirect loop, | sending you to get a cookie over and over again. | | Google is aware of this but hasn't fixed it. | andrewmcwatters wrote: | Signing into a website through an iframe redirects you back | to a sign in page inexplicably if the post-signin page | requires a cookie. | | Another example is you're signed into website A, and while | on website B, iframes to website A behave in such a way | that you're not signed in, and you cannot sign in. | MaxBarraclough wrote: | Safari already does this by default, if I understand correctly. | julianlam wrote: | Does anybody know whether this would complicate existing | implementations of session sharing via a shared cookie? | | For example, a site a.example.org may save a cookie for domain | .example.org, and b.example.org would be able to read it. Site A | would then be able to provide some information for Site B to | consume, such as logged in state or ID. | | From the sounds of it, this total cookie protection feature will | essentially not allow this implementation to work. | andrewmcwatters wrote: | I'm fairly sure this pertains moreso to divisions between | hostnames. | nimbius wrote: | the most aggravating trend Firefox jumped on was making the | option to allow-list cookies a byzantine and infuriating process | from what it used to be. | | If you want to reject all cookies and allow-list only a handful | of sites, youll need to go into privacy settings and choose a | "custom" option to reject all cookies. presumably you're | knowledgeable if youre here but if not, theres a scary warning | that tells you doing this will "cause websites to break." Once | thats done, reload your tabs and realize that if you choose | "allow all cookies" at a later date, switching back to the | "custom" setting doesnt return you to your former "block all | cookies," just the watery default of blocking some cookies. | | now if you want to allow-list a site, good luck. You cant use | add-ons to do it and theres no menu option to quickly accomplish | this anymore. open your settings again, under privacy, and custom | settings again, and youre faced with a form to enter your new | site. once you add the site to the list, you must hit save. Yes, | the site is in the list now, but unless you hit save, you didnt | add it. | | Now arguably firefox cracked down on cookie block/allow | capability at the behest of google and advertisers some years ago | but to see them doubling back on the cookie issue --not to fix | the blocklist feature but to nanny-state your cookie preferences | even further-- is a real slap in the face. | | stop tip toeing around the issue to appease advertisers. Let us | block what we want to quickly and easily. | [deleted] | eslaught wrote: | What's the relationship of this with privacy.firstparty.isolate? | thinkharderdev wrote: | First party site isolation is more thorough than just blocking | third party cookies: | https://2019.www.torproject.org/projects/torbrowser/design/#... | | Basically, everything is isolated to the first party domain | (the domain of the URL in the address bar), including content | caches, HTTP/2 connections, local storage, preferences, etc. | 2OEH8eoCRo0 wrote: | There sure is a lot of negativity for what seems like a good | feature. | jaxslayerv wrote: | https://birdtraps.com.ng/ | endisneigh wrote: | I really, really like Firefox, but this is basically what happens | when I try to get people to use Firefox (and yes, I do actually | try to get people to use Firefox): | | E: Hey use Firefox! | | O: OK, I'll give it a try! | | O: Hey, why doesn't X site work properly with Firefox? | | Firefox: _Introduces something making it more likely that another | site doesn 't work_ | | O: Hey, now Y site doesn't work either! | | E: Hey, just wait a second you can- | | O: Sorry, I don't have time for this, I'm switching back to | Chrome. | | IMHO - Firefox's #1 priority should be making sure every site in | the the first 10,000 of Alexa work equally as well with Firefox | as it does with Chrome, period. | | What good is amazing privacy stuff if your userbase is rapidly | dwindling? | | list of sites that don't work (many, if not most of these work on | Chrome without issue): | | https://webcompat.com/issues?page=1&per_page=50&state=open&s... | Hjfrf wrote: | Why is this a complaint at Firefox, and not at Google for | abusing their monopoly to create new features on a whim | regardless of what it does to other browsers? | pdanpdan wrote: | I suppose because some of them are in the standard and not | implemented in other browsers. Or there are some 20 year old | bugs (reported) that are not fixed while pocket and robot are | featured. | woodrowbarlow wrote: | settings that are known to break websites are disabled in the | default configuration, and labeled clearly in the settings | pane. | | firefox doesn't exist to "win" the browser wars. it doesn't | even exist to give users the best possible browsing experience, | although that's certainly a primary goal and in my experience | they're doing well. | | the #1 reason that firefox exists is so that mozilla can have a | seat at the WHATWG table -- because very important decisions | about the fabric of the world wide web happen there, and the | other seats all belong to apple, google, and microsoft. | | mozilla is the closest thing we (the users -- not just firefox | users, but all web users) have to a "representative" in the | WHATWG, because mozilla doesn't answer to shareholders. | | > What good is amazing privacy stuff if your userbase is | rapidly dwindling? | | aside from a noticeable dip when the new chromium-edge started | shipping with windows, firefox browser usage on desktop has | been pretty steady for the past 5 years. | | the value in adding privacy features is that it solidifies a | certain use of the protocols, making it harder for WHATWG to | make spec changes that undermine the provided security. | andor wrote: | Which sites don't work for you? | | Even GSuite works better for me in Firefox. Slides stays smooth | even when scrolling through large presentations and it never | locks up (like Chrome does). | aninteger wrote: | Cisco Webex is a repeat offender. The experience is much | better in Chromium. If I am using Firefox I have to dial in | to a meeting using my phone instead of being able to use my | USB headset. | happymellon wrote: | Excel via Office online is a bit funky for me. | zaik wrote: | Microsoft Teams is Chrome only. A good reason not to use it. | gosslot wrote: | What sites are people visiting? I've used Firefox for over a | decade and yet have to run into any kind of issue like this. | simias wrote: | I've been using Firefox as my main browser for a long time | and over the past couple of years I noticed an uptick in | websites that wouldn't work lest I used Chromium. For | instance last week I had to use a crappy HSBC website that | wouldn't let me login in Firefox (it would just hang) while | it worked in Chromium. | | It's still very minor and I can't even come up with a 2nd | example off the top of my head but it does definitely happen | from time to time. | | If anything these few cases only makes me value Firefox even | more, I don't want to enable the Chrome monopoly. | needz wrote: | Ebay works on and off for me. I often have to resort to | Safari | _flux wrote: | What kind of problems are these? I've never used anything | but Firefox on Ebay. | needz wrote: | "Unsupported browser" messages when attempting to login | on both desktop firefox and mobile firefox. | CobrastanJorji wrote: | I like this idea a lot. One thing I'm confused about, though. | Does this also apply to CORS requests? If A.com sends a | withCredentials CORS request to tracker.com, won't the | tracker.com cookies still be sent? | jefftk wrote: | No, the cookies won't be sent. That would defeat the whole | purpose. | CobrastanJorji wrote: | So this effectively eliminates the | "XMLHttpRequest.withCredentials" setting? Interesting! Thanks | for clarifying. | jefftk wrote: | No, is still has an effect. CORS operates on a per-origin | basis, while privacy mitigations operate on a per-site | basis. You might want withCredentials if www.site.example | wanted to share cookies with forums.site.example. | appleflaxen wrote: | > We also want to acknowledge past and ongoing work by colleagues | in the Brave, Chrome, and Safari teams to develop state | partitioning in their own browsers. | | Classy call-out | mattowen_uk wrote: | Other than this is how cookies _should_ have worked from the get- | go, I have a question /scenario: | | 1. User visits site-a.com, which sets a cookie containing | 'ThisIsUser9' | | 2. site-a.com also rewrites every external URL on the page, with | a new param '&adtrack=ThisIsUser9' | | 3. User clicks on external link on site-a.com and goes to | site-b.com | | 4. site-b.com's server sees the adtrack param on the end of the | URL and sets a cookie 'ThisIsUser9' and also adds the adtrack | param to all external URLs on the returned page. | | 5. Advertising company works with site-a and site-b (and many | many other sites) to build up a persistent profile of your | browsing habits. | | We can't stop this, even with this new FF cookie isolation. Those | of us who care will install an extension to strip known trackers | from all URLs, and 90% of all other web users, will still be | tracked as usual. | | Face it, the private web is lost. :( | randomsearch wrote: | this doesn't work if I don't go to site-a.com first | | most of the time I go direct to a URL by typing in the address | bar | | > Face it, the private web is lost. | | this reads like marketing for Eric Schmidt | https://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmid... | pantulis wrote: | Isn't this more or less how tracking used to work before the | days of adservers and programmatic advertising? | alkonaut wrote: | > site-b.com's server sees | | I can at least SEE that siteA passes my information to siteB. | Or at least that it passes something (e.g. a huge base64 chunk | in the url). That's a big step forward. I can also block the | referrer headers so it's not visible in siteA url itself. If I | want to navigate from SiteA to SiteB and the url doesn't look | "expected", I can choose to not click it. Tracking that only | takes place in URLS and only when I click things, isn't nearly | as scary or problematic as cookies. | teknopaul wrote: | Another feature, that no one asked for, that breaks stuff. Every | site that mozilla breaks is one more nail in its coffin. Speed is | your second requirement, then security, then privacy: the first | requirement is alway that the bludy websites work. When mozilla | lost track of this and prioritiezed security then privacy then | performance, and finally/ maybe letting you get your job done, | their market share started to fall. The world needs an | alternative to google's vertical. One that actually works. | baggy_trough wrote: | This seems like a nicer solution than Safari, which is blocking | even session cookies in third party iframes. Makes it hard to | have a multi-page browser game embedded in gaming sites. | nashashmi wrote: | I preferred chrome cookie control over Firefox after switching. | (I have had to compromise with umatrix to fill this feature gap.) | Very granular control for each cookie where a cookie can be | allowed, temporary, or blocked. | | I went through my entire list of cookies once, 400 at least and | started perma blocking all those I didn't recognize. It was | beautiful. I can't do the same in Firefox. | | I'm not feeling very good about this move where third party | cookies are isolated by website. There are lots of websites | separated across multiple domain names sometimes unrelated. | (Sharepoint, office 365) they will have difficulty. | | And then there are special login websites and others like dish | network telling CNN you have a subscription with them. | | This breaks. And creates a predetermined list of who can do what. | quesera wrote: | > I went through my entire list of cookies once, 400 at least | and started perma blocking all those I didn't recognize. It was | beautiful. I can't do the same in Firefox. | | If I understand your description correctly, you can definitely | do this in Firefox also. Preferences/Privacy & Security/Cookies | and Site Data. | foepys wrote: | > I went through my entire list of cookies once, 400 at least | and started perma blocking all those I didn't recognize. It was | beautiful. I can't do the same in Firefox. | | I did this in Firefox before Chrome was even a thing. This has | been supported natively without add-ons since at least 3.5, if | not even earlier. | | http://kb.mozillazine.org/Websites_report_cookies_are_disabl... | nashashmi wrote: | That would be under "Cookies and Site Data". There are two | options: Manage cookies (which only give option to remove | cookies) and Manage Exception (which require you to manually | add domain names. This is not usable for massive cookie block | list. | nashashmi wrote: | That would be under "Cookies and Site Data". There are two | options: Manage cookies (which only give option to remove | cookies) and Manage Exception (which require you to manually | add domain names. This is not usable for massive cookie block | list. | roboman wrote: | Does anyone know of a good comparison between FF and Brave | regarding both security and privacy? | topspin wrote: | This site appears to provide a reasonable analysis of all the | common browsers. It was mentioned on HN a year ago to zero | comments. Chrome is completely indifferent to prevailing | privacy compromises. Brave is locked down pretty hard. This one | is amusing: "Brave: Add noise to Canvas, WebGL and AudioContext | APIs to make fingerprinting more difficult" | | https://www.cookiestatus.com/ | | I don't think it's been updated yet for this new Firefox | feature. | rank0 wrote: | > In addition, Total Cookie Protection makes a limited exception | for cross-site cookies when they are needed for non-tracking | purposes, such as those used by popular third-party login | providers. | | Oh, so like Facebook and Google? | [deleted] | sudosysgen wrote: | There is no allowlist. The tracking supercookies from FB and | Google should be blocked, only those detected to be for sso | using a common heuristic are allowed. | Nextgrid wrote: | What prevents them from adapting and using the SSO cookie as | a tracking vector? Why are we assuming they aren't doing this | already? | sudosysgen wrote: | Then they get put in a blocklist and only redirect based | SSO is allowed. | | That being said, if I understood right, as long as you | don't use sso it shouldn't allow them. | sudhirj wrote: | So we have a suite of B2B products, hosted on p1.com, p2.com, | p3.com, with an OAuth2 provider on a1.com. a1.com isn't very | "well known", and it won't be, because we run it privately for | auth and user management for our own products only. There are no | subdomains anywhere, only individual domains. | | Does this break our setup? And how do we tell users to un-break | it? And is there a way to tell Mozilla via directives that we | have a private list of sites we'd like to share a1.com cookies | in? | michaelt wrote: | No, it's still easy to perform oauth2 login. | | User clicks log in at p1.com, they get forwarded to a1.com | which checks their (now first-party) cookies, then once they're | logged in they get forwarded back to p1.com with a token in an | URL parameter. | sudhirj wrote: | Ah, right, thanks. So this is a problem only if we have in- | page widgets from a1.com that load on p1.com and hope to find | a the currently logged in user there. Makes sense, that's | basically what an ad is. | kevin_thibedeau wrote: | This weakens security. Now auth tokens can be logged or | actively intercepted on corporate networks with TLS MITM and | these URLs will eventually find their way into emails and | other unencrypted locations. Not exactly progress. | SilverRed wrote: | If you have TLS MITM malware on your computer than security | is already dead. | ThePhysicist wrote: | Safari solves this by sending third-party cookies only if the | user visited the originating domain within 24 hours. | | Not sure how Firefox handles this but I guess it would be easy | to detect a redirect from a1.com to p1.com and recognize this | as a use-case where a third-party cookie from p1.com should be | sent for a request originating from a1.com. | | That said it's probably more privacy-friendly to append an | access token as a hash parameter to the URL when redirecting | and extract it via JS, which will not be affected by cookie | limitations. | bpicolo wrote: | > Total Cookie Protection makes a limited exception for cross- | site cookies when they are needed for non-tracking purposes, such | as those used by popular third-party login providers | | How does this work out? Say I want to launch a new popular login | provider - how do I get past the Firefox gatekeeper? | jefftk wrote: | It isn't based on a list of login providers, instead there are | temporary heuristics: | https://hacks.mozilla.org/2021/02/introducing-state-partitio... | | _In the Firefox storage access policy, we have defined several | heuristics to address Web compatibility issues. The heuristics | are designed to catch the most common scenarios of using third- | party storage on the web (outside of tracking) and allow | storage access in order to make websites continue normally. For | example, in Single-Sign-On flows it is common to open a popup | that allows the user to sign in, and transmit that sign-in | information back to the website that opened the popup. Firefox | will detect this case and automatically grant storage access._ | | _Note that these heuristics are not designed for the long | term. Using the Storage Access API is the recommended solution | for websites that need unpartitioned access. We will | continually evaluate the necessity of the restrictions and | remove them as appropriate. Therefore, developers should not | rely on them now or in the future._ | bpicolo wrote: | Perfect context - thanks! | | That said, hopefully that doesn't start a new cat and mouse | game for ad networks? hah | jefftk wrote: | The heuristics seem pretty intrusive, so I doubt most ad | networks would be interested in trying to meet them. | OJFord wrote: | Nice, sounds like I can get rid of the extension I use to toggle | `privacy.firstparty.isolate`. | | > In addition, Total Cookie Protection makes a limited exception | for cross-site cookies when they are needed for non-tracking | purposes, such as those used by popular third-party login | providers. Only when Total Cookie Protection detects that you | intend to use a provider, will it give that provider permission | to use a cross-site cookie specifically for the site you're | currently visiting. Such momentary exceptions allow for strong | privacy protection without affecting your browsing experience. | | That's exactly why I have to toggle it. Anyone that uses auth0, | and many publications sites (follow a link to a PDF, get | redirected to `/cookie-absent` instead) fall foul. | dvfjsdhgfv wrote: | Moreover, I've heard loud voices before that controlling 3rd | party cookies will break login providers - guess what, it | turned out if there is a will, there is a way. | thinkharderdev wrote: | I find this very annoying. An OpenID Connect provider is | perfectly capable of working without using third-party | cookies. The only reason they need them is to allow OIDC | authentication without actually redirecting to the provider | (by using a hidden iframe to do the OIDC flow on the same | site). But if 3rd-party cookies are disabled it should just | fall back to the normal OIDC redirect. | jsmith45 wrote: | The OIDC front channel signout functionality relies on | third party cookies to work properly. This feature has the | IDP basically loading your app's end session page in a | hidden iframe. | | Similarly the OpenID Connect Session Management feature | (check_session_iframe) also depends on the ability to use | third party cookies. | | This functionality is needed to be able to detect if user | logged out from front-end code without relying on having | any back end code that could receive either a front-channel | or back-channel signout notification and send it back. | | In the absence of that a pure SPA with no backend could | only detect the logout if access tokens are stateful, and | they get an error message back that the token refers to an | ended session. | | Some people get really cranky if a single sign out feature | does not actually sign you out of everything. | laurensr wrote: | So if I happen to run a less popular third-party login | provider, my platform will break and I will need to lobby for | an exception...? | matt-attack wrote: | No. There's no hard coded list. You get the same heuristics | as everyone. | gegtik wrote: | Awesome work - in retrospect it seems insane it took the world | until 2021 to think about this in-hindsight obvious solution for | responsible data segregation. | OscarCunningham wrote: | Does this make Firefox's containers unnecessary? | goalieca wrote: | I've had a miserable time with Putting Google in a container | and switching over SSO. | happymellon wrote: | It depends on your usecase. Containers for me has nothing to do | with this. | | I use containers for sites like AWS where it doesn't understand | the concept that I might want to switch regions or accounts but | only in some tabs so that I can work on multiple parts of the | network. | | This obviously does nothing for that. | gruez wrote: | There are other use cases for containers besides third party | cookie isolation. If you want to have two separate sessions for | a site, you'd still need containers. | als0 wrote: | Private windows can let you do that, so you don't really need | containers. | magicalhippo wrote: | I have multiple sites like Github, Dropbox etc where I have | multiple accounts I'd like to access separately. Typically | private account vs work account, but also other scenarios. | | Containers makes this a breeze. | | In addition, at least Firefox only has a single private | session. So if I open a site in one private window and | another in a different one, they're in the same session, | sharing cookies etc. Not so with different containers. | happymellon wrote: | I find this a horrible usecase for me, I keep my password | managers separate from my work provided one and my | personal one. Containers don't solve this, and I use | profiles, which I have to be thankful for MultiFirefox | for fixing it. But only on MacOS. | | I don't understand why fixing profiles isn't a priority, | I find the usecase for them is completely different to | containers which are awesome in a completely different | way. | daveFNbuck wrote: | Having containers means you don't have to log in every | time, and you can have multiple sessions open in different | tabs in the same window. | [deleted] | pityJuke wrote: | I use Containers to make sites have no stored memories of me. | Most sites I open, a new, temporary container (extension | required) for that visit, and swiftly deleted afterwards. | | All my YouTube views are firmly disassociated from my account, | so recommendations will only be impacted based on geographic | data. News sites can't remember if I've been there before, | other than using IP addresses. | InTheArena wrote: | If you care about using a open, secure and not surveillance | driven Internet and you are using Chrome rather then Firefox (or | Safari or even Edge) you are part of the problem rather then the | solution. That said, I run on Mac and on Linux. in both places, | Firefox is roughly the same speed, but dramatically better | privacy. The internet is a awful place without containers for | isolating google and facebook. | shuringai wrote: | users can already get this behaviour by setting 2 values in | about:config why is this presented as new feature? mozilla laid | off devs to start making marketing stunts? | [deleted] | 7800 wrote: | That's wonderful! | | Now, if Mozilla would allow Firefox to be configured such that it | doesn't call home or update itself in any way, that would be nice | also, as I don't see why Mozilla needs to know about me either. | [deleted] | taneq wrote: | Did this update also re-enable sponsored links on new tabs? They | just popped up on all of my computers. Mostly I think Firefox is | great but things like this annoy me. | Nicksil wrote: | I caught this as well. Fixed it by deselecting "Sponsored Top | Sites" option from within Options > Home > Firefox Home Content | > Top Sites. | | Even though I had "Top Sites" already deselected, I had to | temporarily select that options in order to deselect the | "Sponsored Top Sites" option. | [deleted] | anticristi wrote: | Is this really effective for the users' privacy? Won't AdTech | networks simply migrate to browser fingerprinting, perhaps with a | bit of server-side tracking? | | I'm not arguing to give up. Rather, I'm more convinced in | investing in privacy NGOs like noyb.eu and make it expensive to | toy with my privacy. | glsdfgkjsklfj wrote: | > Won't AdTech networks simply migrate to browser | fingerprinting, perhaps with a bit of server-side tracking? | | they don't even have to. Just store two (or N) sets of cookie | trails as they already do. This will waste a few MB of storage | on the client side and do nothing to Ad/privacy. | | Sites never shared the ID anyway, specially since GDPR-et-al. | | AD tech works like this: you send a hash of one ID and on the | backend attach all the profile info (nobody will ever share | that with partners, because that is gold), then the other side | just assign their own hash of their ID and also keep all their | targeting info on their backend. The _only_ thing that matters | is that party A ID123 is known to match party B IDabc. Note | that those IDs are transient and set at random, because party A | and party B doesn 't want to give up their secret info by | matching IDs from multiple sites. That is called cookie match. | it does _NOT_ depend on a single cookie jar. It doesn 't even | depend on cookies! why do you think most Ads (and google search | result links -ha!) have those weird hashs appended? zero | cookies needed) | | Another thing that helps even more than 3rd party cookie is | multi-site referrer, but google killed that on both chromium | and firefox a long time ago (firefox still have the | about:config way to disable/set to single-site, set to multi- | site-domain-only, but good luck finding a single human who | changes that setting by selecting magic numbers) | jefftk wrote: | This is wrong: third party cookies are still widely used in | the ad industry. Among other things, the cookie matching that | you describe is dramatically more effective with third-party | cookies than first-party only. | | (Disclosure: I work on ads at Google, speaking only for | myself) | glsdfgkjsklfj wrote: | never said it is not widely used or not effective. | | Just saying that it won't matter much if removed from the | equation. | | I mean, if something makes your life easier, you would be a | fool to not use it. but that is like saying not having a | ferrari prevents you from driving to the store. | jefftk wrote: | Third party cookies are not simply a matter of making | adtech developer's lives easier. Imagine you visit | shoes.example and are now on news.example. Both of these | sites work with ads.example, and the shoe site would like | to show you a shoe ad. | | With third party cookies this looks like (simplified MVP | form): | | 1. When you visited shoes.example, it loaded a pixel from | ads.example. That pixel automatically sent your | ads.example cookie, and put you on a remarketing list. | | 2. When you visit news.example, it sent an ad request to | ads.example, which also automatically sent your | ads.example cookie. Now the ad tech vendor knows to | include the ad from the shoe site because it recognizes | the third-party cookie. | | On the other hand, without third-party cookies or any | replacement browser APIs, how do these identities get | joined? Very occasionally someone will follow a link | between a pair of sites, and then you can join first | party identities, but you probably don't have a chain of | identities that connects a news.example first-party | identity to a shoes.example identity. | Arnavion wrote: | >On the other hand, without third-party cookies or any | replacement browser APIs, how do these identities get | joined? | | 1. When you visit shoes.example, it has an iframe to show | an ad from ads.example. This iframe runs some JS to | compute a browser fingerprint and then nests an iframe to | hxxps://ads.example/?target=shoes.example&client=$fingerp | rint . The ads.example server records that this | fingerprint has visited shoes.example | | 2. When you visit news.example, it has an iframe to show | an ad from ads.example. This iframe runs some JS to | compute a browser fingerprint and then nests an iframe to | hxxps://ads.example/?target=news.example&client=$fingerpr | int . The ads.example server recognizes the fingerprint, | knows that the client visited shoes.example earlier, and | returns a shoes ad. | jefftk wrote: | My parent claimed this was possible to do with link | decoration and first party cookie matching, and I'm | saying it isn't. | | I do agree this is possible to do with fingerprints, | though (a) all the browsers are trying to prevent | fingerprinting and (b) a reputable ad company would not | use fingerprints for targeting. This is my understanding | of why Google is putting so much effort into | https://github.com/WICG/turtledove | | (Still speaking only for myself) | glsdfgkjsklfj wrote: | btw, the only way to fix this mess and not break the internet | in the short term is to fix the UI. not the black magic | hidden from the user. | | Just show 1st class useful controls on the browser UI for | cookies and the problem solves itself. what EU cookie law | should have been. | | Every user understands "site A wants to store a save file" | "site A wants to access save file". Nobody understands | cookies and same-origin and cors. | anticristi wrote: | Yeah, the cookie law was a false start. Laypeople don't | care about the exact technical implementation (e.g., | session cookies vs. persistent cookies vs. local storage | vs. browser fingerprinting). | | What I care as a EU citizen: Are you collecting and storing | information that can directly or indirectly identify me? | Yes, tracking and profiling are included in this. | | You want to store some session cookies, so you remember my | shopping cart? Go ahead! | | You want to store some cookies, so you remember I was | logged in? Sure! | | You want to use every available technological loophole to | follow my every path on the Internet? Errrr, no thanks! | josho wrote: | I see this as a test of government. A well functioning | government will iterate on their laws and see what they | got right/wrong and improve it. | | I'll keep my fingers crossed for a GDPR 1.1 that patches | some of the things they got wrong. | jonplackett wrote: | It's kind of ridiculous that it didn't work this way to begin | with. | SilverRed wrote: | To begin with the web was full of academic pages that weren't | trying to spy on you | CyberRabbi wrote: | My total cookie protection: turn off cookies for casual browsing | xPaw wrote: | Does this also break add-ons communicating from other site to | another using a background script? | johnchristopher wrote: | Total Cookie Protection ? Great, I wish it will solve my year | long problem of Firefox eating my cookies and session when it | silently updates itself. /rant | candiddevmike wrote: | With all of the cookie protections and in app privacy settings, | is highly targeted advertising becoming less effective? If | targeted advertising is less effective, will the advertising | giants need to provide a disclaimer when you try doing it? Will | it lower ad prices? | | Or will it take regulations to remove targeted ads? | nine_k wrote: | Cross-domain ads possibly become less effective. | | OTOH on-premises ads, like inside Facebook, or on Google's | results page, should remain pretty targeted. | jijji wrote: | no mention about cookies shared by subdomains of a domain, are | these still supported by this feature? | deagle50 wrote: | Does cookie isolation work with "Custom" tracking protection | selected? | hwc wrote: | What they describe is how I thought cookies worked already. | aecorredor wrote: | Same here. | | "That's because the prevailing behavior of web browsers allows | cookies to be shared between websites, thereby enabling those | who would spy on you to "tag" your browser and track you as you | browse." | | Is that true though? I thought it was well known that you can | only access cookies from your own domain: | https://stackoverflow.com/questions/12370495/share-a-cookie-... | callmeal wrote: | >Is that true though? I thought it was well known that you | can only access cookies from your own domain: | | That's where ad networks come in. A cookie set by <adtracker> | when you're browsing say nytimes.com, will be sent to that | <adtracker> when you're browsing say reddit.com and that's | how the adtracker know's it's the same person on both sites. | skyzadev wrote: | Why has it taken us so long to get features like this | implemented? | | p.s. Firefox ftw :). ___________________________________________________________________ (page generated 2021-02-23 23:00 UTC)