How to enable First-Party Isolation in Firefox

Martin Brinkmann
Nov 22, 2017
Updated • Aug 11, 2019
Firefox
|
29

First-Party Isolation is a new privacy feature of the Firefox web browser that Mozilla implemented in Firefox 55 for the first time.

The feature restricts cookies, cache and other data access to the domain level so that only the domain that dropped the cookie or file on the user system can access it.

This is a stark contrast to how cookies work normally, as marketing companies tend to drop cookies with their ads on sites, so that they may track users across all properties that the ads or scripts run on.

With First-Party Isolation enabled, tracking ends at the domain level which means that advertisers cannot use cookies anymore to create user profiles by dropping and reading cookies across the Internet.

First-Party Isolation is another Tor feature that Mozilla implemented in Firefox directly. The browser got several already as part of a Tor Uplift initiative. Mozilla did implement anti-fingerprinting for system fonts in Firefox 52 for instance already, and plans to block sites from using HTML5 Canvas from fingerprinting users in Firefox 58.

Tor calls the feature Cross-Origin Identifier Unlinkable.

The Cross-Origin Identifier Unlinkability design requirement is satisfied through first party isolation of all browser identifier sources. First party isolation means that all identifier sources and browser state are scoped (isolated) using the URL bar domain.

The following items are affected by First-Party Isolation: cookies, cache, HTTP Authentication, DOM Storage, Flash cookies, SSL and TLS session resumption, Shared Workers, blob URIs, SPDY and HTTP/2, automated cross-origin redirects, window.name, auto-form fill, HSTS and HPKP supercookies, broadcast channels, OCSP, favicons, mediasource URIs and Mediastream, speculative and prefetched connections. 

How to enable First-Party Isolation in Firefox

privacy firstparty isolate firefox

First-Party Isolation is not enabled by default in Firefox right now. One reason for that may be that the feature may interfere with the authentication system on some sites.

I suggest you try this out, and see if that is the case on your end. You can disable the security feature at any time to restore the status quo.

  1. Load the URL about:config in the Firefox address bar.
  2. Confirm that you will be careful.
  3. Search for privacy.firstparty.isolate.
  4. Double-click on privacy.firstparty.isolate to set the preference to true.

This is all that needs to be done. There is also the Firefox add-on First Party Isolation which you can install instead. It does the same thing, but comes with an option to disable the functionality temporarily. (via Bleeping Computer)

Summary
How to enable First-Party Isolation in Firefox
Article Name
How to enable First-Party Isolation in Firefox
Description
First-Party Isolation is a new privacy feature of the Firefox web browser that Mozilla implemented in Firefox 55 for the first time.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Chris Wells said on September 25, 2020 at 6:56 am
    Reply

    I notice that first party isolate breaks teams.microsoft.com
    It sends the tab into a reload loop.

  2. FF4LIFE said on March 3, 2020 at 3:06 pm
    Reply

    Firefox is still 1039857193587293587235892375 times better than Chrome.

  3. Rick A. said on January 22, 2018 at 1:45 am
    Reply

    Martin or anyone, what does privacy.firstparty.isolate.restrict_opener_access do ?

    1. leanon said on March 11, 2018 at 8:15 pm
      Reply

      To enable FPI, users must set “privacy.firstparty.isolate” to true by double-clicking it. The second parameter — “privacy.firstparty.isolate.restrict_opener_access” — works by lowering some of the “isolation” rules. Users can set this parameter to false if they’re having problems logging into websites.

      https://www.bleepingcomputer.com/news/software/another-tor-browser-feature-makes-it-into-firefox-first-party-isolation/

      Doesnt quite answer your question but may help.

      1. Rick A. said on March 12, 2018 at 6:50 am
        Reply

        @leanon – Crazy how i deleted the bookmark to this question just yesterday after nobody answered it. But yeah i had researched it further.

        Thank you for taking the time to answer my question.

  4. Ron said on January 11, 2018 at 3:16 pm
    Reply

    Making this change prevents hotmail from downloading attachments. Get this error

    440 login timeout

    The error seems to be about authenticating to IIS, which fits with your caveat.

  5. superlupo said on November 26, 2017 at 11:29 am
    Reply

    The Addon will only start working with FF58, in FF57 you need to set the pref manually:
    https://github.com/mozfreddyb/webext-firstpartyisolation/issues/1

  6. Pants said on November 24, 2017 at 5:08 am
    Reply

    FPI covers window.name – source? Doesn’t sound legit – windows.name is at least still enumerable when I last checked a few days ago

  7. Dave said on November 22, 2017 at 6:45 pm
    Reply

    Martin,

    I have an ever expanding text file of firefox tweaks. Is there a “simple” way to apply all these tweaks to a fresh install of the browser instead of doing them one by one?

    1. Martin Brinkmann said on November 22, 2017 at 7:07 pm
      Reply

      You can use a user.js file for that: https://github.com/ghacksuserjs/ghacks-user.js

  8. bugsy said on November 22, 2017 at 3:43 pm
    Reply

    I manually delete cookies.sqlite in my profile directory as needed because cookie management doesn’t seem to be effective in either blocking their creation or removing them on browser close.

    1. SimonAlberta said on November 25, 2017 at 4:33 pm
      Reply

      Thank you for confirming that my experience of FF cookies management is not unique, but that is a sledghammer solution that doesn’t work for me because i want to be able to permanently keep cookies from a small handful of sites.

      What really annoys me about all of this is that what you might call “normal people” will happily set their Firefox options to reject cookies and never be aware that it is not working for them.

      Whatever happened to things actually working as advertised?

  9. Ben said on November 22, 2017 at 3:15 pm
    Reply

    There is still a bug with this and some addons that delete cookies – they will not work as the API is bugged (remember the good old times, when you just programmed the “API” yourself and this would not have been a problem?)

    Anyway since I use Waterfox now: “that Mozilla implemented in Firefox 55 for the first time.” Anyone got experience with this and Waterfox?

    1. jan said on November 23, 2017 at 11:14 am
      Reply

      SimonAlberta
      YES, I have noticed similar things as you described to happen in my W7 anf FF some time ago. I could not comprehend what was going on and I concluded it all was due to my own mistakes and incompetence. I remember that I spend quite a lot of time until I gave up and decided that I can not continue as I felt I was running in circles. I concluded finally it was not me and that I was still sane!

      What makes me wonder is that the deficiencies in the API are not yet fixed as per today (see the repy from Ben November 22, 2017 at 3:15 p} That looks like the problem with the IndexedDB; that was known for YEARS but the gurus elected to do nothing about it. Only (bad) publicity made them take action and voila(!) in a short time it was fixed.

      I do not believe in conspiracies but at the same time I think it is quite well possible that for instance The Guardian has some knowledge how to circumvent “public knowledge” about cookies or tracking with the aim to follow its visitors.

      Anyway, I do not have the ambition to get a PhD on FireFox. I like the Ghacks site and its information but the enormous attention it gives to FireFox makes me wonder; are we dealing with a cult?

      A last comment: you mention that you got a cookie from Ghacks as well. Why is Martin Brinkmann now so silent about it?

      1. Anonymous said on November 23, 2017 at 6:10 pm
        Reply

        It works for me. Go ask on Reddit’s Firefox sub, you have more chances to get a proper answer.

      2. Anonymous said on November 23, 2017 at 6:06 pm
        Reply

        > are we dealing with a cult?

        A hate cult then.

      3. SimonAlberta said on November 23, 2017 at 3:40 pm
        Reply

        Jan,

        Thank you for your kind response. I had been starting to think I was losing my mind and that I must be “wrong” in what I am saying.

        Yes, in spite of having my FF set to reject all cookies, THIS SITE (and many others) STILL PLACES ONE (and FF is oblivious to them) and, as you say, the owner of this site, Martin Brinkmann, doesn’t have the courtesy to explain why or how he manages to do that.

        I am not much for conspiracy theories but I do get the feeling that I am being duped and manipulated.

        Again I will ask the question; why does the “no cookies” setting in FF not work?

        Any more suggestions anyone?

      4. Tim2 said on January 5, 2018 at 8:19 pm
        Reply

        I use Seamonkey with the CookieKeeper extension and this site has TWO entries to deal with. The first is the http://www.ghacks.net and the second is ghacks.net The second plants the cloudspy tracker cookie before releasing the user to this site. Because of this behaviour I won’t allow cookies here since I have no use whatsoever for cloudspy or their finding agents.

    2. Barret said on November 22, 2017 at 5:49 pm
      Reply

      > (remember the good old times, when you just programmed the “API” yourself and this would not have been a problem?)

      You mean back when it was impossible to clear IndexedDB for all sites ? Or back when it was impossible to allow or forbid IndexedDB based on origin ?

  10. SimonAlberta said on November 22, 2017 at 2:57 pm
    Reply

    I must say that I am getting totally fed up with trying to manage cookies in Firefox and the various offshoots.

    I have tried every “cookie manager/deleter” add-on I can find and, even with FF set to reject all cookies, when I run CCleaner to check there is always a bunch of cookies that have slipped through the net.

    I also tried using no add-on cookie manager, setting FF to reject all cookies and only “white listing” a few sites I need to allow cookies but still loads get through from other sites and trackers, etc.

    So then I tried creating my own specific “black list” but some still get through (e.g “theguardian.com” Guardian newspaper lays a bunch of cookies despite being specifically set to be rejected).

    Many times the cookies showing in CCleaner are NOT listed in Firefox so presumably there is a mechanism that sites/trackers use to somehow bypass Firefox settings.

    The problem is massively increased if I use a feed reader (currently using Feedbro since Live Click, my preferred option, hasn’t been updated) because almost all sites it checks leave cookies and neither the add-on cookie manager nor FF seems aware of them.

    I flip-flop between aggressively manually deleting cookies throughout the day and just giving in to being inundated with them and accepting my fate.

    This is all very annoying. Why can’t “no cookies” mean exactly that?

    1. Barret said on November 22, 2017 at 5:45 pm
      Reply

      I don’t have any such issue… Firefox is aware of all cookies and when it says no it means no. The cookie manager displays cookies, but there are other sorts of storage and I guess that’s what CCleaner marks as cookies. You don’t need a third party tool to delete cookies though, the CTRL+SHIFT+DEL interface can clear everything, except maybe IndexedDB although that might have been fixed since Firefox 56, if not then 58 for sure.

      You can check if a given website has any kind of storage by first enabling the storage tool. Press F12, click on the cogwheel on the right, tick the Storage checkbox from the dev tools list. The Storage tab is what you’re looking for, and from now on you can access it quickly with SHIFT+F9. It doesn’t show all websites, only the current one, but it may help you understand what’s going on. (It can also delete data of course)

      Finally, it’s possible that some cookie add-on bugs are responsible for your issues, those should be fixed in Firefox 58 which is in beta right now.

      1. Pants said on November 24, 2017 at 5:05 am
        Reply

        These “10 cookies” may be items in your SiteSecurityServiceState.txt – I know CCleaner reads those and lists them under “cookies”

        – Clear all your cookies – have look under Options>Privacy&Security>History>..>Show Cookies – make sure it is empty.
        – Close FF. Run CCleaner – clear what ccleaner calls “cookies”
        – Go to your profile and open SiteSecurityServiceState.txt – it should be blank. Set that file to READ ONLY
        – Now do your test

      2. SimonAlberta said on November 22, 2017 at 9:41 pm
        Reply

        OK, so the plot thickens.

        I went to http://www.theguardian.com then shut down FF, checked with CCleaner and it had left 10 cookies. So I cleaned them out.

        Re-opened FF, went to theguardian again, set all its’ permissions to block all storage options, checked the Security tab and it confirmed that the site was NOT placing any cookies on my system.

        Checked in CCleaner, same 10 cookies. Cleaned them out again.

        Repeated process to check my Permissions changes had held, which they had, but still the cookies are getting placed.

        Not only that, but GHACKS has placed a cookie too….so Martin, how is THAT happening?

        This is doing my head in. Again I ask….why does FF reject cookies just NOT WORK?

        Anyone else got any ideas? Similar experience?

        Thanks for any input.

        PS – I have experimented with having FF delete cookies on exit and it manages to delete cookies I want to KEEP but still misses these Guardian ones (and others) because FF just doesn’t seem to know they exist. I am no techie but it seems to me there must be some kind of hack that websites can use to get around FF permissions.

      3. SimonAlberta said on November 22, 2017 at 9:12 pm
        Reply

        Barret,

        Thank you for your response. You seem very sure of what you are saying but I am not convinced. The list of items in CCleaner sure look like cookies. Some are clearly 3rd party trackers (FUN FACT – UBlock Origin is showing that it is blocking 26 elements on this very page!) and some seem to be just normal cookies placed “behind the scenes” so to speak when Feedbro checks for new posts on various blogs.

        Besides, I have also tried the various add-ons designed to clear Flash cookies, persistent cookies, etc. etc. and the problem still persists.

        I am having difficulty experimenting with your instructions above as my laptop F keys have different functions but I think there must be a way around that. I’ll figure it out no doubt.(OK, RT Click – View Page Info works so I’ll experiment with that)

        Now, to go off on a bit of a tangent, I have also occasionally noticed that CCleaner finds cookies identified as belonging to Internet Explorer which I NEVER use. Research tells me that this is considered a normal part of the Win10 experience. What joy!

  11. Tom Hawack said on November 22, 2017 at 9:52 am
    Reply

    If no cookie policy/management is in place then first-party isolation is the right thing to do. As the article mention cookies will remain in per-site “cocoons”, in other words sites may still use cookies with tracking intentions but they cannot share the cookie data with other sites (other sites then those of the domain which sets the cookie cannot access that cookie).

    Fine. But if a user’s wish is to allow cookies on a per-site basis then first-party isolation will bump into an extension such as ‘Cookie Autodelete’. I don’t know if there is a “structural” (“logical” so to say) incompatibility between first-party isolation and extensions managing cookies or if compatibility is a work in progress, but at this time I’ll prefer the ‘Cookie Autodelete’ policy to first-party isolation.

    1. Brainfart said on November 22, 2017 at 5:19 pm
      Reply

      First party isolation is much wider than cookies, it’s about everything. As the implementation of one of Tor Browser’s core design principles it’s a huge feature, it’s hard to evaluate all the things that it thwarts.

      Cookie add-ons don’t fully support the double keying thing because the feature is not quite ready for prime time.

      Meta FPI bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1299996
      Cookie add-ons bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1381197

      FPI will not be ready for prime time until the cookie add-ons bug and several others are fixed.

      1. Tom Hawack said on March 5, 2018 at 2:57 pm
        Reply

        @Brainfart,
        > First party isolation is much wider than cookies, it’s about everything.

        Three months after this comment I realize now how true your statement is.
        I’ve opted for FPI whatever the cost (at this time) of incompatible extensions; I no longer use the ‘Cookie Autodelete’ extension, I block cookies and allow session exceptions when necessary (as user ‘Pants’ does, he’s right as well). No authentication issues on my side considering I avoid domains requiring another to login (i.e. Youtube-Google). One and one only regret is that the ‘WebApi Manager’ extension won’t make it (at this time) with FPI enabled. There’s a choice, I keep FPI. As you write it, “it’s a huge feature, it’s hard to evaluate all the things that it thwarts.”. Really worth it.

  12. Gondola said on November 22, 2017 at 9:34 am
    Reply

    btw there is a bug with the previously fixed “delete offline data on close”
    This does not work if you are using Multi-Containers.
    For the time being i just disabled write-permissions for the “permanent storage” folder

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.