Firefox 65: New Cookie Jar Policy to block tracking
Mozilla plans to launch a new anti-tracking method in Firefox 65 that blocks tracking resources from accessing storage on all desktop platforms. The new policy is designed specifically to limit cross-site tracking while minimizing site access and rendering issues.
The actual implementation depends largely on tests in pre-release versions of the Firefox web browser. Mozilla runs a Shield study in Firefox Beta 63 at the moment.
Firefox users may have a couple of questions when it comes to the new "Cookie Jar Policy" and how it differs from using the built-in Tracking Protection feature or third-party extensions to block certain types of connections or content in the browser by default.
Firefox's Tracking Protection feature uses a list of known trackers that is maintained by Disconnect. Mozilla uses the "basic protection" list by default, but Firefox users may switch to the strict protection list on about:preferences#privacy to block more trackers, even if doing so may cause websites to render incorrectly or not function properly.
Firefox won't classify domains as trackers when they are loaded as top-level sites owned by the same organization.
The Storage Policy
The new feature that is undergoing tests right now uses the same Disconnect list that Firefox's Tracking Protection feature uses. The main change that it introduces comes in the form of a new policy that blocks access to cookies and site storage for identified tracker resources.
In particular, the following happens when the feature is enabled:
- Cookie request headers are blocked and Set-Cookie response headers are ignored.
- Empty strings are returned for Document.cookie, and attempts to set cookies using Document.cookie are ignored.
- Read and write attempts to localStorage and IndexedDB are blocked.
- Read and write attempts to sessionStorage are permitted.
- BroadcastChannel, SharedWorker and ServiceWorker creation attempts are blocked.
- CacheStorage calls are blocked.
- HTTP cache and Image cache are partitioned for tracking resources.
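As an added example (not Mozilla's code), the following script probes each mechanism in the list above from inside a frame and reports which ones are usable, so an embedded third party can fall back gracefully instead of breaking. Browser globals are replaced by two constructed window-like mocks; the probe name sa_probe and the assumption that blocked APIs throw a SecurityError are mine, not taken from the page.

```javascript
// Added example, not Mozilla's code: report which storage mechanisms the current
// context may use (`win` is any window-like object; pass `window` in a browser).
// Blocked APIs are assumed to throw; cookie reads return "" and writes are dropped.
function probeStorageAccess(win) {
  const report = {};
  const tryApi = (name, fn) => {
    try { report[name] = fn() ? 'allowed' : 'blocked'; } catch (e) { report[name] = 'blocked'; }
  };
  // Writes are silently dropped, so only a write-then-read round trip is reliable.
  tryApi('cookie', () => {
    win.document.cookie = 'sa_probe=1; SameSite=None; Secure';
    return win.document.cookie.indexOf('sa_probe=1') !== -1;
  });
  const roundTrip = (s) => { s.setItem('sa_probe', '1'); return s.getItem('sa_probe') === '1'; };
  tryApi('localStorage', () => roundTrip(win.localStorage));
  tryApi('sessionStorage', () => roundTrip(win.sessionStorage));
  tryApi('indexedDB', () => !!win.indexedDB && win.indexedDB.open('sa_probe') !== null);
  tryApi('broadcastChannel', () => { new win.BroadcastChannel('sa_probe').close(); return true; });
  // Choose the most durable mechanism still available; memory is the last resort.
  report.fallback = report.cookie === 'allowed' ? 'cookie'
    : report.localStorage === 'allowed' ? 'localStorage'
    : report.sessionStorage === 'allowed' ? 'sessionStorage' : 'memory';
  return report;
}

// Constructed stand-ins for a real window: a first-party page where everything
// works, and a tracker-classified frame under the cookieBehavior=4 policy.
function memStore() {
  const m = {};
  return { setItem: (k, v) => { m[k] = String(v); }, getItem: (k) => (k in m ? m[k] : null) };
}
function makeFirstPartyContext() {
  let jar = '';
  return {
    document: { get cookie() { return jar; }, set cookie(v) { jar = v.split(';')[0]; } },
    localStorage: memStore(), sessionStorage: memStore(),
    indexedDB: { open: () => ({}) },
    BroadcastChannel: function () { this.close = () => {}; },
  };
}
function makeBlockedTrackerContext() {
  const blocked = () => { throw new Error('SecurityError: The operation is insecure.'); };
  return {
    document: { get cookie() { return ''; }, set cookie(_v) { /* ignored under the policy */ } },
    get localStorage() { return blocked(); },
    sessionStorage: memStore(), // reads and writes are still permitted
    indexedDB: { open: blocked },
    BroadcastChannel: function () { blocked(); },
  };
}
```

In a real page, `probeStorageAccess(window)` run from the third-party frame yields the same shape of report, and `fallback` tells the script which store it may rely on.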
Enable the new Cookie Jar Policy
Firefox users can enable the new policy in pre-release versions of Firefox. We will update the article if the feature is available in Stable versions of Firefox as well. If tests go well, it may be included in Firefox 65 Stable.
Mozilla added a new value to the browser's network.cookie.cookieBehavior preference. The preference now supports the value 4, which enables the new behavior.
- Load about:config?filter=network.cookie.cookieBehavior in the Firefox address bar.
- Confirm that you will be careful.
- Set the value to 4.
The preference supports the following values:
- Value of 1 -- Block all third-party cookies.
- Value of 2 -- Block all cookies.
- Value of 3 -- Block cookies from unvisited sites.
- Value of 4 -- New Cookie Jar policy (prevent storage access for trackers).
Mozilla notes that the blocking of some tracking resources would break functionality on some websites. To limit breakage, Firefox allows access to storage for trackers if the user interacts with third-party resources.
Currently, Firefox includes some web compatibility heuristics that grant storage access to third-party resources classified as trackers when a user interacts with those third parties. We do this when we expect that not granting access would result in the web page breaking.
Access to storage may be granted "when a user gesture triggers a pop-up window that has opener access to the originating document".
Granted storage access expires after 30 days automatically on a per-site basis. If a tracker is granted access on multiple sites, expiration dates are handled independently from one another.
The new Cookie Jar Policy improves user privacy when enabled. While some users may argue that it is not going far enough, others may find it useful enough to use it in favor of other anti-tracking methods.
The feature is a work in progress and subject to change. Firefox users and webmasters interested in the feature can check out the feature's entry on the Mozilla Developer website for additional information.
There, webmasters will also find information on how to test their websites to make sure that the new policy does not break functionality.
Now You: What is your take on the new feature?