Firefox 65: New Cookie Jar Policy to block tracking - gHacks Tech News


Mozilla plans to launch a new anti-tracking method in Firefox 65 that blocks tracking resources from accessing storage on all desktop platforms. The new policy is designed specifically to limit cross-site tracking while minimizing site access and rendering issues.

The actual implementation depends largely on tests in pre-release versions of the Firefox web browser. Mozilla runs a Shield study in Firefox Beta 63 at the moment.

Firefox users may wonder how the new "Cookie Jar Policy" differs from the built-in Tracking Protection feature, or from third-party extensions that block certain types of connections or content in the browser by default.

Tracking Protection


Firefox's Tracking Protection feature uses a list of known trackers that is maintained by Disconnect. Mozilla uses the "basic protection" list by default, but Firefox users may switch to the strict protection list on about:preferences#privacy to block more trackers, even though the strict list may cause some websites to render incorrectly or not function properly.

Firefox won't classify domains as trackers when they are loaded as top-level sites owned by the same organization.

The Storage Policy

The new feature that is undergoing tests right now uses the same Disconnect list that Firefox's Tracking Protection feature uses. The main change it introduces comes in the form of a new policy that blocks access to cookies and site storage for resources identified as trackers.

In particular, the following happens when the feature is enabled:

  • Cookie request headers are blocked and Set-Cookie response headers are ignored.
  • Empty strings are returned for Document.cookie, and attempts to set cookies via Document.cookie are ignored.
  • Read and write attempts to localStorage and IndexedDB are blocked.
  • Read and write attempts to sessionStorage are permitted.
  • BroadcastChannel, SharedWorker and ServiceWorker creation attempts are blocked.
  • CacheStorage calls are blocked.
  • HTTP cache and Image cache are partitioned for tracking resources.
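As an added example (not code from the article, from Mozilla or from the Disconnect project), the following JavaScript probe checks from inside a script which of the storage APIs listed above are actually usable and reports each one as "allowed" or "blocked". Calling probeStorage(window) from a resource embedded by another site shows what the policy did to it; makeTrackerContext() and makeFirstPartyContext() are constructed stand-ins for the two cases so the probe can also be run outside a browser, for instance under Node. It covers cookies, localStorage, sessionStorage, IndexedDB and BroadcastChannel; worker creation and CacheStorage are left out, and only synchronous failures are detected.

```javascript
// Added illustration (not Mozilla's code): probe which storage APIs a script can
// actually use in its current context. Each entry is "allowed" or "blocked"; a
// synchronous exception from the API counts as blocked.

function probe(fn) {
  try {
    return fn();
  } catch (e) {
    return 'blocked';
  }
}

function roundTrip(storage) {
  storage.setItem('storageprobe', '1');
  const ok = storage.getItem('storageprobe') === '1';
  storage.removeItem('storageprobe');
  return ok ? 'allowed' : 'blocked';
}

function probeStorage(win) {
  return {
    // document.cookie reads back empty and writes are ignored for blocked trackers
    cookie: probe(() => {
      win.document.cookie = 'storageprobe=1';
      const found = win.document.cookie.split('; ').includes('storageprobe=1');
      return found ? 'allowed' : 'blocked';
    }),
    // the localStorage getter itself throws when storage is blocked
    localStorage: probe(() => roundTrip(win.localStorage)),
    // sessionStorage keeps working under the policy
    sessionStorage: probe(() => roundTrip(win.sessionStorage)),
    // only a synchronous throw from open() is detected; async errors are not awaited
    indexedDB: probe(() => {
      win.indexedDB.open('storageprobe');
      return 'allowed';
    }),
    // BroadcastChannel construction is refused for blocked trackers
    broadcastChannel: probe(() => {
      new win.BroadcastChannel('storageprobe').close();
      return 'allowed';
    }),
  };
}

// --- constructed stand-ins so the probe can be exercised outside a browser ---

function mapStorage(map) {
  return {
    setItem: (k, v) => map.set(k, String(v)),
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    removeItem: (k) => map.delete(k),
  };
}

// What a classified tracker sees with network.cookie.cookieBehavior = 4 (constructed)
function makeTrackerContext() {
  return {
    document: { get cookie() { return ''; }, set cookie(_v) { /* ignored */ } },
    get localStorage() { throw new Error('SecurityError'); },
    sessionStorage: mapStorage(new Map()),
    indexedDB: { open() { throw new Error('SecurityError'); } },
    BroadcastChannel: function () { throw new Error('SecurityError'); },
  };
}

// What an unrestricted first-party or non-tracker context sees (constructed)
function makeFirstPartyContext() {
  const jar = new Map();
  return {
    document: {
      get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
      set cookie(v) {
        const [k, val] = v.split(';')[0].split('=');
        jar.set(k.trim(), val.trim());
      },
    },
    localStorage: mapStorage(new Map()),
    sessionStorage: mapStorage(new Map()),
    indexedDB: { open() { return {}; } },
    BroadcastChannel: class { close() {} },
  };
}

if (typeof window !== 'undefined') {
  console.log(probeStorage(window));
} else {
  console.log('tracker:', probeStorage(makeTrackerContext()));
  console.log('first party:', probeStorage(makeFirstPartyContext()));
}
```

When run in a real page, compare the result against a known-good first-party load of the same script: a cookie can also fail to stick for reasons unrelated to this policy (third-party cookies blocked outright via value 1, or cookie attributes the browser refuses), so a single "blocked" entry does not by itself prove that the tracker classification engaged.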

Enable the new Cookie Jar Policy


Firefox users can enable the new policy in pre-release versions of Firefox. We will update the article if the feature is available in Stable versions of Firefox as well. If tests go well, it may be included in Firefox 65 Stable.

Mozilla added a new value to the browser's network.cookie.cookieBehavior preference. The preference now supports the value 4, which enables the new behavior.

  1. Load about:config?filter=network.cookie.cookieBehavior in the Firefox address bar.
  2. Confirm that you will be careful.
  3. Set the value to 4.

Values explained:

  • Value of 1 -- Block all third-party cookies.
  • Value of 2 -- Block all cookies.
  • Value of 3 -- Block cookies from unvisited sites.
  • Value of 4 -- New Cookie Jar Policy (prevent storage access for trackers).

Limitations

Mozilla notes that the blocking of some tracking resources would break functionality on some websites. To limit breakage, Firefox allows access to storage for trackers if the user interacts with third-party resources.

Currently, Firefox includes some web compatibility heuristics that grant storage access to third-party resources classified as trackers when a user interacts with those third parties. We do this when we expect that not granting access would result in the web page breaking.

Access to storage may be granted "when a user gesture triggers a pop-up window that has opener access to the originating document".

Granted storage access expires after 30 days automatically on a per-site basis. If a tracker is granted access on multiple sites, expiration dates are handled independently from one another.
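To make the per-site grant rule concrete, here is an added JavaScript model of the decision described in this section; it is not Firefox's implementation. The tracker list, the organisation (entity) map and the host names are constructed sample data, and the model goes slightly beyond this section by also applying the same-organisation exemption mentioned under Tracking Protection above. Each grant is keyed by the (tracker, site) pair and carries its own 30-day expiry, so granting access on one site neither grants nor extends it on another.

```javascript
// Added model (not Firefox's code) of the storage-policy decision: a resource gets
// storage unless it is on the tracker list and loaded cross-site, and a listed
// tracker regains storage on a given site only through a storage-access grant,
// which expires 30 days after it was given, independently per site.

const DAY_MS = 24 * 60 * 60 * 1000;
const GRANT_TTL_MS = 30 * DAY_MS;

// Constructed sample data standing in for the Disconnect list and its entity map.
const TRACKERS = new Set(['tracker.example', 'cdn.social.example']);
const ENTITIES = {
  'Social Example Inc': ['social.example', 'cdn.social.example'],
};

// Hosts owned by the same organisation are not treated as trackers of each other.
function sameOrganisation(hostA, hostB, entities) {
  return Object.values(entities).some(
    (hosts) => hosts.includes(hostA) && hosts.includes(hostB),
  );
}

function isTrackingResource(resourceHost, topHost, trackers, entities) {
  if (!trackers.has(resourceHost)) return false;
  if (resourceHost === topHost) return false;
  return !sameOrganisation(resourceHost, topHost, entities);
}

// Per-(tracker, site) grants holding an expiry timestamp in milliseconds.
class StorageAccessGrants {
  constructor() {
    this.expiry = new Map();
  }

  static key(tracker, site) {
    return `${tracker}|${site}`;
  }

  grant(tracker, site, now) {
    this.expiry.set(StorageAccessGrants.key(tracker, site), now + GRANT_TTL_MS);
  }

  has(tracker, site, now) {
    const k = StorageAccessGrants.key(tracker, site);
    const until = this.expiry.get(k);
    if (until === undefined) return false;
    if (now >= until) {
      this.expiry.delete(k); // expired grants are dropped lazily
      return false;
    }
    return true;
  }
}

function storageAllowed(resourceHost, topHost, grants, now,
                        trackers = TRACKERS, entities = ENTITIES) {
  if (!isTrackingResource(resourceHost, topHost, trackers, entities)) return true;
  return grants.has(resourceHost, topHost, now);
}

// Walk-through with constructed hosts and timestamps; returns the sequence of decisions.
function demo() {
  const grants = new StorageAccessGrants();
  const t0 = Date.UTC(2018, 8, 23); // 23 Sep 2018, constructed
  const out = [];
  out.push(storageAllowed('cdn.social.example', 'social.example', grants, t0)); // same organisation
  out.push(storageAllowed('cdn.social.example', 'news.example', grants, t0));   // listed tracker, cross-site
  grants.grant('cdn.social.example', 'news.example', t0);                        // user interacted on news.example
  out.push(storageAllowed('cdn.social.example', 'news.example', grants, t0));   // granted there
  out.push(storageAllowed('cdn.social.example', 'blog.example', grants, t0));   // not granted elsewhere
  grants.grant('cdn.social.example', 'blog.example', t0 + 10 * DAY_MS);         // later grant on blog.example
  const t31 = t0 + 31 * DAY_MS;
  out.push(storageAllowed('cdn.social.example', 'news.example', grants, t31));  // news grant expired
  out.push(storageAllowed('cdn.social.example', 'blog.example', grants, t31));  // blog grant still valid
  return out;
}

console.log(demo());
```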

Closing words

The new Cookie Jar Policy improves user privacy when enabled. While some users may argue that it does not go far enough, others may find it useful enough to use it instead of other anti-tracking methods.

The feature is a work in progress and subject to change. Firefox users and webmasters interested in the feature can check out the feature's entry on the Mozilla Developer website for additional information.

Webmasters will also find information there on how to test their websites to make sure that the new policy does not break functionality.

Now You: What is your take on the new feature?


Comments

  1. Anonymous said on September 23, 2018 at 10:59 am

    That’s better than nothing, but still inferior to tracker blocking with uBlock Origin + blocking cookies by default with a whitelist (or at least blocking third-party cookies which requires much less maintenance). Also, their system allows sessionStorage which is similar to allowing session cookies, allowing tracking for the session.

    Now there’s some hypocrisy from Mozilla wanting to prevent tracker storage like here, and on the other hand totally removing the ability for webextensions to modify or even visualize site cookie permissions.

    1. user17843 said on September 23, 2018 at 6:02 pm

      I don’t understand either why Mozilla hasn’t simply blocked third party cookies/storage already while allowing exemptions for non-tracking (mostly auth) services. This could be done with machine-learning.

      The new protection based on a list will make players such as Google and Facebook even more powerful, because they can create workarounds or aren’t even on the list.

      Either way, the only market where Firefox is still structurally relevant for ad-tech is Germany [1], and it will be interesting to see how german ad-tech corporations react to being on the disconnect list.

      [1] http://gs.statcounter.com/browser-market-share/all/germany

    2. John Fenderson said on September 25, 2018 at 12:15 am

      @Anonymous: “That’s better than nothing”

      But barely. In my opinion, blocking that depends on a list of known bad actors is woefully inadequate. I want all trackers that I haven’t added to a whitelist to be blocked, not just some that are found on a list. A list implies that there are “good” trackers and “bad” trackers, when, in my view, all trackers that I haven’t knowingly and overtly consented to are bad trackers.

  2. klaas said on September 23, 2018 at 1:10 pm

    @Martin: just out of interest I accessed the about:config setting, which I currently have set at 1. I changed it to 4, and Firefox 62.0.2 did not object. Does that mean that with the setting at 4 current FF defaults to another value?

  3. Paul(us) said on September 23, 2018 at 1:24 pm

    Personally I think that anything that not only “limits cross-site tracking while minimizing site access and rendering issues” is more than a good thing. So improving it is even better than the standard situation we’re in right now.

    That the improved cross-site tracking and minimizing rendering issues will be from Firefox 65 standard onboard is also an improvement over the situation I am in right now, being that I am using WebExtensions / Add-ons for those purposes.

    Martin (Or anybody else) do you think with this improvement that I can get rid of WebExtensions like Privacy badger?
    Martin (Or anybody else) would you be so kind as to inform me ( Maybe even everybody with a new article, a sideline in a new article or update from this article ! ) which WebExtensions / Add-ons will have no more use when this improvement in Firefox 65 will be installed?
    This will be very much appreciated by me at least

    1. Anonymous said on September 23, 2018 at 5:59 pm

      @ Paul(us)
      I wouldn’t rely on a Mozilla list alone to block trackers. I don’t think that it will ever trustfully replace a good tracker blocker like uBlock Origin.
      About Privacy Badger I tried it a long time ago and found it had lots of serious issues from bad design decisions, including for example
      https://github.com/EFForg/privacybadgerfirefox-legacy/issues/103
      https://github.com/EFForg/privacybadger/issues/1064
      At that time I would have advised against using it but maybe it got better since then… And anyway I don’t think it can replace uBlock Origin either.

      1. Paul(us) said on September 23, 2018 at 8:35 pm

        Thanks, Anonymous, For addressing the question I have put for you!
        Your answer is very explanatory and convincing.
        I am also like you convinced that uBlock Origin is on the moment the most sophisticated tracker blocker (content-filtering, including ad-blocking).
        I am therefore using uBlock Origin for almost 3 years in consultation together with Privacy badger.
        But right now I am not so convinced anymore that that Is wise to use also together with Privacy badger? Should I remove Privacy badger? And If I remove Privacy badger should I complement uBlock Origin with something else?
        Do you Anonymous (Or anybody else) have any thoughts about that?

      2. Hy said on September 24, 2018 at 9:51 am

        I’ve been running both uBO and PB together as well, probably since PB was released. It is not unwise to use them together–I’ve never heard of a single conflict. In fact I think running the two was even specifically mentioned before in discussions on here in the last year or two, discussions which included the uBO creator himself, iirc. Why right now are you not so convinced anymore that it is wise to run them together?
        I wouldn’t remove PB. I like several things about PB: it gives more detailed domain info at a glance than uBO, it has very clear and straightforward settings, including to block social widgets and to prevent WebRTC from leaking IP, and I can make quick, easy manual adjustments to its blocking with the sliders. I like the “allow domain but block cookies” or “block both domain and cookies” features in PB. Also, sometimes uBO allows things which surprise me, like some Google stuff, Doubleclick stuff or things like that, but I can make sure that stuff is blocked in PB. Finally, sometimes a site tells me it recognizes that I’m using an adblocker and asks me to disable it to continue; I just disable uBO and continue, and PB is still there blocking! :)
        In terms of complementing blockers like uBO and PB with something else, I block tons of ad and tracking domains browser-wide and system-wide in Emsisoft, in my VPN, and in my firewall.

      3. noemata said on September 24, 2018 at 10:26 am

        my thoughts:

        1) deactivate privacy bagger (you can also uninstall it after your tests).

        2) only run ublock origin alone.

        3) which also implies disabling firefox tracking protection.

        you do not need everything twice or three times. ublock origin contains more than enough lists and other defense mechanisms.

        4) take a look at the loading times of the page views. you will notice that they are considerably faster resp. more performant than with activated privacy bagger.

        5) download a small tool from the ublock origin developer and use it for a short test period:
        https://addons.mozilla.org/en-US/firefox/addon/ubo-scope/

        6) look at the results.

        7) use ublock origin now in medium mode (advanced user; block 3rd party scripts & 3rd party frames): https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode (if the respective page is not usable, you can then switch to “easy mode” or make more granular settings relative to the respective page.

        8) after some time and a few looks at scope it becomes obvious that there is no need for an additional slowing down addon like privacy bagger.

        9) uninstall privacy bagger & scope.

        10) alternative to ublock origin: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/?src=hotness .

        11) it’s a beta and the cpu is more busy in comparison to ublock origin. furthermore it is not so strict and there are still no granular adjustment possibilities. but i think this addon has a big future. at least the loading times are already perfect now (in contrast to “privacy bagger” or the data-sniffer “ghostery”)

        12) choose only one solution. everything else puffs up the browser and is uselessly double.

        13) make important entries in the firefox config and observe the development of the browser in terms of content blocking. maybe it will replace an installed addon sometime. because the less installed addons, the better the performance of the browser. but this will take some time (if at all).

        ps: to the first point in the last paragraph: best create a user.js . for a better overview and with explanations you can also use this page for it: https://ffprofile.com/#start .

        pps: but forget their default settings. they are completely nonsense and much too bloated: partly absurd, partly pathological, partly dangerous for the stability of the system (especially regarding future developments, too short a thought), partly obsolete. things that would be necessary are opt out, things that wouldn’t be necessary are opt in. this site should only be considered as a small overview. i also believe that less is more here. be careful with these settings. of course there is still a user.js from ghacks, but it is too conservative for me. imho. everyone as he wants.

        ppps: settings that can/should definitely be made (imho again):

        user_pref("dom.battery.enabled", false);
        user_pref("media.peerconnection.enabled", false);
        user_pref("dom.event.contextmenu.enabled", false);
        user_pref("browser.tabs.closeTabByDblclick", true);
        user_pref("beacon.enabled", false);
        user_pref("browser.send_pings", false);
        user_pref("security.mixed_content.upgrade_display_content", true);
        user_pref("network.http.referer.XOriginPolicy", 2);
        user_pref("network.http.referer.trimmingPolicy", 2);
        user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
        user_pref("webgl.disabled", true);
        user_pref("webgl.enable-webgl2", false);
        user_pref("browser.link.open_newwindow.restriction", 0);
        user_pref("network.IDN_show_punycode", true);
        user_pref("privacy.firstparty.isolate", true);
        user_pref("privacy.resistFingerprinting", true);
        user_pref("security.cert_pinning.enforcement_level", 2);
        user_pref("network.allow-experiments", false);
        user_pref("browser.safebrowsing.malware.enabled", false);
        user_pref("browser.meta_refresh_when_inactive.disabled", true);
        user_pref("datareporting.policy.dataSubmissionEnabled", false);
        user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
        user_pref("datareporting.healthreport.uploadEnabled", false);
        user_pref("toolkit.telemetry.archive.enabled", false);
        user_pref("toolkit.telemetry.unified", false);
        user_pref("toolkit.telemetry.coverage.opt-out", true);
        user_pref("browser.sessionstore.cleanup.forget_closed_after", 86400000);
        user_pref("browser.sessionstore.interval", 30000);
        user_pref("browser.sessionstore.max_serialize_back", 5);
        user_pref("browser.sessionstore.max_serialize_forward", 5);
        user_pref("browser.sessionstore.max_tabs_undo", 5);
        user_pref("browser.sessionstore.max_windows_undo", 1);
        user_pref("browser.sessionstore.resume_from_crash", false);

        but more tailored to my personal needs and only in the context of something else:

        user_pref("browser.cache.disk.smart_size.enabled", false);
        user_pref("browser.cache.disk.capacity", 350000);
        user_pref("security.OCSP.enabled", 0);
        user_pref("network.trr.mode", 2);
        ..
        ..
        user_pref("media.peerconnection.enabled", false);
        user_pref("network.prefetch-next", true);

        (right, even the last two, because: umatrix changes these values without permission & :

        https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=https%3A%2F%2Fwww.privacy-handbuch.de%2Fdiskussion.htm&edit-text=&act=url

        (reply from 08/05/2018)

        pppps: not to forget: anonymous is right with the cookie – whitelist approach (see also my post below).

      4. Anonymous said on September 24, 2018 at 11:22 am

        @ noemata

        The Malwarebytes Firefox addon collects too much data in my opinion :
        https://addons.mozilla.org/fr/firefox/addon/malwarebytes/privacy/

        About user_pref(“network.trr.mode”, 2); I think that this is the setting to enable the Cloudflare DNS ? I’m not going to enter a debate here but let’s just say that it does not hide anything from your ISP (this is just lies from Cloudflare and Mozilla) because domain names still appear in clear text during TLS handshakes, and that in addition sending all your browsing domain name resolutions to Cloudflare is absolutely insane from the privacy point of view (but much more justified for Cloudflare from a commercial and surveillance point of view).

      5. noemata said on September 24, 2018 at 1:23 pm

        @Anonymous

        i don’t think it’s a big deal. but mwb – browser – extension is still a beta. therefore, share your privacy – issues with malwarebytes here:

        https://forums.malwarebytes.com/forum/242-malwarebytes-for-firefox/

        sometimes you have to make compromises & sometimes you have to trust _someone_.
        in this point we are very different, which the previous cloudflare/DoH – discussion has already shown.

        to “user_pref(“network.trr.mode”, 2)” .. which again points to our last cloudflare/DoH – discussion) :

        i wrote before that: “but more tailored to my personal needs and only in the context of something else” .

        so this was not a general recommendation (that is why the network.trr.uri is deliberately missing), because i know how differently this “feature” is seen.

        so, let’s keep it that way: i’m using DoH, i’m using cloudflare DNS.

        for me, you are too subjective in this context. “fefe’ism”:

        https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=https%3A%2F%2Fwww.privacy-handbuch.de%2Fdiskussion.htm&edit-text=&act=url

        so, in the related ghacks – topic everything has already been said. we don’t have to warm that up here again. give me another dns – provider with such an infrastructure and i’ll change immediately. that’s even mozilla’s plan in the meantime. they want to offer the user more possibilities. it was somewhere on a mozilla – page on this DoH – topic. wait and see.

        at least in the “cookie – whitelisting – approach we agree. that’s something.

      6. Anonymous said on September 24, 2018 at 2:53 pm

        @ noemata

        Your link to the Malwarebytes forum shows something I had not noticed before about this browser extension : their “clickbait” blocking seems to be used as a variant of the “fake news” blocking, which means political blocking which pretends not to be political :

        https://forums.malwarebytes.com/topic/233742-malwarebytes-blocking-centerconservative-sites-as-clickbait/

        This is something I’ll have to be more careful about when trying content blockers.

      7. noemata said on September 24, 2018 at 6:26 pm

        @Anonymous

        yeah, but i do not care about the clickbait protection. i have only enabled malware protection (especially as 1st-party – script defense mechanism against cryptocurrency mining) & the advertising/tracker protection. sometimes i tried the scam protection, but it’s not necessary (imho). the less, the better (especially for my cpu). “send anonymous telemetry to malwarebytes” is also opt out ( = already the “factory setting”).

        to their clickbait protection: you don’t know if they’re just pretending, i don’t know if they’re just pretending. they say: it’s based on “academic researchers” & “it is not politically motivated at all”.

        well, to trust or not to trust this “academic researchers”, a contradiction in itself or not, i consider the (& every) clickbait function/protection per se to be bollocks. we will see how the beta develops in this respect. i simply enable what’s important for me. and that did the job well.

        at the moment i have returned to ublock origin, because the mwb – beta development for firefox is too sluggish and the cpu load is slightly higher than with ublock origin at the moment.

        nevertheless i keep an eye on the addon because (as already mentioned) it has done its job and i trust malwarebytes more than for example burda & co . the malwarebytes – experience – values of their other products are positive and very helpful.

        so i will stick to the fact that this addon has a big future – if they continue to work on it even more intensively (in cooperation with the users).

        ps: ah, i found it (DoH)

        https://blog.mozilla.org/futurereleases/2018/09/13/dns-over-https-doh-testing-on-beta/ .

        “moving forward, we are working to build a larger ecosystem of trusted DoH providers that live up to this high standard of data handling, and we hope to be able to experiment with other providers soon.”

        well, let’s hope, see and wait. in both cases.

      8. Anonymous said on September 24, 2018 at 11:37 pm

        “to their clickbait protection: you don’t know if they’re just pretending, i don’t know if they’re just pretending. they say: it’s based on “academic researchers” & “it is not politically motivated at all”.”

        News classification as clickbait or not is inherently political, objectivity doesn’t exist in that matter, academics or not, even with the best intentions. They may even sincerely believe that their choices are neutral, but this is at best naive and illusory.

        “i consider the (& every) clickbait function/protection per se to be bollocks”

        We agree.

      9. noemata said on September 25, 2018 at 12:15 pm

        @Anonymous

        we agree. how to deal with it: opt out “clickbait protection” (if you use the addon). that’s all. simple.

        listen: i do not care about this module. if _you_ care about this module, ok, “get politically involved” .. “as objectively as possible” ;) . or make non-contradictory conclusions and stay out of it .. and simply opt out “clickbait protection” (if you use the addon). that’s all. simple.

        as long there is a choice (of course). no choice = disappear from my system.

      10. noemata said on September 24, 2018 at 11:34 am

        sry, a mistake has crept in. “the last two” :

        user_pref("network.prefetch-next", true);
        user_pref("network.dns.disablePrefetch", false);

        user_pref("media.peerconnection.enabled", false); = has been mentioned _before_ and has nothing to do with the linked context. over and out on this topic.

  4. noemata said on September 23, 2018 at 1:51 pm

    first of all: about:config?filter=privacy.firstparty.isolate . set value to true.

    whitelist approach: about:config?filter=network.cookie.cookieBehavior , set value to 2 . whitelist sites per context menu: view page info – permissions – set cookies.

    i have _only_ 10 pages with which it was necessary. build your “cookie – web – of – trust” . that’s not much work.

    i would much prefer it, if firefox offers a more direct access to cookie – handling when cookies and site data are generally disabled (like in chrome).

    mozilla’s approach described in the article is bullshit. imho. is the old pre-quantum mozilla team (i thought many old braids were cut off ; which also applies to some developers) coming back to power or why i have been reading so much nonsense from mozilla lately?

    @mozilla, please pick up where you started with ff57 (that also implies really thought-out solutions like “privacy.firstparty.isolate”).

  5. Ayy said on September 23, 2018 at 2:14 pm

    I’d prefer if they take it up a notch and disallow all third-party domains from setting any form of data. Until that’s a thing I’ll continue to keep them disabled even if it breaks some browser addons.

  6. Anonymous said on September 23, 2018 at 5:30 pm

    This is in Nightly in about:preferences#privacy -> Third-Party Cookies -> Trackers

  7. Clairvaux said on September 24, 2018 at 3:01 am

    Chrome-related, but on the topic of privacy and, from what I can understand, major news (bad for Chrome, good for Firefox — by implication) :

    Why I’m done with Chrome
    https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/

    Using Gmail ? You will be force-logged into Chrome
    https://news.ycombinator.com/item?id=17942252

    1. Anonymous said on September 24, 2018 at 7:44 am

      From the first link :
      “I think It’s entirely possible for a company like Google to make good, usable open source software that doesn’t massively violate user privacy. For ten years I believe Google Chrome did just this.”

      I hope that his blog is not about privacy because this guy makes very, very false assumptions about Google and Google software.

      1. Clairvaux said on September 24, 2018 at 5:52 pm

        “This guy” is a professional cryptographer, so he might know a thing or two about privacy. He also teaches his trade at university level. Maybe you could put the question to him on his own blog (there are already 100 comments below that post), although it’s possible he requires his readers to be so kind as to provide an alias. But be prepared to support your views with something more than “you’re very wrong”. I doubt this will cut the mustard on his blog.

        Matthew D. Green : “I am an Assistant Professor at the Johns Hopkins Information Security Institute. My research includes techniques for privacy-enhanced information storage, anonymous payment systems, and bilinear map-based cryptography. I am one of the creators of the Zerocash protocol, which is used by the ZCash cryptocurrency, and a founder of an encryption startup Zeutro. I was formerly a partner in Independent Security Evaluators, a custom security evaluation and design consultancy and I currently consult independently. From 1999-2003, I served as a senior technical staff member at AT&T Laboratories/Research in Florham Park, NJ.”

        Alternatively, you might tell us why you think he’s wrong.

      2. Anonymous said on September 24, 2018 at 11:35 pm

        “Alternatively, you might tell us why you think he’s wrong.”

        A few examples :
        https://8ch.net/tech/chrome.html

      3. samuvuo said on September 24, 2018 at 10:30 pm

        I think the emphasis is on “massively”.

      4. Anonymous said on September 25, 2018 at 10:49 am

        “I think the emphasis is on “massively”.”

        I know. I maintain that while this change is another bad one from Google for privacy, it is still less bad than what Chrome was already doing before, so that everybody starts to panic now and change browser because of this seems strange to me.

  8. Steve#99 (allot of Steve's past few weeks) said on September 24, 2018 at 10:03 pm

    This article, along with the recent article about google chrome auto logging into the chrome website, are just 2 more reasons why I still use FF. As much as some corporate tools at mozilla try to destroy FF, there are enough devs remaining who still carry the flame that make FF a great browser, warts and all.

    OTOH, use a browser from an ad agency? An ad agency that has a very long and well documented history of abhorrently invasive behaviour? bleepingcomputer correctly has a cynical blog entry into google chrome’s latest potentially privacy destroying shenanigans.

    https://www.bleepingcomputer.com/news/security/users-forcibly-being-logged-into-chrome-when-signing-into-a-google-service/

    PS: @Clairvaux – Agree, when Matt Green speaks, take it to the bank: Matt’s analysis is always 24K pure.
