How to enable Redirect Tracking Protection in Firefox
Mozilla released Firefox 79.0 to the stable channel recently and one of the main changes of that release improved the browser's tracking protection feature.
Enhanced Tracking Protection 2.0 introduced support for preventing an advanced tracking technique called redirect tracking. Redirect Tracking is used to bypass a browser's mechanisms to block online tracking. While browser's may block third-party cookies, redirect tracking basically adds the tracker's site to the navigational event to make it first party in the context.
So, instead of visiting Site B from Site A right away, you would be taken to Site T as well (Site A > Site T > Site B) with T being the tracker site. Site T would just load briefly and then redirect to the actual target.
Mozilla notes on its developer site:
Redirect trackers work by forcing you to make an imperceptible and momentary stopover to their website as part of that journey. So instead of navigating directly from the review website to the retailer, you'll end up navigating to the redirect tracker first rather than to the retailer. This means that the tracker is loaded as a first party. The redirect tracker associates tracking data with the identifiers they have stored in their first-party cookies and then forwards you to the retailer.
Firefox's redirect tracking protection clears cookies and site data from trackers regularly provided that the preference network.cookie.cookieBehavior is set to the value 4 or 5.
You can check the value of the preference by loading about:config in the browser's address bar and searching for the preference. Mozilla will introduce support for the values 1 and 3 in Firefox 80. Firefox users may configure the browser's tracking protection feature on about:preferences#privacy.
Firefox will clear the following data associated with the tracking attempt:
- Network cache and image cache
- DOM Quota Storage (localStorage, IndexedDB, ServiceWorkers, DOM Cache, etc.)
- DOM Push notifications
- Reporting API Reports
- Security Settings (i.e. HSTS)
- EME Media Plugin Data
- Plugin Data (e.g. Flash)
- Media Devices
- Storage Access permissions granted to the origin
- HTTP Authentication Tokens
- HTTP Authentication Cache
Origins will only be cleared if they met the following conditions:
- If it stored or accessed site storage within the last 72 hours.
- The origin is classified as a tracker by Mozilla's Tracking Protection list.
- No origin with the same base domain has a user-interaction permission.
- Permissions are granted for 45 days if a user interacts with the top-level document, e.g. by scrolling.
Data is cleared when the user has been idle for 1 minute (>48 hours after the last purge) or 3 minutes (24-48 hours after the last purge).
Manage Redirect Tracking Protection in Firefox
Redirect tracking protection is rolled out over the next two weeks to all Firefox users. The feature is controlled by a preference that Firefox users may set right away to enable the protection.
Enable Redirect Tracking Protection in Firefox:
- Load about:config in the browser's address bar.
- Search for privacy.purge_trackers.enabled.
- Set the preference to TRUE to enable it, or FALSE to disable it.
- Search for network.cookie.cookieBehavior.
- Make sure it is set to 4 or 5 in Firefox 79, and 1,3,4 or 5 in Firefox 80).
- Restart the web browser.
Check out the post on Mozilla's developer site for additional information.
Now You: If you are a Firefox user, do you use the Tracking Protection feature? (via Techdows)
Thank you for the article, Martin!
I have a question: is it possible to have this new feature enabled along with blocking 3rd-party cookies? Changing the value of network.cookie.cookieBehavior from 1 to 4/5 opens the gate for 3rd party-cookies right now, if I understand things correctly.
I think you need to wait until Firefox 80 is released for that to work.
So basically the same thing the â€žSkip Redirectâ€œ extension already does? Any deadline for a built-in adblocker, and for using more blocklists than weak Disconnect? To show their commitment…
I think the behavior of the extension is different (not 100% sure as I did not look at the code of the add-on), but it appears to skip URL redirects only and not this type of tracking redirects.
@Iron Heart: see my comment to you on this page https://www.ghacks.net/2020/08/05/libreoffice-7-0-is-now-available/#comment-4470023
@Iron Heart, Skip Redirect is only useful when the destination is included in the redirection URL, unfortunately.
All right, thanks for the quick reply! Guess I’ll have to wait until 80 comes out or perhaps find another way to block 3rd-party cookies, so I can enable the redirect tracking protection :D
totally unclear what all the numbers/options mean for
googling doesn’t really help as the articles are really old or have no details.
says 3 is for old browsers….
seems to suggest 3 works with another setting… network.cookie.p3plevel which no longers exist.
yet if i were to go via the gui… and select custom->block cookies from unvisited sites.. it set it to 3 (whereas strict or custom ->cross media and social tracker is 4)…. what does block cookies from unvisited sites mean? is it stricter than just block cross media and social tracker?
0 = Nothing (accept everything)
1 = All third-party cookies
2 = All cookies
3 = Cookies from unvisited websites
4 = Cross-site and social media trackers (less strict than 1, less breakage, uses Disconnect list, I think)
5 = Cross-site and social media trackers, isolate remaining cookies (Dynamic First Party Isolation)
Cookies from unvisited websites blocks all 3rd party cookies except for those from sites you have visited before, e.g: mysite.com contains cookies from unvisited.com and visited.net, firefox will block all cookies from unvisited.com but allow those from visited.net because you have visited it before (as first party).
It’s unclear what numbers mean for network.cookie.cookieBehavior.
so in terms of strictness (most to least), it’ll go something like 2, 1, 3, 5, 4, 0? or is it 2,1,5,4,3,0?
Forget about doing the blocking with Firefox itself. It could be a job for uMatrix.
Now, the bad part of forbidding 1st-party cookies as default in uMatrix is that then you need to allow 1st-party cookies in a case by case basis.
Other solution: maybe a good samaritan makes a full list of these POS companies so you can block them via HOSTS or uBlock.
This is awesome. Seems so many sites these days intercept links. Google search results, facebook messenger, etc – it actually slows down your browsing a lot!