Forgot your password?
typodupeerror
Firefox Advertising Mozilla Privacy Your Rights Online IT

Firefox Will Soon Block Third-Party Cookies 369

Posted by timothy
from the accept-only-genuine-chocolate-chip dept.
An anonymous reader writes "Stanford researcher Jonathan Mayer has contributed a Firefox patch that will block third-party cookies by default. It's now on track to land in version 22. Kudos to Mozilla for protecting their users and being so open to community submissions. The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'"
This discussion has been archived. No new comments can be posted.

Firefox Will Soon Block Third-Party Cookies

Comments Filter:
  • by FSWKU (551325) on Saturday February 23, 2013 @05:33PM (#42991465)

    The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'

    Translation: Boo-fucking-hoo. Online marketing scum have been abusing users for years, making this a retaliatory measure. Let them cry all they want, because nobody gives a shit.

    • by CheshireDragon (1183095) on Saturday February 23, 2013 @05:38PM (#42991495) Homepage
      I have always turned of the third party cookies, but good move for making it a default.
      And to hell with marketers, they can cry all they want. They have already stripped most television show of a title sequence and forced shows to start rolling credits while still running. Ihave always wondered why I pay for a ton of cable channels when all I am really doing it watching commercials. Good thought to the creator of the DVR.
      • "I have always turned of the third party cookies, but good move for making it a default. And to hell with marketers, they can cry all they want."

        Agreed. Pretty much by definition, third-party cookies are "stealth" information gathering. They have no right to be tracking me. I keep them turned off, too.

        But I do not see why this is news-worthy. It's just a checkbox. The so-called "patch" is probably one line of code, and an exceedingly short one at that.

      • by Anonymous Coward on Saturday February 23, 2013 @06:36PM (#42991881)

        Sites will start blocking Firefox browsers. If enough popular sites do this, people will be switching to other browsers. Or people will start making Firefox masquerade as a different browser, which (if it becomes popular) will subsequently be made illegal. That is assuming that third-party cookie blocking won't just be made illegal.

        It is appropriate to describe this as a first-strike, because there will be a retaliatory salvo, and much of our Internet freedom will get caught in the crossfire.

        • Re:Consequences (Score:5, Interesting)

          by Mashiki (184564) <mashiki AT gmail DOT com> on Saturday February 23, 2013 @07:32PM (#42992221) Homepage

          Sites will start blocking Firefox browsers...

          Considering anyone with 3 firing neurons already blocks advertising to begin with, this is pretty much moot. The reality is advertisers have been abusing cookies for decades, the worst of advertisers have been abusing advertising itself, and allowing malware into their networks and taking a 'cut' of the scam.

          Personally? Until advertisers man up, and stop acting like the guy standing on the corner of a shady neighborhood going "hey, wanna buy some shit..." they can simply suck it.

        • by tibman (623933)

          Oh man that sounds great! Ads that block themselves.

      • by Mitreya (579078) <(mitreya) (at) (gmail.com)> on Saturday February 23, 2013 @06:36PM (#42991883)

        And to hell with marketers, they can cry all they want. They have already stripped most television show of a title sequence and forced shows to start rolling credits while still running.

        If they only stopped at that!
        Are you not getting the damn characters running across your show, in the middle of the show? It superimposes over the current show I am actually watching, just like a popup ad online

        Also, a simple comparison of show length, demonstrates that in the 60s/70s shows ran for 26.5 minutes, while current sitcoms are around 22.5 minutes per half hour. And you get to see pop-ads in the middle of some of those three 7-minute long pieces.

        • by TheGratefulNet (143330) on Saturday February 23, 2013 @08:51PM (#42992659)

          I have not watched network/premium tv for quite a while, now (3 yrs, maybe longer).

          recently, I was staying in some hotels and wanted to see what 'was on'. realize, I have not seen the state of 'current tv' for years.

          the moving ads at the bottom and all the rest that you and parent posters have said really turned me off. enough that I will still not consider paying for satellite, cable or anything else 'pay tv'.

          really gross and hard for me to accept. I'm over 50 and I do remember when tv was watchable. (yes, goml, etc). but if you have not been desensitized by it gradually, the jump in annoyance factor is too great. I think they have lost me, forever now, as a customer.

          tv was always an ad medium, but now its just too absurd!

          I can fully, fully understand why the youth culture is all about capturing shows, editing the BS out of them and reuploading them. I fully understand that and I can't blame anyone for wanting to get around the crap.

          sorry, industry; you pissed off your customers and many have rebelled and won't ever come back.

      • by egarland (120202) on Saturday February 23, 2013 @09:50PM (#42992931)

        > I have always wondered why I pay for a ton of cable channels when all I am really doing it watching commercials.

        Because, half the cost of the programming you are watching comes from commercials. The average TV watcher watches about $80 worth of adds per month. (That's assuming about $0.02 per commercial watched, 30 commercials per hour, and 130 hours of TV watched per month which, as far as I know, are roughly accurate averages.) Would you pay $80 more for all that content without the commercials?

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      I think the advertisers have a legitimate point, and should retaliate. How about trying to pay web site owners to alter their sites so they refuse to load on FireFox? I bet that would be a hilarious and very short negotiation.

      In all seriousness, advertisers are simply the worst form of corporatism: All they want is more of everything, regardless of what they already have. They don't like being blocked like this, let them invent their own Internet with its own bizarre, user-hostile set of rule. They coul

    • by bhagwad (1426855) on Saturday February 23, 2013 @06:01PM (#42991647) Homepage

      I would much rather pay by seeing ads instead of paying actual cash. Websites are free to advertise to me as much as they want. If I don't like the ads, I stop using them. There's no need for browsers to protect me.

      • by Anonymous Coward on Saturday February 23, 2013 @06:31PM (#42991857)

        blocking third party cookies doesn't, in any way, prevent a website from displaying ads on a website. This isn't an either/or situation. The third-party cookies are used to track users.

      • Re: (Score:3, Insightful)

        by MrEricSir (398214)

        If I don't like the ads, I stop using them. There's no need for browsers to protect me.

        If you're okay with having your every move tracked across the web, by all means, use a different browser.

        But do yourself a favor and stop pretending that this has anything to do with seeing ads on the internet.

        • by petsounds (593538) on Saturday February 23, 2013 @07:47PM (#42992321)

          Well, the public was given a choice back in the 90's. There were ad-driven sites, and there were subscription-based sites.

          We know which business model won. The "free" one, because people tend to value short-term rewards over long-term ones. The tracking and collusion by ad companies is just natural evolution of the wild west world of internet advertising. Ad rates have gotten so low that Google would probably be as poor as Yahoo if they weren't keeping tabs on you wherever you go and offering that profiling to advertisers. Facebook as well.

          So, this completely has to do with ads on the internet. The public chose short-term self-interest, and now we're reaping the consequences of that choice. I know that a lot of newer slashdotters probably work at VC-funded startups, and think that the internet is just a giant playground where everything is free, but some of us lived and worked through dot-com fantasyland 1.0, and the reality is that businesses have to actually make money. The sad thing is that we're just going through the same cycle again. VC money is a cancer on the tech industry, because it creates unsustainable business models, suppresses competition, and turns the customer into a product.

          • Ad rates have gotten so low that Google would probably be as poor as Yahoo if they weren't keeping tabs on you wherever you go and offering that profiling to advertisers. Facebook as well.

            The reason that ad rates are low is because anyone in an industrialized society is so constantly bombarded with ads that the ads fade to an incomprehensible background hum that does nothing but interfere with the transmission of the information people actually want. Collapse of this system is inevitable; and when it does,

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Yes, because the Internet really sucked prior to commercialisation.

          Don't believe the guff, prior to a commercialised Internet, services still ran and ran well.

  • Why wait for v22? (Score:5, Insightful)

    by Jimbookis (517778) on Saturday February 23, 2013 @05:34PM (#42991471)
    Stick it in v19.0.1. Bring it on!
  • by Sigma 7 (266129) on Saturday February 23, 2013 @05:34PM (#42991473)

    Since Netscape 4.7, there was an option to block third-party cookies (yet DoubleClick found a way around that). Changing a default option should have no impact on the advertisers - they can adapt or die.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Doubleclick is now known as Google adwords. So it should be interesting to see if this ever gets into Chrome...

    • "yet DoubleClick found a way around that"

      Not really. IIRC, they were using a pixel tracker... a third-party graphic, not a third-party cookie. And I am pretty sure they were far from the first to do that. Just the first to use it the way they did.

  • by Anonymous Coward

    [grumpy cat] Good.

  • by femtobyte (710429) on Saturday February 23, 2013 @05:35PM (#42991481)

    If the advertising industry is still capable of responding, we obviously haven't nuked them enough yet.

    • by greg1104 (461138)

      The problem is that advertisers are like cockroaches; you can't kill them with nukes. When all of civilization has been reduced to a post-apocalyptic wasteland, and mutant zombies roam the land, there will still be someone trying to sell you that one weird trick for losing belly fat.

      • by femtobyte (710429)

        You may not ever be able to get rid of them all. But when a slum houses more roach than human tenants by mass, it's probably time to raze the tenements to the ground with fire and re-build something more suitable for human habitation. The most dismal sectors of the web, consisting of tiny slivers of human content wedged between giant mounds of advertisers' feces, are overdue to be razed and rebuilt from scratch, based on new models besides maximally-intrusive-scumbag-ad-supported content. No doubt the roach

  • by John Hasler (414242) on Saturday February 23, 2013 @05:37PM (#42991489) Homepage

    ...would be incorporating AdBlockPlus and NoScript and enabling both by default.

    Do it.

    • Noscript is good, but too inconvenient for regular users. Ghostery is much better (for anti tracking use), since it already has a blacklist of the trackers and does not really affect the browsing.

      Adblock, Flashblock, Ghostery - must have, Noscript - highly recommended.

    • by Mitreya (579078) <(mitreya) (at) (gmail.com)> on Saturday February 23, 2013 @06:51PM (#42991981)

      incorporating AdBlockPlus and NoScript and enabling both by default.

      Quite a few websites (whether intentionally or not) make it difficult to figure out which domain needs to run javascript for them to function. It is often _not_ the current domain. So users will end up choosing "Enable all scripts (dangerous)" option with NoScript sooner or later.

      Also, when the webpage redirects you to a processor for finalizing a payment, a lot of work can be lost. Cannot go back without losing entered data and cannot complete the payment because reload will screw things up. NoScript should really ask you "Click redirects to a different domain -- enable scripts there?"

      • by Yaa 101 (664725)

        I dunno about others but when a site refuses to show content without me unblocking scrips it will just get ignored.
        b.t.w. US sites are really the worse with sometimes 15 or more scripts and most of them 3rd party.

        Besides, unless advertisers find a way to serve me from 127.0.0.1, they will not do anything as I couldn't care less about their whining because I do not want their bought for web anyway.
        They can keep their 80% of their paid for web and stick it where daylight is not showing as it's all cheapo lose

  • by bradley13 (1118935) on Saturday February 23, 2013 @05:38PM (#42991501) Homepage

    Block 3rd party cookies, and that is. This is my default setting, and it rarely has any impact on the actual content of a website.

  • by manicpop (1342057) on Saturday February 23, 2013 @05:46PM (#42991545)
    The great thing about Firefox is you can block all cookies by default, and whitelist only specific domains. Just block everything except ones you know you need (like maybe your banking site). Use "allow for session" for sites that need cookies for some reason but you don't need to save permanent data. There's also a great extension called "Cookie Monster" that will let you set all those options on a per-domain basis from the status bar.
  • Safari (Score:2, Insightful)

    by Anonymous Coward

    Doesn't Safari already do this by default?

  • Nuclear Response (Score:5, Informative)

    by Bob9113 (14996) on Saturday February 23, 2013 @06:00PM (#42991639) Homepage

    The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'

    This is a completely justified nuclear response. The nuclear first strike was when the advertising industry started stalking people everywhere they go without informed consent or even an easy way for average people to opt out, and with no way to purge your history. If you had only used cookies in the public interest, the browser that cares about its users would not have to respond to your hostile behavior.

  • The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'

    I guess one person's "nuclear first strike" is another's "measured response."

  • Most sites will work fine, but you'll have to add an exception for disqus.com if you want to post comments on sites that use disqus. Latest version of it should detect and warn you to enable coolies though.
    • by PPH (736903)

      warn you to enable coolies though.

      Just as I suspected. The Chinese are behind this.

  • I would go even further than Mozilla plans to go (and Safari goes already):

    By default, I would require all cookies to be either 1st party or "blessed" by either the user or the 1st party.

    In other words, if Slashdot had a Facebook widget, either the end user would have to whitelist Facebook to allow it to deposit cookies from anywhere, or Slashdot would have to explicitly "bless" the specific widget or the web browser would not let the embedded Facebook widget read or write cookies without prompting the user

  • by schmidt349 (690948) on Saturday February 23, 2013 @06:18PM (#42991765)

    The "first-party context" loophole is the deathknell of this thing, just as Safari's own mechanism doesn't actually protect anybody's privacy.

    If you don't like tracking cookies, that's fine, but there is an infinite variety of workarounds for this so-called solution. One can easily use a URL proxy, for instance -- you click a link marked "Next Page" that actually goes to "entirelylegitimatewebsite.com/track_me_please," which sets a cookie and immediately redirects you to "mysite.com/nextpage." Hey presto, first-party context cookie set!

    On the other hand, there's browser local storage, beacon URLs via AJAX... the list goes on and on. Hell, even if most web browsers _do_ start blocking all third-party cookies under all circumstances, the data kingpins will start offering handy little Rack and Tomcat plugins that use first-party cookies to track user behavior across the Web.

    If you're a Web user who's paranoid about information leaks, you should already be using Tor and some privacy-centric web browser. But given the degree of personalization inherent in most of the 21st century Web, I have a hard time understanding why a paranoiac would use the Web at all.

  • by WaffleMonster (969671) on Saturday February 23, 2013 @06:39PM (#42991905)

    If you have some spare time restart your browser, fire up wireshark and filter for DNS queries then go to just the home page of any of a bazillion web sites... It is insane... one single page load of something like cnn,fox,nbc,forbes translates into 20-30 of dns queries for all manner of advertising and market intelligence companies.. Everyone knows this stuff exists but I was genuinly shocked by the volume and number of sites involved.

    If it isn't cookies it will be fingerprinting, flash cookies, DNS cache probing + IP but we can work to mitigate these things as well.

  • Not kudos to Mozilla for taking so many years to do what is obviously needed. This and many other things should not have needed a community submission. The core programmers should already know how to do these things and know that they are essential for safe browsing experience.

  • I have to block ALL cookies.

  • A disaster. (Score:2, Funny)

    by Anonymous Coward

    What a frelling disaster. The end of third party cookies will pose problems for my household. My wife is getting better at baking but so far cookies seem beyond her even with third party products.

  • by SampleFish (2769857) on Saturday February 23, 2013 @08:53PM (#42992665)

    Fuck these assholes until they bleed.

    "Nuclear first strike"? It's a counter-measure. I'm so sick of people using war rhetoric inappropriately. There is no "nuclear cookie blocker" and there is no "war on Christmas". There are no bombs going off and nobody is dying in the streets. This statement makes me want to bomb the corporate office of an ad agency so they have something to complain about*. Might stop the spam for a week too.

    *This user does not support the actual use of explosives to make a point. Bombs are not educational tools and should be used responsibly. We now return to your regularly scheduled flame war.

  • by t4ng* (1092951) on Saturday February 23, 2013 @09:03PM (#42992723)
    I never quite understood how, for the past several years, embedded PayPal payment buttons have remained completely broken if the client disabled third party cookies. Maybe if all browsers did this PayPal would finally fix their system.
    • by t4ng* (1092951) on Saturday February 23, 2013 @09:20PM (#42992811)

      Whoops, just read through the thread on Bugzilla about the patch. It's not really disabling third party cookies completely. It still allows third party cookies to be exchanged if cookies from that third party already exist on the client. So if you visited PayPal directly, then went to a web site with an embedded PayPal button, that site would still send client's PayPal cookies.

      That seems like a good trade-off between security and zero-config for most cases. But if also means unless you explicitly disable all third party cookies, sites like Facebook will still be able to follow you around the web.

      • by Spykk (823586)

        But if also means unless you explicitly disable all third party cookies, sites like Facebook will still be able to follow you around the web.

        That is one way of interpreting this. The other is as yet another reason not to visit Facebook.

  • by the_B0fh (208483) on Saturday February 23, 2013 @10:19PM (#42993067) Homepage

    About the only thing that'll survive a nuclear war is cockroaches. So, if the cookie tracking online ad industry survives this nuclear strike, are they cockroaches...?

  • by knorthern knight (513660) on Saturday February 23, 2013 @10:30PM (#42993097)

    I hate to rain on your parade, but...

    Let's say someone has a website http //www.good.example.com, and want http //ads.doubleclick.net to get past this filter. Assuming they control their own DNS, they simply need to set up a CNAME www.bad.example.com that points to ads.doubleclick.net. Voila, the ads.doubleclick.net server shows up on the same domain as www.good.example.com.

    • by Luthair (847766)
      Except that the Ad agencies want to track you across different sites and won't have access to that cookie when the user is on foobar.com
  • by smagruder (207953) <stevem@webcommons.biz> on Sunday February 24, 2013 @02:49AM (#42993965) Homepage

    If this change reduces the overall efficacy of advertising on websites, then we'll likely see many independent websites go out of business. Facebook will love this, as it seems like their goal to rub out (yes, I mean this in the mobster sense) the web outside of them.

    Maybe we need a compromise?

    Have a website somehow "vouch" for the third-party cookies in use on their site by either disclosing them to their users, or letting them present an option/warning to visitors that says "To keep our site financially sustainable, we ask that visitors accept cookies from our advertisers -- to that end, we require cookies to not be blocked to access our content".

    I understand why people detest advertising, but it's also part of a commercial ecosystem that keeps the independent web alive and kicking. If we allow the blocking of third-party cookies, we should also give webmasters the power to block access from anyone who is blocking them, and even more, blocking ads on their site. It's only fair.

Wherever you go...There you are. - Buckaroo Banzai

Working...