
Firefox Will Soon Block Third-Party Cookies

An anonymous reader writes "Stanford researcher Jonathan Mayer has contributed a Firefox patch that will block third-party cookies by default. It's now on track to land in version 22. Kudos to Mozilla for protecting their users and being so open to community submissions. The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'"
  • by Sigma 7 ( 266129 ) on Saturday February 23, 2013 @05:34PM (#42991473)

    Since Netscape 4.7, there was an option to block third-party cookies (yet DoubleClick found a way around that). Changing a default option should have no impact on the advertisers - they can adapt or die.

  • by bradley13 ( 1118935 ) on Saturday February 23, 2013 @05:38PM (#42991501) Homepage

    Block 3rd party cookies, and that is. This is my default setting, and it rarely has any impact on the actual content of a website.

  • by manicpop ( 1342057 ) on Saturday February 23, 2013 @05:46PM (#42991545)
    The great thing about Firefox is you can block all cookies by default, and whitelist only specific domains. Just block everything except ones you know you need (like maybe your banking site). Use "allow for session" for sites that need cookies for some reason but you don't need to save permanent data. There's also a great extension called "Cookie Monster" that will let you set all those options on a per-domain basis from the status bar.
  • Nuclear Response (Score:5, Informative)

    by Bob9113 ( 14996 ) on Saturday February 23, 2013 @06:00PM (#42991639) Homepage

    The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'

    This is a completely justified nuclear response. The nuclear first strike was when the advertising industry started stalking people everywhere they go without informed consent or even an easy way for average people to opt out, and with no way to purge your history. If you had only used cookies in the public interest, the browser that cares about its users would not have to respond to your hostile behavior.

  • Re:Safari (Score:5, Informative)

    by Forever Wondering ( 2506940 ) on Saturday February 23, 2013 @06:00PM (#42991641)

    Doesn't Safari already do this by default?

    In the first bugzilla entry for the patch, it details what Safari does and proposes to mimic it.

  • by rihkama ( 732472 ) on Saturday February 23, 2013 @06:04PM (#42991665)

    I regularly clean out my cookies with "delete all", but I'd prefer to keep the ones for sites that require a login. But it's too hard to delete cookies individually.

    You can achieve that in Firefox without any extra extensions. Under Privacy:

    1. Use Custom settings for history
       - Accept cookies from sites
       - Keep until: I close Firefox
    2. Under Exceptions:
       - Add sites you want to allow permanent cookies sites using "Allow" button

    Done. Sites you allow can store cookies until they expire while other cookies are cleared every time you close the browser.

  • Re:Why wait for v22? (Score:5, Informative)

    by kthreadd ( 1558445 ) on Saturday February 23, 2013 @06:06PM (#42991685)

    Because there is a staging process for adding features to Firefox, so that nothing breaks once something reaches the release builds.

  • by Giorgio Maone ( 913745 ) on Saturday February 23, 2013 @06:17PM (#42991759) Homepage

    The patch is not exactly a one-liner, because the implemented behavior is not as straightforward as just "block 3rd party cookies".

    It's "block cross-site cookies from origins which I've not visited yet as 1st party websites and have already 1st party cookies from".

    This means, for instance, that Facebook, Google and Twitter likely get a free pass to track almost anybody.

    And that once you (accidentally or not) click any ad box, you give a free-pass to its advertising agency too.

  • by Anonymous Coward on Saturday February 23, 2013 @06:31PM (#42991857)

    Blocking third party cookies doesn't, in any way, prevent a website from displaying ads on a website. This isn't an either/or situation. The third-party cookies are used to track users.

  • by Anonymous Coward on Saturday February 23, 2013 @06:34PM (#42991873)

    Yes, because the Internet really sucked prior to commercialisation.

      Don't believe the guff, prior to a commercialised Internet, services still ran and ran well.

  • by WaffleMonster ( 969671 ) on Saturday February 23, 2013 @06:39PM (#42991905)

    If you have some spare time restart your browser, fire up wireshark and filter for DNS queries then go to just the home page of any of a bazillion web sites... It is insane... one single page load of something like cnn, fox, nbc, forbes translates into 20-30 DNS queries for all manner of advertising and market intelligence companies... Everyone knows this stuff exists but I was genuinely shocked by the volume and number of sites involved.

    If it isn't cookies it will be fingerprinting, flash cookies, DNS cache probing + IP but we can work to mitigate these things as well.

  • by Mitreya ( 579078 ) on Saturday February 23, 2013 @06:51PM (#42991981)

    incorporating AdBlockPlus and NoScript and enabling both by default.

    Quite a few websites (whether intentionally or not) make it difficult to figure out which domain needs to run javascript for them to function. It is often _not_ the current domain. So users will end up choosing "Enable all scripts (dangerous)" option with NoScript sooner or later.

    Also, when the webpage redirects you to a processor for finalizing a payment, a lot of work can be lost. Cannot go back without losing entered data and cannot complete the payment because reload will screw things up. NoScript should really ask you "Click redirects to a different domain -- enable scripts there?"

  • by petsounds ( 593538 ) on Saturday February 23, 2013 @07:47PM (#42992321)

    Well, the public was given a choice back in the 90's. There were ad-driven sites, and there were subscription-based sites.

    We know which business model won. The "free" one, because people tend to value short-term rewards over long-term ones. The tracking and collusion by ad companies is just natural evolution of the wild west world of internet advertising. Ad rates have gotten so low that Google would probably be as poor as Yahoo if they weren't keeping tabs on you wherever you go and offering that profiling to advertisers. Facebook as well.

    So, this completely has to do with ads on the internet. The public chose short-term self-interest, and now we're reaping the consequences of that choice. I know that a lot of newer slashdotters probably work at VC-funded startups, and think that the internet is just a giant playground where everything is free, but some of us lived and worked through dot-com fantasyland 1.0, and the reality is that businesses have to actually make money. The sad thing is that we're just going through the same cycle again. VC money is a cancer on the tech industry, because it creates unsustainable business models, suppresses competition, and turns the customer into a product.

  • by t4ng* ( 1092951 ) on Saturday February 23, 2013 @09:20PM (#42992811)

    Whoops, just read through the thread on Bugzilla about the patch. It's not really disabling third party cookies completely. It still allows third party cookies to be exchanged if cookies from that third party already exist on the client. So if you visited PayPal directly, then went to a web site with an embedded PayPal button, that site would still send client's PayPal cookies.

    That seems like a good trade-off between security and zero-config for most cases. But it also means unless you explicitly disable all third party cookies, sites like Facebook will still be able to follow you around the web.
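
Added example (not part of the thread and not code from the Firefox patch): a toy JavaScript model of the rule described in the comments by Giorgio Maone and t4ng*, where a third party may use cookies only if a cookie for it already exists from a first-party visit, compared with accepting everything and with blocking all third-party cookies. The `CookieJar` class, the `replay` helper, the policy names and all `*.example` sites are constructed for illustration.

```javascript
// Toy model of the cookie policies discussed in the thread (not Firefox code).
class CookieJar {
  constructor(policy) {
    this.policy = policy;      // "accept-all" | "block-third-party" | "visited-only"
    this.cookies = new Map();  // site -> Set of cookie names stored for it
  }
  // May `site` use cookies while the address bar shows `topLevelSite`?
  allows(topLevelSite, site) {
    if (site === topLevelSite) return true;              // first party
    if (this.policy === "accept-all") return true;
    if (this.policy === "block-third-party") return false;
    return this.cookies.has(site);  // visited-only: a cookie must already exist
  }
  setCookie(topLevelSite, site, name) {
    if (!this.allows(topLevelSite, site)) return false;
    if (!this.cookies.has(site)) this.cookies.set(site, new Set());
    this.cookies.get(site).add(name);
    return true;
  }
}

// Replay a session and return, per embedded site, the pages on which it
// was able to set or read its identifier cookie (i.e. could track the visit).
function replay(policy, session) {
  const jar = new CookieJar(policy);
  const seenBy = {};
  for (const { visit, embeds } of session) {
    jar.setCookie(visit, visit, "session");   // first-party cookie, always allowed
    for (const site of embeds) {
      if (!jar.setCookie(visit, site, "id")) continue;
      if (!seenBy[site]) seenBy[site] = [];
      seenBy[site].push(visit);
    }
  }
  return seenBy;
}

// Constructed browsing session; all site names are placeholders.
const session = [
  { visit: "news.example",   embeds: ["social.example", "ads.example"] },
  { visit: "social.example", embeds: [] },  // direct visit to the social network
  { visit: "blog.example",   embeds: ["social.example", "ads.example"] },
  { visit: "ads.example",    embeds: [] },  // user clicked an ad box
  { visit: "shop.example",   embeds: ["social.example", "ads.example"] },
];

for (const policy of ["accept-all", "block-third-party", "visited-only"]) {
  console.log(policy, JSON.stringify(replay(policy, session)));
}
```

Under the visited-only rule the embedded sites see nothing on the first page, but each one can follow the user on every page loaded after a single first-party visit to it.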

  • by nedlohs ( 1335013 ) on Sunday February 24, 2013 @01:18AM (#42993695)

    For firefox: network.http.sendRefererHeader, set it to 0 in about:config
