Firefox Will Soon Block Third-Party Cookies
An anonymous reader writes "Stanford researcher Jonathan Mayer has contributed a Firefox patch that will block third-party cookies by default. It's now on track to land in version 22. Kudos to Mozilla for protecting their users and being so open to community submissions. The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'"
First strike was in Netscape (Score:5, Informative)
Since Netscape 4.7, there was an option to block third-party cookies (yet DoubleClick found a way around that). Changing a default option should have no impact on the advertisers - they can adapt or die.
If you don't, you should (Score:5, Informative)
Block 3rd party cookies, and that is. This is my default setting, and it rarely has any impact on the actual content of a website.
just block all cookies (Score:5, Informative)
Nuclear Response (Score:5, Informative)
The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'
This is a completely justified nuclear response. The nuclear first strike was when the advertising industry started stalking people everywhere they go without informed consent or even an easy way for average people to opt out, and with no way to purge your history. If you had only used cookies in the public interest, the browser that cares about its users would not have to respond to your hostile behavior.
Re:Safari (Score:5, Informative)
Doesn't Safari already do this by default?
In the first bugzilla entry for the patch, it details what Safari does and proposes to mimic it.
Re:Feature Request: remove all cookies EXCEPT (Score:5, Informative)
I regularly clean out my cookies with "delete all", but I'd prefer to keep the ones for sites that require a login. But it's too hard to delete cookies individually.
You can achieve that in Firefox without any extra extensions. Under Privacy:
1. Use Custom settings for history
   - Accept cookies from sites
   - Keep until: I close Firefox
2. Under Exceptions:
   - Add the sites you want to allow permanent cookies for using the "Allow" button
Done. Sites you allow can store cookies until they expire, while other cookies are cleared every time you close the browser.
Re:Why wait for v22? (Score:5, Informative)
Because there is a staging process for adding features to Firefox, so that nothing breaks once something reaches the release builds.
Not that simple (Re:Online Advertising Response) (Score:5, Informative)
The patch is not exactly a one-liner [mozilla.org], because the implemented behavior is not as straightforward as just "block 3rd party cookies".
It's "block cross-site cookies from origins which I've not visited yet as 1st party websites and have already 1st party cookies from".
This means, for instance, that Facebook, Google and Twitter likely get a free pass to track almost anybody.
And that once you (accidentally or not) click any ad box, you give a free pass to its advertising agency too.
Re:Online Advertising Response (Score:4, Informative)
Blocking third party cookies doesn't, in any way, prevent a website from displaying ads on a website. This isn't an either/or situation. The third-party cookies are used to track users.
Re:Online Advertising Response (Score:2, Informative)
Yes, because the Internet really sucked prior to commercialisation.
Don't believe the guff, prior to a commercialised Internet, services still ran and ran well.
Insanity laden cookies (Score:5, Informative)
If you have some spare time, restart your browser, fire up Wireshark and filter for DNS queries, then go to just the home page of any of a bazillion web sites... It is insane... one single page load of something like cnn, fox, nbc, forbes translates into 20-30 DNS queries for all manner of advertising and market intelligence companies. Everyone knows this stuff exists, but I was genuinely shocked by the volume and number of sites involved.
If it isn't cookies it will be fingerprinting, flash cookies, DNS cache probing + IP but we can work to mitigate these things as well.
Re:A nuclear first strike... (Score:5, Informative)
incorporating AdBlockPlus and NoScript and enabling both by default.
Quite a few websites (whether intentionally or not) make it difficult to figure out which domain needs to run JavaScript for them to function. It is often _not_ the current domain. So users will end up choosing the "Enable all scripts (dangerous)" option with NoScript sooner or later.
Also, when the webpage redirects you to a processor for finalizing a payment, a lot of work can be lost. Cannot go back without losing entered data and cannot complete the payment because reload will screw things up. NoScript should really ask you "Click redirects to a different domain -- enable scripts there?"
Re:Online Advertising Response (Score:5, Informative)
Well, the public was given a choice back in the 90's. There were ad-driven sites, and there were subscription-based sites.
We know which business model won. The "free" one, because people tend to value short-term rewards over long-term ones. The tracking and collusion by ad companies is just natural evolution of the wild west world of internet advertising. Ad rates have gotten so low that Google would probably be as poor as Yahoo if they weren't keeping tabs on you wherever you go and offering that profiling to advertisers. Facebook as well.
So, this completely has to do with ads on the internet. The public chose short-term self-interest, and now we're reaping the consequences of that choice. I know that a lot of newer slashdotters probably work at VC-funded startups, and think that the internet is just a giant playground where everything is free, but some of us lived and worked through dot-com fantasyland 1.0, and the reality is that businesses have to actually make money. The sad thing is that we're just going through the same cycle again. VC money is a cancer on the tech industry, because it creates unsustainable business models, suppresses competition, and turns the customer into a product.
Re:Maybe PayPal will fix their system... (Score:4, Informative)
Whoops, just read through the thread on Bugzilla about the patch. It's not really disabling third party cookies completely. It still allows third party cookies to be exchanged if cookies from that third party already exist on the client. So if you visited PayPal directly, then went to a web site with an embedded PayPal button, that site would still send client's PayPal cookies.
That seems like a good trade-off between security and zero-config for most cases. But it also means unless you explicitly disable all third party cookies, sites like Facebook will still be able to follow you around the web.
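The behaviour described in the comment above and in the earlier "Not that simple" comment, as an added example that is not part of the thread or of the Firefox patch: a simplified JavaScript model in which a third party may set cookies only if it already holds cookies from a first-party visit. The class, the function and the `.example` hostnames are hypothetical, and the session is constructed.

```javascript
// Added illustration: simplified model of the policy as described in the thread.
// Sites are bare hostnames (constructed .example names); a real browser
// compares registrable domains, which this sketch does not compute.
class CookieJar {
  constructor() {
    this.cookies = new Map(); // site -> Map(cookie name -> value)
  }
  hasCookiesFor(site) {
    const c = this.cookies.get(site);
    return c !== undefined && c.size > 0;
  }
  // May `cookieSite` set a cookie while the address bar shows `topLevelSite`?
  trySet(topLevelSite, cookieSite, name, value) {
    const thirdParty = topLevelSite !== cookieSite;
    if (thirdParty && !this.hasCookiesFor(cookieSite)) return false; // blocked
    if (!this.cookies.has(cookieSite)) this.cookies.set(cookieSite, new Map());
    this.cookies.get(cookieSite).set(name, value);
    return true;
  }
}

// Replay a browsing session; report where each embedded party had a cookie,
// i.e. the pages on which it could recognise the same browser.
function simulate(visits) {
  const jar = new CookieJar();
  const recognisedOn = {};
  for (const { top, embeds = [] } of visits) {
    jar.trySet(top, top, "session", "1"); // first-party cookie, always allowed
    for (const site of embeds) {
      jar.trySet(top, site, "id", "u1");
      if (jar.hasCookiesFor(site)) {
        if (!recognisedOn[site]) recognisedOn[site] = [];
        recognisedOn[site].push(top);
      }
    }
  }
  return recognisedOn;
}

// Constructed session: one embedded party is visited directly, the other is reached by an ad click.
const SAMPLE_VISITS = [
  { top: "news.example", embeds: ["social.example", "ads.example"] },
  { top: "social.example" },                       // user logs in directly
  { top: "blog.example", embeds: ["social.example", "ads.example"] },
  { top: "ads.example" },                          // user clicks an ad
  { top: "shop.example", embeds: ["social.example", "ads.example"] },
];

console.log(simulate(SAMPLE_VISITS));
```

In this model neither embedded party is recognised on news.example; each is recognised only on pages loaded after its own first-party visit.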
Re:Online Advertising Response (Score:5, Informative)
For Firefox: network.http.sendRefererHeader, set it to 0 in about:config