
Container Tabs - malikNF
https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
======
rlpb
I would like to be able to configure my browser to open every URL in a domain-
specific "container", unless I say otherwise.

Say site www.a.org includes an image from www.evilcorp.org, and
www.evilcorp.org sets a cookie. When I then go to www.b.org and it includes an
image from www.evilcorp.org, I don't expect the cookie to be sent back.

In other words, the cookie should be tied to www.a.org, _even though_ it
actually came from www.evilcorp.org. It should only be sent if my URL bar says
www.a.org AND the image is coming from www.evilcorp.org.

I feel that this is how browsers should have been designed in the first place.
I welcome this Container Tabs feature, but I don't think it quite goes far
enough to restore my privacy.

~~~
cpeterso
Firefox is integrating a cookie feature from Tor called first-party isolation
or double-key cookies. It will separate third-party cookies for each first-
party site, so evilcorp.org cookies for evilcorp.org images on a.org will not
be set for evilcorp.org images on a.org. Blocking third-party cookies can
break some sites that rely on third-party resources, but first-party isolation
should allow each site to work without cookie "crosstalk".

You can test first-party isolation now by flipping the about:config pref
"privacy.firstparty.isolate" to true. Beware that there are still bugs that
break some sites, which is why the feature is not enabled by default yet. If
you find bugs, please report them in Bugzilla! Here is the Firefox bug
tracking the integration and known bugs:

[https://bugzilla.mozilla.org/show_bug.cgi?id=1299996](https://bugzilla.mozilla.org/show_bug.cgi?id=1299996)
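
An added illustration of the double-keying described in the comment above, run on the a.org / b.org / evilcorp.org scenario from the parent comment. It is a toy model written for this page, not Firefox code; the class names, the login.example and shop.example hosts, and the two-label site() shortcut are assumptions made for the example.

```javascript
// Toy model of a cookie jar, added for illustration; not Firefox code.
// Simplification: a "site" is the last two host labels. Real browsers use
// the Public Suffix List to find the registrable domain.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

class CookieJar {
  constructor(firstPartyIsolate) {
    this.firstPartyIsolate = firstPartyIsolate;
    this.cookies = new Map(); // jar key -> cookie value
  }

  // A single-keyed jar indexes cookies by the site that set them.
  // A double-keyed jar also includes the site shown in the URL bar.
  key(firstPartyHost, requestHost) {
    const owner = site(requestHost);
    return this.firstPartyIsolate ? `${site(firstPartyHost)}|${owner}` : owner;
  }

  get(firstPartyHost, requestHost) {
    return this.cookies.get(this.key(firstPartyHost, requestHost)) ?? null;
  }

  set(firstPartyHost, requestHost, value) {
    this.cookies.set(this.key(firstPartyHost, requestHost), value);
  }
}

// Third-party server: issues a fresh ID when no cookie arrives and records
// every first-party site on which each ID was presented.
class Tracker {
  constructor(host) {
    this.host = host;
    this.nextId = 1;
    this.seen = new Map(); // id -> Set of first-party sites
  }

  serve(firstPartyHost, cookie) {
    const id = cookie ?? `uid-${this.nextId++}`;
    if (!this.seen.has(id)) this.seen.set(id, new Set());
    this.seen.get(id).add(site(firstPartyHost));
    return id; // value of the Set-Cookie header
  }

  // Groups of sites the tracker can tie to one visitor ID.
  linkedSites() {
    return [...this.seen.values()]
      .filter((sites) => sites.size > 1)
      .map((sites) => [...sites].sort());
  }
}

// Load one embedded resource; returns the cookie the browser sent with it.
function load(jar, firstPartyHost, tracker) {
  const sent = jar.get(firstPartyHost, tracker.host);
  jar.set(firstPartyHost, tracker.host, tracker.serve(firstPartyHost, sent));
  return sent;
}

function simulate(firstPartyIsolate) {
  const jar = new CookieJar(firstPartyIsolate);
  const tracker = new Tracker("www.evilcorp.org");
  load(jar, "www.a.org", tracker);                 // first visit sets the cookie
  const sentOnB = load(jar, "www.b.org", tracker); // is it replayed on b.org?
  const sentOnAAgain = load(jar, "www.a.org", tracker);

  // The cost: a session cookie set while visiting login.example directly
  // is not visible when login.example is embedded in another site.
  jar.set("login.example", "login.example", "session-abc");
  const embeddedSession = jar.get("shop.example", "login.example");

  return { sentOnB, sentOnAAgain, linked: tracker.linkedSites(), embeddedSession };
}

console.log("single-keyed:", JSON.stringify(simulate(false)));
console.log("double-keyed:", JSON.stringify(simulate(true)));
```

With double keying the tracker still recognises a returning visitor on a.org, but it can no longer join that visit to the one on b.org; the embedded login.example lookup coming back empty is the kind of cross-site breakage the comment warns about.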

~~~
hackuser
I'm glad Firefox is doing this, but ...

> Blocking third-party cookies can break some sites that rely on third-party
> resources

Can anyone name sites that require them?

As someone who defaults to deny all cookies and manually enables every one my
browser accepts, I don't think I've found a site that requires 3rd-party
cookies. Few sites require cookies unless you log in or have a shopping cart.

Of course, that's anecdotal. Maybe I just don't visit certain categories of
sites and don't encounter them.

~~~
sleavey
StackOverflow, sadly. Their JavaScript requires some off site cookies to allow
for their cross domain user account stuff. Not enabling third party cookies on
the StackExchange sites leads to broken pages.

~~~
untoreh
Wouldn't that be the case for any site using sso?

~~~
sleavey
Yes, though there are some ways around this. You could send the user to
another domain to sign in using a unique request ID that identifies the user.
After authenticating this unique ID can be communicated back to the first site
to show the user has authenticated, and a cookie could keep the session
information. That wouldn't give a seamless sign-in on every site, though -
you'd need one cookie (and one sign-in) per domain.

The other way is to have all StackExchange sites be subdomains of
stackexchange.com - which is how the designers of the web intended it to be, I
think.

------
nikcub
This is a neat idea but it doesn't implement the main reason I use separate
profiles in Chromium - different security contexts based on how much you trust
a site.

Example: my main general browsing profile has flash, PDFs and all plugins
disabled, absolutely all handlers switched off, all hardware access off, WebGL
switched off, no account logins and uBlock Origin set to aggressively block
most third-party requests.

My second most used context is for personal sites I login for - with access to
third-party cookies (for those sites) and running most third-party requests
with standard uBlock rules.

I have yet other contexts (Chrome profiles) where Flash is enabled if I need
that, then a separate browser for Java etc.

I'd like to see these security levels built into browsers where the contexts
are built around permissions and site trust rather than access to the user
store (which is also important)

I don't think it's realistic for most users to do this right now with
profiles, as it requires a lot of discipline - it needs to be in the UI.

Browsers have become as sophisticated as operating systems and we're accessing
more and more of our personal data using them, yet the model of 'every site
has access to everything' be it a site you trust, like Gmail, or a random URL
you're clicking on - has somehow survived.

It's the equivalent of the old days where everyone would run their local
systems with an admin account for everything. I really think browsers need a
rethink along these lines where websites are treated like apps and you can
apply a trust group to each.

~~~
vosper
I'm genuinely not trolling here: what are you worried could happen if you
didn't do all of this stuff with the extensions and settings in your various
profiles? What does it mean to trust a website?

~~~
jolux
I turn all of those Chrome features off everywhere anyways. I find the
handlers to be especially annoying. Why the fuck would I want that? There's a
reason I use Mail.app and it's not because I love using email in web views.

~~~
homakov
Isn't mailto: opening Mail.app for you?

~~~
jolux
yes, but Chrome bugs me about switching it to Gmail every time.

------
JohnBooty
I am a Mozilla supporter and FF is my "daily driver" browser. Very interested
in this feature.

Chrome has had it for years, and it's a _killer_ feature for many
developers. It's very very useful to have multiple browser windows open, each
logged into the same site as a different user. A lot of people do this by
opening multiple browsers (FF, Chrome, Edge, Safari, etc) but that has its
limits and it just adds another variable my poor brain would prefer not to
handle.

Also very useful for home/work separation. One browser account for work and
one for home. And also maybe one for porn. So that when you're screensharing
in a meeting and you type a URL into the browser, you don't get autocomplete
suggestions for your favorite porn sites popping up. Happened to an old
(married) boss of mine once while displaying his screen on the projector...
typed "a" into the URL field and the browser helpfully suggested he navigate
to AdultFriendFinder. Right in front of some clients. :)

Firefox's "container tabs" implementation may be slightly confusing. Chrome's
implementation is dead simple. One identity per window, and the identity name
is always displayed in the upper right.

With FF's container tabs, I'll have one identity per tab, and I can see
they're color coded, but that means I'll have to mentally map colors to
identities. It's more flexible than Chrome's implementation but there's more
cognitive overhead involved.

Also, what's up with the name "container tabs?" That tells me nothing about
what they do. All tabs... contain things. I think they need to rename it to
"identity tabs" or something. How on Earth would anybody ever guess that
"container tabs" is related to identities and data sharing?

We'll see how it plays out though. I'm excited to try it and I am continually
grateful for Mozilla's efforts. In fact this reminds me I haven't donated to
them in a while....

~~~
rcthompson
Edit: I guess I'm misremembering how Chrome works, or maybe they changed it
since I've last used Chrome seriously. I'll leave the comment so the replies
make sense.

Original comment:

I'm kind of surprised that Mozilla went with a per-tab approach here, since
they went with per-window for private browsing (while Chrome did the opposite:
per-tab private browsing and per-window profiles).

~~~
dingo_bat
That's not right. Chrome's incognito mode is per window.

~~~
parasubcutaneor
Not even. Chrome's session isolation is only per each of the two browsing
modes.

~~~
fragmede
Chrome supports multiple profiles (click the person icon or username on the
upper right), not just logged and incognito.

~~~
angry_octet
Yes, but all incognito tabs are in the same session, even if opened in
separate windows.

------
x1798DE
Right now, what I'm doing is that all my standard browsing happens on Firefox,
with uMatrix blocking JS and just generally locked down. For anything where I
want to log in or have a persistent identity (stackoverflow, gmail, etc), I
set up separate Chrome profiles and manually open each site in the appropriate
profile.

Honestly, this whole thing is a bit of a pain - my ideal solution would be one
where I can set up "domain groups" matching on the URL in the URL bar, each
fully isolated from one another (different extensions, settings, caches,
histories, forms, cookie stores, etc), and clicking links that go from one
profile to another, all referer information is stripped out. Anything not
matching one of the domain groups would go to the "default session" (which I
would configure to be completely locked down and ephemeral).

Additionally, I'd want a context-menu item "Open link in group <x>", which
would open something matching another domain group in the domain group of my
choice, so that I could do things like visit gmail in two different groups.

~~~
echelon
Context based on domains sounds like a perfect and elegant solution. I hope
someone from Mozilla is reading this.

~~~
_dark_matter_
I'm pretty sure about 90% of us Mozilla engineers are on hacker news :)

------
altano
This is awesome. Microsoft's identity system is a nightmare so switching
between my Office 365 email account and my OneDrive/music accounts is always
annoying. I'd love to be able to contain each and stay logged in to both
accounts.

At work I test lots of user accounts on the same site and make heavy use of
Chrome profiles for that. This would fill a similar role.

But while I'm glad to have them, no average user would ever understand any of
these concepts as presented in these screenshots.

------
sirn
This looks amazing!

I have been using Self-Destructing Cookies[1] for a few years and while I think
the extension is great, I always feel there's not enough isolation between
tabs. For example, if I have Twitter logged in in one tab, and another tab
contains a Twitter button, then the other tab can still have access to my
Twitter cookie. (Because the Twitter tab is still active, so SDC would not
destroy the cookie.) I know this is solvable using a tracker blocker, but
something like SDC that worked on the tab container level would be very welcome.

(Another side effect of using SDC is that I seem to get the harder ReCAPTCHA
that makes you click an object until all of them disappear, with new ones
popping up after clicking. Usually took about 5-10 clicks. Very annoying.)

[1]: [https://addons.mozilla.org/en-US/firefox/addon/self-destruct...](https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/)

~~~
edgartaor
You may want to try uMatrix[1]. It blocks any 3rd party content by default
(cookies, scripts, ...). So Twitter buttons (and similar) do not load by
default, but you can allow it with two clicks.

[1]: [https://addons.mozilla.org/en-US/firefox/addon/umatrix/](https://addons.mozilla.org/en-US/firefox/addon/umatrix/)

~~~
sirn
Thanks for the suggestion, although I'm already using uMatrix :-)

SDC + uMatrix do make a really great combination, and I'm really glad I use
these extensions when I see some sites loading 10+ trackers that are not
relevant to site's function at all.

------
znpy
I've been doing this for years using both Firefox' and Thunderbird's multiple-
profile features.

Just run "firefox --no-remote -ProfileManager" and here you go.

So the serious question is: how is this any different from using multiple
profiles?

Multiple profiles also have the pro/con that they are actual different
processes, so there's no information leak between profiles whatsoever (well,
unless some serious hacking happens).

Edit: being different processes with different profiles, they also have
different configuration folders, different cookie sets, different password
storage locations etc...

~~~
remir
_Just run "firefox --no-remote -ProfileManager" and here you go._

I'm sure Grandma and Joe SixPack will do that... Not everybody is tech savvy.
I'd say the majority of FF users don't even know there's a profile manager.

~~~
wolrah
Reminder of the thing it's being compared to:

> The containers feature is enabled in Firefox Nightly 50 by default with the
> about:config pref `privacy.userContext.enabled` set to true.

Grandma and Joe SixPack aren't running Firefox Nightly with about:config
tweaks either.

~~~
Scarbutt
To be fair, grandma and joe sixpack don't even know firefox exists.

~~~
wongarsu
Maybe not in the US, but in Germany Firefox is the most popular browser.

------
grenoire
I would love this feature and it would actually get me to switch to Firefox in
a heartbeat. I'm currently using Chrome just because of the (subjectively)
better developer tools, but this is a feature that would make my life so much
easier!

~~~
scrollaway
Firefox tab management is lackluster compared to Chrome; container tabs won't
change that :/

Every time I try using Firefox I pretty quickly hit the limitation on
selecting tabs. Chrome lets you select tabs like files in a file manager:
Shift click for ranges, ctrl+click for adding/removing single tabs. You can
then drag & drop the group in or out of various windows, close all at once,
etc.

Container tabs imho won't be usable unless something like this is in place.
When dealing with as few as 5+ tabs, I certainly wouldn't want to manually
tweak them one at a time. Can't imagine for 20+, 50+.

But the idea is nice for feature separation, I like that a lot.

~~~
iokanuon
Try the Tree Style Tab addon for Firefox. Managing 100+ tabs in Firefox is a
breeze. I can't bring myself to use Chrome now.

~~~
richardboegli
Great minds think alike ;)

------
liminal
I like where this is heading but their pre-selected categories don't make
sense. Container isolation should be based on security requirements rather
than site content. E.g. shopping and banking have similar security
requirements that are different than following a click-bait link on facebook.

I'd like a container per Google account since trying to switch users in their
apps is a disaster that forces me to run multiple browsers.

I'd also like to tie sites to specific containers. So supposing Banking stays
its own category, that should mean that any sites that open in the Banking
container will never open in another container. Similarly it should be
possible to whitelist a set of sites for a container so e.g. only specific
banking sites will launch in the Banking container.

Each container should have its own set of security permissions.

I'd like to have disposable containers. I want a safe space where I can open a
sketchy link and not have to worry about that page doing anything to the rest
of my environment.

------
nmy
This is why I'm using Firefox nightly. It is a killer feature to keep open my
many AWS and GCP accounts (one container per client). It still needs to be
polished though.

------
thewisenerd
Why aren't "Saved Passwords" and "Saved Search and Form data" separated between
containers?

There have been autofill/form-data attacks in the past[0] and there was a
story recently on HN's front page showing the same[1].

I'd like to point out that mozilla already has a configuration option to
disable form data saving on https sites, 'browser.formfill.saveHttpsForms'.
Why?[2]

> Right; the idea is to eliminate "opportunism". If my laptop is stolen,
> Firefox's current behavior makes it easy for a thief to find a https: site
> in my history, go to it, check out, and then just let autocomplete hand them
> my complete credit card details.

[0]
[https://news.ycombinator.com/item?id=12171547](https://news.ycombinator.com/item?id=12171547)
[1]
[https://news.ycombinator.com/item?id=13329525](https://news.ycombinator.com/item?id=13329525)
[2]
[https://bugzilla.mozilla.org/show_bug.cgi?id=252486](https://bugzilla.mozilla.org/show_bug.cgi?id=252486)

~~~
Timshel
Probably because of usability, they are still exploring how to integrate it in
the browser (it will probably stay hidden behind a pref for a while). Right
now no configuration screen is aware of the container feature.

~~~
masklinn
Yeah usability is a toughie, another feature I'd be interested in would be
some sort of container inheritance (e.g. sub-identities in a work context when
clients provide office 365 identities or to test projects under different
identities all within the broader work context) but that's even harder to make
easy to use.

------
newscracker
This is really awesome!!! I used to manage this kind of separation by using
private windows and using different browsers. I don't really want to manage
these by window or create user profiles, as may be the case in other browsers.

------
aplaice
I don't want to be too greedy (considering that the presence of this feature
on the desktop is already great), but is there any chance that this will be
coming to Firefox for Android? It might be a challenge to implement this UX-
wise; however, it would also be extremely helpful since it would help in
isolating mobile "web-apps" while still using a decent browser (Firefox for
Android instead of Chrome), especially as profiles, which exist on the desktop
version of Firefox, are not available on Android.

(Googling does not seem to have produced any relevant hits.)

------
hosh
Cool. I had been using multifox plugin for testing websites, but it won't work
with the new multiprocess engine and the plugin author had no intention of
porting it. Glad to see an alternative.

I use Firefox for testing my dev work but reading about the privacy use-case,
I might seriously consider switching from Chrome as my main browser.

------
mozillauser2017
I've been using the Private Tab addon to open separate logins in the same
window for years:
[https://addons.mozilla.org/firefox/addon/private-tab/](https://addons.mozilla.org/firefox/addon/private-tab/)

------
jagtesh
This is a great idea! I love the fact that I can have both contexts in the
same window. What would also be pretty cool is being able to move all windows
in one context into a new window, if I want to separate things in a new OS
workspace.

------
TazeTSchnitzel
This would be nice for using more than one Twitter account without needing to
open one in private browsing (TweetDeck exists, and I do use it, but I prefer
Twitter Web). I hope it makes it to the release channel.

------
raphaelh
There's a nice addon for Firefox, called Priv8:
[https://addons.mozilla.org/en-US/firefox/addon/priv8/](https://addons.mozilla.org/en-US/firefox/addon/priv8/)

This is a Firefox addon that uses part of the security model of Firefox OS to
create sandboxed tabs. Each sandbox is a completely separated world: it
doesn't share cookies, storage, and a lot of other stuff with the rest of
Firefox, but just with other tabs from the same sandbox.

------
jedisct1
This is really neat.

I became a huge fan of Opera Neon's interface, though. And it would be a
perfect fit for "containers". Drop icons into folders, and done. Folders
represent containers.

------
_andromeda_
This is really good. I might actually find myself using FF more now. Chrome
supports multiple profiles but it's quite tedious to make the switch (you'd need
to create multiple accounts). The best solution that I'd been using was
opening an incognito session, regular session, guest session (easier than
having multiple profiles but hardly sufficient when you want many more
separate sessions).

Edit: I love the color coding feature that distinguishes the distinct
containers you have open.

------
Tajnymag
Lack of history separation seems quite a pity to me imo :-/

~~~
Sylos
Well, that's not really the idea behind the feature. If you want that, you
should work with different Firefox Profiles:
[https://support.mozilla.org/en-US/kb/profile-manager-create-...](https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles)

------
cpeterso
How would you design a user interface for container tabs that non-technical
users can understand?

Something like container windows, isolating different browser _windows_
instead of tabs, might be a clear way to visibly show the separation to the
user. In one window, they can log into their work Gmail. In another window
they can log into their personal Gmail without any Google cookie confusion.

------
jbverschoor
I'm long searching for a solution to do this in a much broader way.. On the OS
level.

Private Work A Work B Work C

Ideally it would seem like a different user. (Filesystem, cmd-tab). But easily
accessible like the three finger swipe. Fast user switching doesn't cut it.

I even tried logging in on my local machine using VNC or remote desktop.. Is
having 4 VMs the only way?

~~~
Sylos
Yet another potential solution, if you're on Linux. This is more on the
accessible side of things, it doesn't do separation as much as you would like
it:

KDE Plasma has what they call "Activities". In its basic idea, it's kind of
like fancy desktop workspaces. So, it does separate your windows into
workspace-like groups, but you can also set what files and widgets are
displayed on the desktop on a per-Activity basis.

So, you don't have a different filesystem, but you can have a folder or
multiple folders displayed on each Activity's desktop. Also, shortcuts to
different applications, including for example Firefox profiles, as well as
different sets of widgets, for example I like to use the little post-it note
widgets to write things down on.

And yeah, with that you can then just switch between Activities via a simple
keyboard shortcut or by clicking an Activity-selector on your panel (if you've
put one there).

~~~
jbverschoor
This sounds most like what I'd like. Spaces on mac doesn't cut it because the
application instances are shared, which causes it to switch spaces when
tabbing into something.

------
chrisper
This is pretty awesome. Very useful.

My school's security is a joke. You cannot log out except by closing your
browser. The session also never expires.

Not only that, but now they moved to a "single-sign on." If I sign in on one
app, it signs me in for all apps.

------
raimue
Nice to see this integrated natively. I was using MultiFox before to get this
functionality. For example, this allows me to manage multiple twitter
accounts, without logging out and back in all the time.

------
therealmarv
Tech question: Does Firefox have technical process separation of tabs nowadays?
This is one of the main features of Chrome since 1.0 and just want to know if
Firefox has something similar finally.

~~~
Sylos
The foundational work is there, it's currently still going through testing,
although you can already manually enable it and it works rather well, but as
of right now it's not planned to have complete separation for each individual
tab, as that just chews up a lot of resources with relatively little gain in
performance.

What's planned instead, is to use a set number of processes across all tabs.
So, if this would be two processes, then every other tab will share a process
with one another. And they'll probably have around 5 processes for tabs at a
maximum once this is fully rolled out, at least for the foreseeable future.

You can manually change this maximum number of processes in about:config,
though. And if you do set it to something like 500, i.e. just a very big
number that you're not likely to hit in number of tabs, then it will separate
each tab into its own process, with whatever performance problems come with
that.

~~~
cpeterso
The about:config pref to control the number of content processes shared by
tabs is "dom.ipc.processCount".

------
muddysky
Slightly OT: This page reads like Mozilla's Developer Network (MDN) online
documentation, I had to read the first sentences a few times until I got what
container tabs are about.

However, very nice feature.

~~~
Manishearth
That's because it's on the Mozilla wiki. I'd expect better docs on the support
site (and maybe MDN) once the feature nears completion/release. The mozilla
wiki contains all kinds of odds and ends about random ongoing projects
(status, documentation) and is mostly developer-facing.

------
nkkollaw
It would be cool if there was a shortcut to hide all other tabs but a certain
group.

I would love if I could use this to organize my 100 tabs I always have open.

------
j_s
I use the Qupzilla browser incognito mode which is a separate session per-
window by default. It uses the Chrome guts and has a few rough edges.

------
drc0
the thing I blame is that ctrl+t on a container opens a new tab of the default
container and not the one that is currently on focus.

------
StevePerkins
Awesome. Coming up with legitimately innovative features and publicizing them
will do more good than a dozen new logo campaigns.

------
teekert
Nice, up until now I used Chrome as the browser logged into everything (fb,
Twitter, Google) and FF as the main browser.

------
alkonaut
Why do I even need this? Isn't it by default so that site1.com can't see
cookies from site2.com for example?

~~~
Too
site1.com might include embedded images that are hosted by site2.com, so may
site3.com, site4.com, site5.com and site6.com

Now site2.com (aka facebook like button) knows that you have visited both
site1, 2, 3, 4 and 5.

You can work around this in some ways by disabling "third party cookies" but
this breaks certain features, such as using your facebook identity to post
comments on other sites, so sadly all browsers enable this by default.

~~~
znpy
see my reply about multiple profiles

------
zyxzkz
Been wanting something like this for years.

------
anigbrowl
A welcome development, though long overdue. I don't understand why browser UI
is so boring and unimaginative.

------
espeed
An official linux container tab with shell access (for dev, emacs, etc) would
be a killer feature for Chromebooks.

------
lmedinas
Anyone know when this feature is planned to hit Beta or Stable?

~~~
Sylos
Do you mean officially considered beta/stable quality or just that it's
_there_ in the Beta or Stable version, so that you don't have to migrate to a
less stable version of Firefox in order to use it?

If it's the latter, there's two preferences that you can flip in about:config
to enable it (even in Firefox Stable): privacy.userContext.enabled and
privacy.userContext.ui.enabled

Mind though that since this feature is currently still under active
development, that it might actually be less error-prone in the normally less
stable versions of Firefox.

~~~
lmedinas
This is why I ask when it will be enabled by default on Beta or Release. Any
idea when is planned?

~~~
malikNF
This is available on Firefox Nightly.

------
WillyOnWheels
another way to use chrome in a sandbox

[https://blog.jessfraz.com/post/docker-containers-on-the-desk...](https://blog.jessfraz.com/post/docker-containers-on-the-desktop/)

------
DyslexicAtheist
not needed if you're running Qubes-OS :)

------
hkjgkjy
As a user, I actually just want my browser to contain less features. Vendors
add and add and add features. If I want different user profiles, I already
have many users on my OS - I just switch between them.

When Chrome came out, I and many others switched to it just because it was
lacking so many features. It was great!

~~~
altano
Chrome actually already has this feature in the form of profiles. See the top-
right icon.

~~~
richardboegli
Yes it does and I have been using this. But it seems to be per window not tab.
Unless I've missed something?

~~~
arthurfm
> it seems to be per window not tab

Chromium-based Ghost Browser [1] can do it per tab or tab group.

It would be nice if Google implemented the same feature into Chrome since
multiple profiles can be a hassle.

[1] [https://ghostbrowser.com](https://ghostbrowser.com)

~~~
richardboegli
This looks EXTREMELY interesting. Thanks for sharing.

