
Firefox Follows Apple in Blocking Third-Party Cookies Online - pseudolus
https://www.bloomberg.com/news/articles/2019-06-04/firefox-follows-apple-in-blocking-third-party-cookies-online
======
floatingatoll
The official Firefox blog post also includes instructions on how _existing_
Firefox users can enable this protection, as Bloomberg's choice of phrasing
"new downloads" is inaccurate.

https://news.ycombinator.com/item?id=20095039

EDIT: The option enabled for new users today is "Block third-party trackers".
There is an older option that many previously enabled, "Block all third-party
cookies", that, as noted below, will break many Internet sites (such as single
sign-on). Keep an eye out for this when checking your existing profiles.

~~~
jasonlotito
The reporting is accurate. New downloads will automatically have this
protection enabled. Existing installations do not have this automatically
enabled, and instead need to be manually enabled. You could have just shared
the additional information without the useless addendum.

~~~
floatingatoll
New users who download Firefox for the first time will have this automatically
enabled, says the exact language in the Firefox post about it.

Existing users who read Bloomberg’s phrase “new downloads” as “it’s a new
download since I just downloaded it today” will be sorely disappointed.

(Yes, I am totally expecting some HN readers to read “new downloads” and then
consider a download’s ctime while asking “is it a new download?” rather than
realize the above.)

------
Irishsteve
Disclaimer: I am not a cookie

How much market share would either Apple or Firefox need to get before Google
considers following the same plan?

~~~
asark
Google's probably already coming up with a way to do this, while privileging
their own because it's "part of your Chrome login, not the ordinary web
experience". Fits with their usual "hey, look, we're helping! (but also
crippling the competition)" business model.

~~~
rhizome
Some doof from Bloomberg was just on the radio justifying Chrome's stance by
saying third-party cookies are necessary for showing your email address during
logins.

------
derekp7
I would be happy if the browser vendors could come up with a standard of
running only first-party JavaScript, or third-party JavaScript that has been
signed with a code-signing certificate or otherwise whitelisted. This could
help curb drive-by infections delivered by malicious ads.

------
autoexec
This is great for grandparents, but I'm not trusting Firefox or any browser to
block ads/cookies/JS. I don't expect many people who are already using 3rd
party addons and extensions to disable that stuff to stop because of this.

------
panpanna
Firefox (and Chrome) has had this for ages (opt-in till now), and it breaks a
lot of services.

I don't think they previously would dare to enable it out of the box. But now
they can just say Apple does this too...

~~~
shrimp_emoji
Like what?

I've had third-party cookies blocked for, as you say, ages (and I even block
JavaScript, with selective exceptions), and I use everything from Discord to
Amazon just fine.

~~~
will4274
Basically all cloud authentication services. Try signing into a bunch of apps
and then signing out - with third party cookies disabled, you'll find you're
still signed in to most of the apps, because the browser refused the (third
party) session cookie clear.

~~~
jeroenhd
This depends on the service. I believe many authentication services actually
use cross-tab communication (so they open a tab/window and can exchange
messages as long as both are open). AFAIK Google makes use of that method and
other one-click providers do too.

That is, however, more difficult than just setting third-party cookies so
smaller authentication services might choose not to use such functionality.

If Chrome or Edge follows in this path though, websites won't have a choice
but to make things work with this feature enabled.

~~~
will4274
OpenID Connect implementations use iframes for logout, because that's what the
spec says. Iframes are a third party context. The big Identity companies
(Ping, Oracle, Microsoft) wrote the OpenID Connect spec. Google may be the odd
man out (they are notorious for implementing logout poorly in general) but the
biggest enterprise authentication services use iframes for logout.

There is a compromise here which works for logout which was commonly
implemented for a few years - supporting third party cookie clear but not set.
But Apple ended this norm.
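
The logout behaviour described in the comment above, as an added example that is not part of the thread: a simplified JavaScript model of a cookie jar under three third-party cookie policies, including the "clear but not set" compromise. The policy names, hostnames and the `CookieJar` class are hypothetical, and real browsers match and partition cookies in far more detail.

```javascript
// Simplified model (an assumption, not real browser internals): a cookie jar
// keyed by the cookie's own site, with a policy for writes made from a
// third-party context such as an iframe.
const POLICIES = {
  ALLOW_ALL: "allow-all",
  CLEAR_NOT_SET: "clear-not-set", // the compromise described in the comment
  BLOCK_ALL: "block-all",
};

class CookieJar {
  constructor(policy) {
    this.policy = policy;
    this.store = new Map(); // "site|name" -> value
  }
  // topLevelSite: site in the address bar; cookieSite: site issuing the cookie.
  // maxAge <= 0 means "delete this cookie".
  setCookie(topLevelSite, cookieSite, name, value, maxAge) {
    const thirdParty = topLevelSite !== cookieSite;
    const isClear = maxAge <= 0;
    if (thirdParty) {
      if (this.policy === POLICIES.BLOCK_ALL) return false;
      if (this.policy === POLICIES.CLEAR_NOT_SET && !isClear) return false;
    }
    const key = `${cookieSite}|${name}`;
    if (isClear) this.store.delete(key);
    else this.store.set(key, value);
    return true;
  }
  has(site, name) { return this.store.has(`${site}|${name}`); }
}

// Constructed scenario: the user signs in at each app (first-party context),
// then signs out at the identity provider, whose logout page loads one iframe
// per app; each iframe response tries to expire that app's session cookie.
function appsStillSignedIn(policy, apps, idpSite) {
  const jar = new CookieJar(policy);
  for (const app of apps) jar.setCookie(app, app, "session", "abc", 3600);
  for (const app of apps) jar.setCookie(idpSite, app, "session", "", 0);
  return apps.filter((app) => jar.has(app, "session"));
}

const apps = ["mail.example", "wiki.example"]; // hypothetical hostnames
for (const policy of Object.values(POLICIES)) {
  console.log(policy, "->", appsStillSignedIn(policy, apps, "idp.example"));
}
```

In this model only the block-all policy leaves both app sessions in place after logout, while the clear-not-set policy completes the logout and still refuses a new third-party cookie.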

------
blazespin
Nothing burger. Ad tech companies will just start asking for first party
cookies to help track.

~~~
rhizome
Will they get them?

~~~
Uw7yTcf36gTc
Yep, Facebook and Google already switched to 1st party to get around the Safari
issue.

