
First-party isolation in Firefox: what breaks if you enable it? - fanf2
https://www.ctrl.blog/entry/firefox-fpi
======
andrewaylett
I've been running at home and at work with first-party isolation enabled for a
few months now. Google login works fine for me, as does login with Google.
It's broken a few internal tools, especially when people do things like
hotlink across internal systems (which would have been broken at least some of
the time for most people anyway, until they realise that to view _this_ page
properly they need to log in over _there_). Also breaks PlayStation Network.

All in all, insufficiently broken for me to be bothered enough to turn it back
off :). I do wish there was a "view from alternate origin" feature though, to
let me load a site as if it were loaded in an iFrame -- that would let me work
around the issues with my internal sites.

~~~
some_account
The best strategy is to not use Google however. It's not like you need to in
2018 anymore. There are better services for almost anything out there,
although you may have to pay a few dollars for some of them.

Well worth it since they are superior to Google. For email, Fastmail is king.

~~~
d2wa
I use “alternative search engines” daily. However, I have to crawl back to
Google if I want to find things that were published in the last two weeks.
Even Microsoft Bing can’t keep up with all the content that appears on the web
every day.

~~~
erinnh
If it's just search engines, you don't exactly have to be logged in to use
Google.

Also, there are Google search-proxies like startpage.com

~~~
stephengillie
[http://duckduckgoose.com/](http://duckduckgoose.com/)

~~~
known
site:news.ycombinator.com About 91,000 results (0.38 seconds)

site:news.ycombinator.com in google.com About 11,90,000 results (0.25 seconds)

~~~
clear_dg
And how many of the initial results in google will be filtered out (e.g.
takedown notices) when you hit the very last page? I'm doubtful about the
usefulness of the results count in comparisons like this.

------
jedberg
I've been doing this the hard way for years -- running four browsers at all
times, each for different things. Chrome is logged into Google, Firefox is
logged into Facebook, Safari is for HN/Reddit, and Chrome canary is for other
random sites that I don't want to have already logged in, like when I use the
AWS console. And then I also use incognito windows for going to forums and
deal sites and all those sites known for having 25 tracking bugs.

Overall it's not too bad, but there are definitely annoyances around not being
logged into Google everywhere for example.

~~~
wfh
Have you considered using multiple profiles/containers in one browser, e.g.
Firefox supports containers, and Chrome supports profiles?

~~~
seba_dos1
Firefox actually supports both. It already supported profiles way before
Chrome existed, and recently got support of containers.

------
erinnh
I've been using it since Firefox 58, where they fixed a bug that broke
cookie-whitelisting.

I've been pretty happy. The only website where it really is a problem is
Playstation Network, but I have an addon that disables FPI when I really need
to temporarily.

~~~
fredsir
How can you tell it works? I've been trying now 5 times to enable it, and
testing if it works. If I understand correctly, if I log in to gmail.com
(mail.google.com), google.com should be logged in, but google.dk and
youtube.com shouldn't since First-Party Isolation should be isolating them,
but no matter how hard I try, it doesn't work. If I log in to mail.google.com,
I get logged into youtube.com, google.com and google.dk.

Am I misunderstanding how it is supposed to work?

I've tried completely uninstalling firefox 5 times now - including wiping the
profile from my machine - but the same thing keeps happening.

~~~
flotzam
Cooperating websites can subvert first-party isolation by redirecting the top
level page through multiple first-party domains (with an ID in the URL). And
Google does exactly that when you login. How to properly prevent it is still
an open question:

[https://bugzilla.mozilla.org/show_bug.cgi?id=1319839](https://bugzilla.mozilla.org/show_bug.cgi?id=1319839)

------
jstanley
I like most of what you said and agree with the cause.

But why does your own blog load up with an apparently-unironic call to be
whitelisted in Adblock?

If you don't want to be tracked by other people's ads, why are you helping
track people with ads on your own site?

The page also loads Google Analytics.

~~~
d2wa
Efforts have been made at keeping the impact of ads and tracking low:
[https://www.ctrl.blog/about/privacy-policy#privacy-policy-ad...](https://www.ctrl.blog/about/privacy-policy#privacy-policy-ads)

The ads help fund writing and research into technologies that restrict ads
without blocking them outright. You choosing to block ads is your choice, but
it takes away incentives for researching and writing about the topics you care
to read about. You can sign-up for Flattr if you prefer not to see ads and
still support writers.
[https://flattr.com/contributors](https://flattr.com/contributors)

~~~
jasonkostempski
Advertise natively, don't track. It's that simple, no need for research. Our
ancestors did it for hundreds of years. There is no acceptable level of
tracking.

~~~
jimmaswell
> There is no acceptable level of tracking.

On what grounds do you make this sweeping absolute statement? I'm personally
willing to accept lots of tracking by Google, Facebook, etc. in exchange for
free or cheaper services.

~~~
frenchy
It's fine that you are, but some of us are not. I'm fine seeing plain ads,
just not tracking ads. If the website owner doesn't want to show plain ads then
that's their choice.

(note, I don't use an ad blocker, just a tracking blocker)

------
eslaught
Is there a test I can use to confirm that it's working? I've set
privacy.firstparty.isolate true and
privacy.firstparty.isolate.restrict_opener_access true and when I log in to
Github followed by Travis, Travis was able to log in without prompting for a
password....

Firefox 62 macOS.

Edit: I did lose all my cookies on restart, so I do believe the option is at
least enabled. Still would like to test that it's actually doing something.

~~~
tomrittervg
Go to [https://ritter.vg/misc/ff/fpi.html](https://ritter.vg/misc/ff/fpi.html)
On first load it should say "There was nothing in local storage."

Now go to
[https://rittervg.com/misc/ff/fpi.html](https://rittervg.com/misc/ff/fpi.html)
On first load it should say the same. If it says the same timestamp that was
stored on the first page - it's not working.

Source: I'm a Mozilla Developer who is one of the primary devs/supporters of
First Party Isolation.

~~~
user812
What if the box is empty? JS is allowed. (Edit: I guess the culprit is "third
party cookies blocked by default")

So wouldn't a better test be about a third party that was used in a first
party context before? Since FPI goes beyond third party cookies.

~~~
tomrittervg
Thanks for diagnosing that for me, you're right, blocking third party cookies
does cause it to fail.

Both tests are equally valid. I just gave one because trying to be exhaustive
about testing it would be mind-numbing. The test I provided only does
localstorage, but FPI also isolates DNS cache, H2, image cache, favicons,
cookies, localstorage, indexdb, etc etc

You can do yours by visiting
[https://anonymity.is/misc/ff/fpi-iframe.html](https://anonymity.is/misc/ff/fpi-iframe.html)
first; then visit the ritter.vg and rittervg.com links.

~~~
user812
Thanks for the clarification.

What surprises me the most is that not only Firefox but also my Safari Browser
passes all those tests when ITP is enabled.

~~~
tomrittervg
Safari by default has a stricter storage access policy by default for all
third-party domains, which requires you to visit the domain as a first party
first. So it's probably that rather than ITP.

~~~
user812
I have a general question if you don't mind. I use Firefox Beta. Why is
Firefox going the route of a manual blacklist (disconnect) instead of working
on some kind of programmatic machine-learning/somewhat intelligent third-party
storage blocking by default that doesn't discriminate known against unknown
trackers?

------
pard68
I use it. Over the last year or two this feature, in addition to a renewed
effort towards privacy on my part has led me to simply not use websites which
will not work with my privacy settings.

My only real hold outs in the "decidedly not private wise" camp are my gmail
account used for various emails I still wish to receive but don't wish to give
my email to and my old nick (this one here).

------
strictfp
I guess trackers will just ask websites to route analytics traffic through
their own infrastructure. Would it be enough for example.com to set up a DNS
alias pointing tracking.example.com to tracking.com?

~~~
icebraining
That breaks cross-domain tracking, though; before, cookies set on
analytics.com (pulled on SiteA) would be sent back to them when pulled from
SiteB. If you now use different domains on each site, that doesn't work.

(To be clear, I think this is a good thing)

~~~
pests
Except all the analytics company has to do is have another shred of evidence
that your identity is linked and it can just give out tokens that represent
opaque blobs you take care of and index by its token like PHP does session
storage.

------
Animats
That's a great feature. I just turned it on and logged into everything I care
about, and it all worked. I already had so much ad and tracker blocking that
it didn't create any new problems.

------
amarand
Security is always a blessing (it keeps your stuff secure) and a curse -
people are lazy and don't want to use it because it generally causes pain
points. Remembering to bring your keys, remembering increasingly-complex
passwords and PINs, remembering to lock your doors, click this security
warning, check that checkmark box. Security is a pain. But it's also a
necessity. I like the idea of more isolated sandboxes, reducing third-party
tracking cookies, third-party content. I go to my bank's web-site, why do I
want to grab information from outside of my bank? Anyway...it's good to see
Firefox is trying something new. It'll be interesting to see how well it works
in the wild.

------
franciscop
This is great news, especially in stark contrast to other articles in the
front page of HN right now.

------
Havoc
Interesting. Was planning to migrate over to FF anyway

------
t0astbread
What about just using uMatrix (or similar extensions)? You have more precise
control over what gets allowed and what not and you can just temporarily or
partially disable protection for logins/payments etc.

~~~
d2wa
It's not the same thing at all. See this discussion to learn the differences
of uMatrix and FPI.
[https://www.reddit.com/r/javascript/comments/9edeqe/firstpar...](https://www.reddit.com/r/javascript/comments/9edeqe/firstparty_isolation_in_firefox_and_what_breaks/e5q0475/)

------
wodenokoto
> I’m not sure whether that is because Mozilla consider it unsafe,
> unpractical, or don’t want to commit to maintain the feature in future
> releases.

I imagine it was implemented for the container tabs.

~~~
clumsysmurf
The main problem I see with account containers — still — is that you can't say
"this container can only have certain websites in it". For example, if you put
reddit in a "social" container, but click on links to the stories, then you
have all of your cookies and stuff polluting the social container.

~~~
mehrdadn
I feel like the cause is most likely that there are just too many darn
websites for a user to be willing to specify them all. Solving this would seem
to require some global database of "all sites run by company X" that undergoes
constant maintenance.

~~~
kibwen
How far would the WHOIS records go toward providing that info?

~~~
mehrdadn
Not sure... sounds to me like you'd at least need a cache of all WHOIS records
in the world to be able to invert the mappings from an org to its domains.

------
olliej
The biggest problem is SSO and similar - especially across organizations that
have multiple domains (think the various google properties for instance). Part
of how they work is the login process cycling through multiple domains when
you click the login button. Dealing with that, and making everything work
without also making the same technique work for tracking is ... challenging.

~~~
bugmen0t
Every SSO is different. But mine all worked.

------
psergeant
Another plan is to use self-destructing cookies. You can whitelist some
domains then, and break much less.

~~~
d2wa
You can still be tracked through cache tokens, DNS cache-probing, and methods
other than cookies. FPI is so much more than just keeping cookies under
control.

------
sqldba
please s/quite/quiet

------
fredsir
So after enabling it, is there some easy way to see if it actually works?

~~~
user812
Go into your FF profile, open SiteSecurityServiceState.txt - it will show
every HSTS entry separated into firstparty domains.

Similarly, in the storage folder in your FF profile you can see that every
firstparty website has its own folder and third party cookies are placed
inside that folder and can not share data with other folders.
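
The storage-folder check described in the comment above can be scripted. This is an added example, not part of the thread or of Firefox itself; it assumes directories under the profile's `storage/default` are named like `https+++host^firstPartyDomain=site`, and the function names and sample directory names are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict


def parse_storage_dir(name):
    """Parse a name; assumes '+++' encodes '://' and '+' a port ':'."""
    origin, _, suffix = name.partition("^")
    origin = origin.replace("+++", "://", 1).replace("+", ":")
    attrs = dict(p.split("=", 1) for p in suffix.split("&") if "=" in p)
    return origin, attrs


def audit_storage(storage_default):
    """Return (first-party key -> origins, origins stored without a key)."""
    by_first_party, unkeyed = defaultdict(set), []
    names = sorted(e.name for e in os.scandir(storage_default) if e.is_dir())
    for origin, attrs in map(parse_storage_dir, names):
        if "firstPartyDomain" in attrs:
            by_first_party[attrs["firstPartyDomain"]].add(origin)
        else:
            unkeyed.append(origin)
    return dict(by_first_party), unkeyed


def split_origins(by_first_party):
    """Origins holding a separate bucket under more than one first party."""
    seen = defaultdict(set)
    for first_party, origins in by_first_party.items():
        for origin in origins:
            seen[origin].add(first_party)
    return {o: sorted(fps) for o, fps in seen.items() if len(fps) > 1}


# Constructed sample directory names (not taken from a real profile).
SAMPLE_DIRS = [
    "https+++www.example.com^firstPartyDomain=example.com",
    "https+++tracker.test^firstPartyDomain=example.com",
    "https+++tracker.test^firstPartyDomain=news.test",
    "http+++localhost+8080",  # no firstPartyDomain attribute
]


def run_sample():
    with tempfile.TemporaryDirectory() as root:
        for name in SAMPLE_DIRS:
            os.mkdir(os.path.join(root, name))
        keyed, unkeyed = audit_storage(root)
    return keyed, unkeyed, split_origins(keyed)
```

A third-party origin listed by `split_origins` has one bucket per first party, which is the isolation being tested; origins in the unkeyed list carry no first-party key on disk.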

------
JBiserkov
How is this different than using uMatrix / uBlock origin?

~~~
d2wa
[https://www.reddit.com/r/javascript/comments/9edeqe/firstpar...](https://www.reddit.com/r/javascript/comments/9edeqe/firstparty_isolation_in_firefox_and_what_breaks/e5q0475/)

------
bugmen0t
TLDR: in my experience: very little.

