
Is there a test I can use to confirm that it's working? I've set privacy.firstparty.isolate true and privacy.firstparty.isolate.restrict_opener_access true and when I log in to Github followed by Travis, Travis was able to log in without prompting for a password....

Firefox 62 macOS.

Edit: I did lose all my cookies on restart, so I do believe the option is at least enabled. Still would like to test that it's actually doing something.

Go to https://ritter.vg/misc/ff/fpi.html. On first load it should say "There was nothing in local storage."

Now go to https://rittervg.com/misc/ff/fpi.html. On first load it should say the same. If it says the same timestamp that was stored on the first page - it's not working.

Source: I'm a Mozilla Developer who is one of the primary devs/supporters of First Party Isolation.

What if the box is empty? JS is allowed. (Edit: I guess the culprit is "third party cookies blocked by default")

So wouldn't a better test be about a third party that was used in a first party context before? Since FPI goes beyond third party cookies.

Thanks for diagnosing that for me, you're right, blocking third party cookies does cause it to fail.

Both tests are equally valid. I just gave one because trying to be exhaustive about testing it would be mind-numbing. The test I provided only does localStorage, but FPI also isolates DNS cache, H2, image cache, favicons, cookies, localStorage, IndexedDB, etc.

You can do yours by visiting https://anonymity.is/misc/ff/fpi-iframe.html first; then visit the ritter.vg and rittervg.com links.

Thanks for the clarification.

What surprises me the most is that not only Firefox but also my Safari Browser passes all those tests when ITP is enabled.

Safari has a stricter storage access policy by default for all third-party domains, which requires you to visit the domain as a first party first. So it's probably that rather than ITP.

I have a general question if you don't mind. I use Firefox Beta. Why is Firefox going the route of a manual blacklist (disconnect) instead of working on some kind of programmatic machine-learning/somewhat intelligent third-party storage blocking by default that doesn't discriminate known against unknown trackers?

Seems to be working, thanks! (had to disable blocking of third-party trackers for it to function, but after that, it works as promised, and I have re-enabled blocking of third-party trackers)

If Travis redirects to github, I assume github would get access to its own cookies again, and then be able to perform oauth, after which it redirects to Travis again with a token in the URL, no cookies or local storage needed as far as I’m aware.

Did you restart between changing the settings and doing your tests? If not, they’re invalid, and you should repeat them.
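
Added example, not part of the thread and not Firefox code: a toy model of storage keying that reproduces the outcomes discussed above, both the localStorage test across two sites and the redirect login that still works with isolation on. It assumes both test pages embed the same third-party frame from anonymity.is; `idp.example` and `app.example` are placeholder hosts standing in for the login provider and the site that relies on it.

```javascript
// Toy model of storage keying; constructed for illustration, not Firefox code.
class Browser {
  constructor(firstPartyIsolate) {
    this.fpi = firstPartyIsolate;
    this.jars = new Map(); // storage key -> Map of stored items
  }
  // Jar visible to `origin` while `topLevel` is the site in the URL bar.
  // With FPI the key includes the top-level site; without it, origin alone.
  jar(topLevel, origin) {
    const key = this.fpi ? `${origin}^firstParty=${topLevel}` : origin;
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }
  // Test-page behaviour: report any stored stamp, store one if none exists.
  load(topLevel, origin, stamp) {
    const jar = this.jar(topLevel, origin);
    const seen = jar.has("stamp") ? jar.get("stamp") : null;
    if (seen === null) jar.set("stamp", stamp);
    return seen;
  }
}

// The localStorage test, including the "visit the third party directly first" variant.
function runStorageTest(firstPartyIsolate) {
  const b = new Browser(firstPartyIsolate);
  const frame = "anonymity.is"; // assumed origin of the embedded frame
  return {
    direct: b.load(frame, frame, "t0"),              // frame origin as first party
    firstSite: b.load("ritter.vg", frame, "t1"),     // embedded in site one
    secondSite: b.load("rittervg.com", frame, "t2"), // embedded in site two
    revisit: b.load("ritter.vg", frame, "t3"),       // site one again
  };
}

// Redirect-based login versus an embedded frame (host names are placeholders).
function runLoginTest(firstPartyIsolate) {
  const b = new Browser(firstPartyIsolate);
  const idp = "idp.example", app = "app.example";
  b.jar(idp, idp).set("session", "s1"); // user logged in at the IdP earlier
  const read = (topLevel) => b.jar(topLevel, idp).get("session") ?? null;
  return { viaRedirect: read(idp), viaEmbeddedFrame: read(app) };
}

console.log(runStorageTest(true), runStorageTest(false));
console.log(runLoginTest(true), runLoginTest(false));
```

With isolation on, each top-level site gets its own jar for the frame, so the second site sees nothing; a top-level redirect to the login provider still reads that provider's own first-party jar.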
