Firefox to Block All 3rd Party Trackers by Default (twitter.com)
401 points by geekybiz 4 months ago | 186 comments

Companies have begun switching tracking tech to first-party cookies (where possible) since Apple's introduction of "Intelligent Tracking Protection," so Mozilla's similar move probably won't have that much of an impact either.

Apple has responded with ITP 2.1, though, limiting _all_ (persistent) cookie lifetime to 7 days, although these could probably be accurately re-issued/kept alive in my opinion: https://webkit.org/blog/8613/intelligent-tracking-prevention...

ITP 2.1 also removes support for Do Not Track (as it's not honored anyway).

Note that Mozilla has been working on that feature for at least five years. For a very long time, it was not possible to land this without breaking gazillions of sites.

Apple can afford to be more aggressive, and force features such as ITP 2+, because of their iOS monopoly, and expect webdevs to scramble for fixes, but Mozilla doesn't have such leverage, so they need to avoid breaking the web.

Also, they got their ass handed to them in a smear campaign when they tried blocking 3rd party cookies the first time around in 2013 [1] and ended up accepting these by default again.


I, and probably many other users, have begun blocking all first-party cookies by default. I only permit it on sites I sign into and want to remember me, which are very few.

If Mozilla wants to make a real difference, they'd study uMatrix and figure out how to create UX that would give that degree of flexibility and power to non-technical users.

>I only permit it on sites I sign into and want to remember me, which are very few.

I don't know if I'm an outlier, but I hate having to re-sign in to sites I use even semi-regularly unless it's for administrative access or purchase confirmation. Regular "auto sign outs" already happen with a few due to a snafu somewhere along the stack; for me The Economist and Foreign Affairs are the major ones where it seems like every time I go back to visit I'm signed out. In contrast sites like HN or Ars seem to never sign me out (or maybe once every few years) and some of the newspapers are once or twice a year. Being signed out creates more friction than I'd have thought before experiencing it often, perhaps amplified since I tend to read on the model of "see a few interesting stories, open them all in tabs, then go through them", and if signed out I not only need to sign in but every single tab will be "you've reached your article limit please sign in".

I have suspicions about how much it even matters when it comes to tracking for any site I'm actually paying for. I mean, by definition they know who I am, real money is changing hands after all. Within their own site there is no technical measure that can prevent them from seeing what remote resources of theirs I specifically am calling for, it's their resources after all with authentication required. And once they have the info what would prevent them sharing/selling it would be their own interests and the law, not anything from my end. Clearing 1st party cookies smells suspiciously like privacy theater for any site at all that depends on authentication in any significant way.

You block cookies, scripts, frames, on sites you DON'T sign into, and you allow them on sites you do sign into. uMatrix makes it really easy.

> I don't know if I'm an outlier, but I hate having to re-sign in to sites I use even semi-regularly unless it's for administrative access or purchase confirmation.

Having set up a master password in Firefox, re-signing in usually takes me a single click (as the login info is filled in by the browser). Would this be useful in your case?

I use a password manager, so it's really only slightly annoying unless I've set up 2FA, at which point I probably care enough to either put it with it or allow it to use cookies.

The list of sites I sign into in the first place is very short. Most of the time websites remembering me is used to implement anti-features.

I don't believe that many users are blocking first-party cookies. Source: I'm a web analyst managing large sites and can see how many visitors block all cookies. It's minimal. Also blocking first-party cookies requires a degree of tech-savviness and it prevents many websites from working properly.

To add to what the parent comment said, I do as well, in two ways:

- IE prompts me if I want to block cookies on a website, so unless I trust it, I block by default.

- I have an extension on Firefox that is "Cookie Autodelete", so I visit a site and unless I whitelist it, all cookies will be deleted when I leave.

I'm wondering if you are not seeing blocked cookies because of the second one. I'm not blocking them, but as soon as I leave they get deleted, effectively doing the same thing.

One thing I want to add regarding "Cookie Autodelete" that tripped me up: unlike its predecessor it does not default at the start to deleting everything, so you may end up running it for a year thinking it's clearing everything and then realize you have a multi-megabyte list full of tracking cookies.

Right. I have Firefox configured to delete all cookies when I close it. And it only accepts 3rd-party cookies from sites that I've already visited during a session.

Cookie Autodelete is a step over that, it will automatically delete cookies from a site after you close the tab.

I just use incognito/private mode all the time for my browsing. Signing in each time is not really a big pain with password managers.

I've never used umatrix and just stuck with noscript over the years due to the lengthy process of allowing scripts / domains, going through random external scripts required to make pages work that are not self-explanatory.

Is there anything in umatrix to make the switch worthwhile?

I migrated to uMatrix because it allows me to block cookies, media, javascript, and xhr by default. It replaced several different privacy extensions with a single control panel. You can set the defaults to be as strict or lenient as you wish.

>I migrated to uMatrix because it allows me to block cookies, media, javascript, and xhr by default. It replaced several different privacy extensions with a single control panel. You can set the defaults to be as strict or lenient as you wish.

That's a lot of configuration to do. I'd rather just use Firefox containers, noscript, and use Tor for things I don't want tied to my ad profile.

"by default"

It's not a lot of config at all. If the site breaks, you click a button and unblock some stuff. Otherwise the defaults work great.

I have used uMatrix for 2 years or so and it works out of the box for 70/80% of websites. By working I mean they are not completely broken.

For the ones that don't work it's normally 1 or 2 clicks in the UI to allow some 3rd parties and save it.

Sometimes a site works by default in the "broken" state but as soon as I give it more permissions it breaks by adding a paywall or some modal window.

uMatrix is like Linux: it requires more work upfront but gives you more control and customization options.

>> I, and probably many other users, have begun blocking all first-party cookies by default.

So this change should have no effect on you right? You're blocking all cookies? I like that idea, but how many things does it break?

I use uMatrix in Firefox to block javascript, cookies, media, etc by default. For any site I need to login, I can easily enable them.

I don't see it too often, but occasionally I do run across a site that won't load at all without cookies enabled. For these circumstances, I use Containers and Cookie AutoDelete.

The only situations where I tend to have problems are those where I have a third-party payment window that opens in a new tab. It sometimes takes some fiddling with the settings to make it work properly.

> many things does it break?

Almost nothing, surprisingly enough. Of course it breaks websites I sign into, so I simply whitelist those.

I wish DNT was honoured, but it's as good as a "do not commit crime" sign.

> I wish DNT was honoured, but it's as good as a "do not commit crime" sign.

I bet the ad industry wishes they'd played ball, now that browsers are baking tracking protection in.

DNT is practically defunct. https://en.wikipedia.org/wiki/Do_Not_Track#History

In January 2019 W3C Tracking Protection Working Group concluded work on Do Not Track standard citing "insufficient deployment of these extensions" and lack of "indications of planned support among user agents, third parties, and the ecosystem at large." In February 2019 Apple Safari 12.1 was released without support for DNT to avoid it being used as a "tracking variable."

You can tell how bad the lack of support / teeth is when people start using the flag to not track them as an extra way of tracking people. That's extremely telling... but sadly not unexpected by many of us.

Should Mozilla remove the DNT header from Firefox like Apple did in Safari? When DNT does nothing except give trackers one more bit of fingerprint entropy, is there any value in still allowing users to send DNT? "DNT: I am one of those people who does not want you to track even though I know you will."

I think it's fine since it's opt-in. Maybe there could be a warning in the UI though.

If honoring DNT was mandatory, the crime would be much easier to spot, compared to the current (EU) cookie law fiasco.

There are millions of Do not Trespass signs out there, the difference is that they have some legal weight.

Ten years ago it would have been a different matter, but it doesn't seem that far fetched to get do not track to be the legal equivalent of a "no" on those GDPR consent forms, but with no options for dark patterns and no way to re-query on every page load for those who opt-out.

DNT should have been part of GDPR as explicit opt-out

Or GDPR could allow users to send "DNT: 0" (aka "Do Track") to auto-accept all those GDPR cookie prompts. :)

How can first-party cookies be used to track users across multiple properties?

You send tracking events to your analytics/tracking partner from your backend instead of from the browser and they combine the cookie ids.

I thought the whole purpose of using third party JavaScript and third party cookies in advertising is that the advertisers don't trust the host backends. What's to stop a site operator from "boosting" the stats in order to make more money?

Useful for people using Facebook pixel, Google Ads pixel. They have no incentive to lie (they aren't making money out of Facebook or Google), it's just about making sure their users are being tracked after clicking an ad on Instagram, etc.

So you just do a get adprovider.foo/track/<id> from the browser with no cookies and batch send from your backend -- they then just make sure the data you send them roughly matches?

For most big sites this isn't a problem as you're not going to be gaming the stats (presumably the legal costs outweigh the benefit) -- for the scammy small sites faking ad rev.. Well, if this kills them then good riddance ?

Can't the big sites negotiate directly with advertisers? I thought I read somewhere that the New York Times does this. In that case, why bother with the bloat of ad networks and their monstrous JavaScripts and other garbage?

If it's (as you say) good riddance to the small, scammy sites then I think it's the medium-sized sites which will really have a problem. Not big enough to negotiate directly, not small enough to disappear overnight.

> why bother with the bloat of ad networks

Except for a few very rare cases, ad networks can statistically deliver a far more effective ad than a manually curated ad.

The network also has the infrastructure in place to track the user all the way from the ad click to completing a purchase, potentially across many devices or even in a physical store. They use those numbers to demonstrate their value with hard figures rather than marketing fluff.

> and they combine the cookie ids.

And how do they do that? The "advantage" of third-party tracking is that a cookie set by the analytics service on site A gets sent back when the user goes to site B and C and D (etc).

Without that, they have to somehow figure out that user 34 on site A is the same as user 95 on site B. That's often possible, but much less reliable.

I assumed the grandparent meant how do "you" track across your own properties..

For the likes of google and co, I wouldn't be surprised if we start seeing more ad companies requiring you to send some other PII via the api so they can turn a random tracking ID into an email address or whatever though.

The same user on a.com and b.com gets different IDs, but a.com and b.com both send data to tracker.com which maps that ID to an email address, and then tracker.com can easily combine 'em. Not sure it's legal to do so; when I was working in this space we were quite forbidden from mixing up tracking information from various properties.

No, I meant across different properties of different publishers. I assume that's still only possible with browser fingerprinting, IPs etc.

So blocking third-party cookies is a good start to avoid tracking across different publishers (which is the big no-no for me, the fact that a single publisher knows what i read of his is not such a big issue and not that different to what has always been done by just crawling the ht_access logs...)

Site B has an iframe back to site A and the 'user 34' cookie can still be read.

All these protections only prevent setting cookies, not reading them again.

It does prevent them from reading too: "Domains classified as trackers are not able to access or set cookies, local storage, and other site data when loaded in a third-party context." (emphasis mine)
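The quoted rule as a small cookie-jar model, added here as an example; this is my own simplification, not Firefox's code. The tracker list, hosts and cookie values are constructed, and the registrable domain is approximated as the last two labels where a real browser consults the Public Suffix List. It also walks the iframe case raised a few comments up: site B framing site A can still read A's "user 34" cookie unless A itself is on the list, because the list, not the cookie, is what triggers blocking.

```javascript
// Added example: simplified model of "a domain on the tracker list cannot read or
// set cookies when loaded in a third-party context". Not Firefox's code.
const TRACKER_LIST = new Set(['tracker.example', 'ads.example']); // constructed list

// Approximation of eTLD+1; real browsers use the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

function isThirdParty(topHost, reqHost) {
  return registrableDomain(topHost) !== registrableDomain(reqHost);
}

function isOnTrackerList(host) {
  return TRACKER_LIST.has(registrableDomain(host));
}

// May cookies be read or written for a request to reqHost while the
// top-level page is topHost?
function cookiePolicy(topHost, reqHost, { blockThirdPartyTrackers = true } = {}) {
  if (!isThirdParty(topHost, reqHost)) return { allow: true, reason: 'first-party' };
  if (blockThirdPartyTrackers && isOnTrackerList(reqHost)) {
    return { allow: false, reason: 'tracker in third-party context' };
  }
  return { allow: true, reason: 'third-party, not on list' };
}

// Minimal cookie jar keyed by registrable domain (no path, expiry or flags).
class Browser {
  constructor(opts = {}) { this.jar = new Map(); this.opts = opts; }

  // Set-Cookie from a response of reqHost while topHost is the page.
  setCookie(topHost, reqHost, name, value) {
    if (!cookiePolicy(topHost, reqHost, this.opts).allow) return false;
    const key = registrableDomain(reqHost);
    if (!this.jar.has(key)) this.jar.set(key, new Map());
    this.jar.get(key).set(name, value);
    return true;
  }

  // The Cookie header the browser would attach to a request to reqHost.
  cookieHeader(topHost, reqHost) {
    if (!cookiePolicy(topHost, reqHost, this.opts).allow) return '';
    const cookies = this.jar.get(registrableDomain(reqHost));
    return cookies ? [...cookies].map(([k, v]) => `${k}=${v}`).join('; ') : '';
  }
}
```

Two things the model makes visible: a listed tracker that you visit directly as a top-level page still gets first-party cookies, and an unlisted site can be framed from anywhere and read its own cookie. Blocking the request outright, as uMatrix or uBlock do, is the stricter policy; this rule only strips identity from requests that are still allowed to happen.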


Browser fingerprinting?

How do you defeat that? If people want to track... they will track.

Throw away your browser and renounce all web technologies made after November of 1995.

Disable Javascript!

I remember when people used to believe Progressive Enhancement meant works without JS... no longer.

The next step is that they will let third-parties inject javascript from the backend. At that point all is lost and the web will die a horrible death.

Routing tracking traffic through a subdomain that proxies through to the third party is already a thing. And my adblocker, at least, already blocks that too.

It's not death anyway; it's just that blockers will have to adjust to blocking bits of third party content.
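The "subdomain that proxies through to the third party" trick, in one common form, is a CNAME record pointing metrics.publisher.example at the tracker's hostname; blockers that resolve CNAMEs (uBlock Origin does this on Firefox via the browser's DNS API) catch it. Below is an added example of that detection over a constructed DNS table, not any blocker's actual code; the hostnames, the table and the tracker list are made up.

```javascript
// Added example: detecting a first-party-looking subdomain that is really a
// CNAME alias for a tracker ("CNAME cloaking"). DNS data is constructed.
const CNAME_TABLE = {
  'metrics.publisher.example': 'publisher-example.collect.tracker.example',
  'publisher-example.collect.tracker.example': 'edge.tracker.example',
  'edge.tracker.example': null,             // A record: end of the chain
  'static.publisher.example': 'cdn.publisher.example',
  'cdn.publisher.example': null,
  'loop1.example': 'loop2.example',         // deliberately malformed zone
  'loop2.example': 'loop1.example',
};
const TRACKER_DOMAINS = new Set(['tracker.example']); // constructed list

// Last two labels as eTLD+1; a real implementation uses the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Follow CNAMEs, bounded so a loop or an absurdly long chain cannot hang the check.
function resolveChain(host, table, maxHops = 8) {
  const chain = [host];
  let cur = host;
  for (let i = 0; i < maxHops; i++) {
    const next = table[cur];
    if (next == null) return chain;          // A record or unknown name
    if (chain.includes(next)) return chain;  // loop: stop, keep what we have
    chain.push(next);
    cur = next;
  }
  return chain;
}

// First canonical name in the chain that belongs to a listed tracker, or null.
function cnameCloakedTracker(reqHost, table = CNAME_TABLE) {
  const chain = resolveChain(reqHost, table);
  for (const name of chain.slice(1)) {       // skip the requested name itself
    if (TRACKER_DOMAINS.has(registrableDomain(name))) return name;
  }
  return null;
}

// Blocking decision for one request host.
function shouldBlock(reqHost, table = CNAME_TABLE) {
  if (TRACKER_DOMAINS.has(registrableDomain(reqHost))) {
    return { block: true, why: 'tracker domain' };
  }
  const cloaked = cnameCloakedTracker(reqHost, table);
  if (cloaked) return { block: true, why: `CNAME alias of ${cloaked}` };
  return { block: false, why: 'first-party' };
}
```

The limit of this check is exactly the next step the thread worries about: if the publisher runs a real reverse proxy (its own server fetches from the tracker) or bundles the tracking code into its first-party JavaScript, DNS shows nothing and a host-based blocker has nothing to match on.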

> it's just that blockers will have to adjust to blocking bits of third party content.

Just wondering: how will that work when javascript is compressed and obfuscated together with the main code served by the website?

And the final step, pixel rendered canvas generated in webassembly (basically Flash in 202x.)

Disable javascript!

Are you speculating or is that a real plan?

Well, it would be a trivial response against the blocking of third-party javascript done by ad-blockers.

I assume they'd only combine them on "soft factors" (browser fingerprints, IPs etc) then?

Since the unique IDs between the different platforms would differ for the same user (as there's no way to coordinate without 3rd party cookies)

Why do you believe that first party cookies will be able to be re-issued/kept alive? It seems unclear if a visit within 7 days can refresh that timer

One thing mentioned in the responses that might be really concerning is the fact that this will mean that for a lot of analytics it will look like Firefox usage is close to zero.

No usage data, devs caring less about Firefox, users having more problems when using Firefox, fewer users using Firefox, fewer users having 3rd party trackers blocked, Chrome monopoly growing.

Alternatively, it could work to FF's benefit that no one can know what the real percentage of users is.

There might be some positive press around "the numbers in Analytics do not reflect users on FF"

Nah. People making decisions don't care. Firefox usage will be reported as super low, and it won't be tested.

And users who report having issues with Firefox will be told to use Chrome (that is what's already happening)

And we will shout back : )

I'm already on it as might be seen here.

Feel free to complain loud and clear if it doesn't work in FF. Make it clear that FF support isn't optional.

Also on my to-do list: complain even more, including to relevant authorities about Google's abuse of market position to push their browser. Feel free to join me here as well.

(And to be sure: feel free to complain when supposedly mainstream sites don't work in any major browser - Safari, Edge, FF and even Chrome : )

We make noise, we will shout back, but even if the noise we're making eventually resolves to something positive, let's not kid ourselves, it will take _time_.

In the meantime, FF support (while, for now, relatively inexpensive/free if you just use web standards) will just continue being optional considering Chromium's quasi-monopoly.

This is why I use FF for development(and all other browsing). I get firefox support by default on all my work.

Same here : )

Only once have I experienced that something I'd actually write for production only worked in FF and not across all modern browsers.

Protip for anyone who reads this and thinks "but my employer doesn't care about Firefox':

I typically used FF also while testing other people's work and if it didn't work in Firefox then 9 out of 10 times it didn't work in any other browser than Chrome (had some devs on my team who really didn't seem to care about cross-browser compatibility but it would work in most browsers before it was approved :-))

Not at all unlike back in the IE6 days. Back when the response from geekdom was a loud and resounding, "fuck that!"

Suckiness of the browser situation aside, I fear I'll soon be coming to miss those days.

Since when did we decide it is OK to install global tracking for everybody, whether they want it or not? The User-Agent is still visible to the website I'm visiting.

It's enough that a few large websites provide stats summary for their users. It is not necessary that Google, FB and co. track the entire Internet.

I run into a similar issue at work. I deploy ad-blockers on all student and staff machines. This makes our users invisible in Google Analytics. Supposedly our top browser is Mobile Safari.

Wouldn't it be easier to use something like PiHole to block requests to ad and analytics servers at the network level?

My web filter blocks ads, but ublock is better. It blocks off-campus and handles first-party ads. It also hides ad content frames better than dns-level blocking does. It's also easy for users to turn off when some site doesn't agree with it. My network level ad filtering has to be simple to avoid breakage since it's harder to work around.

But you're saying here that metrics might not faithfully keep track with reality; presumably an industry that cares will simply improve their metrics until they don't care.

In an ideal world yes, but what actually tends to happen is that the company starts to work towards improving their metric numbers at the cost of actually doing good business. I've seen this happen over and over again.

The web server's access logs will probably be a good place to look in the future then.

Websites can look at their own usage stats. As with some other aspects of this, people will have to actually do some work in-house.

No, they won't have to; they can simply ignore FF. I fully support this change, but to think FF matters enough to force anyone to do anything seems unfortunately a thing of the past.

Well, then Firefox will need to emulate Chrome, except that it still protects users.

In my experience as a long-term Firefox user, developers already don't care about Firefox. It's amazing how many websites I visit that break or look awful until I switch to Chromium.

Interesting, I've been using Firefox for years and can't remember the last time I've experienced a site that didn't perform as expected.

Which sites? I've been using FF as my browser for years. The only sites I've had issues with are owned by Google.

> this will mean ... No usage data

This presupposes that the current tracking (spyware) data is a reasonably accurate representation of reality. This assumption could be tested by comparing the "analytics" data to the server logs. But who wants to use accurate first-party data when delusions about "analytics" can tell you what you want to hear.

Don't forget all the Firefox forks that have to falsely identify as Firefox in order to get websites to not simply kick them off. Firefox usage is already significantly lower than what user-agent statistics show. A lot of that is because Firefox has chromed itself, if not in source code then in spirit.

They should have user-agent info on a per-request basis. That's not the same as tracked browser-to-customer association but will at least help.

Who cares? Devs should be building to the spec, not vagaries of some privileged implementations.

And it's nobody's business what I do with the bits after it comes down the pipe anyways.

Firefox's Containers approach has been quite interesting to use, but if a suggestion could get out to the Firefox team, I would advise improved streamlining of workflow for the extension, including with sync and returning browser setup, and for organizing and setting up new containers (configuring them to always open for a domain, putting them in folders).

Yeah the UX of Multi-Account Containers is awful. The number of steps the user is required to follow to make a website always open in a particular container is absurd.

    1) Create a new container 
    2) Open a new tab with that container
    3) Open the website in that container
    4) Check "Always open in [container name]"
    5) Open a new tab and load that page again.
    6) Click "Remember my decision"
    7) Click "Open in [container name] Container"
I don't mean to throw shade, I'm sure whoever came up with this had good intentions, but it needs work. (Also, why a limit of 8 colors and 12 icons? Why not an arbitrary number of colors and user definable icons?)

> Also, why a limit of 8 colors and 12 icons? Why not an arbitrary number of colors and user definable icons?

This is commonly called the paradox of choice. Satisfaction is often higher when choosing from a limited set of good options than choosing from a large set of options with varying quality.

(YMMV, it is also used as an excuse for being inflexible, or for forcing bad options on users a la a false dilemma, and to be honest I'm not sure how to tell the difference as an outsider)

It's pretty crap in practice. Which of those icons am I to choose for HN? Dog? Fork and knife? Apple? Sunglasses? Briefcase? Gift?

I chose 'Dollars' as the closest fit due to the association between the tech industry and greed, but really shouldn't there be at least one tech-themed icon? Of the 12, two are food themed, two or three are shopping related, etc. The icon set is redundant with poor conceptual coverage.

Okay, maybe I'm a nerd who cares about tech and Mozilla thinks most firefox users who use Multi-Account Containers will be regular joes who aren't interested in tech. I disagree, but maybe that's their theory. What icon am I to use for youtube? Everybody uses youtube. Is youtube conceptually a briefcase? Trees? Dog? Is it a dog because everybody watches dog videos on youtube? I chose sunglasses, because sunglasses are associated with eyes and eyes are associated with videos.. it's a pretty tenuous association. And which color? Red makes sense, youtube brands itself with the color red. Yet red isn't on the color list. Two shades of orange are on the list, but not red. What the fuck? So youtube is "dark orange sunglasses". Great, just great.

I just pretend that’s not a feature and use the circle with a single color for everything.

> Also, why a limit of 8 colors and 12 icons? Why not an arbitrary number of colors and user definable icons?

If I had to guess it would be UX designers: users are really dumb so let's make sure we make this simple enough.

Of course they don't say these words but sometimes I feel this attitude shines through everywhere :-/

The Temporary Containers addon is a great way to use containers everywhere, but I agree a bit of streamlining from upstream to standardize things would be even better.

With Temporary Containers, you can easily run one new container per tab. Or one new container per domain or even subdomain within the same tab. Although the latter option will break many sites and the go back button.

Containers are amazing. The only headache I've run across so far has been a dungeon of my own design--I have certain sites that are confined to my Shopping container (Amazon, PayPal, eBay, couple others). What's bitten me more than once is trying to purchase from a site where I forgot to re-open it in the Shopping container, get to checkout, try to pay via Amazon or Paypal, and have the payment fail because the login cookie is in a different container.

Agreed. Containers feels a little unfinished right now. Sync is a must and the UX needs to be improved a little so it's easier to start them up and organize them. There should probably be an opt-in option to always ask you into which container you want new websites you visit, too. This way I wouldn't have to change it after the fact or make the effort to set-up a container before I think about visiting the site.

Containers have some great add-ons built around them, have you taken a look?

I agree with your point completely though- needs to be a front and center feature.

I'd like to add something else- firefox should ship a 'power user' edition. Comes pre-installed with uBlock origin/uMatrix/temporary containers/sidebar tabs/greasemonkey/Tridactyl (sorry emacs users ;)

> firefox should ship a 'power user' edition

If you have Firefox Sync enabled, you will get all your extensions anyway, so it is a one-time setup for all those extensions that you need.

First time hearing Tridactyl! I'm using Vimium. Does it have any advantage over Vimium?

Related to the GP - Tridactyl has container support with `tabopen -c [container name] url`, for example.

Generally we're much more happy to add features. Vimium cares much more about looks and stability (although we do have a Vimium-style theme with `colours shydactyl`).

>If you have Firefox Sync enabled, you will get all your extensions anyway, so it is a one-time setup for all those extensions that you need.

Yes, but it's still annoying to set up the containers and set up that certain sites only open in certain containers.

Also if I'm on a work device I may not want to sign into Firefox Sync for privacy reasons.

Same reason as mine- separation of work and private profiles

Sorry never used it but one advantage of tridactyl is that the creator lurks here and is extremely responsive and kind.

I will tell you what 3-fin can and can't do:

Can: Js, key bindings, can show alpha and numeric hints. In numeric mode, behaves like vimp: type chars of link text. ;; for link info. ; for hover. C-d/C-f et al work. H, L navigate history. Edit in vim. C-i

Cannot: Self limitation -

No way to stop page load I think. Very painful :)

No shortcut for search. No readline bindings in text editing regions.

Webext limitation- takes a while to load.

That's all I use right now.

You can stop page load with `stop`, bound to x, provided that the page has loaded enough for Tridactyl to be running.

Search - we actually have our own find mode now. Instructions on how to set it up are on the changelog. The default Firefox one has find next / previous bound to Ctrl-G / Ctrl-Shift-G.

You can add readline binds to text regions if you want. It's mentioned and linked to on the help page somewhere near the top.

You'll have to pardon me for not finding time to read the manual and spouting nonsense! I'm going to get around to it real soon, just too much backlog!

Good. They should've done this ten years ago.

However, I don't know how it'll play out in the long run. FF is already on the radar of ad-driven sites, including those that just need basic unique visitor counters verified by third parties rather than doing evil privacy invasion things. So they could decide to boycott FF altogether. I hope this isn't going to happen, though. Anyone in the ad-driven content business here to share their opinion? Or should we go back to pixels?

What is a "tracker" here? How will Firefox determine that?

A tracker is a script included as part of a webpage's content, often utilizing some combination of tracking pixels (an http request for a 1x1 image file from the tracking script's providers domain), a persistent cookie, and increasingly some form of browser/device fingerprint which is used to identify a particular machine.

The user's machine presents back to the tracking network the cookie and a bunch of http params to the tracking provider whilst interacting with pages that support the script, which the tracker stores in a database to sell access to.

It gives developers/businesses a way to collect metrics while offloading the trouble of keeping track of and maintaining the infrastructure to do so to someone else.

Firefox will probably be enforcing a cross-origin isolation constraint, requiring that all material be hosted by the domain you're requesting from in the first place, which doesn't really fix the problem since people will probably just try to build ways around the limitation.

Until the industry breaks itself free of its current fetish for wholesale data collection, it's just going to be an arms race.

But Firefox also identifies APIs as trackers - see here https://ibb.co/QFXYjhL

Firefox uses the Disconnect blocking list to determine what is tracking, and Disconnect doesn't only filter out cookies.


"Disconnect Private Browsing automatically detects when your browser tries to make a connection to anything other than the site you are visiting. We call these other attempted connections 'network requests'." https://disconnect.me/help

Moving everything to first-party tracking could potentially solve a lot of the problems.

It could reduce the across-the-entire-web tracking, categorizing and labeling of users, and instead limit analytics to useful things like "what percentage of my users are on mobile".

Whatever they feel like it being. Including images.

For some reason, this keeps getting flipped to "on" for me, and I have to keep turning it off, to get images to load correctly in both my RSS reader and via a convenience user script.

My work laptop is a very fast upper end macbook and I can somewhat reliably run Firefox on that. My personal laptop is an older macbook pro retina model and whenever I use firefox on that it gets incredibly slow and from time to time the computer just freezes for 20-40 seconds. So, sadly, I can't use firefox on that.

At one point someone on HN posted a link to the bug report on mozilla's bug tracker about this issue with retina macbooks. Does anyone have that link? I can't find it.

Yes that seems to be it! Thank you. Always good to not be alone when experiencing such problems.

I've got a bottom of the line 2013 macbook air. I closed everything down earlier to update to mojave, and firefox told me it would close 7 windows and 71 tabs. Never had a problem with it.

My main desktop is an ubuntu 16.04 machine with 16GB of memory and I've never had a slowdown, often get upto the 100+ tab range across different windows.

The MacBook Air doesn’t have a retina screen, it appears to be related to that. I also use ff on Ubuntu without issues.

I'm currently surfing on a "MacBook Pro (Retina, 15-inch, Late 2013)". It works fine with 4 window opened (1 private, 2 with ~20 tabs, main one with at least 50 tabs).

I'm also running 10+ extensions.

Works pretty well for me.

Sometimes after a while the video playback goes wonky though. I end up doing `sudo killall firefox`.

I have an old Thinkpad X220 and I see no slowdown with Firefox, but I do see more CPU usage in my cpu graphs compared with Chromium so I worry when I am on battery power. I'm not sure how to properly compare CPU usage to determine if I am just imagining it.

I use Firefox Nightly on a MacBook (Retina) and it performs very well with WebRender on and gfx.compositor.glcontext.opaque set to TRUE. Faster than Safari even! Worse battery life though.

Why now, as opposed to several years ago? Are there downsides to blocking 3rd party trackers by default, and if so, what has changed recently to allow this to happen now?

I have 3rd party cookie blocking on Chrome.

Honestly the two things I've noticed are:

- I have to fill out recaptcha. A lot.

- I've been applying for jobs, some companies have a button for linked in auto fill. Sometimes this works sometimes it doesn't

Beyond that there's a few other things like, wikidot, that don't really work. In this case the cookie is given by wikidot for sign in, then you're redirected to the custom url wikidot instance (Scp foundation in this case) and you're just not logged in until you allow cookies in this case.

Sites use third parties to provide various functionality. If you block them, the site can appear partially broken. I assume Mozilla has been testing and working on minimizing breakage.

It's a huge step forward. Does it block Google Ads too?

If so, ad companies should consider some kind of functionality to proxy the advertisements through the partners' websites.

I've seen ublock struggle with Server Side Ads Injection.

Will this also force Do Not Track to be on, similar to the current tracking blocklists in Firefox? That's the primary reason why I have it turned off and rely on uBlock Origin + a few other extensions.

DNT is pretty much dead because no one ever really honored it.

Irrelevant information to the question.

Firefox right now has two options related to DNT:

"Send web sites a “Do Not Track” signal that you don’t want to be tracked

(_) Always

(_) Only when Firefox is set to block known trackers"

These two options don't become irrelevant, but the choice related to them does if the default is "block known trackers" (if that is the same as "block all 3rd party trackers by default").

And that is exactly why I would like it to not be forced on (or off). I want my browser to report no DNT setting at all, to reduce my fingerprinting profile.

https://panopticlick.eff.org/ reports that 1 in 1.67 browsers send the DNT header, so the best option fingerprinting-wise might be to leave it on, at least information-wise.

Of course, that ratio will likely change when Safari drops support for DNT entirely. See discussion here https://news.ycombinator.com/item?id=19101156

They send the header, but with which value? I probably didn't express myself well enough, I want my browser to send the "DNT not configured" value.

Sorry, I left that part out. My browser sends DNT=1, and I get 1/1.67, which should mean that 1/1.67 browsers send DNT=1. This means that the total share of browsers that send the DNT header at all is at least 1/1.67, but probably higher.

How do you prevent Iframes from communicating their cookies to the parent window? Using window.postMessage?

Disable all cookies for iframes? That seems like it would break the internet.

If you're the parent, you can use the `sandbox` attribute on the frame. If you're the child, you can use the `frame-ancestors` CSP directive.

"If you're the parent, you can use the `sandbox` attribute on the frame. If you're the child, you can use the `frame-ancestors` CSP directive."

... Yea but that requires the parent frame not to want the tracking to take place right? Why would they put the iframe in sandbox mode if they were trying to track their users?
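The child-side control mentioned above, `frame-ancestors`, is a policy the framed page sends and the embedding browser enforces. The following is an added example, not code from the thread or from any browser: a simplified evaluator for that directive, covering `'none'`, `'self'`, `*`, scheme-only sources and host sources with an optional scheme, `*.` wildcard and port. The sample header, origins and helper names are constructed.

```javascript
// Added example, not code from the thread or from any browser: a
// simplified evaluator for the CSP `frame-ancestors` directive. It covers
// 'none', 'self', '*', scheme-only sources, and host sources with an
// optional scheme, "*." wildcard and port; helper names are my own.

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent (CSP then imposes no framing limit).
function parseFrameAncestors(cspHeader) {
  const directive = cspHeader
    .split(";")
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return null;
  return directive
    .split(/\s+/)
    .slice(1)
    .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
}

// Effective port of an origin, filling in the scheme default.
function effectivePort(u) {
  if (u.port) return u.port;
  return u.protocol === "https:" ? "443" : u.protocol === "http:" ? "80" : "";
}

// Does one source expression permit the given ancestor origin?
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  const anc = new URL(ancestorOrigin);
  const self = new URL(selfOrigin);
  if (source === "none") return false;
  if (source === "self") return anc.origin === self.origin;
  if (source === "*") return true;
  // Scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return anc.protocol === source;
  // Host source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (`${scheme}:` !== anc.protocol) return false;
  } else if (anc.protocol !== self.protocol &&
             !(self.protocol === "http:" && anc.protocol === "https:")) {
    return false; // no scheme given: must match the protected page's scheme (http may upgrade)
  }
  if (port && port !== effectivePort(anc)) return false;
  // "*.partner.example" matches subdomains only, never "partner.example" itself.
  if (wildcard) return anc.hostname.endsWith("." + host);
  return anc.hostname === host;
}

// Top-level check: may a page served with cspHeader from selfOrigin be
// embedded by a document at ancestorOrigin?
function mayBeFramedBy(cspHeader, ancestorOrigin, selfOrigin) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, ancestorOrigin, selfOrigin));
}

// Constructed sample: a widget only partner subdomains and one portal may embed.
const WIDGET_CSP =
  "default-src 'self'; frame-ancestors 'self' https://*.partner.example https://portal.example:8443";
const WIDGET_ORIGIN = "https://widget.example";

for (const parent of ["https://app.partner.example", "https://partner.example", "https://evil.example"]) {
  console.log(parent, mayBeFramedBy(WIDGET_CSP, parent, WIDGET_ORIGIN) ? "may frame" : "blocked");
}
```

The parent-side control works the other way round: an `<iframe sandbox>` without the `allow-same-origin` token gives the framed document an opaque origin, so it cannot read cookies or storage for its own origin at all. Both mechanisms only help when the page that sets them wants to limit the embedding, which is exactly the limitation the reply above points out.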

Do you use server side visitor tracking on your projects? This will probably if not already shift analytics more to the backend.

I'm using a self-hosted instance of Countly for a new project. It's been great so far. Still client-side, but since you host it, the domain isn't blacklisted.

I think this is huge. It reminds me of the early days of Firefox (back then still known as Phoenix) in a world where IE6 and pop-up ads dominated. At launch IE6 was really the best and most innovative browser of its time (IMHO). But after IE6 had beaten Netscape, Microsoft stopped putting money in IE development and the situation got worse over time. It was Phoenix with, among other things, a pop-up blocker that was on by default that brought down Internet Explorer's hegemony.

Today, with Chrome being dominant the situation is different because Google is still innovating Chrome at light speed. The one and only Achilles heel to beat this giant is by attacking their business model, which is to enable ad blocking by default. I expect this is something people want, just like pop-up blockers back in the days. Google will never be able to lead, or even follow in this direction without changing their business model.

Unfortunately, Mozilla’s own business model also heavily relies on selling ads, albeit indirectly. According to this statement from an independent audit report[1]:

"Note 10 - Concentrations of Risk:

Mozilla has entered into contracts with search engine providers for royalties which expire through November 2020. Approximately 93% and 94% of Mozilla’s royalty revenues were derived from these contracts for 2017 and 2016, respectively, with receivables from these contracts representing approximately 75% and 79% of the December 31, 2017 and 2016 outstanding receivables."

In other words, $539 Million, which is 93% of their total revenue, comes from companies that have selling ads as their business model (Baidu, Google, Yahoo and Yandex [2]).

I really hope Mozilla will be able to change this revenue stream to better align with their mission[3]. They have been trying to diversify their revenue since 2014 [4] and although they might not be as dependent on Google as they once were, they're still almost fully dependent on ads.

Oh, and yeah, of course simply making a better browser than Chrome would also help ;)


* https://www.mozilla.org/en-US/foundation/annualreport/2017/

* https://assets.mozilla.net/annualreport/2017/mozilla-2017-fo...

[1] https://assets.mozilla.net/annualreport/2017/mozilla-fdn-201...

[2] https://wiki.mozilla.org/Global_Search_Strategy_Status

[3] https://www.mozilla.org/en-US/mission/ "An Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent."

[4] https://blog.mozilla.org/advancingcontent/2014/02/11/publish...

Google may be innovating Chrome, but few of those enhancements provide me, as user, any value, and many subtract from it.

Firefox has an opportunity.

I like this!

I think this is a bad idea. Even though I personally block 3rd party trackers by default, breaking the web by default will cause problems.

Also, ad blocking will start being a problem when enough people start doing it. I still remember the days of no websites yelling at you for blocking their ads. Things are going to get much worse.

"breaking the web by default"

It's not breaking the web, it's breaking part of the web's grasp on users. Is the web for people or is it there to use people?

"Ad blocking will start being a problem"

I live in the days where both all ads and all bullshit responses to my adblocker ("don't block my ads!!") are blocked; it's a breeze of fresh air. Sometimes a site tries to get around it and I block it permanently.

What do you use to block the requests to disable your ad blocker?

Between uBlock Origin and uMatrix in whitelist mode, you'll virtually never see those "disable your blocker" nags.

uBlock Origin comes with anti-adblock lists; they're just disabled by default. I also use element picker mode.

Element picker mode is right at the edge of my patience, so I usually give up if it doesn't work. If I still really want something from the site I view source.

Good. Let them yell, allow the system to break. I'm not convinced that the current status quo of paying for services via targeted advertising that amounts to quite a severe level of manipulation and tracking is tenable (nor desirable). Figure out something better.

The alternative is what we do now: a select group with tech savvy blocks advertisements, and lets the masses pick up the bill by 'accepting' ads and having their every movement online tracked.

> Figure out something better.

There is no magical solution. The alternative is some kind of payment system.

And many people can't afford paying for each site they visit, so it would limit people's access to the net if there were paywalls everywhere.

Also, if sites can't show ads and not enough people subscribe then many sites will close which would lead to further concentration of the web. Small players would be eliminated, big players would still thrive.

Independent journalism would decrease while sites financed by rich companies and people could keep running and promoting the agenda of the rich players.

If people can't afford paying, then it follows that they can't afford being advertised at in order to stimulate their consumption beyond what they actually need. If the answer to that is that people are of course in their right to ignore advertisements (as if that is possible), then by extension blocking them outright is morally defensible as well, and we are right back to where we are now.

Either that, or on-line advertising is not nearly as effective as advertisers think it is, and they are just subsidising the whole shebang while the Facebooks and Googles profit.

As for journalism: yes, that is tricky. Personally, I'm subscribed to one national quality newspaper (NRC in the Netherlands) as my main source of news and research journalism, and just today I've set up an annual subscription for €12 with the Guardian, which I visit occasionally as it is one of the few reliable British sources for news on the whole Brexit ordeal.

Ideally, I would pay a monthly flat fee that I can distribute at the end of each month to participating websites I've visited, but such a system would have to be fair to both the consumers and the publishing websites. If it just ends up a system with yet another FAANG-like Silicon Valley middleman that takes a 30% cut I'm not interested.

> If people can't afford paying, then it follows that they can't afford being advertised

You know the answer to that. People can pay with their data, their interests. And if you put the question to people if they want a free web which sells their data or pay for every site then most people will choose the first.

And what is that data used for, if not targeted advertising?

The data is a means to an end: the ability to provide advertisers with a way to reach very specific groups of people, and a way for advertising platforms to track not just the same user, but a very detailed user profile.

Knowing what people's interests are is worth diddly-squat until you use that knowledge to push ads to them that are likely to resonate with them.

>The alternative is what we do now: a select group with tech savvy blocks advertisements, and lets the masses pick up the bill by 'accepting' ads and having their every movement online tracked.

And I like it. I know it's selfish; I'm just speaking my mind.

Soon, there will be so many people blocking ads that many websites will simply become pay-per-view, and that's going to be bad for me.

Then we work around that, with a Sci-Hub style approach.

It's worth noting that historically RFC 2109 and RFC 2965 specified that user agents should respect the user's privacy and not allow cross-server cookies. Since browsers have flat out ignored this recommendation since the beginning this never meant anything, and newer RFCs explicitly allow the default. But if we had been a little more prescient this mess could have been avoided.

It's also worth noting that anecdotally, blocking all third party cookies and running an adblocker has not led to "breaking the web" in my personal use. I can count any issues I encountered on one hand, and I've run this setup for years. It might be that my internet use is weird (I don't believe so) but it makes me feel the consequences for users of this are overblown.

It's not for lack of prescience. Lou Montulli (the guy who created cookies) realized that third-party cookies were being used for tracking and advertising early on and made the decision not to break them. I think his reasoning [1] has stood up well too.

[1] https://web.archive.org/web/20170421064522/http://www.montul...

breaking the web by default will cause problems

Doesn't Safari already do this (or something like this)?

Safari works pretty well on most web sites. So what will Firefox be doing differently that will "break" the web?

Yes, it’s quite complex though: https://webkit.org/blog/category/privacy/

I agree completely --- large organisations taking what are essentially political stances basically means war, and the only ones who lose in the end are the users --- because the opponents are just going to find more ways around it when there is such escalation. I wish the browser developers would just focus on implementing specs, and give users the choice of options. This paternalistic "we're doing this for you" attitude can't stop soon enough.

> I think this is a bad idea. Even though I personally block 3rd party trackers by default, breaking the web by default will cause problems.

How is this “breaking the web”? Honest question, I would not subscribe to that sentiment, but am interested in other points of view.

By default, unless the user has changed his settings, if a website tells a browser to load something, the browser should do so.

If there are some conflicts of interest between the user and the website, the browser (chosen by the user and put on the user's device by the user) should be on the user's side, and work with them to ensure that the interests of the user are met - at the expense of website "desires". A browser is not a platform for websites to run on; a browser is a tool for the user to interpret the content provided by websites according to the user's wishes.

A prime example of "if a website tells a browser to load something" is popup windows - if a website tells a browser to open a dozen popups and popunders, then no, the browser should not do so. Earlier browsers did what the websites told them to do, and that was a horrible thing, so that's been changed.

A browser is a user agent - it exists to serve the user. Its defaults should be chosen to best serve the interests of the user.

What if the website told the browser to load malware?

Browsers in the modern web need to defend the user, not execute arbitrary instructions from random websites that nobody cares about.

A website cannot tell a browser to "load malware", unless we're talking about an exploit, which should be patched.

(Please don't say "if I send you a malformed png file you have to execute the exploit, otherwise your argument breaks down".)

If I ask my User Agent to load a particular news article (for example), I am not intending to ask for myriad companies to start monitoring my reading habits, social interactions, shopping, or anything else.

When I buy and read a newspaper, I don't expect the publisher to start following me everywhere and keeping a log of my life. When I read an article online, I shouldn't have to think about that either. But sites have so flagrantly abused the ability to deliver more than just the content I've deliberately requested, in order to track (and monetize) user behavior everywhere, that it's entirely appropriate for my User Agent to take steps to defend me.

I don't mind a site delivering some ads alongside the content I've asked for, just like I accept some ads in a printed magazine. But I don't expect my magazine to come with an embedded tracking device that will stick to me like a burr, even long after I've read the content and recycled the pages.

How are you drawing a principled distinction between "if a website tells a browser to load something, the browser should do so" and "a website cannot load malware [except via an exploit]"? Clearly, asking the browser to load an EXE, or run this JavaScript that attacks website X, could be considered malware, so the line is fuzzier than 'if a website asks, a browser should load it'.

'We should patch exploits' and 'all things we would like to not load are considered exploits' seems to be rather begging the question. There is a class of things that use legitimate browser features, but we would prefer to not load by default.

Malware is software that is explicitly designed to disrupt, damage, or gain unauthorized access to a machine.

You are covering the unauthorized access but disrupting/damaging is absolutely possible using plain old HTML and JS.

Privacy advocates argue that it's not only possible but many trackers are guilty of exactly that.

So the browser is in fact blocking malware.

... And yes, if you think about it, that definition does apply to ads as well. Really says something doesn't it :)

sure they can, unrequested crypto miners running in the background are malware

As opposed to requested crypto miners. I would gladly trade some processor time and energy so that I don't have to watch obnoxious ads.

I disagree. I think by default the browser should protect the user, and protect the user's privacy. The browser is an agent of the user, not an agent of the websites the user visits.

Edit: PeterisP says it much better in a sibling comment.

Yeah, you lost that ‘right’ at the time when popup ads were popular.

> "I still remember the days of no websites yelling at you for blocking their ads."

I recommend updating your adblocker. I haven't seen that kind of crap in ages, because I block that stuff too.

Third party cookies shouldn't exist in the first place.

I partly agree with you: they should be an earned privilege that I agree to turn on for some websites, not something turned on by default, because there are some genuine use cases, such as single sign-on, that they're actually useful for.

Eh, single-sign-on is easily fixed for most applications; just forward the entire window to the SSO provider, so the cookies are first-party, then forward back once they're logged in.

I wish it was that simple.

If you can bounce through an SSO provider to set a first-party cookie, you can bounce through an ad tracker. Even with a heuristic that requires action on the interstitial, how do you distinguish between redirects to services like Google that support social login and ad tracking?

Separating SSO and ad tracking is nontrivial and may result in collateral damage.
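The redirect-based SSO flow described two comments up and the "bounce through an ad tracker" objection directly above look identical at the network level; what browsers key on is what happened on the intermediate site. The following is an added example, not Firefox's or WebKit's code: a bounce-tracking heuristic run over a constructed navigation log, flagging a top-level navigation that detours to another site, sets a cookie there, and returns quickly with no user interaction. Site names, timings and field names are constructed for the example.

```javascript
// Added example, not Firefox's or WebKit's code: a bounce-tracking
// heuristic run over a constructed navigation log. It flags a top-level
// navigation that leaves the site, sets a cookie on a third site, and
// returns within a short time without any user interaction. The log
// entries and site names are constructed for this example.

// One top-level navigation as the browser would record it.
// t: milliseconds since the first event; setCookie: the response set a
// cookie; interacted: the user clicked, typed or otherwise acted there.
const NAV_LOG = [
  { t: 0,    url: "https://shop.example/cart",             setCookie: false, interacted: true  },
  { t: 120,  url: "https://tracker.example/r?to=shop",     setCookie: true,  interacted: false },
  { t: 190,  url: "https://shop.example/cart?ref=tracker", setCookie: false, interacted: true  },
  { t: 5000, url: "https://shop.example/login",            setCookie: false, interacted: true  },
  { t: 5100, url: "https://sso.example/authorize",         setCookie: true,  interacted: true  }, // password typed here
  { t: 9000, url: "https://shop.example/account",          setCookie: true,  interacted: true  },
];

// Site key for a URL. Simplification: the hostname; a browser would use
// the registrable domain so that subdomains count as the same site.
function siteOf(url) {
  return new URL(url).hostname;
}

// Return every intermediate navigation that looks like a tracking bounce.
// maxDwellMs bounds how long a genuine stop on the intermediate site may last.
function findBounces(log, maxDwellMs = 2000) {
  const bounces = [];
  for (let i = 1; i + 1 < log.length; i++) {
    const prev = log[i - 1], cur = log[i], next = log[i + 1];
    const from = siteOf(prev.url), via = siteOf(cur.url), to = siteOf(next.url);
    const dwellMs = next.t - cur.t;
    const isBounce =
      via !== from && via !== to &&  // detour through a different site...
      from === to &&                 // ...that comes straight back
      cur.setCookie &&               // which stored state there
      !cur.interacted &&             // with no user action on the way
      dwellMs <= maxDwellMs;         // and only briefly
    if (isBounce) bounces.push({ site: via, at: cur.t, dwellMs });
  }
  return bounces;
}

for (const b of findBounces(NAV_LOG)) {
  console.log(`bounce via ${b.site} at t=${b.at}ms (dwell ${b.dwellMs}ms)`);
}
```

On this log the SSO hop is not flagged because the user acted on `sso.example` and stayed there for seconds, while the tracker hop is. That is also where the objection above bites: the interaction signal is the only thing separating the two cases, so an intermediate page that requires a click before redirecting would pass this heuristic, which is why browsers pair it with lists and storage-lifetime limits rather than relying on it alone.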

Third party scripts shouldn't exist either.

but it's not breaking the web, it's fixing it.

They should be careful because some sites do break without tracking.

Who is 'they' in that sentence?


I figured 'they' refers to website developers.

Does this mean that analytics will also be blocked? If it is true it will be a shot in the foot, because Google pays a lot of money to Mozilla. Translated automatically.

Firefox/Mozilla is not as reliant on Google anymore as it once was, having diversified which search engine gets set in which area. There would also still be a reason for google to be the default search engine even in a browser that blocks third party trackers by default, namely the original reason of getting users to use your search engine. So I don't see a problem here and I doubt Google would or could force Mozilla to not make that change, even though the business people in Google probably don't like it.

Mozilla released the extension "Facebook Container", which is great, but that's only one of the FANG companies notorious for invading privacy. Where is the "Google Container" extension from Mozilla? There exists such an extension but it's by a third party, not by Mozilla. It would be nice to see it from Mozilla since I trust them more than I trust some random extension developer; I can feel confident in recommending Facebook Container to people but I'd have to keep up on the reputation and ownership of the Google Container extension to feel good about recommending it to others.

I guess what I'm saying is it would be nice for Mozilla to be a bit more bold in demonstrating this independence from Google. It seems to me they still fear/respect Google more than Facebook.



Those container extensions are just the "Firefox Multi-Account Containers" extension developed by Mozilla with some default settings for Facebook and Google.


Yup, and I use it religiously. I keep my work Google account separate from my personal Google account, which is separate from everything else. If I don't trust it, it gets a separate container.

Putting Facebook in a box is easier for many people because they have fewer things that are connected to their Facebook. Any such things break with containerisation. Firefox spells that out, but people will be surprised anyway.

Let's give a real world example. I use Facebook container. I also have YouTube premium. So, normally I don't see YouTube adverts because I'm logged into my account with Premium.

But inside the Facebook container, I am an anonymous YouTube user, with no Premium account. So if a user embeds a YouTube video, it has adverts.

Now, if I used the Google Container, all YouTube videos, other than on YouTube itself, would be anonymous and so have adverts.

There's a lot more integration like this for Google than Facebook, and so the experience with containers is worse for Google than Facebook.

One of the main reasons to use Firefox these days is to be more free from the tentacles of Google. So this move is a logical step in the right direction. If you're OK with being permanently tracked by Google, you might as well use Chrome.

One might also want to use Firefox to resist against a Chrome monopoly. I do use Firefox for both reasons.

The fact that I prefer it to Chrome also for convenience and practical reasons helps a lot of course.

All trackers are equal, but some trackers are more equal than others.
