Apple has responded with ITP 2.1, though, limiting _all_ (persistent) cookie lifetime to 7 days, although these could probably be accurately re-issued/kept alive in my opinion: https://webkit.org/blog/8613/intelligent-tracking-prevention...
ITP 2.1 also removes support for Do Not Track (as it's not honored anyway).
Apple can afford to be more aggressive, and force features such as ITP 2+, because of their iOS monopoly, and expect webdevs to scramble for fixes, but Mozilla doesn't have such leverage, so they need to avoid breaking the web.
If Mozilla wants to make a real difference, they'd study uMatrix and figure out how to create UX that would give that degree of flexibility and power to non-technical users.
I don't know if I'm an outlier, but I hate having to re-sign back into sites I use even semi-regularly unless it's for administrative access or purchase confirmation. Regular "auto sign outs" already happen with a few due to a snafu somewhere along the stack, for me The Economist and Foreign Affairs are the major ones where it seems like every time I go back to visit I'm signed out. In contrast sites like HN or Ars seem to never sign me out (or maybe once every few years) and some of the newspapers are once or twice a year. Being signed out creates more friction than I'd have thought before experiencing it often, perhaps amplified since I tend to read on the model of "see a few interesting stories, open them all in tabs, then go through them" and if signed out I not only need to sign in but every single tab will be "you've reached your article limit please sign in".
I have suspicions about how much it even matters when it comes to tracking for any site I'm actually paying for. I mean, by definition they know who I am, real money is changing hands after all. Within their own site there is no technical measure that can prevent them from seeing what remote resources of theirs I specifically am calling for, it's their resources after all with authentication required. And once they have the info what would prevent them sharing/selling it would be their own interests and the law, not anything from my end. Clearing 1st party cookies smells suspiciously like privacy theater for any site at all that depends on authentication in any significant way.
Having set up a master password in Firefox, resigning usually takes me a single click (as the login info is filled in by the browser). Would this be useful in your case?
- IE prompts me if I want to block cookies on a website, so unless I trust it, I block by default.
- I have an extension on Firefox that is "Cookie Autodelete", so I visit a site and unless I whitelist it, all cookies will be deleted when I leave.
I'm wondering if you are not seeing blocked cookies because of the second one. I'm not blocking it, but as soon as I leave it gets deleted, effectively doing the same thing.
Is there anything in umatrix to make the switch worthwhile?
That's a lot of configuration to do. I'd rather just use Firefox containers, noscript, and use Tor for things I don't want tied to my ad profile.
It's not a lot of config at all. If the site breaks, you click a button and unblock some stuff. Otherwise the defaults work great.
For the ones that don't work it's normally 1 or 2 clicks in the UI to allow some 3rd parties and save it.
Sometimes a site works by default in the "broken" state but as soon as I give it more permissions it breaks by adding a paywall or some modal window.
uMatrix is like Linux: it requires more work upfront but gives you more control and customization options.
So this change should have no effect on you right? You're blocking all cookies? I like that idea, but how many things does it break?
I don't see it too often, but occasionally I do run across a site that won't load at all without cookies enabled. For these circumstances, I use Containers and Cookie AutoDelete.
The only situations where I tend to have problems are those where I have a third-party payment window that opens in a new tab. It sometimes takes some fiddling with the settings to make it work properly.
Almost nothing, surprisingly enough. Of course it breaks websites I sign into, so I simply whitelist those.
I bet the ad industry wishes they'd played ball, now that browsers are baking tracking protection in.
In January 2019 W3C Tracking Protection Working Group concluded work on Do Not Track standard citing "insufficient deployment of these extensions" and lack of "indications of planned support among user agents, third parties, and the ecosystem at large." In February 2019 Apple Safari 12.1 was released without support for DNT to avoid it being used as a "tracking variable."
Ten years ago it would have been a different matter, but it doesn't seem that far fetched to get do not track to be the legal equivalent of a "no" on those GDPR consent forms, but with no options for dark patterns and no way to re-query on every page load for those who opt-out.
For most big sites this isn't a problem as you're not going to be gaming the stats (presumably the legal costs outweigh the benefit) -- for the scammy small sites faking ad rev... Well, if this kills them then good riddance?
If it's (as you say) good riddance to the small, scammy sites then I think it's the medium-sized sites which will really have a problem. Not big enough to negotiate directly, not small enough to disappear overnight.
Except a few very rare cases, ad networks can statistically deliver a far more effective ad than a manually curated ad.
The network also has the infrastructure in place to track the user all the way from the ad click to completing a purchase, potentially across many devices or even in a physical store. They use those numbers to demonstrate their value with hard figures rather than marketing fluff.
And how do they do that? The "advantage" of third-party tracking is that a cookie set by the analytics service on site A gets sent back when the user goes to site B and C and D (etc).
Without that, they have to somehow figure out that user 34 on site A is the same as user 95 on site B. That's often possible, but much less reliable.
For the likes of google and co, I wouldn't be surprised if we start seeing more ad companies requiring you to send some other PII via the api so they can turn a random tracking ID into an email address or whatever though.
The same user on a.com and b.com gets different IDs, but a.com and b.com both send data to tracker.com which maps that ID to an email address and then tracker.com can easily combine 'em. Not sure it's legal to do so, when I was working in this space we were quite forbidden from mixing up tracking information from various properties.
So blocking third-party cookies is a good start to avoid tracking across different publishers (which is the big no-no for me, the fact that a single publisher knows what i read of his is not such a big issue and not that different to what has always been done by just crawling the ht_access logs...)
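The third-party cookie mechanism discussed in the comments above, as an added example that is not part of the original thread: a toy browser cookie jar run under three policies, showing how many sites the tracker can link to one ID in each case. The hostnames, class names and policy labels are constructed for illustration, and the partitioning key is simplified to the top-level hostname.

```javascript
// Added illustration (not from the thread): a toy model of a browser cookie jar
// and one embedded third-party tracker. All hostnames are constructed examples.
const POLICIES = ['allow', 'partition', 'block'];

class Tracker {
  constructor() {
    this.nextId = 1;
    this.seen = []; // what the tracker's server logs: { id, site }
  }
  // Handle a request for the embedded resource. `cookie` is the ID the
  // browser presented, or null when no cookie was sent.
  handle(cookie, embeddingSite) {
    const id = cookie !== null ? cookie : `uid-${this.nextId++}`;
    this.seen.push({ id, site: embeddingSite });
    return id; // value the server would put in Set-Cookie
  }
}

class Browser {
  constructor(policy) {
    if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
    this.policy = policy;
    this.jar = new Map();
  }
  // 'allow' keys cookies by the cookie's host only; 'partition' keys them by
  // (top-level site, cookie host), so each embedding site gets its own jar.
  jarKey(topSite, cookieHost) {
    return this.policy === 'partition' ? `${topSite}|${cookieHost}` : cookieHost;
  }
  visit(topSite, embeddedHost, server) {
    const thirdParty = embeddedHost !== topSite;
    const blocked = thirdParty && this.policy === 'block';
    const key = this.jarKey(topSite, embeddedHost);
    // Under 'block' the cookie is neither sent nor stored in third-party context.
    const sent = !blocked && this.jar.has(key) ? this.jar.get(key) : null;
    const setCookie = server.handle(sent, topSite);
    if (!blocked) this.jar.set(key, setCookie);
  }
}

// Replay one user's browsing and return the tracker's view: one array of
// sites per distinct ID it observed, in order of first appearance.
function simulate(policy, sites) {
  const tracker = new Tracker();
  const browser = new Browser(policy);
  for (const site of sites) browser.visit(site, 'tracker.example', tracker);
  const profiles = new Map();
  for (const { id, site } of tracker.seen) {
    if (!profiles.has(id)) profiles.set(id, new Set());
    profiles.get(id).add(site);
  }
  return [...profiles.values()].map((s) => [...s].sort());
}

// Largest number of distinct sites the tracker can tie to a single ID.
function maxLinkedSites(policy, sites) {
  return Math.max(...simulate(policy, sites).map((p) => p.length));
}

const SAMPLE_VISITS = ['a.example', 'b.example', 'a.example', 'c.example'];
for (const policy of POLICIES) {
  console.log(policy, JSON.stringify(simulate(policy, SAMPLE_VISITS)));
}
```

Under `allow` the tracker sees a single ID spanning all three sites; under `partition` and `block` no ID covers more than one site, which is the "user 34 on site A versus user 95 on site B" situation described in the thread.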
All these protections only prevent setting cookies, not reading them again.
How do you defeat that? If people want to track... they will track.
It's not death anyway; it's just that blockers will have to adjust to blocking bits of third party content.
Since the unique IDs between the different platforms would differ for the same user (as there's no way to coordinate without 3rd party cookies)
No usage data, devs caring less about firefox, users having more problems when using firefox, less users using firefox, less users having 3rd party trackers blocked, chrome monopoly growing.
There might be some positive press around "the numbers in Analytics do not reflect users on FF"
I'm already on it as might be seen here.
Feel free to complain loud and clear if it doesn't work in FF. Make it clear that FF support isn't optional.
Also on my to do list: complain even more, including to relevant authorities about Google's abuse of market position to push their browser. Feel free to join me here as well.
(And to be sure: feel free to complain when supposedly mainstream sites don't work in any major browser - safari, edge, FF and even Chrome : )
In the meantime, FF support (while, for now, relatively inexpensive/free if you just use web standards) will just continue being optional considering Chromium's quasi-monopoly.
Only once have I experienced that something I'd actually write for production only worked in FF and not across all modern browsers.
Protip for anyone who reads this and thinks "but my employer doesn't care about Firefox":
I typically used FF also while testing other people's work and if it didn't work in Firefox then 9 out of 10 times it didn't work in any other browser than Chrome (had some devs on my team who really didn't seem to care about cross browser compatibility but it would work in most browsers before it was approved :-))
Suckiness of the browser situation aside, I fear I'll soon be coming to miss those days.
It's enough that a few large websites provide stats summary for their users. It is not necessary that Google, FB and co. track the entire Internet.
This presupposes that the current tracking (spyware) data is a reasonably accurate representation of reality. This assumption could be tested by comparing the "analytics" data to the server logs. But who wants to use accurate first-party data when delusions about "analytics" can tell you what you want to hear.
And it's nobody's business what I do with the bits after it comes down the pipe anyways.
1) Create a new container
2) Open a new tab with that container
3) Open the website in that container
4) Check "Always open in [container name]"
5) Open a new tab and load that page again.
6) Click "Remember my decision"
7) Click "Open in [container name] Container"
This is commonly called the paradox of choice. Satisfaction is often higher when choosing from a limited set of good options than choosing from a large set of options with varying quality.
(YMMV, it is also used as an excuse for being inflexible, or for forcing bad options on users à la a false dilemma, and to be honest I'm not sure how to tell the difference as an outsider)
I chose 'Dollars' as the closest fit due to the association between the tech industry and greed, but really shouldn't there be at least one tech-themed icon? Of the 12, two are food themed, two or three are shopping related, etc. The icon set is redundant with poor conceptual coverage.
Okay, maybe I'm a nerd who cares about tech and Mozilla thinks most firefox users who use Multi-Account Containers will be regular joes who aren't interested in tech. I disagree, but maybe that's their theory. What icon am I to use for youtube? Everybody uses youtube. Is youtube conceptually a briefcase? Trees? Dog? Is it a dog because everybody watches dog videos on youtube? I chose sunglasses, because sunglasses are associated with eyes and eyes are associated with videos.. it's a pretty tenuous association. And which color? Red makes sense, youtube brands itself with the color red. Yet red isn't on the color list. Two shades of orange are on the list, but not red. What the fuck? So youtube is "dark orange sunglasses". Great, just great.
If I had to guess it would be UX designers: users are really dumb so let's make sure we make this simple enough.
Of course they don't say these words but sometimes I feel this attitude shines through everywhere :-/
With Temporary Containers, you can easily run one new container per tab. Or one new container per domain or even subdomain within the same tab. Although the latter option will break many sites and the go back button.
I agree with your point completely though- needs to be a front and center feature.
I'd like to add something else- firefox should ship a 'power user' edition. Comes pre-installed with uBlock origin/uMatrix/temporary containers/sidebar tabs/greasemonkey/Tridactyl (sorry emacs users ;)
If you have Firefox-Sync enabled, you will get all your extensions anyway, so it is a one time setup for all those extensions that you need.
First time hearing Tridactyl! I'm using Vimium. Does it have any advantage over Vimium?
Generally we're much more happy to add features. Vimium cares much more about looks and stability (although we do have a Vimium-style theme with `colours shydactyl`).
Yes, but it's still annoying to set up the containers and set up that certain sites only open in certain containers.
Also if I'm on a work device I may not want to sign into Firefox Sync for privacy reasons.
I will tell you what 3-fin can and can't do-
Js, key bindings, can show alpha and numeric hints. In numeric mode, behaves like vimp- type char of link text. ;; for link info. ; for hover. C-d/C-f et al work. H, L navigate history. Edit in vim. C-i
Self limitation -
No way to stop page load I think. Very painful :)
No shortcut for search.
No readline bindings in text editing regions.
Webext limitation- takes a while to load.
That's all I use right now.
Search - we actually have our own find mode now. Instructions on how to set it up are on the changelog. The default Firefox one has find next / previous bound to Ctrl-G / Ctrl-Shift-G.
You can add readline binds to text regions if you want. It's mentioned and linked to on the help page somewhere near the top.
However, I don't know how it'll play out in the long run. FF is already on the radar of ad-driven sites, including those that just need basic unique visitor counters verified by third parties rather than doing evil privacy invasion things. So they could decide to boycott FF altogether. I hope this isn't going to happen, though. Anyone in the ad-driven content business here to share their opinion? Or should we go back to pixels?
The user's machine presents back to the tracking network the cookie and a bunch of http params to the tracking provider whilst interacting with pages that support the script, which the tracker stores in a database to sell access to.
It gives developers/businesses a way to collect metrics while offloading the trouble of keeping track of and maintaining the infrastructure to do so to someone else.
Firefox will probably be enforcing a cross-origin isolation constraint, requiring that all material be hosted by the domain you're requesting from in the first place, which doesn't really fix the problem since people will probably just try to build ways around the limitation.
Until the industry breaks itself free of its current fetish for wholesale data collection, it's just going to be an arms race.
Firefox uses the Disconnect blocking list to determine what is tracking, and Disconnect doesn't only filter out cookies.
"Disconnect Private Browsing automatically detects when your browser tries to make a connection to anything other than the site you are visiting. We call these other attempted connections “network requests”" https://disconnect.me/help
It could reduce the across-the-entire-web tracking, categorizing and labeling of users, and instead limit analytics to useful things like "what percentage of my users are on mobile".
For some reason, this keeps getting flipped to "on" for me, and I have to keep turning it off, to get images to load correctly in both my RSS reader and via a convenience user script.
At one point someone on HN posted a link to the bug report on mozilla's bug tracker about this issue with retina macbooks. Does anyone have that link? I can't find it.
My main desktop is an Ubuntu 16.04 machine with 16GB of memory and I've never had a slowdown, often get up to the 100+ tab range across different windows.
I'm also running 10+ extensions.
Works pretty well for me.
Sometimes after a while the video playback goes wonky though. I end up doing `sudo killall firefox`.
Honestly the two things I've noticed are:
- I have to fill out recaptcha. A lot.
- I've been applying for jobs, some companies have a button for LinkedIn auto fill. Sometimes this works, sometimes it doesn't.
Beyond that there's a few other things, like wikidot, that don't really work. In this case the cookie is given by wikidot for sign in, then you're redirected to the custom url wikidot instance (Scp foundation in this case) and you're just not logged in until you allow cookies in this case.
If so, ad companies should consider some kind of functionality to proxy the advertisements through the partners' websites.
I've seen ublock struggle with Server Side Ads Injection.
Firefox right now has two options related to DNT:
"Send web sites a “Do Not Track” signal that you don’t want to be tracked
(_) Only when Firefox is set to block known trackers"
These two options don't become irrelevant, but the choice related to them does if the default is "block known trackers" (if that is the same as "block all 3rd party trackers by default").
Of course, that ratio will likely change when Safari drops support for DNT entirely. See discussion here https://news.ycombinator.com/item?id=19101156
Disable all cookies for iframes? That seems like it would break the internet.
... Yea but that requires the parent frame not to want the tracking to take place right? Why would they put the iframe in sandbox mode if they were trying to track their users?
Today, with Chrome being dominant the situation is different because Google is still innovating Chrome at light speed. The one and only Achilles heel to beat this giant is by attacking their business model, which is to enable ad blocking by default. I expect this is something people want, just like pop-up blockers back in the days. Google will never be able to lead, or even follow in this direction without changing their business model.
Unfortunately, Mozilla’s own business model also heavily relies on selling ads, albeit indirectly. According to this statement from an independent audit report:
"Note 10 - Concentrations of Risk:
Mozilla has entered into contracts with search engine providers for royalties which expire through November 2020. Approximately 93% and 94% of Mozilla’s royalty revenues were derived from these contracts for 2017 and 2016, respectively, with receivables from these contracts representing approximately 75% and 79% of the December 31, 2017 and 2016 outstanding receivables."
In other words, $539 Million, which is 93% of their total revenue, comes from companies that have selling ads as their business model (Baidu, Google, Yahoo and Yandex).
I really hope Mozilla will be able to change this revenue stream to better align with their mission. They have been trying to diversify their revenue since 2014 and although they might not be as dependent on Google as they once were, they're still almost fully dependent on ads.
Oh, and yeah, of course simply making a better browser than Chrome would also help ;)
 https://www.mozilla.org/en-US/mission/ "An Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent."
Firefox has an opportunity.
Also, ad blocking will start being a problem when enough people start doing it. I still remember the days of no websites yelling at you for blocking their ads. Things are going to get much worse.
It's not breaking the web, it's breaking part of the web's grasp on users. Is the web for people or is it there to use people?
"Ad blocking will start being a problem"
I live in the days where both all ads and all bullshit responses to my adblocker ("don't block my ads!!") are blocked; it's a breeze of fresh air. Sometimes a site tries to get around it and I block it permanently.
Element picker mode is right at the edge of my patience, so I usually give up if it doesn't work. If I still really want something from the site I view source.
The alternative is what we do now: a select group with tech savvy blocks advertisements, and lets the masses pick up the bill by 'accepting' ads and having their every movement online tracked.
There is no magical solution. The alternative is some kind of payment system.
And many people can't afford paying for each site they visit, so it would limit people's access to the net if there were paywalls everywhere.
Also, if sites can't show ads and not enough people subscribe then many sites will close which would lead to further concentration of the web. Small players would be eliminated, big players would still thrive.
Independent journalism would decrease while sites financed by rich companies and people could keep running and promoting the agenda of the rich players.
Either that, or on-line advertising is not nearly as effective as advertisers think it is, and they are just subsidising the whole shebang while the Facebooks and Googles profit.
As for journalism: yes, that is tricky. Personally, I'm subscribed to one national quality newspaper (NRC in the Netherlands) as my main source of news and research journalism, and just today I've set up an annual subscription for €12 with the Guardian, which I visit occasionally as it is one of the few reliable British sources for news on the whole Brexit ordeal.
Ideally, I would pay a monthly flat fee that I can distribute at the end of each month to participating websites I've visited, but such a system would have to be fair to both the consumers and the publishing websites. If it just ends up a system with yet another FAANG-like Silicon Valley middleman that takes a 30% cut I'm not interested.
You know the answer to that. People can pay with their data, their interests. And if you put the question to people if they want a free web which sells their data or pay for every site then most people will choose the first.
The data is a means to an end: the ability to provide advertisers with a way to reach very specific groups of people, and a way for advertising platforms to track not just the same user, but a very detailed user profile.
Knowing what people's interests are is worth diddly-squat until you use that knowledge to push ads to them that are likely to resonate with them.
And I like it. I know it's selfish; I'm just speaking my mind.
Soon, there will be so many people blocking ads that many websites will simply become pay-per-view, and that's going to be bad for me.
It's also worth noting that anecdotally, blocking all third party cookies and running an adblocker has not led to "breaking the web" in my personal use. I can count any issues I encountered on one hand, and I've run this setup for years. It might be that my internet use is weird (I don't believe so) but it makes me feel the consequences for users for this are overblown.
Doesn't Safari already do this (or something like this)?
Safari works pretty well on most web sites. So what will Firefox be doing differently that will "break" the web?
How is this “breaking the web”? Honest question, I would not subscribe to that sentiment, but am interested in other points of view.
A prime example of "if a website tells a browser to load something" is popup windows - if a website tells a browser to open a dozen popups and popunders, then no, the browser should not do so. Earlier browsers did what the websites told them to do, and that was a horrible thing, so that's been changed.
Browsers in the modern web need to defend the user, not execute arbitrary instructions from random websites that nobody cares about.
(Please don't say "if I send you a malformed png file you have to execute the exploit, otherwise your argument breaks down".)
When I buy and read a newspaper, I don't expect the publisher to start following me everywhere and keeping a log of my life. When I read an article online, I shouldn't have to think about that either. But sites have so flagrantly abused the ability to deliver more than just the content I've deliberately requested, in order to track (and monetize) user behavior everywhere, that it's entirely appropriate for my User Agent to take steps to defend me.
I don't mind a site delivering some ads alongside the content I've asked for, just like I accept some ads in a printed magazine. But I don't expect my magazine to come with an embedded tracking device that will stick to me like a burr, even long after I've read the content and recycled the pages.
'We should patch exploits' and 'all things we would like to not load are considered exploits' seems to be rather begging the question. There is a class of things that use legitimate browser features, but we would prefer to not load by default.
You are covering the unauthorized access but disrupting/damaging is absolutely possible using plain old HTML and JS.
Privacy advocates argue that it's not only possible but many trackers are guilty of exactly that.
So the browser is in fact blocking malware.
... And yes, if you think about it, that definition does apply to ads as well. Really says something doesn't it :)
Edit: PeterisP says it much better in a sibling comment.
I recommend updating your adblocker. I haven't seen that kind of crap in ages, because I block that stuff too.
If you can bounce through an SSO provider to set a first-party cookie, you can bounce through an ad tracker. Even with a heuristic that requires action on the interstitial, how do you distinguish between redirects to services like Google that support social login and ad tracking?
Separating SSO and ad tracking is nontrivial and may result in collateral damage.
I guess what I'm saying is it would be nice for Mozilla to be a bit more bold in demonstrating this independence from Google. It seems to me they still fear/respect Google more than Facebook.
Let's give a real world example. I use Facebook container. I also have YouTube premium. So, normally I don't see YouTube adverts because I'm logged into my account with Premium.
But inside the Facebook container, I am an anonymous YouTube user, with no Premium account. So if a user embeds a YouTube video, it has adverts.
Now, if I used the Google Container, all YouTube videos, other than on YouTube itself, would be anonymous and so have adverts.
There's a lot more integration like this for Google than Facebook, and so the experience with containers is worse for Google than Facebook.
The fact that I prefer it to Chrome also for convenience and practical reasons helps a lot of course.