The official Firefox blog post also includes instructions on how existing Firefox users can enable this protection, as Bloomberg's choice of phrasing "new downloads" is inaccurate.
EDIT: The option enabled for new users today is "Block third-party trackers". There is an older option that many previously enabled, "Block all third-party cookies" that, as noted below, will break many Internet sites (such as single-sign on). Keep an eye out for this when checking your existing profiles.
The reporting is accurate. New downloads will automatically have this protection enabled. Existing installations do not have this automatically enabled, and instead need to be manually enabled. You could have just shared the additional information without useless addendum.
New users who download Firefox for the first time will have this automatically enabled, says the exact language in the Firefox post about it.
Existing users who read Bloomberg’s phrase “new downloads” as “it’s a new download since I just downloaded it today” will be sorely disappointed.
(Yes, I am totally expecting some HN readers to read “new downloads” and then consider a download’s ctime while asking “is it a new download?” rather than realize the above.)
Google's probably already coming up with a way to do this, while privileging their own because it's "part of your Chrome login, not the ordinary web experience". Fits with their usual "hey, look, we're helping! (but also crippling the competition)" business model.
Some doof from Bloomberg was just on the radio justifying Chrome's stance by saying third-party cookies are necessary for showing your email address during logins.
I would be happy if the browser vendors could come up with a standard of running only first-party javascript, or third party javascript that has been signed with a code-signing certificate or otherwise whitelisted. This could help curb drive-by infections delivered by malicious ads.
This is great for grandparents, but I'm not trusting Firefox or any browser to block ads/cookies/JS. I don't expect many people who are already using 3rd party addons and extensions to disable that stuff to stop because of this
I can't say that's been my experience. It breaks some stuff, but far less than I was expecting it too. (Ditto for disabling javascript entirely with uMatrix..) Talking up the downside like this has the effect of making people hesitate to try it for themselves. I wish I'd started years earlier, but everyone was talking about how much of a hassle it is. It's not a hassle. Most of the time I don't notice anything going wrong.
And if Google wasn't under anti-trust investigation now, it would probably purposefully change its apps so they don't work unless you enable cookie tracking again.
ReCAPTCHAv2 is basically already there. It's easily the greatest pain point for disabled javascript, third party isolation, etc.
It never actually gives you harder problems to solve, it just starts rejecting a greater number of correct answers. Eventually it will let you correctly solve dozens of problems in a row without letting you pass, but also never telling you that they've made the decision to keep you out. They also add in a long fade animation for each tile, just to punish humans (bots wouldn't find it annoying, on account of being bots.)
> Firefox (and chrome) has had this for ages (opt-in till now), and it breaks a lot of services.
My data-point: Every couple of years I try to enable it, but every time there is _that website_ that breaks because it really needs third-party cookies.
Usually they are oldish, unmaintained "third party solutions", a couple of times banks, once the complete university-wide single-sign-on system.
I hope that, thanks the vast number of Apple users in key positions, these problems will now be quickly solved.
I've had third-party cookies blocked for, as you say, ages (and I even block JavaScript, with selective exceptions), and I use everything from Discord to Amazon just fine.
Note that the Cookies setting Firefox enabled for new users is “Block third-party trackers”. While there is a more restrictive “Block all third-party cookies” option available, that’s not the same thing and as above suggests, the “all” option will break some sites (such as single sign-on) that the trackers-only option will not.
Basically all cloud authentication services. Try signing into a bunch of apps and then signing out - with third party cookies disabled, you'll find you're still signed in to most of the apps, because the browser refused the (third party) session cookie clear.
This depends on the service. I believe many authentication services actually use cross-tab communication (so they open a tab/window and can exchange messages as long as both are open). AFAIK Google makes use of that method and other one-click providers do too.
That is, however, more difficult than just setting third-party cookies so smaller authentication services might choose not to use such functionality.
If Chrome or Edge follows in this path though, websites won't have a choice but to make things work with this feature enabled.
OpenID Connect implementations use iframes for logout, because that's what the spec says. Iframes are a third party context. The big Identity companies (Ping, Oracle, Microsoft) wrote the OpenID Connect spec. Google may be the odd man out (they are notorious for implementing logout poorly in general) but the biggest enterprise authentication services use iframes for logout.
There is a compromise here which works for logout which was commonly implemented for a few years - supporting third party cookie clear but not set. But Apple ended this norm.
By making it the default on a sufficiently large percentage of the population, a lot fewer services will be broken by it (because the services will fix their sites).
https://news.ycombinator.com/item?id=20095039
EDIT: The option enabled for new users today is "Block third-party trackers". There is an older option that many previously enabled, "Block all third-party cookies" that, as noted below, will break many Internet sites (such as single-sign on). Keep an eye out for this when checking your existing profiles.