This seems exactly right: now that we have partitioned cookies, cookie clearing should clear cookies for the whole partition.
Just shows how Google et al. strive to safeguard and profit from the status quo, at the expense of every internet user.
No -- it's just how cookies were meant to work from the start, the most obvious implementation before the privacy/security/tracking implications got worked out, which has taken many years.
And Google's working to make similar improvements to Chrome:
https://blog.chromium.org/2020/01/building-more-private-web-...
So not "insane" at all. To the contrary, it was entirely reasonable at the beginning, and now we see browsers reasonably addressing the problems that have arisen.
The fact that for a long, long time the vast majority of Firefox's income has come from search engine partnerships, a category google dominates?
Also: Firefox has been rather poor about user privacy. Integrating third party stuff that's difficult to remove, like Pocket, for example.
There was the whole "Looking Glass" debacle where they dropped in a Mr. Robot promotional plugin into Firefox completely silently.
When someone posted in bugzilla about it, the project manager for the plugin made the thread employee-only. It was then changed back to public briefly, before disappearing for good, reportedly being locked so even employees can't see it:
https://bugzilla.mozilla.org/show_bug.cgi?id=1424977#c21
Ask yourself: "why is a bug filed about a promotional plugin so secretive that not even employees can view it?"
BTW: Guess where that project manager used to work before she worked at Mozilla? Answer: an online advertising and analytics firm (according to her LinkedIn profile at the time.)
Google is historically the largest financial contributor to Mozilla (paying for the spot as default search engine) and thus has always had leverage on what they do with FF.
There were a few years there where Moz flexed on google by making Yahoo the default, but then switched back to Google last year. My guess is they had to show google they were willing to go elsewhere in order to regain some of their autonomy, which is why it's only in the last couple of years that FF has been willing to add default customer privacy features despite directly hurting FB/Google's ability to track users.
Mozilla gets 90+% of its operating budget via a deal with Google, but Firefox development is not influenced at all by Chrome. Totally independent.
Big Tech exists for users, not advertisers. Privacy must come first and money must come second. That's why we have more privacy than ever and Google does not make much money. Government regulation is totally unnecessary. All incentives are aligned toward greater privacy.
Google will "build a more private web" for its advertising targets. Sorry advertisers. :(
1. Also known as "users".
Historically cookies weren't partitioned by site. So if you went to clear the cookies for https://publisher.example, then the browser wouldn't know whether to also clear cookies for https://other.example.
(Cookies are still not partitioned by default in Firefox; it requires turning on Total Cookie Protection)
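The difference described above, as an added example that is not part of the original comment and is not Firefox code: a toy cookie store run once unpartitioned and once partitioned by top-level site. The class, the function names and the `news.example` host are assumptions made for the illustration.

```javascript
// Added illustration: a toy model of a browser cookie store, not Firefox code.
// Each cookie records the host that set it and, when partitioning is on,
// the top-level site the user was visiting at the time.
class CookieStore {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.cookies = [];
  }

  // Store a cookie set by `host` while the address bar showed `topLevelSite`.
  set(topLevelSite, host, name, value) {
    // An unpartitioned jar keys cookies by host only, so the first-party
    // context in which the cookie was set is not remembered.
    const partition = this.partitioned ? topLevelSite : null;
    this.cookies = this.cookies.filter(
      (c) => !(c.partition === partition && c.host === host && c.name === name)
    );
    this.cookies.push({ partition, host, name, value });
  }

  // Cookies sent to `host` when it is loaded under `topLevelSite`.
  get(topLevelSite, host) {
    const partition = this.partitioned ? topLevelSite : null;
    return this.cookies
      .filter((c) => c.partition === partition && c.host === host)
      .map((c) => `${c.name}=${c.value}`);
  }

  // "Clear cookies for this site", as the user would request it.
  clearSite(site) {
    this.cookies = this.cookies.filter((c) =>
      this.partitioned
        ? c.partition !== site // drop the whole jar belonging to that site
        : c.host !== site // can only match on the cookie's own host
    );
  }
}

// Constructed scenario using the hostnames from the comment above.
function scenario(partitioned) {
  const store = new CookieStore({ partitioned });
  store.set("publisher.example", "publisher.example", "session", "abc");
  // other.example is embedded as a third party on publisher.example.
  store.set("publisher.example", "other.example", "uid", "42");
  // The same third party embedded on a different site (hypothetical host).
  const seenElsewhere = store.get("news.example", "other.example");
  store.clearSite("publisher.example");
  return {
    seenElsewhere,
    leftAfterClear: store.cookies.map((c) => `${c.host}:${c.name}`),
  };
}

console.log("unpartitioned:", scenario(false));
console.log("partitioned:  ", scenario(true));
```
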
If it didn't come with all the tracking and privacy implications, being able to see your friends' comments on a site first, use social widgets etc. is a feature.
This will also break some sites, some of which will never get fixed, so this is a hard change to make (but necessary at this point).
I don't even care if they track me - what I care about is that they track mostly everybody. Such power should not be underestimated.
I suspect this is going to help against some CSRF as well?
The jar is the key new thing, not the emptying.
In my opinion, the simplest way to deal with cookies is to disallow third party, and to keep a white list of authorized websites. Cookies outside this white list should be deleted manually or automatically after a few hours. Extensions for this probably exist, but I've had bad experiences with extensions breaking or becoming intrusive, so I made my own where I hard coded the domains that I want to keep.
That is one of the main issues I have when I do things like that, online payments fail in subtle ways and you aren't sure if the payment goes through or not.
By the time sites are incorporating Google's own JavaScript code, tracking cookies can be stored as the site itself. Only a single action (look how much data is handed to the site via the URL of a search result, for example) and this site-specific cookie is just part of wider tracking.
Also, blocking people who use privacy settings can be legally iffy. Many sites are already on thin ice, telling people to use their browser settings if they don't want tracking cookies. Forcing tracking like that sounds like a recipe to receive an expensive lesson in GDPR.
The nested menus to access it aren’t very convenient.
I do use CookieAutoDelete to handle this for closed tabs.
What I really want is for all cookies to be deleted when the browser exits, except for the sites assigned to the containers I've created.
I'll have to see if this is possible in Cookie AutoDelete -- looks like it might be. Does anyone have any suggestions?
Then Cookie AutoDelete (CAD) is exactly what you'd want. Firefox has a setting option that deletes all cookies except exceptions after the browser is closed. But in my opinion, that function is too limited. CAD filters domains on container level, while Firefox's doesn't. CAD also offers regex matching for domains, which is really useful. My favorite feature is greylisting everything in Default Firefox's container (using * regex for greylist).
CAD is compatible and best used with Firefox's Multi-Account Container.
It will take a bit to learn how it works though.
At least Firefox 90.x has a checkbox "Delete cookies and site data when Firefox is closed" in the privacy section, along with a button to "Manage exceptions..."
I rarely close my browser except for updates, or when I'm specifically taking advantage of delete on exit. However, delete on tab close would be dreamy.
I don't really want it to be an extension. I don't like the power given to extensions, so the less I use the better. Sorry decent extension devs, for me the bad guys have tarnished the trust to just not want to use any.
In settings for CAD, enable container support
https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/wiki/...
I use in combination with Firefox containers feature Enable Automatic Cleaning of CAD, which deletes all cookies (as well as domain related contents) except those in whitelist. That has saved me a lot of time in manual greylisting.
My previous company worked on the translation and they told me they had fun trying to come up with suitable equivalents for technical words such as "minimise" and "maximise".
https://blog.mozilla.org/security/2021/08/10/firefox-91-intr...
https://www.thenational.scot/news/19494171.major-web-browser...
https://slate.com/technology/2020/09/scots-wikipedia-languag...
Reminds me of: https://en.wikipedia.org/wiki/English_as_She_Is_Spoke
Mah afore company worked oan th' translation 'n' thay tellt me thay hud fin trying tae come up wi' suitable equivalents fur tekky wurds sic as 'minimise' 'n' 'maximise'.
See how much of that series you can get through. :)
I believe the CSS equivalent of a pixel in browser rendering here is a "baw hair".
Does that also mean you never learned about Rabbie Burns in school?
I like to think I'm a man of the world. I watch a lot of Scottish TV (Burnistoun etc.), have done the NC500 and have plenty of Scottish friends. Of course there is dialect there, but I didn't realise this was a "thing".
I did find it striking that the same stat for Gaelic was just over 50k in contrast: while I know the level of Gaelic spoken in Scotland is extremely low, it's at least a better known language internationally than Scots is, so I would've expected it to be the more spoken of the two.
In fact, literally the only reason it's called "Scots" and not "Inglis", as it originally was, is as the Lowlander Scots gradually developed a sense of national identity separate from the English, they decided that they wanted a national label of their own. But of course, they still didn't want to share a national label or identity with the hated native Celtic-speaking population.
And so "Inglis" became "Scots", while "Scottis" - the native Goidelic language - became "Erse", or Irish.
The whole thing is insidious.
To test this theory, I just asked my mother in law (who is from the central belt) about Scots, and she replied, quite seriously: "Whits that? I dinnae ken whit that is, I spik proper!"
(I'm Scottish, from the North East)
I'm not Scottish myself, but even I could claim to somewhat understand Scots. I wouldn't say so on a census, but I'm sure there are plenty that would. Especially when there's some national pride at stake.
(Scottish Firefox developer)
Still, I think it's silly to go all kayfabe here and treat the languages as completely distinct. I have similar thoughts on Slovenian and Slovakian and Flemish.
It's up to the linguistic community to decide that, if their variety should be considered a "dialect" of something else or a "language" on its own. Linguists already gave up that question, it's more useful to talk about varieties anyway.
And it's the same deal with Galician versus Portuguese, with a difference - "Scots is a dialect of English" threatens Scots, but "Portuguese is a dialect of Galician" doesn't threaten Portuguese (it threatens Galician instead).
Depending on how you define "dialect" or "language", they may or may not be.
To quote the obligatory quip: "A language is a dialect with an army and navy".
Beware fighting words
> Modern Scots is a sister language of Modern English, as the two diverged independently from the same source: Early Middle English (1150–1300)
> As there are no universally accepted criteria for distinguishing a language from a dialect, scholars and other interested parties often disagree about the linguistic, historical and social status of Scots, particularly its relationship to English. Although a number of paradigms for distinguishing between languages and dialects exist, they often render contradictory results. Broad Scots is at one end of a bipolar linguistic continuum, with Scottish Standard English at the other. Scots is sometimes regarded as a variety of English, though it has its own distinct dialects; other scholars treat Scots as a distinct Germanic language, in the way that Norwegian is closely linked to but distinct from Danish.
You are probably thinking of Scottish English or Scots English, which is essentially English with some words and phrases from Scots and a very strong accent.
Scots proper is as much a language of its own as English is.
Scots and what we now think of as English arguably have a similar age and a lot of shared heritage, though obviously given how much separation, invading and other reasons for variation & remixing of languages has gone on over time, it is tricky to tie down completely what came from where when.
Ahh whisht man.
:-)
That said, I find I often have to mentally pronounce the various written forms in order to be able to understand them.
Firefox on iOS can do this, but you can’t set a Font size at all. So many websites (like Hacker News) are nearly impossible to read on an iPad.
This is the only website which I have to scale up on every computer...
Font size is set to really low (titles on the homepage are 10px, comments are even smaller).
I can read it fine at 100%, it just requires a bit more mental struggle in the age where font sizes are usually in 16/18px range.
div.comment {
  line-height: 1.5;
}
td {
  max-width: 700px;
}
It improves the readability a lot for me.
line-height:12pt; height:10px;
Why use device independent units for line-height, but not the text itself?
People are different, so it's good to have font size and zoom options. Some can go bigger, some can go smaller. I use 80% on a lot of sites, and an extension called 'Zoom Page WE' to remember the settings.
The smallest font on this page is 9px, that's just ludicrous.
I mean just open the CSS file and judge for yourself.
- specify which websites may store cookies/cache. All websites not specified can not store anything (and thus not track me), and all data for these websites is deleted once i close the tab
- i want to remember all my history
I can do this in Firefox on macOS (with some container extensions, can’t remember the names now)
I don't think it has a history feature at all though.
On macOS, there's also an app to achieve that, called "Cookie": https://apps.apple.com/nl/app/cookie/id1473091386?l=en&mt=12
On iOS however, Apple's walled garden...
Anyway I wish FF had a feature that broke down the cookies PER container, so I could purge any ones that might have snuck in due to a lapse in my judgement, e.g. if I see facebook cookies in my "twitter" container then I'd like to purge them for that particular container only.
FF only allows you to do a global purge.
EDIT: I can see this bug was raised 3 years ago which suggests it _used_ to be a feature that got removed, but sounds like it was never put back in/low priority/WONTFIX. https://bugzilla.mozilla.org/show_bug.cgi?id=1480175
https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
My experience is this also includes your cookie preferences which means if you don't enable that single option, you'll have to go through the steps to disable cookies pretty much every time you visit.
It turns out that those third party "consent form in a box" solutions tend to have settings to let the website operators choose how user-hostile the popup is supposed to be. It's a shame the DPAs are all understaffed, incompetent, unwilling, or willfully looking away (e.g. in the case of Ireland) instead of taking expensive enforcement action against companies that violate it.
A few expensive examples and every site would have a top-level, equally visible "reject all" button, and after a while, sites would realize that with 90% of people choosing that, they might as well skip that popup and assume rejection.
Those popups aren't mandatory at all, sites can simply respect your privacy by default.
How is data from previous versions of Firefox handled? Will data from ad networks be listed as a "website you have visited", made unavailable for the embedding site's cookie jar, and re-fetched upon the next visit?
Oh well, see if it still hurts in a few days.
how about allowing me to whitelist and blacklist cookies from a button? why did that feature have to disappear in the first place? instead I now have a menu in about:preferences#privacy that requires a full URL to be entered, added with a button, then confirmed with "save" in what appears to be an effort to get me to just accept cookies.
what's worse is if i switch between allow cookies, and then back to custom, my selection to block all cookies isn't honored at all. instead i get put back into 'block third party cookies.'
finally there's the misery of including blocked sites in the 'preferences' you can delete as part of your browser history, which seems like an effort to further reduce my predictable and consistent ability to block cookies altogether.
I just want a button to whitelist a domain and an option to automatically clear 100% of everything outside the whitelisted domains on every restart.
And always clean the cache, perhaps even for whitelisted domains unless the system is on a metered/slow connection.
Also, every website should always be opened in a separate "container" so cross-site tracking won't work.
If Chrome did that today this would trigger a cascade of consequences. If Firefox did that today it would just improve Firefox popularity and cause no problems.
Sites start out default clearing all cookies the moment you clear the tab. Greylisting clears them when you close the browser. Whitelist retains all cookies.
Multi-account Container and Temporary Container extensions take care of your per-tab container needs.
It was worth a chuckle.
As a heavy user of Multi-account Containers, I will be interested to see how this feature interacts with it. I use containers to maintain multiple profiles on websites and losing all the data for those websites after clearing cookies can be frustrating.
The next step is for Firefox to finally adopt torbrowser, and natively support not allowing fingerprinting by default.
By default it's off, and it means that cookies are deleted as soon as I close the last tab for that website.
Clicking it whitelists the website and cookies are retained until I turn it off again.
This is kind of like the approach we had in the nineties. You used to get a prompt for each website, asking if you wanted to allow cookies or not. This is like a second iteration on that.
1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cl...
2. http-response add-header Clear-Site-Data "\"*\""
Chrome isn't going to tackle tracking/fingerprinting for obvious reasons.
Secretly, a lot of addons will run just fine. You can install them in the Firefox nightly through the "secret settings" (tapping the Firefox logo in the about screen seven times) by creating an addon collection and stuffing the right ID in your browser.
I can say the new engine is notably faster and the UI is easier to use for basic tasks, but all of the features that made me switch to Firefox on Android in the first place have been removed. Slightly nonstandard features ("being able to use your own CA" or even "being able to ignore TLS warnings") took years to implement, and logging into a website with a client certificate is still not possible.
They even took about:config from us in the stable builds, because they consider their users babies that will change random settings and break something. Firefox has dropped all support for power users and has focused on becoming Chrome 2.0, a goal which I don't think they'll ever be able to accomplish. If you don't follow the standard workflow of the 80% who forget to disable Mozilla's stalking, you're no longer important.
I'm still on Firefox but every day I'm nudged closer to just switching to Bromite instead. The lack of proper addon support was understandable at first, but by now I hoped to have some decent addon support back already. I guess the team working on it must've gotten culled so Mozilla's CEO could afford their pay raise.
Because they switched rendering engines or something. Now addons are restricted to a small subset that they've validated. You can use a custom addon collection to install untested addons (see: https://blog.mozilla.org/addons/2020/09/29/expanded-extensio...) to get around this, but there's no guarantee that the addons will work.
I loved Firefox mobile and this did me dirty. One of the big draws was adblock, and on top of needing text and extensions they changed the UI to be antiproductive.
Their playstore ratings took a massive nose dive after that release. Shame. They are the only real browser competition to Chrome.
I am annoyed that Firefox mobile tabs seem to have to refresh every single time I "tab out". I'm stubbornly sticking to it because of addons though (Dark Reader and uBlock).
After having fixed a few bugs in that regard, I pushed for giving re-enabling it by default another try with the rewritten browser, and so far that decision luckily (from my point of view) seems to have stuck.
Additionally, it has recently turned out that for pages specifying an explicit desktop-sized viewport (i.e something like meta name="viewport" content="width=1024", as opposed to either using nothing at all, which gives the standard desktop-size viewport of 980 px, or "width=device-width", meaning it's a mobile-friendly responsive layout), there was a long-standing bug meaning that the font scaling for desktop-style pages was erroneously being deactivated on xxhdpi-phones.
This latter bug affects the desktop versions of both Reddit and Slashdot for example, as both of those are using an explicitly sized viewport. It has now been fixed in Firefox 93 (https://bugzilla.mozilla.org/show_bug.cgi?id=1685756)
I don’t want a security “profile” because I don’t fit in to whatever few boxes you have setup. Or maybe I just don’t trust what you do behind that security profile setup.
I want my own granular cookie tracking. Steal it from chrome if you have to. It is the best thing since sliced bread.
I want a list of every cookie I have got. Just like IE used to do. Just like chrome does today.
I want to set in the smallest detail which cookies are allowed, which are blocked, and which only last until I close session.
I have umatrix and ublock with only my personal filter list. It is not good enough. I want something much like chrome.
It's usershare first, then you have weight to put towards web standards. And I'm afraid Mozilla doesn't have the resources and willpower to fight that battle anyway. If I'm calling shots with Firefox I'm moving to Chromium immediately and then focusing on UI and privacy features. It's probably too late to make that change though. I just read Firefox lost 50 million monthly users in the last two years.
It's a little sad, there is room in the market for a 3rd party, power user's browser but it's obvious as can be that whatever browser that will be- it will be on Chromium and it won't be Firefox.