8.3 Unexpected Cookie Sharing
A user agent should make every attempt to prevent the sharing of session information between hosts that are in different domains. Embedded or inlined objects may cause particularly severe privacy problems if they can be used to share cookies between disparate hosts. For example, a malicious server could embed cookie information for host a.com in a URI for a CGI on host b.com. User agent implementors are strongly encouraged to prevent this sort of exchange whenever possible.
The innovation here seems to be that they further partition by the URL in the address bar.
It's frustrating that browsers have been fighting and losing this war for 25 years. (Presumably they still don't block browser fingerprinting, so sites will just move to that instead...)
Tracking today is an interaction between cookies and pages, not really because cookies were designed to be shared between domains. Because of that, ads on web pages are a reason that information gets shared across sites. Any ad or other iFramed content that’s served on a site can get the domain name of where it’s be served from and then access the iFrame domain’s cookies, which enables tracking.
The cookie jar language might be a tiny bit oversimplifying/confusing in the sense that cookies are already separated from each other according to the cookie’s domain - they’re already in separate jars in a way, and this feature is changing how they partition the jars. Assuming even the most strict privacy settings, tracking cookies and scripts are often in iFrames and may not have the ability to directly read other cookies from the web site in your URL bar, and the web site might not be able read the tracking cookies. It’s not that cookies themselves are being shared per se. It’s that (say) Facebook is allowed to put an iFramed tracker on some site, and Facebook can then get a tracking blip when you visit that site and add it to a Facebook-only cookie. Total Cookie Protection is going to put cookies that only Facebook can see in a different jar for each separate site you visit, making it so that Facebook can’t read it’s own cookies across different sites.
1. Use Firefox, block .js by default, and selectively allow.
2. Set browser to block cross-site cookies, and to purge all cookies when closing browser.
3. Avoid tabbed browsing, and restart browser after using a website.
I've been doing this since about 2006. It's inconvenient, but gives some peace of mind.
Won't this break some basic features like being logged in to Facebook (or similar services, e.g. Disqus) for the purpose of embedded comment sections on other sites? They don't use cookies only for tracking buttons after all. It would be… annoying… for every site to require a separate login.
Cookies need restricted to the URL in the address bar. Anything else is like a side effect or unintended and woefully non-transparent consequence of sneaky fucks harvesting your information (clicks, keystrokes, and metadata) via JavaScript and cookies.
The problem with that is domains are a poor way of representing ownership that can be trusted. If the web was rebuilt from scratch, a better approach might be to allow cookies to be shared between secure sites using the same certificate. But that adds more complexity that I'm not sure is worthwhile. The web can absolutely get away with not having shared cookies.
Domains that want to collaborate together can still do so.
In some ways that will be less strict than Firefox's implementation. A CDN might have a certificate with hundreds of unrelated sites in it.
In some ways that will be more strict than Firefox's implementation. A site might want to serve large static files on static.foo.com but a secure login page on login.foo.com , and want to hand over the private key for static.foo.com to a CDN but not hand over the private key for login.foo.com .
Or maybe encrypting cookies using the site certificate, which would still allow cookies to be shared with domains having a different certificate, but the server needs the correct key for decryption.
That is, cookies aren't shared, they're locked down to the domain that set them. It's just that some domains have content loaded by millions of pages. This change won't protect you much if you have a relatively stable IP address without many users on it, because your IP is still in the third party domains logs. This welcome change makes it harder to differentiate people on the same IP, or to track a browser as it changes IPs.
As I'm typing this, I'm remembering how helpful IPv6 is for people who want to track everyone.
Multi address is much healthier in IPv6, so it's reasonable for your browser to even spin up an address associated with a Porn tab, and then destroy it again when you close that tab, while still using your other IPv6 address for a post you make meanwhile to Hacker News. It's also reasonable (while it was often likely to cause mysterious problems in IPv4) to give your local web server a long-lived IPv6 address while your web browser's address changes every hour.
Maybe not the privacy invasion potential but ... As we got started building amzn in the fall of 94, it was a no-brainer decision to not use cookies even though they were just arriving. The controversy around the idea was intense and it was far from clear that they would be a success as a technology. It is likely true that there was more attention being paid to the "what? it lets a remote server create a file on my driver?" angle than the privacy one.
the interaction of those is completely left as an exercise to the (standards) readers. initially only remote code execution was a problem (eg. cross-site scripting), then the usual cross-site request forgery problems. and sure, there was all the usual gimmicks with list of sites you probably visited because it was possible to fingerprint by CSS plus exploiting cache timings.
initially framesets were all the jazz. you got free hosting and the provider just put your stuff inside a FRAME and the ad went above in a different frame.
serious sites had money to pay for hosting and SSL certs. and even if someone stole some credit card numbers the solution was easy, just use paypal!
privacy was seen as something to think about only when someone asked you a/s/l (age, sex, location), so basically when interacting with other humans in chat rooms (or on forums).
...
of course slowly but surely software (more exactly the Internet) is eating the world. being online is the default. Alphabet, the 8th on the Fortune 500 list doesn't even have brick and mortar stores (oh well, there's one in NYC and during this year's Google I/O they announced the second, also in NYC).
The concern was being first to market, not with solid engineering.
It's that multiple sites will serve content (ads, Javascript libraries, like buttons) from a common site (eg an ad network) that uses its own domain. That domain is allowed to get the cookie for itself because it is referenced by multiple site, that's how this type of tracking works.
If you go to bbc.com, it still won't be able to see cookies from cnn.com, but say if advert.com is included by both sites, then it will see that you visited them both. That's the power and great danger that things like facebook and google sense represent.
The owner of the sites get some stats for free by using these services, but the biggest benefit is for google and facebook to be able to track what users are looking at accross the web. And you just need to be identifiable on one site that you visit (say, FB or gmail) for them to know exactly who you are.
From what I understand, Firefox will only allow advert.com to get the cookie it created when being loaded as part of bbc.com, but it won't be able to read its own cookie from cnn.com, it will have to create a new, separate one, thus breaking the link tracking you between sites, or at least making it harder to connect the dots.
Everyone should use FF.
Wouldn't simply installing an ad/tracking blocker like uBlock Origin be just as effective, if not moreso?
This change makes it so that requests A -> S (requests from A to S) and B -> S are treated as A -> S1 and B -> S2 instead.
Now S1 cannot read cookies from S2 and vice versa, even though they are the same site.
Regulators did warn Google NOT TO block third-party cookies before they provide a replacement, UK CMA accepted the latest proposal from Google: https://www.gov.uk/government/news/cma-to-keep-close-eye-on-...
Apple's tracking rules also raised a lot of anti-trust concerns, giving advertisement in App Store unfair advantages among other ad platforms. Latest from German Government: https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Pr...
Banning third-party cookies will increase the gap between Google, Microsoft, Apple and other ad platforms, because they can still track you based on your account (e.g. Gmail, Hotmail, iCloud). It's a huge red flag for antitrust cases they are facing (especially Google).
Means third parties win't be able to identify you qccriss sites through cookies. Means the Google Ads cookie or Floc ID will be different for each site you visit.
they can still track you based on your
account (e.g. Gmail, Hotmail, iCloud)
1) you visit to www.somesite.com
2) it serves an ad <iframe src="www.google.com/givemeanad?userforme=waps&hespent=500"
3) your browser does a request to google. It sends:
a) your login cookie from your gmail session (or ...)
b) the referrer header tells it which site to serve the ad on
c) any information the site itself wants to attach to the request
4) Google/Microsoft/Apple store this information and can provide advertisers with your identity, all sites you visit that have their ads, the "flow" (what you visited in what order, e.g. how far did you get in an ordering funnel) and any information those sites share about your account on their site.
So are Firefox accounts but they probably don't have the numbers to engage in any particularly egregious behavior.
Asking this since I know friends working at companies that were DRASTICALLY affected by the Apple advertising changes in terms of user targetability (and hence revenue) and I'm wondering if this change will be similar.
Edit: thanks for the downvotes, I would have preferred if it worked but it didn't. I tried basic troubleshooting, disabling extensions etc. but didn't find it usable on macOs Monterey, think it doesn't play well with youtube.
One is that the login service can request access from the user using a new web API (requestStorageAccess). Another is heuristics which apply when the user interacts with the page in a way which implies a login might be taking place.
In these cases, specific third parties can be granted access to allow the login. There are some more details here: https://developer.mozilla.org/en-US/docs/Web/Privacy/Storage...
According to MDN:
> More specifically, Firefox double-keys all client-side state by the origin of the resource being loaded and by the top-level site. [1]
They linked the definition of a "site" to the HTML5 spec, which says this:
> To obtain a site, given an origin origin, run these steps: [2]
> 1. If origin is an opaque origin, then return origin.
> 2. If origin's host's registrable domain is null, then return (origin's scheme, origin's host).
> 3. Return (origin's scheme, origin's host's registrable domain).
The HTML5 spec refers to the site's registrable domain according to the URL spec:
> A host’s registrable domain is a domain formed by the most specific public suffix, along with the domain label immediately preceding it, if any. [3]
Public Suffixes are defined according to a database that you have to explicitly register in [4]. If you aren't sure whether your base domain is registered as a public suffix, then it probably isn't.
[1]: https://developer.mozilla.org/en-US/docs/Web/Privacy/State_P...
[2]: https://html.spec.whatwg.org/multipage/origin.html#site
I'd expect something like this from Apple with Safari, but not Microsoft. M$ can't even give its own developer base privacy by allowing all telemetry to be disabled.
Why sell OSes for money when you can get "engagement" instead?
[1] https://blog.mozilla.org/security/2021/02/23/total-cookie-pr...
That feels worrying for competition, does it not entrench the current login providers?
(OK, technically tracking is less powerful than SSO, since only the third-party needs to know your "single" identity, the first-party website doesn't actually know it, where in SSO it does)
I mean, to be clear -- I mean the new thing might make you enter your username and password to SSO login on each site, whereas ordinarily if you have an active SSO session you don't need to re-enter username and password to login with SSO on a new site. Will it break SSO even if you are fine re-entering username and password every time you SSO login? I am not sure, but I definitely wouldn't be confident 'no' without more details/testing.
If you're just worried about logging in through sso.coolcorp.com to third-party.corp using any of the normal methods (OAuth, SAML, Kerberos, etc.) then you're probably fine.
If you're worried about composing a page made up of lots of custom embedded components and those components _don't_ use SSO (or if they do, but they authenticate invisibly using an iframe instead of authenticating entirely server-side) then you may have some things to switch up.
Or rather a large logo that says "Please use a supported browser."
But have each tuple listed still be isolated from the other, only domains listed together in a single list could share a cookie container.
If I decide I want, say, an Azure Portal container then I cannot have login.microsoftonline.com assigned to a different container -and- configured to automatically open in that container.
If I do that, I need to have a combined Azure + Office 365 + anything-I-need-to-authenticate-to-Azure-AD-for container.
It’s a good solution but with its lack of flexibility I find it’s too far in the direction of security versus convenience.
Could you explain how this could be beneficial to the user?
That setting breaks a few things, but mostly works OK. I'm confused which protection level this new capability corellates to.
Previously: Site A has a facebook Like button, which iframes in facebook.com and sets a third-party cookie for facebook.com. Site B does the same. Site B can see that you previously visited Site A, and if you have a Facebook account, then Facebook can connect your browsing activity on both A and B to that account.
New feature: Site A's Facebook Like button iframes in Facebook, and sets a cookie on facebook.com. This is a different cookie than the one Site B sets for facebook.com. The cookies cannot tell that you're the same person. If you have a Facebook account, your browsing activity on A and B is not connected to your Facebook account.
>Total Cookie Protection offers additional privacy protections beyond those provided by our existing anti-tracking features. Enhanced Tracking Protection (ETP), which we launched in 2018, works by blocking trackers based on a maintained list. If a party is on that list, they lose the ability to use third-party cookies. ETP was a huge privacy win for Firefox users, but we’ve known this approach has some shortcomings. If a tracker for some reason isn’t on that list, they can still track users and violate their privacy. And if an attacker wants to thwart ETP, they can set up a new tracking domain that isn’t on the list. Total Cookie Protection avoids these problems by restricting the functionality for all cookies, not just for those on a defined list.
You can more confidently allow third-party cookies, which means that certain features that broke with the blocking of all third-party cookies will now be able to work, but you maintain most of the protections that you gained when you used to block them.
I wish I could add an exception rule to this...
https://support.apple.com/guide/safari/prevent-cross-site-tr...
It appears Safari is just blocking the cookies, while Firefox is isolating the cookies. I guess Safari has to keep track of who to block while Firefox just isolates everybody. Are there other benefits to the Firefox approach?
Frankly, I have a hard time understanding why this Cookie Sandbox approach wasn't implemented a long time ago. I get that 25 years ago we weren't concerned about privacy, but there has been plenty of time to fix this. Advertiser influence?
Firefox is playing catch-up with this feature. The announcement says "...making Firefox the most private and secure major browser available across Windows and Mac." Note the part that I've emphasized.
For example, if you are on Site A and use cross site resource from Site C. The site C will get a cookie C('A)
And in another day, you visited a Site B that also use resource from Site C. The site C get a cookie C('B).
And C('A) != C('B)
Although these cookie are both issued by Site C. They are associated to different first party domain and can't be connected directly.
It's just like you open a private browser session for every site you visit.
I think it is a extension usage from Firefox's container technology.
Safari Tracking Prevention background:
https://webkit.org/tracking-prevention/#intelligent-tracking...
Blog posts about tracking prevention updates:
https://webkit.org/blog/11545/updates-to-the-storage-access-...
https://webkit.org/blog/10218/full-third-party-cookie-blocki...
https://webkit.org/blog/9521/intelligent-tracking-prevention...
https://webkit.org/blog/8613/intelligent-tracking-prevention...
https://webkit.org/blog/8311/intelligent-tracking-prevention...
https://webkit.org/blog/8142/intelligent-tracking-prevention...
https://webkit.org/blog/7675/intelligent-tracking-prevention...
Here is their tracking prevention policy definition:
https://addons.mozilla.org/en-US/firefox/addon/first-party-i...
That addon has links with info and just twiddles an about:config setting. It can break things (for example some ways Paypal is used by websites, although other ways work fine). There has also been the ability to block third party cookies for a very long time, possibly as long as there have been cookies, but it can also break things. As I understand it Total Cookie Protection is similar to these but with some exceptions so that not much breaks that users would notice.
Total Cookie Protection is about isolating third party cookies/web storage, without breaking as much of the web as simply blocking third party cookies does.
For my case Total Cookie Protection is enough, but if you want the same protection of Facebook Container for every website (i.e. session cookies which are deleted each time you restart the browser) you can install Cookie AutoDelete or use the built-in option to delete cookies at restart (whitelisting websites where you need permanent cookies).
I think Cookie Protection does solve the problem that I used the containers for. I wasn't really using it to keep accounts separate, per se, but more to keep companies like Google from snooping and sneaking peeks at my other cookies.
Turns out, Getting rid of 3rd party cookies concentrates power in the ad world in the hands of those with the most 1st party data (and active session cookies). Google, Facebook, Amazon and Apple. [2]
The tracking debate is contentious and has a lot of folks on here who are privacy maximalists, and I'm not trying to debate the ethics of ads.
But in terms of utility, 3rd party cookies are the backbone of ad-tech auctions and targeting, and currently give the non-Goog/FB/Amazon ad providers a way to compete on performance advertising.
Digital ad markets are expected to be nearly $565b this year, and the Tri-opoly of Google/FB/Amazon have 68% of the market. 32% of the market depends on 3rd party cookies to have a chance at competing. [3]
1 - https://privacysandbox.com/intl/en_us/open-web/#how-works-on... 2 - https://www.siliconrepublic.com/business/googles-privacy-san... 3 - https://www.emarketer.com/content/google-facebook-amazon-acc...
(at least MS accounts just don't work)
> You can turn them off.
Of course I did, long ago. The issue is that they're on by default. And defaults matter a lot because most people don't change them.
Which one do they think is the most private and secure browser for Linux?
Shoutout for firefox's cross OS, cross device syncing. "I found that and I have that it open in a tab on my desktop" and now it's open on my phone. Send another tab from phone to laptop where it's easier to work on. Really good stuff.
They don't.
If you go to example.com, and it loads an ad on tracker.com, then tracker.com will create a cookie. example.com WILL NOT be able to see that cookie. Likewise, if you were to log into example.com, tracker.com WILL NOT see the example.com cookie.
What happens (Without third party cookie blocking or FF's TCP) is if you then go to anothersite.com, and it also loads an ad from tracker.com, then the same cookie sent to it while visiting example.com will be sent, resulting in tracker.com knowing that you visited both sites. The admins of both example.com and anothersite.com will then be able to look at analytics and see that the visitors of their site also visit the other.
At no point is one site ever able to see a cookie they didn't create. Otherwise, this would be a MASSIVE security hole as it would make session stealing trivial.
However, a site is able to see a cookie they created while visiting another site.
Maybe this is what you meant, but it wasn't entirely clear.
Think: Disqus or Facebook comments at the end of articles, which used to be pretty ubiquitous. You'd be logged in and able to comment on any website using a cookie set by Disqus or Facebook, so you wouldn't have to log in or register on each individual website.
This Total Cookie Protection will break that. Your Disqus-set login cookie set on site A won't be visible when you're on site B, so you won't be logged in to Disqus there.
Likewise you can keep enhanced tracking protection in general but disable partitioning (total cookie protection) by setting it to 4
https://support.mozilla.org/en-US/kb/total-cookie-protection...
I think the change might just be they will be setting that checkbox to on now? Although I don't remember seeing this option until now.
[1] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_P...
For the small players though, without massive ad-supported service offerings like Gmail, Facebook (as a platform), etc, this will screw them completely.
Mind you, I'm a HUGE privacy advocate, so I like the new Firefox functionality... but the unintended side effects cannot be ignored.
1. Cookie Auto-Delete (see https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/wiki/...), where cookies and local data are automatically deleted some time after closing the tab. You can, of course, whitelist Websites to exclude them.
2. Firefox multi-container extension, to assign some websites (domains and subdomains) to a container by default so that you can visit some specific Google sites without being logged in (e.g Web search, News, Maps…) but still open Gmail and be connected to your account.
You can make this more intuitive and combine that in a single button: "Do not forget. Optionally, open website in <container>".
This would drastically level the playing field, as one can continue to use some Google/Apple services for work (e.g Play developers console, Google calendar…) but all visit to other properties would not be tracked. No need to switch between browsers, profiles or containers, this is automatic.
I've been using this set up for years now, and it works perfectly – just add uBlock and I don't care about cookies, and you'll ever see an ad or a cookie prompt ever again. Perfect.
In fact I've already encountered one site that gave me a popup telling me to enable third party cookies. It was one of those dodgy sites that scrapes and copies Stack Overflow content and the JavaScript that enabled it was very clunky - but it worked. I'm surprised there aren't more websites already doing something similar.
Firefox has essentially the same market share as Edge.
By reading this message you agree with it.
When you give users a clear, informed, singular choice that would be sticky across their entire web/app experience, the choice in itself essentially becomes obsolete. Since pretty much nobody opts-in.
You saw the effect with Apple's new "do you want to be tracked" permission, which has a disastrous impact on Facebook. Consider that this is still a per-app permission, imagine the impact when its a single permission across all apps.
As users we may say "good" and "this is what we want", but I don't think we can truly oversee what impact that would have.
That's not what Electron is but there are piles of fork-ish browser projects out there statistically nobody uses. This also answers the second question in the negative - it is not straightforward to make your own browser that's as useful as the browser you're likely using.
> That's not what Electron is
I mean...isn't it?
Forget the idea of what it's used for and just look at how it works. It's a framework for making apps that uses Chromium for rendering and a Node backend. Strip off the Node backend and you're left with Chromium.
And Chromium on its own is a web browser. Electron just doesn't show the controls for it.
As far as I'm concerned, Electron is a featureless web browser with a backend added to do things a browser normally can't do on its own, like reading local files without presenting a dialog.
Perhaps unsurprisingly, Microsoft logins are the most glaring exceptions right now (Teams, Logins, Office, Live), and we're working with MS to see if we can find an acceptable fix (or work-around while it's fixed). There are also exceptions for github.dev and history.com right now.
It's worth mentioning that these aren't simply exceptions which blanket enable tracking for those sites, it's just to work around specific breakage.
We're also working around some other specific site logins or features breaking, which would not break if sites called the new requestStorageAccess API appropritately. We're using SmartBlock to shim those cases until the sites can fix it themselves.
There is a legitimate use case for having login/identity stuff on a different domain - many of the largest companies in the world are doing this.
How can this issue be solved without either confusing users through the requestStorageAccess API, or forcing everyone to use a single domain for everything?
If this would prevent tracking, Google would not allow Mozilla to release it.
If they can't track, then each ad has less value. But then the advertiser has more budget available to spend on advertising.
Net result is no change for advertisers, or Google. But they users will see more, less targeted ad.
So that's my prediction as the result of this: We'll have more ads, but each will be less personalized.
Total Cookie Protection helps by keeping all third-party cookies isolated to the site they were set on. This means tracker domains will no longer get their cookie identifiers persisted across different sites.
However, tracking isn't limited to cookies. If unblocked, trackers can still use techniques like browser fingerprinting and cookie syncing. They could also just track you via your IP address, or, most likely, via some combination of different techniques.
Trackers can also collect sensitive information such as your email address, or even become vectors for delivering malware.
Outside of privacy/security concerns, unblocked trackers can slow down websites and waste your bandwidth.
To learn about how Privacy Badger works, visit https://privacybadger.org/#faq
It is still a lot of effort to have clear separations in every browsern...
I am using Firefox containers with the temporary containers plugins (with history deletion enabled) as well as cookies auto delete plugin (which supports containers).
Therefore, everything is usually isolated in a container inside a tab and only white listed cookies are kept in the named containers.
This is great news. I really hope we will not lose firefox. I'm not saying it is better than chromium, but I think it is important that it exists.
Their cookie allow dialog has over 700 data share partners, not including their own "legitimate interest" cookies. The dialog looks like this [1] and cannot be resized and is lazy loaded (i.e. you have to manually scroll to have the page load all of them with a few visible each scroll). And its slow so it takes a while and doesn't play well with the mouse in the iframe. There are even ones not in english or latin characters [2]
[1] https://imgur.com/a/ciuRWSx [2] https://i.imgur.com/4yc6Flo.png
Anyway i lazy loaded all of them and there are 753 (the html just to display it is > 1 megabyte
$ xmllint --format reach2.html | grep qc-cmp2-list-item-header | tail && xmllint --format reach2.html | grep qc-cmp2-list-item-header | wc -l
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="Yieldmo, Inc." aria-live="polite">
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="YOC AG" aria-live="polite">
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="YouGov" aria-live="polite">
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="ZAM Network LLC dba Fanbyte" aria-live="polite">
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="Zemanta, Inc." aria-live="polite">
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="zeotap GmbH" aria-live="polite">
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="Zeta Global" aria-live="polite">
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="Ziff Davis LLC" aria-live="polite">
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="zillian sa" aria-live="polite">
<button role="listitem" class="qc-cmp2-list-item-header" aria-label="Zoomd Ltd." aria-live="polite">
753
If it is better - which seems surprising given it still seems to result in 3rd party cookies continuing to exist - how does it compare to safari’s domain partitioning from what seems like 5 years back, or the newer aayyyy iiiii tracker detecting stuff?
However this will make it easier than it currently is, to work out who is data sharing illegally.