back to article Firefox to spit out third-party cookies

The Mozilla Foundation has set up camp alongside Apple in the “cookies are bad” section of the Internet, decreeing that three versions hence its flagship Firefox browser won't accept cookies from anyone other than the publisher of websites it visits. That version will be number 22 and is due for release on June 25th, 2013. …


This topic is closed for new posts.
  1. Anonymous Coward


    I'm surprised that Ghostery isn't more popular already. I think it works on all major platforms and browsers - even works on Safari on iOS now. No Android app yet, but that's probably in the works.

    1. Fatman

      Re: Ghostery?

      It, and Ad Block Plus along with No Script are three addons NO Firefox user should be without, if you value controlling your privacy and web browser. I have Firefox setup to ask each time a new cookie request is made, and I generally "Allow For Session" the majority of times.

      Only certain sites get to keep cookies permanently (elReg is one).


        Re: Ghostery?

        ... and I would add HTTPSEverywhere, BetterPrivacy, and Flagfox to that list... as essential addons.

        Also RefControl if you're clued up. And (nb; touting my own wares) Dephormation and SecretAgent.

      2. Sporkinum

        Re: Ghostery?

        Your cookie usage is what I do as well, and is one of the reasons I stick with Firefox. Chrome and IE don't have the superior cookie handling that Firefox has had for years.

        1. Invidious Aardvark

          Re: Superior cookie handling?

          What is this superior cookie handling of which you speak? I've used FF for years but I'm also aware that IE has had the ability to block/allow cookies per site for yonks. In fact, IIRC FF started out without this feature, which IE had for some time before FF finally adopted it.

          Can't comment on Chrome as I never use it.

          1. Anonymous Coward
            Thumb Up

            Re: Superior cookie handling?

            >"What is this superior cookie handling of which you speak?"

            FF has some beautiful options to frequently delete all non-whitelisted cookies. The same can be accomplished on Chrome with the "Vanilla Cookie Manager" add-on, which can auto-delete cookies up to once every 5 minutes if you feel extremely paranoid (and can do your online banking extremely quickly).

        2. Field Marshal Von Krakenfart

          Re: Ghostery?

          I find that Blocking Unwanted Connections with a Hosts File works very well. I find it quite rewarding to see all those pop-under pages opening with no content.

          Useful if can lock-down the hosts files as well.

  2. jubtastic1

    This isn't going to have the desired result

    It will make tracking harder for about a day, assuming the ad companies fall asleep at the wheel, before they switch to another method that works. Long term all this will accomplish is to make it harder for users to see what's going on and frankly, cookies are too hard for most users to make any sense of anyway.

    I think it would be a better idea to have a think about who is going to pay for the web, users or advertisers, and after that amazingly short discussion, how to design a system that allows the advertisers to target a particular audience with a high degree of confidence that doesn't require them to maintain a database of individual users, which of course raises even more questions about who would host and be responsible for such a system.

    On second thoughts, I believe cookies are the lesser of many evils.

    1. Anonymous Coward
      Anonymous Coward

      Re: This isn't going to have the desired result

      If the advertisers know this will happen doesn't common sense tell you they will be looking to work around this particular problem. They have until June to find a solution, they probably have found a solution that they will implement.

    2. Anonymous Coward
      Anonymous Coward

      Re: This isn't going to have the desired result

      Not working IS the desired result.

      You know which mega-corp pwns Mozilla. Just about everyone visits their services: search, webmail, maps, etc... So, that mega-corp just happens to be granted exemption from Mozilla's latest tracking-blocking charade in just about everyone's browser. Who'd have thunked? The de-facto tracking/advertising monopoly being granted carte blanche to go on as before... meanwhile any vestige of competition will be snuffed out by the carefully contrived "solution". Oops. Couldn't have seen that coming.

      "Do no evil" my arse. Perhaps they like to pretend it doesn't count as long they're getting someone else to do their evil for them.

      This "third party cookie" problem has been a perennial war of attrition at Mozilla. An endless stream of noobs getting excited about "solving" the "problem" while the management throw up endless roadblocks and diversions. All manner of bizarre excuses and brazen fobbing off. "Third party? I don't even understand what that means"... "If we implement it, some people will set who'll then be confused when some sites stop working"... "Sites could redirect you to the tracking domain for it to do its cookie stuff and then redirect you back, it's beyond our wits to resolve that problemoid"... and so on... Patches have been applied, then broken, then removed. If you want to thoroughly depress yourself, have a look through some of the bugzilla threads. Many have been running for more than a decade!

      These should get you started... 67447 87388 836281 818340 818337

    3. Matthew 25

      Re: This isn't going to have the desired result

      Opera has had the facility to block 3rd party cookies for quite some time. I find it makes little difference to general browsing but cuts out one bunch of snoops.

      1. Anonymous Coward
        Anonymous Coward

        Re: This isn't going to have the desired result

        "Opera has had the facility to block 3rd party cookies for quite some time"

        And so has Firefox amongst others. As I understand it the difference here is twofold:

        1. A change in the definition of what is considered a third party cookie (i.e., one from a site you have never actually visited before).

        2. A policy change that automatically blocks third party cookies (according to 1. above), rather than asking the user to set a preference.

        1. Paul Shirley

          Re: This isn't going to have the desired result

          "1. A change in the definition of what is considered a third party cookie"

          The current FF cookie blocking is worse than useless. Block them and some sites simply won't work, even if you allow it to ask for permission - the GAME website spreads it's load across multiple internal URLs and I never managed to get it to work. If a change can get the blocking to actually be controllable on most sites it might be worth turning back on.

          What's rather more urgently needed is more effort to stop killing add-ons with every sodding FF update. That way I can stick with one cookie control solution without losing my permission settings. Not breaking existing addons has never been a priority with Mozilla though.

    4. Pet Peeve

      Re: This isn't going to have the desired result

      I already use noscript for exactly this reason, and it definitely stops tracking cookies dead. Frankly, I think most of the features of noscript should be native browser features in the first place.

      Welcome to the party, Firefox. About damn time.

  3. mIRCat

    We still allow third party cookies?

    Mines the one with peanut butter cookies in the pocket.

    1. John Brown (no body) Silver badge
      Big Brother

      "force the issue for many sites and their content providers, "

      "This site works best in Internet Explorer 6.0 or higher"

  4. Anonymous Coward
    Anonymous Coward

    Yep, I use Ghostery and other extensions on the Anon list too.

    About bloody time; making this standard will force the issue for many sites and their content providers, which break for Ghostery and other security plugins; so that they fix the sites or lose traffic! Kill offsite Flash cookies too!

    I'm so bored having to temporarily disable one of more security plugins because of these snooping and lazy turds, in the faint hope of seeing some maybe useful content.

    I really hope Flash dies soon too, it is a festering security risk, and enable ridiculous site viewing restrictions; please ban crApple Quicktime too, so that I don't have to work around not having it installed!

  5. Anonymous Coward
    Anonymous Coward

    Watch the film "Branded", and see that advertising is mental pollution.

    Companies should give up trying to profile people, be satisfied with discrete adverts, and stop bugging people; any more and I compulsively Adblock+ all your adverts _everywhere_, especially all BS 'social' media sites!

    I curse Edward Bernays, his sponsors and disciples to eternal torment for the hell they unleashed!

    1. Anonymous Coward
      Anonymous Coward

      Re: Watch the film "Branded", and see that advertising is mental pollution.

      Will watch...

      Here is my insane foaming at the mouth rant on the subject of advertising........

      Re: The thinking behind its Android security update

      "The maker of Adblock Plus is upset"...

      "What about the fucking users????"

      OK 2 points.

      I am comparatively ignorant about the proxy server issue.... sort of.

      My main grips is the oversaturation of advertising that people do not want or need, being incessantly shoved in our fucking faces all the time.

      This irritates me on several counts.....

      1. I own a pushbike... and I am very happy with that. Therefore:

      a) Stuffing adds in my face for cars irritates me - because.

      b) I don't want to see the fucking adds, and

      c) I don't want to buy a fucking car.

      This purchasing to meet my modest needs only, extends to every plethora of gear used in advertising.

      There is also the saturation advertising.....

      It's like the local shop keepers...

      They have Frontage for their own advertising above the shop awnings. They have the edge of the veranda to stick their own advertising on. They have the big shop windows to stick their own advertising on.

      They then extend their advertising out of their space and into the public space, by sticking sandwich boards on the foot path for the passing foot traffic.

      They then stick MORE of their own advertising, on their own sandwich boards out between the parking bays and the main road.....

      (which I complained about - because after a car pulled in to park and another reversed out and I nearly ran into one of the signs - and it's a fucking road, not a empty lot.)

      And they also advertise themselves and their wares in the "Proudly supported by" sections...... and in the local news papers.... and mailouts, and the reach has become sort of all pervasive.

      Even the Hollywood scum with their "Hollywood accounting" never float a movie unless it has a ton of product placements in them....

      Well the main thrust of my case is that the ONLY advertising that is really appropriate, is the advertising of the products or services, on the site of the people who are supplying them.

      This assumed right to shove endless amounts of advertising, in peoples faces, at all times, about all things, has gone from something like "the shop keepers, advertising their own services from their own premises", into a fucking plague of advertising.

      And many of the advertisers are stupid fucking human beings..... sticking flashing adds in the middle of columns of text..... "Like OH Duh - lets piss off the readers SO much, that they either leave and never come back or they are finally driven into looking for ways to block the adds....."

      Then they whine about the loss of readers....

      Fucking idiots.

      Then you get the adds that slide up or down the sides of the screen, or in from the side of the page, or the pop up layer adds that cover / block the whole page, that you have to click on to get rid of.....

      And the fucking arseholes at google, they just don't get it - shoving 10,000 adds a day in peoples faces for shit they generally don't want or need, simply wastes their time, and it's an annoyance.

      Much of it is outright stupid.... It's a fucking plague of advertising....

      They searches are filled with adds. They have adds in the search results, as well as the search results, they put adds in the Gmail, they put adds in the Youtube, they put in adds about buying adds as adds......

      I have read news papers from 200 years ago, and they SOLD the news, where the content of the paper was the news, and there was about 10% of the page space used on adds.

      Now news papers have like 90% of their total space used for adds, and they generally have skimpy low IQ stories about stupid brainless bullshit, or the sensationalist headline grabbers - and the spectator sport crap of politics.

      And even the most clueless of readers are saying, "There is nothing but shit in them - not worth reading."

      Anyway, without Add Block Plus, and Element Hiding helper for Add Block Plus, Flash Block etc., and a few other things....

      I would not even come to this site...

      But the idiots who run Google, there may indeed be legitimate technical reasons for crunching add blocking in android - but if they were allowed to run rampant - as they have, for every ONE person who becomes so irritated that they go and hunt out and install Add Block Plus and Element Hiding Helper and Flash Block etc., there are probably another 50 people who are seriously irritated by all the adds, and there are probably other 50 other people who simply refuse to use the internet much at all.

      Google is like the shop owners who have gone from the sandwich board on the sides of the street, to putting plaquards in the front yard, and signs on your house walls, and then a free interior wall papering as well....

      Stickers on your TV screen, labels in the toilet bowl, advertising screen printed on your curtains....

      They are just so fucking all intrusive and all pervasive and so fucking unrelenting and........

      Out of pure spite, I might just go pay a heap of money to Add Block Plus, just to get my own back on Google.

      1. Luke McCarthy

        Re: Watch the film "Branded", and see that advertising is mental pollution.

        It's "ads", not "adds".

      2. Inselaf
        Thumb Down

        Re: Watch the film "Branded", and see that advertising is mental pollution.

        You are either spending the few hours on the net, between "fucking"! & sleeping.

        Your posting would have been somewhat interesting were it not for the fact of the excessive usage of the word "fucking". There is surprisingly enough an abundent number of other words one could use. Sorry it spoilt the posting & was using your own words "so fucking all intrusive and all pervasive"! Completely over the top.

        By the way, Ad Blocker + is free. You can donate if you so choose. I would recommend it to everyone. You could spend a little less on donating money to Ad Block & spend some on an English Dictionary!

  6. Tree

    GURGLE will not stand for this

    Google must track you to exist. They will smother Mozilla if they do this. Watch Mozilla say "oops, my bad" and kiss Gurgle's moneybags before you know it. By the eway, Google is not evil. HAHAHA.

    1. Anonymous Coward

      Re: GURGLE will not stand for this

      "Google must track you to exist. They will smother Mozilla if they do this."

      Actually, this probably works in Google's favor. This change could drive advertising dollars back into Google search and Google Maps, and away from Facebook and the other social sites that were using cookie trackers to try to hijack a piece of Google's online advertising pie.

      The advertising dollars need to go somewhere, and if FB and friends can't track you as well, then those dollars might just flow right back into the basic Google tools.

      1. Anonymous Coward
        Anonymous Coward

        Re: GURGLE will not stand for this

        If it upsets Facebook I'm all for it.

      2. Craigness

        Re: GURGLE will not stand for this

        For google and facebook this is less strict than the current system where users can uncheck the "accept 3rd party cookies" option. By default, firefox users will have google as their homepage, so any google 3rd party cookie will be allowed. Facebook only shows ads on facebook, so if you are ever likely to see their ads then you've visited the domain voluntarily so their 3rd party cookies will not be blocked.

        1. Anonymous Coward
          Anonymous Coward

          @Craigness - Re: GURGLE will not stand for this

          Good points. It is a shame how initiatives to make life better or more secure/private for users are continually undermined by the addition of exceptions which you just know the miscreants will eventually drive a bus through.

          The point of all this is that tracking is not desired - full stop. Why not just stick to that simple principle?

  7. vagabondo

    "Use custom settings for history"

    Firefox has had good cookie control for years. But for some time it has required selecting "Use custom settings for history" from the "Privacy" section of "Preferences" in order to access the third-party and expire at end of session cookie controls. I never understood the reason for deciding to hide them behind an obscure heading -- unless trying to be nice to their advertising sponsor, at the expense of their users.

    1. Mage Silver badge

      Re: "Use custom settings for history"

      Firefox has had a setting since ages to block 3rd party cookies. But it's fairly buried in the settings.

    2. Fatman

      Re: "Use custom settings for history"

      The problem with "Use custom settings for history" is that you average Joe (L)user doesn't have the mental capacity to figure them out; and even if Joe (L)user could figure them out; he is too fucking lazy to go ahead and do it.

      Too many Joe (L)users consider a computer to be nothing more than a toaster, put in the bread, and push the lever down.

      "Who gives a fuck about how it works." bleats Joe (L)user

      And companies like Microsoft, introducing dumbed down interfaces for dummies do not help things.

      I feel a competency exam should be a ore-requisite for owning a computer, and a license should be required for internet surfing.

      Time to get the ignorant (as in lacking knowledge) assholes off of the 'net.

      1. Andy Fletcher

        Re: "Use custom settings for history"

        @Fatman Yeah right. Presumably I should stop driving because I don't have the first idea on how to fix or change the settings on an internal combustion engine.

        Joe user shouldn't have to give a fuck. If he does, the designer hasn't done his job right.

      2. Inselaf
        Thumb Down

        Re: "Use custom settings for history"

        Quote "Time to get the ignorant (as in lacking knowledge) assholes off of the 'net." Unquote.

        I take it you mean yourself as well? It amazes me how much drivel some people place in such Forums.

  8. frank ly

    Use 'Request Policy'

    I recommend the use of the Request Policy plug-in for Firefox. It blocks all requests to third party websites and indicates that it is doing so. Then, you can temporarily or permanently lift the block for all requests to that site or only requests from the site you're using at that time. (It's easier to understand if you just use it and play with it.)

    On many sites I use, there are an amazing number of third party sites that are blocked by Request Policy without my use of the originating site being affected at all. If an image is blocked, it shows the image box as greyed out with a little red flag in the middle that can be clicked to indicate the name of the site being blocked.

    The first time you use it, there is the minor frustration of having to go through the list it presents and deciding which ones to allow, since many sites use third party sites to deliver required content. However, I feel it's worth it to avoid the shedload of crap and all the inevitable tracking stuff that will be there.

    1. Charlie Clark Silver badge

      Re: Use 'Request Policy'

      I do the same with my cookie settings in Opera. Doesn't that make us the clever ones? But, even with getting close to 20 years experience of the WWW, there are times when I'm not sure which cookies to accept and for how long and there are many times when I have to go back and adjust settings or when, like El Reg, they don't work as they should. It's entirely understandable that most people have no idea what any of this is about: when I drive a car I don't sweep it for GPS trackers.

      Third-party, cookie-based advertising on the internet is, I suspect, doomed because it has been so badly handled and abused by the industry. Of course, almost all of what the industry does can be achieved by slightly less intrusive means: they just need to provide decent APIs for an exchange between website owner and advertiser.

      As an immediate improvement I'd love to see cookies must come with a manifest explaining what they do and how long they need to be valid for, and we need to come up with a sensible expiry option for never-ending sessions.

  9. Harry

    Too little, too late

    Do I understand this correctly?

    I visit a site. Let's call it has a lazy webmaster, who uses google APIs instead of writing his own code. So, firefox is saying that because I've previously visited google, firefox thinks its OK to send google my cookies.

    It sounds like they've got this completely wrong. It's precisely *because* I've previously visited google that google should *not* be given my google cookie when I visit a third party site. If I had never visited google, either directly or indirectly, then the cookie would contain no information so there would be no harm in giving back the cookie.

    Third party cookies should be accepted but automatically converted to session cookies and never shared with other tabs that might be open in the browser at the same time. To every third party site, the user should appear to be making their first visit, no matter whether or not they have visited the site as a first party.

    And what's the point of having the exemption for sites that promise to respect Do Not Track? Cookies are for tracking. So, if the site is not tracking, then it needs at the very most a session cookie.

    1. Craigness

      Re: Too little, too late

      Cookies are for tracking in the same way chainsaws are for massacring Texans.

    2. Dan 55 Silver badge

      Re: Too little, too late

      I suppose pages loaded with IFRAME and script loaded with SCRIPT will be excluded otherwise this will be next to useless. It'll be interesting to see if the 3rd party cookie ban includes cookies set by JavaScript.

      But they can't use a sledgehammer to crack a nut either otherwise they'll affect too many Ajax and Web 2.0oea sites too.

    3. Ted Dannington

      Re: Too little, too late

      "tabs" do not 'exist' (as an abstraction in anywhere near the right places in the tech stack involved in browsers rendering webpages) in order to not have information shared between them. You can't make a cookie not appear to one from and not another.

  10. Mark 65

    Whilst they're at it

    Can they also consider fixing the situation currently whereby I receive multiple requests to store or update cookies from the same domain even though I've already given my answer once with the relevant checkbox checked. It really is irritating to continually have to respond to requests from one after the other.

  11. Chris Miller

    Although I don't use IE as my main browser

    retaining it for testing and the few sites that obstinately refuse to work with other alternatives, it's had the ability to block third party cookies since at least IE6, and now does so by default for many types.

    1. Irongut Silver badge

      Re: Although I don't use IE as my main browser

      Indeed and FF has had the ability since before it existed. I've had 3rd party cookies blocked in Mozilla based browsers since v1.0 of the suite. Of course I also use Ghostery which blocks all trackers and had the nice side effect of removing the advertising that goes with them as well.

      1. Fatman

        Re: the nice side effect of removing the advertising

        Don't web pages look so much better without all of that shit!!!!

  12. DrXym Silver badge

    This is not hard to defeat

    Advertisers would have to jump a few more hoops but I doubt it's *that* hard for them to change the JS boiler plate they supply to hosting sites to inject their ads. Javascript can read and write cookies from its own origin so the glue the advertiser supplies could read the cookie from the host's origin, slap it onto the url request for the ad, and then update the cookie again in the host based on the response.

    And that's just on the client side. Advertisers could provide modules for PHP, Java, Apache which injects the tracking cookies from the host domain in the request so there is no way to tell it apart from other cookies the site might issue.

    Then there's storing data in flash shared objects, silverlight storage, HTML 5 storage and a raft of other places. See Evercookie for the ways this could be done. Basically if an advertiser wanted to track you they will.

  13. jon 72

    Cookies are like Pokemon

    You gotta get 'em all! - Just saying 'Cookies' is frankly misleading to most of the public.

    There's a dozen different techniques for storing data inside a users browser and unless you are amongst the Uber paranoid who has javascript + Flash disabled then your at risk of having your browser footprint profiled for good measure as well. Not as specific as a cookie but often as good enough.

  14. David Hicks

    Why allow third party cookies at all?

    I've never seen the need for them and they are always almost exclusively about tracking.

    1. Anne-Lise Pasch
      IT Angle

      Re: Why allow third party cookies at all?

      Breaks 99% of lesser-known shopping carts if you don't. (e.g. RBS Worldpay gateway, et al) Also, any 3rd party proxying, such as subscription mechanisms that use jsession cookies, such as campus-based logins for journals/libraries, etc.

  15. MrXavia

    So rather than track by cookie, they will just track by unique browser fingerprint, cross referenced with IP..

    Oh wait.. they already do that...

    Otherwise no way would I get the adverts I do after clearing cookies on my PC...

    I look for a gift for my wife, clear cookies & history so no reference is left on the PC.. and shocker, I go to websites and see adverts for what I just looked at,(which is dumb as I've already been there and looked at that)

    1. David Hicks

      The insurance ones always amuse me.

      We've tracked you looking at a bunch of car insurance sites so we've decided to advertise car insurance at you for the next two weeks.

      Except of course that I was looking at car insurance sites because I was buying car insurance there and then. I am now the least likely person to care about your ads. Well done.

      1. Anonymous Coward
        Anonymous Coward

        You were lucky it was just car insurance ... last year I needed to buy a spare part to mend a leaking toilet valve - and google served me with ads for toilet spares (from the same site I'd bought from) for several weeks (at least on browsers where I couldn't use ad block) .... in fact it does have an uncanny abiltiy to show me ads from sites I've just bought something from (and thus (a) know about and (b) probably no longer need to buy anything from!)

      2. Anonymous Coward
        Anonymous Coward

        After the fact

        "Except of course that I was looking at car insurance sites because I was buying car insurance there and then. I am now the least likely person to care about your ads. Well done."

        Agreed, though of course they can either serve you those ads and catch the 20% who haven't yet made up their minds and made a purchase, or they can throw some totally random ad at you and just hope!

  16. Anonymous Coward
    Anonymous Coward

    cookie blocking

    I either block of turn cookies into session cookies. Probably no real need though since I adblock and no script the hell out of everything anyway. Targeted advertising doesn't do much if you never see them.

  17. Tom 7 Silver badge

    I dont want a cookie manager

    I want a mangler so the data these people receive is worse than useless so they'll just fuck off and die.

  18. jon 72

    Ghostery != Privacy

    " We collect some basic data in server logs, like your web request, the data sent in response to that request, the Internet Protocol address, the browser type, the browser language...." Ghostery Terms of service

    Ghostery BTW is not some kids bedroom project funded by goodwill it's owned by a company called Evidon inc.. and their about us page makes interesting reading...

    I just don't see how my privacy is protected when a third party is monitoring all my internet traffic.

  19. Anonymous Coward
    Anonymous Coward

    Cookies are so yesterday... Hulu Caught Respawning Cookies

    ...How is this going to fix TRACKING INFO stored in FLASH Cookies or cached SESSIONS (ETAGS) i.e.

  20. Henry Wertz 1 Gold badge
    Thumb Up

    Fine by me...

    This is fine by me. They may want to put in a toggle (in case there's anybody using some, possibly internal, site that outrageouly breaks.) Very few sites have problems even with all cookies blocked though, so I doubt this'll be an issue.

    I'm all fine with this -- I actually wouldn't mind cookies in order to get more personalized ads that I may actually be interested in, except IT DOESN'T ACTUALLY SEEM TO WORK. Hulu, it asks on some ads if they are relevant to me, and clearly keeps track of ad skips, so I get just ads for stuff I actually am interested in (i.e. it works great!). Other sites it seems I get the same mix of ads as anyone. Therefore, indeed I do not want to be tracked and get absolutely nothing in return.

  21. Anonymous Coward
    Anonymous Coward

    Cookies are so yesterday... Hulu Caught Respawning Cookies

    ...How is this going to fix TRACKING INFO stored in FLASH Cookies or cached SESSIONS (ETAGS) i.e.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020