Firefox getting smarter about third-party cookies

Alex Fowler

Mozilla has a long running interest in fostering greater transparency, trust and accountability related to privacy and the many cookie-based practices we see today.

fx nightly v22.0a1 privacy tabOn Friday, Mozilla released a Firefox patch into its “Nightly” channel that changes how cookies from third party companies function. Users of this build of Firefox must directly interact with a site or company for a cookie to be installed on their machine. The patch also provides an additional control setting under the “Privacy” tab in Firefox’s Preferences menu (see image).

Many years of observing Safari’s approach to third party cookies, a rapidly expanding number of third party companies using cookies to track users, and strong user support for more control is driving our decision to move forward with this patch.

We have a responsibility to advance features and controls that bring users’ expectations in line with how the web functions for them. As our General Counsel, Harvey Anderson, wrote a few weeks ago in a post about Mozilla’s recognition as the Most Trusted Internet Company for Privacy in 2012:

We all have to continue our efforts — both big and small — to create a more trustworthy environment of online products that seamlessly integrate ease of use, transparency, and user choice.

In my own use of this release this morning, I followed one of my typical browsing paths, starting with a look at surfing conditions, then local news, a major national news site, and a popular site covering the tech industry. (Incidentally, all the great coverage of our launch of Firefox OS at Mobile World Congress is really exciting!)

Here’s how the new patch changed the extent to which I was tracked:

Current Default:
Allow All Cookies
Proposed New Default:
Allow Cookies Only From Visited Domains
4 web sites used 8 first party domains 4 web sites used 8 first party domains
81 cookies from first party domains 75 cookies from first party domains
117 third party domains 0 third party domains
304 cookies from third party domains 0 cookies from third party domains
Total: 385 first & third party cookies Total: 75 first party cookies

 

I cleared all my cookies before visiting these sites and then re-performed this process several times, as I wanted to verify that in fact four sites did lead to over 300 cookies from more than 100 companies I had not visited. Display ads and sharing widgets on the sites worked fine, and as I clicked on them, the various parties involved were able to set cookies. The privacy policies on all four sites cover their cookie practices, including from third parties. Interestingly, they all pointed me to using settings in my browser to control the behavior of these cookies on their sites.

Mozilla is passionate about putting its users first and moving the web forward. That mission requires taking a leadership role on privacy, which we have repeatedly done (e.g., Do Not Track, Social API, Secure Search, Persona and Collusion).

Mozilla’s users frequently express concerns about web tracking, and we’ve been listening. We are constantly challenging ourselves to deliver a browser that conforms to user expectations while facilitating online innovation. We regularly review community and partner input, web standards, extensions, practices by other browsers, and much more. The new third party cookie patch in Firefox is just another example of those efforts.

The new default is currently only in this very early developer build of Firefox as it goes through Mozilla’s usual vetting process. As with other features we deploy, it will be several months of evaluating technical input from our users and the community before the new policy enters our Beta and General release versions of Firefox. The policy for how our current versions of Firefox handle cookies can be found here and here.

Mozilla loves to hear from our users about how it can make Firefox even better. We encourage all those interested to provide feedback via the mozilla.dev.privacy discussion group.