{"id":2409,"date":"2018-10-23T06:00:05","date_gmt":"2018-10-23T13:00:05","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2409"},"modified":"2018-10-23T05:59:31","modified_gmt":"2018-10-23T12:59:31","slug":"firefox-63-lets-users-block-tracking-cookies","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/","title":{"rendered":"Firefox 63 Lets Users Block Tracking Cookies"},"content":{"rendered":"<p>As announced in August, Firefox is changing its approach to <a href=\"https:\/\/blog.mozilla.org\/futurereleases\/2018\/08\/30\/changing-our-approach-to-anti-tracking\/\">addressing tracking on the web<\/a>. As part of that plan, we signaled our intent to prevent cross-site tracking for all Firefox users and made our initial prototype available for testing.<\/p>\n<p><b>Starting with Firefox 63, all desktop versions of Firefox include an experimental cookie policy that blocks cookies and other site data from third-party tracking resources.<\/b> This new policy provides protection against cross-site tracking while minimizing site breakage associated with traditional cookie blocking.<\/p>\n<p>This policy is part of Enhanced Tracking Protection, a new feature aimed at <a href=\"https:\/\/blog.mozilla.org\/blog\/2018\/10\/23\/latest-firefox-rolls-out-enhanced-tracking-protection\/\">protecting users from cross-site tracking<\/a>. More specifically, it prevents trackers from following users around from site to site and collecting information about their browsing habits.<\/p>\n<p>We aim to bring these protections to all users by default in Firefox 65. Until then, you can opt-in to the policy by following the steps detailed at the end of this post.<\/p>\n<h4><b>What does this policy block?<\/b><\/h4>\n<p>The newly developed policy blocks storage access for domains that have been classified as trackers. For classification, Firefox relies on <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Privacy\/Storage_access_policy#Tracking_protection_explained\">the Tracking Protection list<\/a> maintained by <a href=\"https:\/\/disconnect.me\/\">Disconnect<\/a>. Domains classified as trackers are not able to access or set cookies, local storage, and other site data when loaded in a third-party context. Additionally, trackers are blocked from accessing other APIs that allow them to communicate cross-site, such as <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Broadcast_Channel_API\">the Broadcast Channel API<\/a>. These measures prevent trackers from being able to use cross-site identifiers stored in Firefox to link browsing activity across different sites.<\/p>\n<p>Our documentation on MDN provides significantly more technical detail on the policy, including: <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Privacy\/Storage_access_policy#Tracking_protection_explained\">how domains are matched<\/a> against the Tracking Protection list, <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Privacy\/Storage_access_policy#What_does_the_storage_access_policy_block\">how Firefox blocks storage access<\/a> for tracking domains, and the types of third-party storage access <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Privacy\/Storage_access_policy#What_is_not_blocked_by_the_policy\">that are currently blocked<\/a>.<\/p>\n<h4><b>Does this policy break websites?<\/b><\/h4>\n<p>Third-party cookie blocking does have the potential to break websites, particularly those which integrate third-party content. For this reason, we\u2019ve added heuristics to Firefox to automatically grant time-limited storage access <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Privacy\/Storage_access_policy#Automatic_storage_access_upon_interaction\">under certain conditions<\/a>. We are also working to support a more structured way for embedded cross-origin content to request storage access. In both cases, Firefox grants access on a site-by-site basis, and only provides access to embedded content that receives user interaction.<\/p>\n<p>More structured access will be available through the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Storage_Access_API\">Storage Access API<\/a>, of which an initial implementation is available in Firefox Nightly (and soon Beta and Developer Edition) for testing. This API allows domains classified as trackers to explicitly request storage access when loaded in a third-party context. The Storage Access API is also implemented in Safari and is a <a href=\"https:\/\/github.com\/whatwg\/html\/issues\/3338\">proposed addition<\/a> to the HTML specification. We welcome developer feedback, particularly around use cases that can not be addressed with this API.<\/p>\n<h4><b>How can I test my website?<\/b><\/h4>\n<p>We welcome testing by both users and site owners as we continue to develop new storage access restrictions. Take the following steps to enable this storage access policy in Firefox:<\/p>\n<ol>\n<li>Open Preferences<\/li>\n<li>On the left-hand menu, click on Privacy &amp; Security<\/li>\n<li>Under Content Blocking, click the checkbox next to \u201cThird-Party Cookies\u201d<\/li>\n<li>Select \u201cTrackers (recommended)\u201d<\/li>\n<\/ol>\n<p><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies-.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-2411 size-full\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies-.jpg\" alt=\"Preference panel screenshot showing how to enable third-party cookies.\" width=\"1080\" height=\"468\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies-.jpg 1080w, https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies--252x109.jpg 252w, https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies--768x333.jpg 768w, https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies--600x260.jpg 600w\" sizes=\"(max-width: 1080px) 100vw, 1080px\" \/><\/a><\/p>\n<p>If you find a broken site, you can tell us about it directly in Firefox with the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Privacy\/Storage_access_policy#Report_Broken_Sites\">\u201cReport a Problem\u201d button<\/a> in the Control Center. If you encounter problems in the implementation of this policy, please <a href=\"https:\/\/bugzilla.mozilla.org\/enter_bug.cgi?assigned_to=nobody%40mozilla.org&amp;blocked=1480137&amp;bug_file_loc=http%3A%2F%2F&amp;bug_ignored=0&amp;bug_severity=normal&amp;bug_status=NEW&amp;cf_fx_iteration=---&amp;cf_fx_points=---&amp;cf_platform_rel=---&amp;cf_status_firefox62=---&amp;cf_status_firefox63=---&amp;cf_status_firefox64=---&amp;cf_status_firefox_esr60=---&amp;cf_status_geckoview62=---&amp;cf_tracking_firefox62=---&amp;cf_tracking_firefox63=---&amp;cf_tracking_firefox64=---&amp;cf_tracking_firefox_esr60=---&amp;cf_tracking_firefox_relnote=---&amp;cf_tracking_geckoview62=---&amp;component=Tracking%20Protection&amp;contenttypemethod=list&amp;contenttypeselection=text%2Fplain&amp;defined_groups=1&amp;flag_type-203=X&amp;flag_type-37=X&amp;flag_type-41=X&amp;flag_type-5=X&amp;flag_type-607=X&amp;flag_type-721=X&amp;flag_type-737=X&amp;flag_type-748=X&amp;flag_type-787=X&amp;flag_type-799=X&amp;flag_type-800=X&amp;flag_type-803=X&amp;flag_type-835=X&amp;flag_type-846=X&amp;flag_type-855=X&amp;flag_type-864=X&amp;flag_type-914=X&amp;flag_type-916=X&amp;flag_type-929=X&amp;flag_type-930=X&amp;flag_type-933=X&amp;form_name=enter_bug&amp;maketemplate=Remember%20values%20as%20bookmarkable%20template&amp;op_sys=Unspecified&amp;priority=--&amp;product=Firefox&amp;rep_platform=Unspecified&amp;target_milestone=---&amp;version=unspecified\">let us know on Bugzilla<\/a>. Site owners may also be interested in <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Privacy\/Storage_access_policy#Debugging\">our debugging tools<\/a>.<\/p>\n<h4><b>Does this mean Firefox will no longer support the Tracking Protection feature?<\/b><\/h4>\n<p>Tracking Protection is still available to users who want to opt-in to block all tracking loads; with our updated UI, this feature can be enabled by setting \u201cAll Detected Trackers\u201d to \u201cAlways\u201d. All tracking loads will continue to be blocked by default in Private Browsing windows.<\/p>\n<p>Expect to hear more from us in the coming months as we continue to strengthen Firefox\u2019s default-on tracking protection.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As announced in August, Firefox is changing its approach to addressing tracking on the web. As part of that plan, we signaled our intent to prevent cross-site tracking for all &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/\">Read more<\/a><\/p>\n","protected":false},"author":1597,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,847,69],"tags":[],"coauthors":[320791],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Firefox 63 Lets Users Block Tracking Cookies - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Steven Englehardt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/\",\"name\":\"Firefox 63 Lets Users Block Tracking Cookies - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies-.jpg\",\"datePublished\":\"2018-10-23T13:00:05+00:00\",\"dateModified\":\"2018-10-23T12:59:31+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/4e57438e5a1cb316da982a0053c6ed53\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies-.jpg\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies-.jpg\",\"width\":1080,\"height\":468,\"caption\":\"Preference panel screenshot showing how to enable third-party cookies.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Firefox 63 Lets Users Block Tracking Cookies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/4e57438e5a1cb316da982a0053c6ed53\",\"name\":\"Steven Englehardt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/921e0113c6856efe3f1960058729d00f\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4013c3a1151063bb911608e4c8dc6f23?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4013c3a1151063bb911608e4c8dc6f23?s=96&d=identicon&r=g\",\"caption\":\"Steven Englehardt\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Firefox 63 Lets Users Block Tracking Cookies - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/","twitter_misc":{"Written by":"Steven Englehardt","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/","url":"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/","name":"Firefox 63 Lets Users Block Tracking Cookies - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies-.jpg","datePublished":"2018-10-23T13:00:05+00:00","dateModified":"2018-10-23T12:59:31+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/4e57438e5a1cb316da982a0053c6ed53"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies-.jpg","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Preference-third-party-cookies-.jpg","width":1080,"height":468,"caption":"Preference panel screenshot showing how to enable third-party cookies."},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/23\/firefox-63-lets-users-block-tracking-cookies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Firefox 63 Lets Users Block Tracking Cookies"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/4e57438e5a1cb316da982a0053c6ed53","name":"Steven Englehardt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/921e0113c6856efe3f1960058729d00f","url":"https:\/\/secure.gravatar.com\/avatar\/4013c3a1151063bb911608e4c8dc6f23?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4013c3a1151063bb911608e4c8dc6f23?s=96&d=identicon&r=g","caption":"Steven Englehardt"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2409"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1597"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2409"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2409\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2409"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}