
Starting with the 22nd release, the Firefox cookie policy will be more in line with user preferences. This mini-FAQ addresses some of the questions I received from Mozilla supporters, web developers, and users.
How do new Firefox cookie policies work?
In short: only sites that you actually visited can use cookies.
In more detail: if the site is the main one [1], nothing changes. Content from third-party sites has cookie permission only if you have visited those sites and they have set at least one cookie value.
What does the new Firefox policy look like compared to other major browsers?
Chrome - allows all cookies.
Internet Explorer - cookie permissions are determined by P3P policy. In practice, almost all third-party cookies are allowed [2].
Safari - the content of the main site (the site you are viewing; translator's note) has cookie permission. Content from third-party sites has cookie permission only if you have visited those sites and they have set at least one cookie value.
In general, the new Firefox policy is a slightly simplified version of Safari's policy [3].
Will the new Firefox policy break websites?
Side effects should be limited. Safari's cookie policy has been in place for ten years, in both the desktop and the iOS versions of the browser. Some sites may require small code changes to work with Firefox the way they already work with Safari.
For additional confidence, Mozilla's privacy team is closely monitoring how the policy behaves before the final release. The change will be present for about six weeks in the pre-alpha, alpha and beta builds. If you find any errors, please report them to Mozilla Support Services [rus.]!
How can I check if my website has cookie permissions?
Easy: try setting a cookie. This method demonstrates cookie permissions for both server-side and client-side code.
Browser-detection methods are generally undesirable, as they are unreliable and require constant updating. In addition, such methods do not account for Chrome and Internet Explorer users who have changed the default policy.
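The "try setting a cookie" check, as an added example that is not part of the original post: a client-side probe writes a cookie with a fresh value, reads it back, and cleans up. In a browser you would call `canSetCookie(document)`; the `fakeDocument` helper is a constructed stand-in so the probe can be exercised offline, and its `allowed=false` mode models the silent failure the policy produces for a disallowed write.

```javascript
// Added example (not from the original post): probe whether the current context
// may store a cookie by writing one and reading it back, as the FAQ recommends.
// In a browser, call canSetCookie(document); fakeDocument below is a constructed
// stand-in so the probe can be exercised outside a browser.

function canSetCookie(doc, name = "__cookie_probe") {
  // A fresh value each run, so a probe cookie left over from an earlier attempt
  // cannot produce a false positive.
  const value = String(Date.now());
  // SameSite=None; Secure is what current browsers require before a cookie is
  // usable in a cross-site (third-party) context at all; it is harmless first-party.
  doc.cookie = `${name}=${value}; path=/; SameSite=None; Secure`;
  const stored = doc.cookie.split("; ").includes(`${name}=${value}`);
  // Remove the probe again. When the write was blocked this is a silent no-op,
  // which is exactly how the policy treats a disallowed Set-Cookie.
  doc.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; SameSite=None; Secure`;
  return stored;
}

// Constructed stand-in for `document`: a tiny cookie jar with the same get/set
// surface. allowed=false models Firefox silently dropping the write.
function fakeDocument(allowed) {
  const jar = new Map();
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
    },
    set cookie(str) {
      if (!allowed) return; // no exception, no effect: "silent failure"
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const eq = pair.indexOf("=");
      const key = pair.slice(0, eq);
      const val = pair.slice(eq + 1);
      // An Expires date in the past deletes the cookie, as in a real jar.
      const expired = attrs.some(
        (a) => /^expires=/i.test(a) && new Date(a.slice("expires=".length)) < new Date()
      );
      if (expired) jar.delete(key);
      else jar.set(key, val);
    },
  };
}
```

When the probe returns `false` inside an embedded widget, the right reaction is the one the FAQ gives for content the user does not interact with directly: ask for permission (or route the user through your own site) rather than retrying. The same probe works server-side in spirit: send `Set-Cookie` on one response and look for the `Cookie` header on the next request, since a blocked cookie simply never comes back.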
I work with a third-party site that uses cookies. What should I do?
If a Firefox user interacts directly with your content, use the same tactics as for Safari users [4]. Examples of such content are Facebook applications and comment widgets in which the user enters text.
If the user does not interact directly with your content, or you are not sure of this in advance, you should request permission before setting a cookie. Most analytics services, ad networks, and social network widgets that the user does not interact with fall into this category.
In general, working around the policy's technical restrictions may be justified in some cases, but never for the purpose of circumventing the privacy policy itself.
What happens to an existing cookie?
The new policy does not impose any conditions on existing cookies. Firefox users will need to clear their cookies to get the effect of the new policy [5].
What is the future of Firefox cookie policy?
There is still a lot of work to be done. Some areas I am interested in:
- Extending the cookie policy to other client-side storage technologies (for example, HTML5 Web Storage).
- Providing a unified mechanism for requesting storage permissions.
- Relaxing the policy for sites that honor Do Not Track.
Share your ideas on the mozilla.dev.privacy mailing list!
All the above is my point of view. I do not speak for the entire Mozilla organization.
This was my first commit to the Firefox code base. Many thanks to Sid Stamm, Monica Chew, Brendan Eich, Asa Dotzler, Josh Matthews, Justin Dolske, Daniel Veditz, and other members of the Mozilla community for their advice, guidance, and patience with my inexperience.
Footnotes:
1. Defined as public suffix + 1 level.
2. Many have criticized Microsoft's approach for its ineffectiveness, complexity, and dependence on the de facto obsolete P3P standard. On this topic, see the paper on misrepresentation of website privacy policies caused by errors in P3P tokens, by Leon et al.
3. The difference mainly lies in the convenience for developers.
4. The most acceptable way is to redirect users through your own site. You can also use non-cookie storage technologies, although this alternative will also be restricted by the policy in the future.
5. It makes sense to clear cookies every few months.
Update from the translator: in the pre-alpha version you can already test the change yourself. The settings window with the new option looks like this. Selective translation of the mozilla.dev.privacy discussion:
Question: What is considered third-party content in this context? Is [any] iframe third-party content?
Answer: the same as everywhere else. [Third-party content is] everything whose origin differs from that of the parent document.
Question: How will the browser behave if content that does not have permission attempts to set a cookie?
Answer: silent failure. It might be possible to add an error message to the console, but I'm not sure what to do. To a web server, it will look as if the Set-Cookie header was lost in transmission.
Question: Do you think that, as a result of these changes, centralization will increase around the major players in the targeting industry (Google / Yahoo / Facebook / etc.), which will become practically the only sites able to set cookies for almost all users? With the attendant interesting / ambiguous trade-offs (fewer players in the market means it is easier for the government to regulate them, etc.).
Jason
Answer: against any countermeasure, countermeasures will always be taken, including the use of local storage (it can replace cookies, but the cookie setting does not apply to it), redirecting users to bypass the restrictions, and what you described.
But does this mean we should never attempt partial solutions? I don't think so.
Question: What level of heuristics will there be? What I mean: I visited www.socialnetwork.com and then try to set a cookie from api.socialnetwork.com. Will it work?
Answer: yes. And under both the old and the new policy. Third-party sites are defined at the level of public suffix + 1 (see mozIThirdPartyUtil).
Question: I visit www.randomblog.com, which has a "+100500" button from api.socialnetwork.com. Will it work, even though I have never visited api.socialnetwork.com directly?
Answer: the button will be displayed and can be pressed as usual. But if the user has never visited socialnetwork.com or one of its subdomains (more precisely, if the user has never received a cookie from socialnetwork.com or one of its subdomains), then the button will not be able to set a cookie.
Question: What about online banking, where sites include third-party payment content in an iframe? You never visit those third-party sites directly, although they are necessary for the user to work with an important site. The last time I opened such a site in Safari, it reported that the Safari browser is not supported [sad smiley]
Answer: I have not come across sites incompatible with Safari for many years, presumably due to the growing popularity of iOS devices. In any case, services that use workarounds to support Safari will indeed now have to apply them to Firefox as well.
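The "public suffix + 1" definition from footnote 1 and the socialnetwork.com / randomblog.com cases from the discussion above, as an added example that is neither the post's nor Mozilla's code (the function names are this example's own, not mozIThirdPartyUtil's). The suffix list is a constructed excerpt; a real implementation loads the full Public Suffix List. The example also encodes the policy decision itself: first-party content is unchanged, third-party content may use cookies only if its site already holds one.

```javascript
// Added example (not from the original post or Mozilla's code): the
// "public suffix + 1" rule and the resulting cookie decision for third-party
// content. PUBLIC_SUFFIXES is a constructed excerpt of the Public Suffix List.

const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Registrable domain: the longest matching public suffix plus one more label.
// "www.socialnetwork.com" -> "socialnetwork.com"; "alice.github.io" -> "alice.github.io".
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a public suffix: nothing registrable.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown suffix: treat the last label as the suffix (a simplification of the
  // real list's wildcard rules).
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Third-party means a different registrable domain than the top-level document,
// so api.socialnetwork.com is first-party on www.socialnetwork.com.
function isThirdParty(topHost, resourceHost) {
  const top = registrableDomain(topHost);
  const res = registrableDomain(resourceHost);
  return top === null || res === null || top !== res;
}

// The policy decision for a resource loaded into a page at topHost.
// sitesWithCookies: registrable domains that already set at least one cookie
// during a first-party visit (constructed state standing in for the cookie jar).
function mayUseCookies(topHost, resourceHost, sitesWithCookies) {
  if (!isThirdParty(topHost, resourceHost)) return true; // first-party: unchanged
  return sitesWithCookies.has(registrableDomain(resourceHost));
}
```

The `sitesWithCookies` check is the precise form of the answer above: what matters is not whether the user ever visited socialnetwork.com, but whether any host under that registrable domain has already stored a cookie. The github.io entry shows why the rule is "public suffix + 1" rather than "last two labels": alice.github.io and bob.github.io are unrelated sites and must be treated as third-party to each other.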