Firefox Rolls Out Total Cookie Protection By Default | The Mozilla Blog
blog.mozilla.org
Updated Aug. 28, 2024. Take back your privacy Firefox is rolling out Total Cookie Protection by default to more Firefox users worldwide, making Firefox the
  • Kairos@lemmy.todayEnglish
    0·
    22 days ago

    Let me guess, itll still let websites see a list connected microphones and cameras with zero user interaction?

    • Blackmist@feddit.ukEnglish
      0·
      22 days ago

      Trying

      navigator.mediaDevices.enumerateDevices()
.then(function(devices) {
  devices.forEach(function(device) {
    console.log(device.kind + ": " + device.label +
            " id = " + device.deviceId);
  });
})

      it appears to have no label and the ids are randomly generated per site.

    • mbirth@lemmy.mlEnglish
      0·
      22 days ago

      It was - in the ancient times. Then, there were 3rd party cookies which you had to manually approve upon the initial creation. And then it went all down south and got abused via CDNs and ad networks.

  • bitjunkie@lemmy.worldEnglish
    0·
    21 days ago

    I’m curious how this will affect OAuth (if at all). Does it use an offsite cookie to remember the session, or is that only created after it redirects back to the site that initiated the login?

    • version_unsorted@lemm.eeEnglish
      0·
      20 days ago

      I my experience it generally breaks it. Leveraging cookies on the auth domain is fine, but once you are redirected to another domain, that application needs to take the access and refresh tokens and manage reauthentication as a background process. Simply don’t store those things as cookies though.

  • calcopiritus@lemmy.worldEnglish
    0·
    21 days ago

    Does making it the default also set it on my already-downloaded Firefox or only to new downloads? Just to know if I’ll have to manually set it.

    • FiskFisk33@startrek.websiteEnglish
      0·
      21 days ago

      It very probably wont change your settings for you. That would be super annoying if it changed things you set on purpose.

      • calcopiritus@lemmy.worldEnglish
        0·
        21 days ago

        What if I never changed it in the first place. So before I had it on “default” and now it would still be on “default”.

        Good to know anyway

    • Dran@lemmy.worldEnglish
      0·
      22 days ago

      Oracle, SAP, Redhat, all of their customer portals require it for SSO. I’m not saying it should be that way, but it is.

  • haywire@lemmy.worldEnglish
    0·
    22 days ago

    Forgive me if this is an overly simplistic view but if the ads with cookies are all served on Google’s platform say then would all those ads have access to the Google cookie jar?

    If they don’t now then you can bet they are working on just that.

  • Cosmicomical@lemmy.worldEnglish
    0·
    22 days ago

    Does this stop me from adding to my website an iframe to facebook where facebook can keep its cookies for my user? That would be great but I doubt it.

  • intensely_human@lemm.eeEnglish
    0·
    21 days ago

    Aren’t cookies already limited to the site at which they were created??

    What the fuck? You mean to tell me sites have been sharing cookies?

    I thought all browsers only delivered cookies back to the same site.

    • Dave@lemmy.nzEnglish
      0·
      21 days ago

      The problem is that a website is generally not served from one domain.

      Put a Facebook like button on your website, it’s loaded directly from Facebook servers. Now they can put a cookie on your computer with an identifier.

      Now every site you visit with a Facebook like button, they know it was you. They can watch you as you move around the web.

      Google does this at a larger scale. Every site with Google ads on it. Every site using Google analytics. Every site that embeds a Google map. They can stick a cookie in and know you were there.

      • MonkderVierte@lemmy.mlEnglish
        0·
        21 days ago

        Put a Facebook like button on your website, it’s loaded directly from Facebook servers. Now they can put a cookie on your computer with an identifier.

        Which is not allowed by GDPR btw, because they do that even if you don’t click them. There are plenty guides online, how to create your own, not tracking facebook like button.

        • Dave@lemmy.nzEnglish
          0·
          21 days ago

          How does GDPR fit in to Google Analytics and personalised ads?

          I would have thought it went something like: random identifier: not linked to personal info, just a collection of browsing history for an unidentified person, not under GDPR as not personal info.

          Link to account: let them request deletion (or more specifically, delinking the info from your account is what Facebook lets you do), GDPR compliant.

          Both Google and Facebook run analytics software that tracks users. I presume letting people request deletion once it’s personally linked to them is probably what let’s them do it? But I don’t live in a GDPR country, so I don’t know a whole lot about it.

          • MonkderVierte@lemmy.mlEnglish
            0·
            21 days ago

            No, it should’ve been opt-in. But loophole with “vital interest” and politics being slow and surface-level like politics.

        • Dave@lemmy.nzEnglish
          0·
          21 days ago

          Yes, it’s the reason for the tracking. To sell more targeted ads.

          If you’re up for reading some shennanigans, check out the book Mindf*ck. It’s about the Cambridge Analytica scandal, written by a whistleblower, and details election manipulation using data collected from Facebook and other public or purchased data.

        • Dave@lemmy.nzEnglish
          0·
          21 days ago

          It doesn’t have to be. Your browser sends the cookies for a domain with every request to that domain. So you have a website example.com, that embeds a Facebook like button from Facebook.com.

          When your browser downloads the page, it requests the different pieces of the page. It requests the main page from example.com, your browser sends any example.com cookies with the request.

          Your browser needs the javascript, it sends the cookie in the request to get the JavaScript file. It needs the like button, it sends a request off to Facebook.com and sends the Facebook.com cookies with it.

          Note that the request to example.com doesn’t send the cookies for Facebook.com, and the request to Facebook.com doesn’t send the cookie for example.com to Facebook. However, it does tell Facebook.com that the request for the like button came from example.com.

          Facebook puts an identifier in the cookie, and any request to Facebook sends that cookie and the site it was loaded on.

          So you log in to Facebook, it puts an identifier in your cookies. Now whenever you go to other sites with a Facebook like button (or the Facebook analytics stuff), Facebook links that with your profile.

          Not logged in? Facebook sets an identifier to track you anyway, and links it up when you make an account or log in.

          • intensely_human@lemm.eeEnglish
            0·
            21 days ago

            How is Facebook able to know what site is requesting it? Is it in the referer header, or is it parameters in the javascript/image url?

            • Dave@lemmy.nzEnglish
              0·
              21 days ago

              There is a referer header sent, but depending on the exact code added to the page, it’s very likely they are loading a snippet of JavaScript that lets them collect other information and trigger their own sending of information to their server.

              For example, Google Analytics has javascript added to the page, but loading fonts from Google’s CDN (which many sites do) will rely on the referer.