Article from JUNE 14, 2022
Mozilla completes what Google was too afraid to finish.
Let me guess, itll still let websites see a list connected microphones and cameras with zero user interaction?
Trying
navigator.mediaDevices.enumerateDevices() .then(function(devices) { devices.forEach(function(device) { console.log(device.kind + ": " + device.label + " id = " + device.deviceId); }); })
it appears to have no label and the ids are randomly generated per site.
So it still ahows the number of devices then?
Good to see Firefox still has value to provide
It baffles me that this was ever not the case.
It was - in the ancient times. Then, there were 3rd party cookies which you had to manually approve upon the initial creation. And then it went all down south and got abused via CDNs and ad networks.
I’m curious how this will affect OAuth (if at all). Does it use an offsite cookie to remember the session, or is that only created after it redirects back to the site that initiated the login?
I was also wondering that
I my experience it generally breaks it. Leveraging cookies on the auth domain is fine, but once you are redirected to another domain, that application needs to take the access and refresh tokens and manage reauthentication as a background process. Simply don’t store those things as cookies though.
I wonder how long until all the distros have this.
Does making it the default also set it on my already-downloaded Firefox or only to new downloads? Just to know if I’ll have to manually set it.
It very probably wont change your settings for you. That would be super annoying if it changed things you set on purpose.
What if I never changed it in the first place. So before I had it on “default” and now it would still be on “default”.
Good to know anyway
deleted by creator
Oracle, SAP, Redhat, all of their customer portals require it for SSO. I’m not saying it should be that way, but it is.
ah yes, the other TCP
Tasty Consensual Photos
Maybe they should patent it, to protect their TCP IP.
Or have some higher tier version called Ultimate Cookie Protection {UDP)
Id prefer a security security oriented Secure Cookie Total Protection (SCTP)
LOL
Starting in what versions?
Forgive me if this is an overly simplistic view but if the ads with cookies are all served on Google’s platform say then would all those ads have access to the Google cookie jar?
If they don’t now then you can bet they are working on just that.
The way I’m reading it, they allow the third party cookies to be used within the actual site you’re on for analytics, but prevent them from being accessed by that third party on other sites.
But I just looked at the linked article’s explanation, and not a technical deep dive.
We’ll have to see what happens but what you are talking about is what Mozilla calls Third-Party Cookies and… they are aware of it.
I can’t entirely tell if that means they will be put in the facebook cookie jar or if it will be put in the TentaclePorn Dot Org (don’t go there, it is probably a real site and probably horrifying) cookie jar. If the former? Then only facebook themselves have that which… is still a lot better I guess? If the latter then that is basically exactly what we all want but a lot of sites are gonna break (par for the course with Firefox but…).
InB4 the guy who replies to defend tenticle porn…
Does this stop me from adding to my website an iframe to facebook where facebook can keep its cookies for my user? That would be great but I doubt it.
IIRC an iframe contents is treated as a separate window, so cookies aren’t shared either
Sure, but the separate window can be on a different domain. Now you have a way to share cookies across multiple websites on different domains if all of them include an iframe to this external domain. And you can use in-browser messages (see window.postMessage()) to communicate between iframes and main window.
Indeed see sibling comment https://programming.dev/comment/11983146
That’s horrific WHY?
do not add any event listeners for
message
events. This is a completely foolproof way to avoid security problems. 🤡🤡🤡🤡🤡🤡🤡🤡🤡🤡🤡
Aren’t cookies already limited to the site at which they were created??
What the fuck? You mean to tell me sites have been sharing cookies?
I thought all browsers only delivered cookies back to the same site.
The problem is that a website is generally not served from one domain.
Put a Facebook like button on your website, it’s loaded directly from Facebook servers. Now they can put a cookie on your computer with an identifier.
Now every site you visit with a Facebook like button, they know it was you. They can watch you as you move around the web.
Google does this at a larger scale. Every site with Google ads on it. Every site using Google analytics. Every site that embeds a Google map. They can stick a cookie in and know you were there.
Put a Facebook like button on your website, it’s loaded directly from Facebook servers. Now they can put a cookie on your computer with an identifier.
Which is not allowed by GDPR btw, because they do that even if you don’t click them. There are plenty guides online, how to create your own, not tracking facebook like button.
How does GDPR fit in to Google Analytics and personalised ads?
I would have thought it went something like: random identifier: not linked to personal info, just a collection of browsing history for an unidentified person, not under GDPR as not personal info.
Link to account: let them request deletion (or more specifically, delinking the info from your account is what Facebook lets you do), GDPR compliant.
Both Google and Facebook run analytics software that tracks users. I presume letting people request deletion once it’s personally linked to them is probably what let’s them do it? But I don’t live in a GDPR country, so I don’t know a whole lot about it.
No, it should’ve been opt-in. But loophole with “vital interest” and politics being slow and surface-level like politics.
Is this also how they know which ads to feed you?
Yes, it’s the reason for the tracking. To sell more targeted ads.
If you’re up for reading some shennanigans, check out the book Mindf*ck. It’s about the Cambridge Analytica scandal, written by a whistleblower, and details election manipulation using data collected from Facebook and other public or purchased data.
Is that because the like button is an iframe?
It doesn’t have to be. Your browser sends the cookies for a domain with every request to that domain. So you have a website example.com, that embeds a Facebook like button from Facebook.com.
When your browser downloads the page, it requests the different pieces of the page. It requests the main page from example.com, your browser sends any example.com cookies with the request.
Your browser needs the javascript, it sends the cookie in the request to get the JavaScript file. It needs the like button, it sends a request off to Facebook.com and sends the Facebook.com cookies with it.
Note that the request to example.com doesn’t send the cookies for Facebook.com, and the request to Facebook.com doesn’t send the cookie for example.com to Facebook. However, it does tell Facebook.com that the request for the like button came from example.com.
Facebook puts an identifier in the cookie, and any request to Facebook sends that cookie and the site it was loaded on.
So you log in to Facebook, it puts an identifier in your cookies. Now whenever you go to other sites with a Facebook like button (or the Facebook analytics stuff), Facebook links that with your profile.
Not logged in? Facebook sets an identifier to track you anyway, and links it up when you make an account or log in.
How is Facebook able to know what site is requesting it? Is it in the referer header, or is it parameters in the javascript/image url?
There is a referer header sent, but depending on the exact code added to the page, it’s very likely they are loading a snippet of JavaScript that lets them collect other information and trigger their own sending of information to their server.
For example, Google Analytics has javascript added to the page, but loading fonts from Google’s CDN (which many sites do) will rely on the referer.
NO.
https://en.m.wikipedia.org/wiki/Third-party_cookies
Maybe it’s not allowed in your local jurisdiction? But it’s been a problem since forever.
Alright fine ill switch browsers AGAIN