More precisely: If content has a first-party origin,1 nothing changes. Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.
How does Firefox’s new policy compare to the other major browsers?
Chrome – Allows all cookies.
Internet Explorer – Cookie permissions vary by P3P compact policy. In practice, almost all third-party tracking cookies are allowed.2
Safari – First-party content has cookie permissions. Third-party content only has cookie permissions if the content already has at least one cookie set.
In short, the new Firefox policy is a slightly relaxed version of the Safari policy.3
Will the new Firefox policy break websites?
Just to be sure, the Mozilla privacy team is closely monitoring the policy before final release. The patch will spend about 6 weeks each in the pre-alpha, alpha, and beta builds. If you spot any oddities, please report them to Mozilla support!
How can I test whether my website has cookie permissions?
Easy: try to set a cookie. This approach can introduce cookie permissions into both server-side and client-side code.
If a Firefox user appears to have intentionally interacted with your content, take the same approach as for Safari users.4 Examples of content within this category include Facebook apps and comment widgets where a user has typed text.
If a user does not seem to have intentionally interacted with your content, or if you’re uncertain, you should ask for permission before setting cookies. Most analytics services, advertising networks, and unclicked social widgets would come within this category.
In sum, working around the policy’s technical limits may be reasonable in certain cases, but undermining the policy’s privacy purpose is never acceptable.
What happens to preexisting cookies?
The new policy does not make any special provision for preexisting cookies. Current Firefox users should clear their cookies to fully benefit from the new policy.5
There’s still plenty of work to do. Some possible directions that I’m interested in:
- Providing a uniform mechanism for requesting storage permissions.
Please share your ideas on the mozilla.dev.privacy mailing list!
All views are solely my own. I do not speak for Mozilla.
This was my first contribution to the Firefox codebase. Huge thanks to Sid Stamm, Monica Chew, Brendan Eich, Asa Dotzler, Josh Matthews, Justin Dolske, Daniel Veditz, and many other members of the Mozilla community for their advice, guidance, and tolerance of my inexperience.
An origin is determined by public suffix + 1. ↩
Many researchers have criticized Microsoft’s approach for being ineffective, convoluted, and relying on the de facto deprecated P3P standard. For background, see Token Attempt: The Misrepresentation of Website Privacy Policies Through the Misuse of P3P Compact Policy Tokens by Leon et al. ↩
The difference is primarily owing to engineering convenience. ↩
The most transparent practice is for you to redirect the user through your origin. You could also use a non-cookie storage technology, though alternatives may be limited by this policy in future. ↩
Conventional wisdom in the web privacy community is that users clear their cookies every few months. ↩