The New Firefox Cookie Policy

The default Firefox cookie policy will, beginning with release 22, more closely reflect user privacy preferences. This mini-FAQ addresses some of the questions that I’ve received from Mozillans, web developers, and users.

How does the new Firefox cookie policy work?

Roughly: Only websites that you actually visit can use cookies to track you across the web.

More precisely: If content has a first-party origin,1 nothing changes. Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.

How does Firefox’s new policy compare to the other major browsers?

Chrome – Allows all cookies.

Internet Explorer – Cookie permissions vary by P3P compact policy. In practice, almost all third-party tracking cookies are allowed.2

Safari – First-party content has cookie permissions. Third-party content only has cookie permissions if the content already has at least one cookie set.

In short, the new Firefox policy is a slightly relaxed version of the Safari policy.3

Will the new Firefox policy break websites?

Collateral impact should be limited. Safari’s cookie policy has been in place for over a decade, and it is included in both the desktop and iOS versions of the browser. A few websites may require a tiny code change to accommodate Firefox in the same way as Safari.

Just to be sure, the Mozilla privacy team is closely monitoring the policy before final release. The patch will spend about 6 weeks each in the pre-alpha, alpha, and beta builds. If you spot any oddities, please report them to Mozilla support!

How can I test whether my website has cookie permissions?

Easy: try to set a cookie. This approach can introduce cookie permissions into both server-side and client-side code.

Browser sniffing is generally disfavored since it can be unreliable and requires updating. Moreover, sniffing will not accommodate Chrome and Internet Explorer users who have switched from the default cookie policy.

I operate a third-party website that uses cookies. What should I do?

If a Firefox user appears to have intentionally interacted with your content, take the same approach as for Safari users.4 Examples of content within this category include Facebook apps and comment widgets where a user has typed text.

If a user does not seem to have intentionally interacted with your content, or if you’re uncertain, you should ask for permission before setting cookies. Most analytics services, advertising networks, and unclicked social widgets would come within this category.

In sum, working around the policy’s technical limits may be reasonable in certain cases, but undermining the policy’s privacy purpose is never acceptable.

What happens to preexisting cookies?

The new policy does not make any special provision for preexisting cookies. Current Firefox users should clear their cookies to fully benefit from the new policy.5

What comes next for the Firefox cookie policy?

There’s still plenty of work to do. Some possible directions that I’m interested in:

  • Extending the cookie policy to other storage technologies (e.g. HTML5 Web Storage).
  • Providing a uniform mechanism for requesting storage permissions.
  • Relaxing the cookie policy for websites that honor Do Not Track.

Please share your ideas on the mailing list!

All views are solely my own. I do not speak for Mozilla.

This was my first contribution to the Firefox codebase. Huge thanks to Sid Stamm, Monica Chew, Brendan Eich, Asa Dotzler, Josh Matthews, Justin Dolske, Daniel Veditz, and many other members of the Mozilla community for their advice, guidance, and tolerance of my inexperience.

1. An origin is determined by public suffix + 1.  ↩

2. Many researchers have criticized Microsoft’s approach for being ineffective, convoluted, and relying on the de facto deprecated P3P standard. For background, see Token Attempt: The Misrepresentation of Website Privacy Policies Through the Misuse of P3P Compact Policy Tokens by Leon et al.  ↩

3. The difference is primarily owing to engineering convenience.  ↩

4. The most transparent practice is for you to redirect the user through your origin. You could also use a non-cookie storage technology, though alternatives may be limited by this policy in future.  ↩

5. Conventional wisdom in the web privacy community is that users clear their cookies every few months.  ↩