More precisely: If content has a first-party origin,1 nothing changes. Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.
How does Firefox’s new policy compare to the other major browsers?
Chrome – Allows all cookies.
Safari – First-party content has cookie permissions. Third-party content only has cookie permissions if the content already has at least one cookie set.
In short, the new Firefox policy is a slightly relaxed version of the Safari policy.3
Will the new Firefox policy break websites?
Just to be sure, the Mozilla privacy team is closely monitoring the policy before final release. The patch will spend about 6 weeks each in the pre-alpha, alpha, and beta builds. If you spot any oddities, please report them to Mozilla support!
How can I test whether my website has cookie permissions?
Easy: try to set a cookie. This approach can introduce cookie permissions into both server-side and client-side code.
If a Firefox user appears to have intentionally interacted with your content, take the same approach as for Safari users.4 Examples of content within this category include Facebook apps and comment widgets where a user has typed text.
If a user does not seem to have intentionally interacted with your content, or if you’re uncertain, you should ask for permission before setting cookies. Most analytics services, advertising networks, and unclicked social widgets would come within this category.
In sum, working around the policy’s technical limits may be reasonable in certain cases, but undermining the policy’s privacy purpose is never acceptable.
What happens to preexisting cookies?
The new policy does not make any special provision for preexisting cookies. Current Firefox users should clear their cookies to fully benefit from the new policy.5
There’s still plenty of work to do. Some possible directions that I’m interested in:
- Providing a uniform mechanism for requesting storage permissions.
Please share your ideas on the mozilla.dev.privacy mailing list!
All views are solely my own. I do not speak for Mozilla.
This was my first contribution to the Firefox codebase. Huge thanks to Sid Stamm, Monica Chew, Brendan Eich, Asa Dotzler, Josh Matthews, Justin Dolske, Daniel Veditz, and many other members of the Mozilla community for their advice, guidance, and tolerance of my inexperience.