New Firefox Cookie Policy

Original author: Jonathan Mayer


Starting with release 22, Firefox's cookie policy will be more in line with user preferences. This short FAQ addresses some of the questions I have received from Mozilla supporters, web developers and users.

How does the new Firefox cookie policy work?


In short: only sites you have actually visited can set cookies.

In more detail: for the first-party site 1 (the site you are actually viewing), nothing changes. Third-party content gets cookie permission only if you have already visited that site and it has set at least one cookie.
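To make the rule concrete, here is an added example (not from the original post, and not Firefox's own implementation) that models the decision in JavaScript. It assumes a tiny constructed public-suffix table in place of the real Public Suffix List, and a simplified cookie jar keyed by host; the scenarios in `demo()` are the ones from the mailing-list questions translated at the end of this page.

```javascript
// Added example, not from the original post: a model of the Firefox 22
// third-party cookie rule. The public-suffix table is a constructed stand-in
// for the real Public Suffix List that Firefox consults.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);
// Registrable domain ("public suffix + 1"): api.socialnetwork.com -> socialnetwork.com
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return labels.join("."); // no known suffix: treat the whole host as the site
}
// Content is third-party when its site differs from the top-level page's site.
function isThirdParty(topHost, requestHost) {
  return registrableDomain(topHost) !== registrableDomain(requestHost);
}
// Firefox 22 rule: first-party content may always set cookies; third-party
// content only if its site already holds at least one cookie in the jar.
// jar: Map of host -> array of {name, value} (simplified: no Domain/Path attributes).
function cookieAllowed(topHost, requestHost, jar) {
  if (!isThirdParty(topHost, requestHost)) return true;
  const site = registrableDomain(requestHost);
  for (const [host, cookies] of jar) {
    if (cookies.length > 0 && registrableDomain(host) === site) return true;
  }
  return false;
}
// Apply a Set-Cookie from requestHost while topHost is the page being viewed.
// Returns true if stored, false if silently dropped (as the mailing-list answer says).
function setCookie(jar, topHost, requestHost, name, value) {
  if (!cookieAllowed(topHost, requestHost, jar)) return false;
  const list = jar.get(requestHost) || [];
  list.push({ name, value });
  jar.set(requestHost, list);
  return true;
}
// The scenarios from the mailing-list questions on this page, in order.
function demo() {
  const jar = new Map();
  return {
    widgetBeforeVisit: setCookie(jar, "www.randomblog.com", "api.socialnetwork.com", "sid", "1"),
    directVisit: setCookie(jar, "www.socialnetwork.com", "www.socialnetwork.com", "sid", "1"),
    apiOnOwnSite: setCookie(jar, "www.socialnetwork.com", "api.socialnetwork.com", "t", "x"),
    widgetAfterVisit: setCookie(jar, "www.randomblog.com", "api.socialnetwork.com", "sid", "2"),
  };
}
```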

How does the new Firefox policy compare to other major browsers?


Chrome - allows all cookies.

Internet Explorer - cookie permission is determined by the site's P3P policy. In practice, almost all third-party cookies are allowed 2.

Safari - first-party content (the site you are viewing; translator's note) has cookie permission. Third-party content has cookie permission only if you have visited that site and it has set at least one cookie.

In general, the new Firefox policy is a slightly simplified version of Safari's 3.

Will the new Firefox policy break sites?


Breakage should be limited. Safari's cookie policy has been in place for ten years, in both the desktop and iOS versions of the browser. Some sites may need minor code changes to work in Firefox the way they already do in Safari.

To be sure, the Mozilla privacy team will closely monitor how the policy behaves until the final release. The change will spend about six weeks in pre-alpha, alpha and beta builds. If you find any breakage, please report it to Mozilla Support!

How can I check whether my site has cookie permission?


Easy: try to set a cookie. This works for both server-side and client-side code.
Methods based on detecting the browser are generally undesirable: they are unreliable and need constant updating, and they ignore Chrome and Internet Explorer users who have changed the default policy.
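A client-side version of that check, as an added example (not code from the original post): it writes a probe cookie and trusts only whether the value reads back, since a denied write fails silently. `doc` is a parameter so the function can run against the real `document` in a page and against the constructed fake document below when run outside a browser.

```javascript
// Added example, not from the original post: check that a cookie can really
// be set, instead of sniffing the browser. Pass `document` in a page.
function canSetCookie(doc, name = "cookie_probe") {
  const value = String(Date.now());
  doc.cookie = name + "=" + value + "; path=/";
  // A disallowed write fails silently, so the only reliable signal is
  // whether the value reads back.
  const readBack = doc.cookie.split(";").some((c) => c.trim() === name + "=" + value);
  if (readBack) {
    // Remove the probe so it does not linger in the user's cookie jar.
    doc.cookie = name + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";
  }
  return readBack;
}
// Constructed stand-in for `document` (not a real DOM): stores name/value
// pairs and, when allowWrites is false, drops writes silently the way a
// denied third-party Set-Cookie does.
function fakeDocument(allowWrites) {
  const store = new Map();
  return {
    get cookie() {
      return [...store].map(([k, v]) => k + "=" + v).join("; ");
    },
    set cookie(s) {
      if (!allowWrites) return;
      const [pair, ...attrs] = s.split(";");
      const [k, v] = pair.split("=");
      // Simplification: any expires attribute is treated as a deletion.
      if (attrs.some((a) => a.trim().toLowerCase().startsWith("expires="))) store.delete(k);
      else store.set(k, v);
    },
  };
}
```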

I work on a third-party site that uses cookies. What should I do?


If a Firefox user interacts directly with your content, use the same approach as for Safari users 4. Examples of such content are Facebook apps and comment widgets, where the user types text.
If the user does not interact directly with your content, or you cannot be sure of that in advance, you should ask for permission before setting a cookie. Most analytics services, ad networks and non-interactive social widgets fall into this category.
In general, working around the policy's technical restrictions may be justified in some cases, but not in order to defeat its privacy intent.

What will happen to pre-existing cookies?


The new policy does nothing about existing cookies. Firefox users will need to clear their cookies to get the full benefit of the new policy 5.

What's next for Firefox's cookie policy?


There is still a lot of work to be done. Some areas I'm interested in:
  • Extending the cookie policy to other client-side storage technologies (e.g. HTML5 Web Storage).
  • Providing a unified mechanism for requesting storage permission.
  • Relaxing the policy for sites that honor Do Not Track.

Share your ideas on the mozilla.dev.privacy mailing list!


All of the above is my own point of view. I am not speaking for the entire Mozilla organization.
This was my first commit to Firefox code. Many thanks to the following people: Sid Stamm, Monica Chew, Brendan Eich, Asa Dotzler, Josh Matthews, Justin Dolske, Daniel Veditz and other members of the Mozilla community for their advice, guidance and patience with my inexperience.

Footnotes:
1. Defined as public suffix + 1.
2. Many have criticized Microsoft's approach as ineffective, complex and dependent on the de facto obsolete P3P standard. On this topic, see the paper by Leon et al. on the misrepresentation of website privacy policies through erroneous P3P compact-policy tokens.
3. The difference is mainly one of developer convenience.
4. The most acceptable approach is to redirect users through your own site. You can also use non-cookie storage technologies, though future policy will limit that alternative as well.
5. It makes sense to clear cookies every few months.

Update from the translator: you can already try the new behavior yourself in the pre-alpha build. The settings window with the new option looks like this. Selected translations from the mozilla.dev.privacy discussion:

Question: What counts as third-party content in this context? Is [any] iframe third-party content?
Answer: the same as for everything else. [Third-party content is] anything whose origin is not that of the parent document.

Question: How will the browser behave if content without permission attempts to set a cookie?
Answer: silent failure. An error message could be added to the console, but I'm not sure what to do. To the web server it will look as if the Set-Cookie header was lost in transit.

Question: Am I right in thinking that these changes will increase centralization around the large players in the targeting industry (Google / Yahoo / Facebook / etc.), which will become almost the only sites able to set cookies for nearly all users? With the associated interesting / ambiguous trade-offs (fewer players in the market, easier for the government to regulate them, etc.).
Jason
Answer: against any counter-measure, counter-counter-measures will always be taken, including the use of local storage (it can replace cookies, but the cookie settings do not apply to it), redirecting users to get around the restrictions, and what you described.
But does that mean we should never try partial solutions? I don't think so.

Question: At what level does the heuristic work? What I mean: I visited www.socialnetwork.com and then a cookie is set from api.socialnetwork.com. Will that work?
Answer: yes, under both the old and the new policy. Third-party sites are defined as public suffix + 1 (see mozIThirdPartyUtil).

Question: I visit www.randomblog.com, which has a "+100500" button from api.socialnetwork.com. Will it work even though I have never visited api.socialnetwork.com directly?
Answer: the button will be displayed and can be clicked as usual. But if the user has never visited socialnetwork.com or one of its subdomains (more precisely, has never received a cookie from socialnetwork.com or one of its subdomains), then the button will not be able to set a cookie.

Question: What about online banking, where sites embed third-party payment-processing content in an iframe? You never visit those third-party sites directly, yet they are essential for the user on an important site. I remember Safari: the last time I opened such a site in Safari, it reported that Safari is not supported [sad smiley]
Answer: I have not come across sites incompatible with Safari for many years, presumably because of the growing popularity of iOS devices. In any case, yes, services that use workarounds to support Safari will now need to use them for Firefox as well.
