
Mozilla Delays Default Third-Party Cookie Blocking In Firefox

Soulskill posted about a year and a half ago | from the even-foxes-like-cookies dept.


hypnosec writes "Mozilla is not going ahead with its plans to block third-party cookies by default in the Beta version of its upcoming Firefox 22. Mozilla needs more time to analyze the outcome of blocking these cookies. The non-profit organization released Firefox Aurora on April 5 with a patch by Jonathan Mayer built into it which would only allow cookies from those websites which the user has visited. The patch would block the ones from sites which hadn't been visited yet. The reason for Mozilla's change in plans is that they're currently looking into 'false positives.' If a user visits one part of a group of sites, cookies from that part will be allowed, but cookies from related sites in the group may be blocked, and they're worried it will create a poor user experience. On the other side of the coin, there are 'false negatives.' Just because a user may have visited a particular site doesn't mean she is comfortable with the idea of being tracked."
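A model of the cookie policies under discussion, added here as an example (it is not Mozilla's or Jonathan Mayer's code). It follows the summary's description of the patch and reproduces the 'false positive' and 'false negative' cases; the suffix list, host names, `Profile` class and function names are constructed for illustration.

```javascript
// Constructed, deliberately tiny stand-in for the Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(['example', 'com', 'org', 'co.uk']);

// Registrable domain ("site") of a host: longest matching public suffix plus one label.
function siteOf(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null; // suffix not in the list: treat the site as unknown
}

const Policy = Object.freeze({
  ACCEPT_ALL: 'accept-all',
  BLOCK_THIRD_PARTY: 'block-third-party',
  VISITED_ONLY: 'visited-only', // the behaviour the summary attributes to the patch
});

// Browsing history modelled as the set of sites opened as a top-level page.
class Profile {
  constructor() { this.visited = new Set(); }
  visit(host) {
    const site = siteOf(host);
    if (site) this.visited.add(site);
    return this;
  }
}

// Decide whether a request to requestHost, made from a page whose address-bar
// host is topLevelHost, may set or send cookies.
function cookieDecision(policy, profile, topLevelHost, requestHost) {
  const topSite = siteOf(topLevelHost);
  const reqSite = siteOf(requestHost);
  if (!topSite || !reqSite) return { allow: false, reason: 'unknown-site' };
  // Subdomains of the address-bar site are first-party under every policy.
  if (topSite === reqSite) return { allow: true, reason: 'first-party' };
  switch (policy) {
    case Policy.ACCEPT_ALL:
      return { allow: true, reason: 'third-party-accepted' };
    case Policy.BLOCK_THIRD_PARTY:
      return { allow: false, reason: 'third-party-blocked' };
    case Policy.VISITED_ONLY:
      return profile.visited.has(reqSite)
        ? { allow: true, reason: 'third-party-visited' }
        : { allow: false, reason: 'third-party-unvisited' };
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

function demo() {
  // Constructed history: the user opened a shop and, once, a social network.
  const user = new Profile().visit('www.shop.example').visit('social.example');
  const check = (top, req) => cookieDecision(Policy.VISITED_ONLY, user, top, req);
  return {
    // Same site, different subdomain: not third-party at all.
    subdomain: check('www.shop.example', 'img.shop.example'),
    // Related site in the same group, never opened directly: blocked (false positive).
    falsePositive: check('www.shop.example', 'login.shop-accounts.example'),
    // Widget from a site visited once, embedded elsewhere: allowed (false negative).
    falseNegative: check('news.example', 'widgets.social.example'),
    // Embedded site the user never opened: blocked, as intended.
    unvisitedTracker: check('news.example', 'ads.tracker.example'),
  };
}

console.log(demo());
```

A real implementation needs the full Public Suffix List; with a naive "last two labels" rule, unrelated sites under a suffix such as `co.uk` would be treated as one first party.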


Ummmm.. (1, Redundant)

click2005 (921437) | about a year and a half ago | (#43752477)

I found that usually the rest of the 'group' of sites usually host static images and other media so there's usually no reason these sites even need cookies.

Re:Ummmm.. (0)

Anonymous Coward | about a year and a half ago | (#43752543)

What about services like Google, where you can sign into YouTube?

Re:Ummmm.. (5, Insightful)

bazmail (764941) | about a year and a half ago | (#43752741)

Blocking third party cookies will not break cross site logins like Google have implemented between google.com and YouTube, as they use the redirect method. Sign into google and watch the address bar. They redirect to YouTube passing a one-time sign-in code in the query string. It has nothing to do with 3rd party cookies as the only cookies you get are from the sites in your address bar.

The only thing 3rd party cookies are useful for is tracking you. Anyone who says otherwise makes their living out of stripping you of your privacy.

Re:Ummmm.. (2)

Oo.et.oO (6530) | about a year and a half ago | (#43753009)

not for sites that use 3rd party commenting systems, et al. discus

i'm not saying i like this implementation, but surely this firefox feature will break this. i see it all the time using cookie monster plugin

Re:Ummmm.. (1)

Oo.et.oO (6530) | about a year and a half ago | (#43753063)

that should say "disqus"

Re:Ummmm.. (0)

Anonymous Coward | about a year and a half ago | (#43753555)

...and should not say "et al." :)

Re:Ummmm.. (1)

noh8rz10 (2716597) | about a year and a half ago | (#43758749)

google has already shown in its Safari hack that it will bypass any restrictions in place to protect user privacy.

Re:Ummmm.. (1)

bazmail (764941) | about a year and a half ago | (#43753171)

If you base your business model on iframes you're kind of asking for trouble.

Re:Ummmm.. (1)

TheDarkMaster (1292526) | about a year and a half ago | (#43755763)

Depends. Iframes are useful for me, when I need to put page "A" inside page "B" (both from the same site/server) without one interfering with another (for example, be able to use forms on both pages)

Re:Ummmm.. (1)

MobyDisk (75490) | about a year and a half ago | (#43753249)

Those sites just aren't doing it properly. By comparison, OpenID works fine without 3rd-party cookies. So do other commercial Single Sign On (SSO) solutions.

Re:Ummmm.. (3, Interesting)

Runaway1956 (1322357) | about a year and a half ago | (#43754425)

I block third party cookies. What happens when I land on a page that uses Disqus? I have to coax the browser to log me in to Disqus. And - that is just the way I want things to be. Disqus doesn't need to know where I browse, or what I'm reading, unless and until I CHOOSE to summon Disqus.

Children, if you're going to dabble in the arcane arts, you must learn to control those demons - or you will find that the demons control YOU!

Re:Ummmm.. (0)

Anonymous Coward | about a year and a half ago | (#43757563)

Considering Disqus requires javascript to merely *show* the comments, I'd say it has much worse problems than third party cookies in the first place.

Re:Ummmm.. (1)

elfprince13 (1521333) | about a year and a half ago | (#43753465)

oddly enough, I'm pretty sure it will break for Slashdot subdomains.

Re:Ummmm.. (1)

cheater512 (783349) | about a year and a half ago | (#43757317)

Subdomains are not affected. They are first party cookies not third party.

Re:Ummmm.. (1)

IamTheRealMike (537420) | about a year and a half ago | (#43758567)

The only thing 3rd party cookies are useful for is tracking you. Anyone who says otherwise makes their living out of stripping you of your privacy.

Reading fail! The summary itself says the policy is being delayed because of false positives, ie, things that they are blocking that are causing users to complain.

This is exactly what happened with Safari. Somebody decides that "privacy" can be viewed exclusively through the lens of particular technologies, that advertising is bad and they will "save the users" from targeted advertising that's wrecking the web (or relevant advertising that funds the web, depending on your perspective). Then they discover that 3rd party cookies are not exclusively used for advertising, and start punching holes in the policy, until it gets to the point where any site that wants to can set a third party cookie by writing their code in a different way. Then some company offers their users a feature they can opt in to that requires third party cookies, so the documented workarounds for the blocking policy are used to make it work, then there's a big media story about how said company is "working around privacy protections".

For example, this happened with Facebook and Safari. The Safari guys got bug reports that their users were being randomly logged out of Facebook but not when other browsers were used. After a long time, they tracked it down to third party cookie blocking interacting badly with the Like button, which is the sort of thing that uses them. So they added yet another heuristic to try and distinguish "good" stuff such as Like buttons from "bad" stuff such as adverts, and ended up making the policy so weak it could even be triggered by accident!

Re:Ummmm.. (1)

gl4ss (559668) | about a year and a half ago | (#43754105)

What about services like Google, where you can sign into YouTube?

that would be pretty great, if it isolated the cookies so that you would have different login for youtube..
and different login for google.com from gmail. it would be sweeeeeeeeeeeeeet. because google is shit poor guessing which account I want to use, if I want finnish localization or not and so forth.

Re:Ummmm.. (1)

robmv (855035) | about a year and a half ago | (#43753467)

Not always, some sites put user content on other domains. For example if those cookies are blocked you will not be able to download file attachments from Gmail

Re:Ummmm.. (1)

squiggleslash (241428) | about a year and a half ago | (#43753469)

Third party cookies are why systems like Disqus work.

Re:Ummmm.. (2)

Bill_the_Engineer (772575) | about a year and a half ago | (#43754311)

And blocking it is a bad thing?

Re:Ummmm.. (1)

squiggleslash (241428) | about a year and a half ago | (#43756479)

I'd say yes, it's a bad thing. But then I like commenting on articles occasionally.

Re:Ummmm.. (1)

bancho (621456) | about a year and a half ago | (#43754569)

...and nothing of value was lost.

Re:Ummmm.. (1)

xelah (176252) | about a year and a half ago | (#43753759)

Sometimes those sites might access an API by talking to a single shared API endpoint for the group, which might then not work well at all. It's possible to make it work (with proxies, or by not using cookies at the cost of making your site annoyingly forgetful for a user, or by using some JS to fetch the cookie value over the API and store it as a first-party cookie then pass it to each API call as a parameter), but there must be existing sites that weren't written with this in mind. They'll probably be broken already with Safari, though

Re:Ummmm.. (0)

Anonymous Coward | about a year and a half ago | (#43754003)

I have personally seen New York State Department of X sites that require IE version 8 or 7 (not 9 or 10) that require ActiveX, Desktop Java, and 3rd party tracking cookies to function correctly. The problem is lazy developers. I have built sites 10 years ago that still function perfectly today without any 3rd party anything and they are not tied to a specific technology on the client side. They even work on mobiles. The only pitfalls have been browser detection to correct for the infamous IE 6 and IE 7 CSS "standards" that Microsoft invented.

Re: Ummmm.. (0)

Anonymous Coward | about a year and a half ago | (#43754051)

Usually doesn't cut it when dealing with privacy.

Re: Ummmm.. (0)

Anonymous Coward | about a year and a half ago | (#43754101)

Usually, almost or perhaps does not cut it when dealing with privacy.

Re:Ummmm.. (1)

noh8rz10 (2716597) | about a year and a half ago | (#43758741)

I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.

ahh, but you will be modded... modded DOWN, that is!

They can do more (1)

Anonymous Coward | about a year and a half ago | (#43752529)

They should just install the ghostery plugin by default.

Re:They can do more (0)

Anonymous Coward | about a year and a half ago | (#43757593)

Or integrate it into the browser directly rather than making it a plug-in.

No issue. (5, Insightful)

magic maverick (2615475) | about a year and a half ago | (#43752567)

I have third-party cookies (indeed, all cookies, except those from domains specifically whitelisted) blocked. I've never noticed a problem with blocking third-party cookies. I have a heck of a lot more issues with third-party JavaScript (people using Google-hosted or similar JQuery for example).

So, Firefox, take note, there are not going to be any problems for the vast majority of people.

(I use CookieMonster, it works real nice like.)

Re:No issue. (5, Insightful)

rudy_wayne (414635) | about a year and a half ago | (#43752943)

I have third-party cookies (indeed, all cookies, except those from domains specifically whitelisted) blocked. I've never noticed a problem with blocking third-party cookies. I have a heck of a lot more issues with third-party JavaScript (people using Google-hosted or similar JQuery for example).

So, Firefox, take note, there are not going to be any problems for the vast majority of people.

I find it laughable that one of Mozilla's excuses for not doing this is "they're worried it will create a poor user experience". Over the last few years Mozilla has made a number of changes to Firefox that were met with user complaints, and continue to be a source of user complaints and the developers' response is always a resounding "fuck you".

As far as cookies go, don't forget that Mozilla currently gets $300 Million a year from Google, whose entire gazillion-dollar-a-year business model is based on tracking people.

Re:No issue. (0)

Anonymous Coward | about a year and a half ago | (#43753543)

Meanwhile, Safari has been blocking 3rd party cookies by default for years. (And google has been caught trying to circumvent that).

Re:No issue. (1)

IamTheRealMike (537420) | about a year and a half ago | (#43758595)

No, it hasn't been blocking third party cookies for years. This is the core of why such policies are a bad idea. It says it blocks third party cookies, but there are actually lots of exceptions [webkit.org] to that rule in order to avoid as the summary says "false positives". You can read about what really happened with Google on Lauren Weinstein's blog [vortex.com] , it's very different to how you paint it (there was no "trying to circumvent" involved).

Re:No issue. (1)

Oo.et.oO (6530) | about a year and a half ago | (#43753043)

so you have exactly the same usage as "the vast majority" of people?

Re:No issue. (1)

Inf0phreak (627499) | about a year and a half ago | (#43753461)

The worst kind of 3rd party javascript is the stuff from *.cloudfront.net, where * appears able to be any random string. It (and amazon web services) are the bane of trying to keep a neat whitelist of domains for NoScript.

Re:No issue. (0)

Anonymous Coward | about a year and a half ago | (#43753687)

This is why you should run version 1.x of RequestPolicy. It has wildcards, and it is not limited to JavaScript.

Of course you still need NoScript since it does so much more, and since you might only want JavaScript on a couple of the sites you visit. Nevertheless, I can live with JavaScript enabled a great deal more than having third party content messing up the sites I browse.

The next step, for me, is to host a copy of the javascripts from ajax.googleapis.com (and possibly gstatic.com) that everyone seems to love on my own server, which I then add to the hosts files of the computers I use.

Re:No issue. (0)

Anonymous Coward | about a year and a half ago | (#43754041)

I have all images, style sheets and embeds blocked. I've never noticed a single problem with surfing like it's 1995. :P

Not saying there is one. Just saying: You are aware that there is a difference between what you noticed and what there actually is.

Who knows what you missed out on but never knew existed?
Like tons of blinking full-screen Flash advertisements with sound that contain your Facebook fiends and the size of your penis in comparison unless you click the silly monkey five times.. ;))

Re:No issue. (0)

Anonymous Coward | about a year and a half ago | (#43756831)

Firefox devs are still refusing to honor jpg EXIF flag for rotating images on the ground it will break the internet. Crazy conservative.

I block 3rd party cookies by default (3, Interesting)

Anonymous Coward | about a year and a half ago | (#43752621)

The only thing I notice is I can't comment on Disqus (a 3rd party site that handles comments on some blogs). I don't care about it, block them.

Firefox should focus on privacy, it's their USP. Google for example, doesn't let you accept cookies for the 'session only', you accept them or not on their Android browser. At some point you have to accept cookies, so this is a fake choice, you'll end up with that feature always on because it's too much fuss to turn it on when it's needed.

Firefox 'accept cookies for session only' option is my default, it lets me work on sites that use cookies, but throws them away when I close the browser.

Things like this are why I use Firefox.

Re:I block 3rd party cookies by default (1)

Oo.et.oO (6530) | about a year and a half ago | (#43753103)

a "session cookie" is literally a different type of cookie as sent from the server.
aka "transient cookies"
they are typically to follow you around that "session" on the website. not the session in the browser.
but yes, the browsers happen to trash them when you exit. but if you run out of cookie memory, they'll page them out or scrap the old ones entirely.

Re:I block 3rd party cookies by default (1)

Agent ME (1411269) | about a year and a half ago | (#43753979)

Firefox has the ability to treat all cookies as session cookies. It's a useful feature.

Re:I block 3rd party cookies by default (2)

flimflammer (956759) | about a year and a half ago | (#43755325)

The problem Mozilla finds itself in now is that since a large number of people use it, it's harder to make such changes. You might think this is a no brainer, but people who use Disqus or other services which are built around third party cookies, of which there are many, might disagree with their page or sites they visit breaking and either not knowing the cause, or not being knowledgeable enough to fix it.

This wasn't such a problem when using Firefox was more of a techie thing. Now they need to tread lightly. It'll happen; they just need to consider what happens to the users who are affected negatively by this.

Re:I block 3rd party cookies by default (1)

wvmarle (1070040) | about a year and a half ago | (#43759729)

The easy way out of that is to include a default white list. Which of course should be open and configurable (add/remove sites from whitelist; disable whitelist completely).

I have been blocking third-party cookies since I found out Mozilla (yes, back then) allowed me to do so. And when switching to Firefox when it became useful I did the same. Never had any problems with it.

Enable it already! (1)

Anonymous Coward | about a year and a half ago | (#43752709)

Mozilla should enable it, poorly designed websites need to get in line and clean up their messy cross linking stuff.

Then again I'm an old fart who misses the 90s world wide web with its simple and direct approach without java and flash.

Re:Enable it already! (1)

telchine (719345) | about a year and a half ago | (#43753213)

Then again I'm an old fart who misses the 90s world wide web with its simple and direct approach without java and flash.

You're talking about 1992-1995 then?

The web was so small then that it'd probably fit on a modern desktop hard drive!

Re:Enable it already! (1)

Arker (91948) | about a year and a half ago | (#43756335)

It was all information then. Nowadays it's a lot bulkier but 98% of it is crap. There may be as much useful information on it but it's a lot harder to find it when every search brings up millions of pages of bullshit. And the 'improvements' in the search engines have been quite negative on balance as well.

Re:Enable it already! (1)

timmyf2371 (586051) | about a year and a half ago | (#43758859)

As someone who experienced the web in the early 90s and has continued to use it since, I prefer today's version.

If someone wants to see the 98% of crap, they can easily watch their cat videos. I personally find it easy enough to drown out the noise.

I've been blocking 3P cookies for years (5, Insightful)

KeithH (15061) | about a year and a half ago | (#43752719)

and have never noticed a problem. This has always struck me as a no-brainer and it's annoyed the hell out of me that I have to modify the setting on every platform for each of my five family members.

I can't wait for them to change the default behaviour and I'll be very interested to see if they uncover any side effects that could conceivably be considered undesirable by the user.

My biggest worry is what the websites might do to circumvent the change.

Re:I've been blocking 3P cookies for years (1)

Errol backfiring (1280012) | about a year and a half ago | (#43752955)

Agreed. Allowing 3rd party cookies is just a security bug. It is just like all other cross-site attacks: sensitive data can be leaked to sites that the user did NOT want to visit or leak his info to. Thank goodness there are extensions to work around this bug.

Re:I've been blocking 3P cookies for years (1)

Anonymous Coward | about a year and a half ago | (#43753795)

Don't worry, we still track people who don't clear history through the use of 1x1 pixel images, display:none anchors, and javascript checking the visited property, and server side analysis of whether or not your browser has cached dynamically generated names.

A bit of jquery doing some XHR & a binary search on :visited goes a long way to getting and setting unique id's.

(block those third party javascripts...)

Re:I've been blocking 3P cookies for years (1)

TubeSteak (669689) | about a year and a half ago | (#43753061)

My biggest worry is what the websites might do to circumvent the change.

Flash cookies have the potential for great evil.

Re:I've been blocking 3P cookies for years (0)

Anonymous Coward | about a year and a half ago | (#43753151)

My biggest worry is what the websites might do to circumvent the change.

Send the tracking data between the servers instead, probably. The only reason they haven't started doing that already is that bandwidth costs money and it's cheaper for them if the client handles its own tracking, as long as most people don't have third-party cookies and other tracking techniques disabled.

Re:I've been blocking 3P cookies for years (0)

Anonymous Coward | about a year and a half ago | (#43753333)

Ditto - mod parent up

Been doing it for years, never had any issues.

Re:I've been blocking 3P cookies for years (0)

Anonymous Coward | about a year and a half ago | (#43754801)

If you've never noticed a problem, then you've obviously never tried to buy more minutes on a T-Mobile prepaid plan. They redirect you to a 3rd party, so I have to enable 3rd party cookies once/year. :/

Bullshit (3, Interesting)

fustakrakich (1673220) | about a year and a half ago | (#43752753)

They caved to pressure from advertisers

Re:Bullshit (0)

Anonymous Coward | about a year and a half ago | (#43753221)

You mean the guys who fund the development?

Re:Bullshit (1)

fustakrakich (1673220) | about a year and a half ago | (#43755901)

Actually they pay for product placement, though I'll grant that the developers can skim a little off the top.

Alternative approach (0)

Anonymous Coward | about a year and a half ago | (#43752791)

Rather than block third party cookies, what about limiting their persistence to the end of the browsing session?

Mozilla should also present the user with the option of Do Not Track on first time installations.

Partial remedy (0)

Anonymous Coward | about a year and a half ago | (#43752795)

Divide the option into two: one for subdomains (allow by default) and the rest (block by default).

Re:Partial remedy (0)

Anonymous Coward | about a year and a half ago | (#43752877)

You forgot an option for persist until I close my browser for either option.

An example would be, third party cookies allowed until I close my browser, whilst first party cookies could persist forever if I wanted.

But I do agree with your point about splitting the definition of 'third party' into subdomains and off site domains with the latter being blocked with impunity to the browsing experience (in theory)

Um ... (0)

andreev (1998552) | about a year and a half ago | (#43752925)

Why is the user a she?

Re:Um ... (0)

Deltaspectre (796409) | about a year and a half ago | (#43752975)

Why not?

Re:Um ... (1)

andreev (1998552) | about a year and a half ago | (#43753029)

Why not?

'Cause I for one am not a she, it should've been 'they'.

Re:Um ... (1)

rudy_wayne (414635) | about a year and a half ago | (#43753275)

Why not?

'Cause I for one am not a she, it should've been 'they'.

Because there are no women on the Internet. Only men pretending to be women. Everyone knows that.

Re:Um ... (1)

jader3rd (2222716) | about a year and a half ago | (#43754143)

Because there are no women on the Internet. Only men pretending to be women.

That may have been true, up until the advent of Pinterest.

Re:Um ... (0)

Anonymous Coward | about a year and a half ago | (#43753521)

The hypothetical person used in the example is neither you, nor multiple people. "She" is fine.

Re:Um ... (2)

neminem (561346) | about a year and a half ago | (#43754237)

I'd give you mod points if I had them: +1 for singular they. Using a gendered word for a person of unknown gender is dumb, and singular they is a perfectly reasonable workaround.

Re:Um ... (0)

Anonymous Coward | about a year and a half ago | (#43753005)

She author perhaps?

Re:Um ... (0)

Anonymous Coward | about a year and a half ago | (#43753069)

Why not?

Hasn't been a problem for me (4, Insightful)

IntermodalAgain (2926007) | about a year and a half ago | (#43753127)

I've been managing my cookies with extensions for years. Even most first-party sites have no business leaving cookies and are seldom a problem. I look forward to this becoming standard.

Disqus is the problem (5, Insightful)

MobyDisk (75490) | about a year and a half ago | (#43753295)

There is one very large product that relies on 3rd-party cookies: Disqus. It is used by a lot of popular sites such as Thingiverse and StackOverflow. Disqus simply needs to fix the problem. There is actually a discussion on StackOverflow about this: http://meta.stackoverflow.com/questions/126764/why-does-registration-require-third-party-cookies-to-be-enabled [stackoverflow.com]

The last time I looked at it it claimed the problem was fixed, but I just now tried to register and it says this:

Third Party Cookies Appear To Be Disabled
This site depends on third-party cookies, please add an exception for https://openid.stackexchange.com/ [stackexchange.com] .

Re:Disqus is the problem (1)

squiggleslash (241428) | about a year and a half ago | (#43753559)

How is Disqus supposed to fix the problem? The entire selling point of Disqus is that it's a single-login discussion system that can be added to any website without any need for server support. Just add the Javascript to the page and bingo, you have a discussion system.

Without "third party cookies", Disqus has no way to provide anything resembling a single login or respect for your own preferences. About the nearest thing I can think of is that it could pop-up a new window whenever you want to respond to a comment, but given that would, by itself, be broken by a kajillion different pop-up blockers, I wouldn't describe that as an improvement.

Re:Disqus is the problem (0)

Anonymous Coward | about a year and a half ago | (#43753789)

I was under the impression that webmasters could enable third party cookies using Cross Origin Resource Sharing (CORS). They simply need to put something like "Access-Control-Allow-Origin: http://www.disqus.com" in their HTTP headers.

Re:Disqus is the problem (0)

Anonymous Coward | about a year and a half ago | (#43754395)

Access-Control-Allow-Origin: http://google.com

Re:Disqus is the problem (0)

Anonymous Coward | about a year and a half ago | (#43753839)

Relying on the user to have configured their browser a certain way in order to use your service sounds like a fundamental flaw in design. It's fine if you have some control over the client (e.g. in SOEs) but on the public internet it's a bad idea. Particularly if such requirements underpin one's entire business model.

Granted, most web sites these days do this by expecting javascript to be enabled. It's poor design but there's not much that can be done due to the sheer number of sites that simply don't work at all without it. Ironically, the StackExchange group of sites is one set of sites designed specifically to provide a good non-javascript experience.

The browser is under the control of the user. Web programmers seem to have forgotten that - although at least we don't have arrogant webmasters demanding we alter the resolutions of our screens to suit their web site anymore.

Re:Disqus is the problem (2)

MightyYar (622222) | about a year and a half ago | (#43753873)

I'm sure that I'm naive, but can't they just run a little script that detects the cookie, and if not found asks the user to click a link to enable comments? Then the user would have visited the site (Disqus) and the Firefox block would be removed forever forward.

Re:Disqus is the problem (2)

gl4ss (559668) | about a year and a half ago | (#43754137)

...by providing a login button that does the redirect dance back and forth.

that's how such system would have been meant to be used in the first place. of course they wouldn't get random visitor tracking as their business model that way but meh, those are the breaks.

Re:Disqus is the problem (1)

squiggleslash (241428) | about a year and a half ago | (#43756439)

You're going to have to go into more detail. At the very least:

1. Explain how having to reload the page (Jump to Disqus and then bounce back) is going to be positive for the user's experience. I certainly don't see how it would be remotely positive.

2. How is this going to work without the host installing something on their server? As I said, a selling point of Disqus is that it doesn't need anything on the hosts' server at all, just some boiler plate HTML that inserts the Disqus Javascript script.

I don't see your solution as being "How they should have done it all along". It's inefficient, kludgy, and fails the ease-of-installation test.

Re:Disqus is the problem (2)

gl4ss (559668) | about a year and a half ago | (#43758715)

You're going to have to go into more detail. At the very least:

1. Explain how having to reload the page (Jump to Disqus and then bounce back) is going to be positive for the user's experience. I certainly don't see how it would be remotely positive.

2. How is this going to work without the host installing something on their server? As I said, a selling point of Disqus is that it doesn't need anything on the hosts' server at all, just some boiler plate HTML that inserts the Disqus Javascript script.

I don't see your solution as being "How they should have done it all along". It's inefficient, kludgy, and fails the ease-of-installation test.

the solution can entirely be javascript included in the page source, mostly as it is. the only thing that would break with breaking of cross site cookies/storage would be that you wouldn't be already logged in when you go to another disqus enabled site.

though, admittedly, I viewed it as a bonus that the login is intrusive and the user has to visit the site of the service he's authenticating to. think of it as one-click-sign-on instead of already logged in when you go to a new site single-sign-on.. the page could be redirected automatically to go through disqus and back of course causing slight inconvenience.

they would still have cross site tracking of everyone who logged in - moved the tracking information from disqus domain to the domain of the site, that's what the login is - and yes this does not need anything running on the server just javascript on the page that gets the data and saves it in cookie or localstorage on return from the login.

mainly the point was the disqus wouldn't _totally_ break from breaking 3rd party cookies.
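The redirect sign-in that bazmail and gl4ss describe in this thread, with both sides of the exchange, as an added example (not part of any comment, and not Google's or Disqus's code). The class names, the `.example` origins, the 60-second code lifetime and the cookie attributes are assumptions.

```javascript
const CODE_TTL_MS = 60 * 1000; // assumed lifetime of a one-time sign-in code

// 128 random bits as hex, from Web Crypto where present, else Node's crypto module.
function randomToken() {
  const bytes = new Uint8Array(16);
  if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === 'function') {
    globalThis.crypto.getRandomValues(bytes);
  } else {
    require('node:crypto').randomFillSync(bytes);
  }
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// The site where the user is already signed in (first-party session there).
class IdentityProvider {
  constructor(clock = () => Date.now()) {
    this.clock = clock;
    this.callbacks = new Map(); // relying origin -> registered callback URL
    this.codes = new Map();     // code -> { user, audience, expires }
  }

  register(origin, callbackUrl) { this.callbacks.set(origin, callbackUrl); }

  // Step 1: build the top-level redirect that carries the code in the query string.
  redirectFor(user, relyingOrigin) {
    const callback = this.callbacks.get(relyingOrigin);
    if (!callback) throw new Error('unregistered relying site');
    const code = randomToken();
    this.codes.set(code, {
      user,
      audience: relyingOrigin,
      expires: this.clock() + CODE_TTL_MS,
    });
    const url = new URL(callback);
    url.searchParams.set('code', code);
    return url.toString();
  }

  // Step 3: back-channel call from the relying site's server.
  redeem(code, relyingOrigin) {
    const entry = this.codes.get(code);
    this.codes.delete(code); // single use: burned even when a later check fails
    if (!entry) return null;
    if (entry.audience !== relyingOrigin) return null; // issued for another site
    if (this.clock() > entry.expires) return null;
    return entry.user;
  }
}

// The site the browser is redirected to; it appears in the address bar.
class RelyingSite {
  constructor(origin, idp) {
    this.origin = origin;
    this.idp = idp;
    this.sessions = new Map(); // session id -> user
  }

  // Step 2: the browser lands here as a top-level navigation, so the cookie
  // set in the response is a first-party cookie.
  handleCallback(requestUrl) {
    const url = new URL(requestUrl);
    if (url.origin !== this.origin) return { status: 400 };
    const user = this.idp.redeem(url.searchParams.get('code') || '', this.origin);
    if (!user) return { status: 403 };
    const sid = randomToken();
    this.sessions.set(sid, user);
    return {
      status: 302,
      location: this.origin + '/', // drop the code from the address bar and Referer
      setCookie: `sid=${sid}; Path=/; Secure; HttpOnly; SameSite=Lax`,
      user,
    };
  }
}

function signInDemo() {
  const idp = new IdentityProvider();
  idp.register('https://video.example', 'https://video.example/sso/callback');
  const site = new RelyingSite('https://video.example', idp);
  const redirect = idp.redirectFor('alice', 'https://video.example');
  const first = site.handleCallback(redirect);
  const replay = site.handleCallback(redirect); // same URL reused, e.g. from history
  return { firstStatus: first.status, user: first.user, replayStatus: replay.status };
}

console.log(signInDemo());
```

The code is bound to one relying site, expires quickly and is deleted on first use, so a URL recovered from history, logs or a Referer header cannot be redeemed again.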

Re:Disqus is the problem (0)

Anonymous Coward | about a year and a half ago | (#43754349)

How is Disqus supposed to fix the problem?

By dying in a fucking fire. They *are* the problem.

Re:Disqus is the problem (0)

Anonymous Coward | about a year and a half ago | (#43755853)

No, they are not a problem. They are facing one, and you are an idiot.

Re:Disqus is the problem (1)

MobyDisk (75490) | about a year and a half ago | (#43754421)

As far as I know, this problem is not intrinsic to the design of OpenID itself. It is designed to use redirections to basically pass data back and forth between the OpenID provider and the web site. I don't think other OpenID implementations have this problem. I don't know enough details about OpenID to describe exactly how, but I think the answer comes down to "follow the specification" and "do what other sites do."

Re:Disqus is the problem (4, Interesting)

Luthair (847766) | about a year and a half ago | (#43753761)

Really, who cares about Disqus? I immediately added a filter for them to adblock when I noticed a suggested thread 'Soandsos baby mama' on the AngularJS API docs.

Anyone the least bit privacy conscious should be blocking Disqus along with G+, Facebook, Twitter, etc. on their party sites.

Re:Disqus is the problem (2)

EXTomar (78739) | about a year and a half ago | (#43755595)

Disqus is only an example but the point is that there are "third party web components" that will be affected by a platform wide block. For cases like this it is good to give legitimate component software a "transitional grace period" to move away from the deprecated behavior before locking it out from modern versions onward.

I view control over "third party sources" in web content as a serious security issue but I also admit that I don't know the full ramifications of an outright ban either where taking the grace period to do some metrics is probably a good idea. What I would like Mozilla to do is allow it in Firefox 22 but expose it as an option under Options/Advanced so it can be toggled with removing the option and enabling it later.

Re:Disqus is the problem (0)

Anonymous Coward | about a year and a half ago | (#43756391)

If you're THAT paranoid, get off the Internet.

Re:Disqus is the problem (0)

Anonymous Coward | about a year and a half ago | (#43760173)

The Ghostery add-on for Firefox automatically blocks Disqus.

Re:Disqus is the problem (0)

Anonymous Coward | about a year and a half ago | (#43754671)

document.createElement('iframe');

Firewho? (0)

Anonymous Coward | about a year and a half ago | (#43753617)

Who?

TLS vee1.1 and 1.2 (1)

WaffleMonster (969671) | about a year and a half ago | (#43754805)

Now that you're delaying third party cookies hows about using the extra time to add support for new versions of TLS? Why is IE the only browser supporting TLS v1.1 and 1.2? Even Chrome supports 1.1 and it uses NSS too.

We are still dealing with a few lazy Nessus wielding compliance jackasses invoking BEAST to get EVERYONE to use broken RC4 ciphers because a few users still have not updated their browsers to fix a known problem solved over a decade ago.

It would be nice to one day be in a position to start to get everyone off TLS 1.0.

Re:TLS vee1.1 and 1.2 (0)

Anonymous Coward | about a year and a half ago | (#43755887)

Safari 6.0 on iOS and Mountain Lion also supports TLS 1.1 and 1.2, and unlike MSIE, they support them by default.

Re:TLS vee1.1 and 1.2 (0)

Anonymous Coward | about a year and a half ago | (#43756139)

Safari 6.0 on iOS and Mountain Lion also supports TLS 1.1 and 1.2, and unlike MSIE, they support them by default.

Apple is the only reason this is still an issue. OSX = not fixed, IOS = not fixed. Apple = Fail.

Are they really that bad? (2)

roosauce (2652911) | about a year and a half ago | (#43754955)

I've been in digital advertising for over 14 years, and have always been involved in tracking / targeting of ads. I don't bother to block cookies, simply because I honestly don't see much privacy infringement. At the back end of our tracking systems I just see a bunch of numbers. I've never once seen a name and honestly I have no desire to target or track an individual ... there's no money in such a tight target group, but we purposely don't try in any case.

All this Mozilla change means to me is that a lack of data will mean I pay web publishers less ... and I deliver nappy ads to pensioners :P

What worries this little advertising stalwart is credit checking firms, they're much more likely to have the data you're looking to protect and none of it comes from third party cookies.

Peace out ...

Re:Are they really that bad? (1)

csumpi (2258986) | about a year and a half ago | (#43755619)

Yes. I mean no, much worse than that.

From the cookie monster himself (1)

montulli (658308) | about a year and a half ago | (#43755493)

I am the monster who unleashed the cookie beast into the wild. I wrote a short blog about this issue recently. The quick summary is that I think turning off 3rd party cookies for everyone will end up being a bad thing, especially for those of you who care about turning off 3rd party cookies. http://www.montulli-blog.com/2013/05/why-blocking-3rd-party-cookies-could-be.html [montulli-blog.com]

IE used to do it right (0)

alexo (9335) | about a year and a half ago | (#43755539)

Long before Firefox existed, IE6 allowed blocking 3rd party cookies.
However, it would display an icon on the status-bar and when I clicked on it, it would show me a list of blocked items and allow me to white-list them.

Why can't FF do the same? Or is there an extension to do it?

Analyze this, Mozilla. (2)

UltraZelda64 (2309504) | about a year and a half ago | (#43756149)

I've been blocking third-party cookies for years with absolutely no hint of any site failing to load correctly. If there is ever a problem, it is scripting, and choosing to disable NoScript on one or more sites typically sorts that out. Get the advertising industry's dick out of your ass and just fucking block third-party cookies already, Mozilla. It should have been done a hell of a long time ago. This new versioning system can be so amazingly retarded; we're at Firefox 21 already, already talking about Firefox 22, and Mozilla is still dragging their feet around on something as simple as the default fucking setting of a checkbox regarding third-party cookies. Talk about illusion of progress! You know that by this point, Mozilla no longer gives a shit about their actual users and seems to have their priorities in the advertisers; otherwise there would be no question, no delay. Why hasn't there been a fork of Firefox yet? IMO, it's been needing one free of Mozilla's bullshit since the 2.x.x days at the very least, or possibly 3.x. This is getting ridiculous.

Once, long ago (2)

Arker (91948) | about a year and a half ago | (#43756181)

Cookies used to be really easy to deal with using Mozilla, it wrote them all to cookies.txt. You just went in, deleted cookies.txt once, then mkdir cookies.txt. Then set it to allow cookies across the board. All websites worked fine, but anytime you restarted the browser they were all gone. Not 100% ideal but still a quick and relatively foolproof way to assert some sanity. So of course they changed that.

Now... let me get this straight, they are thinking about maybe, eventually, blocking third party cookies by default. Better late than never I guess, but it seems pathetic both in timing and scope as well, since they appear to be worried only about cookies(!) rather than scripting. Third party scripts are a much bigger problem. Both cases should have been blocked by default 10 years or more ago. At this point, yes, I would imagine some problems.

Re:Once, long ago (0)

Anonymous Coward | about a year and a half ago | (#43758473)

You just went in, deleted cookies.txt once, then mkdir cookies.txt. Then set it to allow cookies across the board. All websites worked fine, but anytime you restarted the browser they were all gone.

Set network.cookie.lifetimePolicy = 2
ref: http://www-archive.mozilla.org/projects/netlib/cookies/cookie-prefs.html [mozilla.org]

In SeaMonkey, this can be set via the preferences GUI under Privacy->Cookies. Not sure if such exists in the Firefox GUI.

Does no one here use PayPal? (0)

Anonymous Coward | about a year and a half ago | (#43756329)

PayPal requires 3rd party cookies.

Domain weirdness? (1)

Todd Knarr (15451) | about a year and a half ago | (#43758265)

I see in Eich's comment where he talks about a site "foo.com" including content from a separate domain "foocdn.com" belonging to the same company. My question is why they're using a separate domain? Why not "cdn.foo.com" which would automatically indicate that this domain's part of "foo.com". Or is this a case of "Doc, I don't want to stop hitting myself in the head with a hammer. I just want you to make it stop hurting."?

Re:Domain weirdness? (1)

wvmarle (1070040) | about a year and a half ago | (#43759907)

Because the cdn is probably (hosted at) a different company; not hosted on your own server (that has the database and provides all dynamic content and user logins and whatnot - keeping all that important information in house), but that seriously bandwidth-eating stuff comes from say Amazon or some cloud server.

Now why such foocdn would need cookies, that'd be the real question. That's supposed to be static content, downloaded via direct links in the main html.
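
The foo.com / foocdn.com case from this sub-thread, as an added example that is not part of any poster's comment or of Firefox's code: a simplified JavaScript model of the visited-sites cookie rule described in the story summary. The abbreviated suffix set, the example.org / example.net hosts, and all function names are assumptions made for illustration.

```javascript
// Constructed, abbreviated stand-in for the Public Suffix List
// (assumption: a real browser consults the full list).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable domain = longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the list: cannot classify
}

// Hypothetical model of the rule in the summary: a third-party cookie is
// accepted only if the user has visited that site as a top-level page.
function cookieDecision(pageHost, requestHost, visitedSites) {
  const page = registrableDomain(pageHost);
  const req = registrableDomain(requestHost);
  if (!page || !req) return "block";
  if (page === req) return "allow-first-party";
  return visitedSites.has(req) ? "allow-visited-third-party" : "block";
}

// Constructed browsing history: the user has opened foo.com and a
// social site directly, but never foocdn.com.
const visited = new Set(
  ["www.foo.com", "social.example.net"].map(registrableDomain)
);

function demo() {
  return {
    subdomain: cookieDecision("www.foo.com", "cdn.foo.com", visited),
    separateCdn: cookieDecision("www.foo.com", "static.foocdn.com", visited),
    widget: cookieDecision("news.example.org", "social.example.net", visited),
  };
}

console.log(demo());
```

The `separateCdn` result is the summary's "false positive" (a same-company domain that gets blocked), and `widget` is its "false negative" (an embedded site allowed to set cookies only because it was once visited directly).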
