- cross-posted to:
- librewolf@lemmy.ml
- privacy@lemmy.ml
- firefox@lemmy.ml
- cross-posted to:
- librewolf@lemmy.ml
- privacy@lemmy.ml
- firefox@lemmy.ml
You must log in or register to comment.
Get fucked, advertisers.
Advertisers track you with device fingerprinting and behaviour profiling now. Firefox doesn’t do much to obscure the more advanced methods of tracking.
Don’t all the advanced ways rely on JavaScript?
Lots do. But do you know anyone that turns JS off anymore? Platforms don’t care if they miss the odd user for this - because almost no one will be missed.
“Anymore”? I’ve never met a single soul who knows this is even possible. I myself don’t even know how to do it if I wanted to.
I do use NoScript, which does this on a site-by-site basis, but even that is considered extremely niche. I’ve never met another NoScripter in the wild.
Why not just use ublock medium mode?
Roughly similar to using Adblock Plus with many filter lists + NoScript with 1st-party scripts/frames automatically trusted. Unlike NoScript however, you can easily point-and-click to block/allow scripts on a per-site basis.
https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
Am I in the wild? I use it.
It’s really strange how they specifically mention HTML5 canvas when you can run any fingerprinter test on the internet and see that Firefox does nothing to obfuscate that. You can run a test in Incognito mode, start a new session on a VPN, run another test, and on Firefox your fingerprint will be identical.
Honestly would be hard to do. There a perfectly legitimate and everyday uses for pretty much everything used in fingerprinting. Taking them away or obscuring them in one way or another would break so much.
Librewolf has Resist Fingerprinting which comes pretty far.
Every Librewolf browser uses the same windows user agent, etc. But there are downsides, like time zones don’t work, and sites don’t use dark mode by default.
And even then, EFF’s Cover Your Tracks site can still uniquely identify me, mainly through window size. That’s one of the reasons why Tor Browser uses letterboxing to make the window size consistent.
Librewolf supports letterboxing as well, though the setting might be disabled by default
Oh neat! I just tried it, and it seems it’s broken on Gnome when using 125% scaling :/ Cool to have the feature there, though.
I also just figured out how to expose dark mode and my timezone though with RFP, so that’s nice.
I don’t know what letterboxing is. But if window size is used to identify me, can’t it be circumvented simply by using the window in restored size, and not maximised?
Your restored window size is even more unique than your maximised window size!
The correct solution is to just not make the window size available to JS or to remotes at all. There’s no reason to ever need specifics on window size other than CSS media-queries, and those can be done via profiles.
There is still plenty of fish for advertisers, sadly.
For those who don’t care to read the full article:
This basically just confines any cookies generated on a page, to just that page.
So, instead of a cookie from, say, Facebook, being stored on site A, then requested for tracking purposes on site B, each individual site would be sent its own separate Facebook cookie, that only gets used on that site, preventing it from tracking you anywhere outside of the specific site you got it from in the first place.
Hahahahaha so it doesn’t break anything that still relies on cookies, but neuters the ability to share them.
That’s awesome
Honestly, I thought that’s how it already worked.
Edit: I think what I’m remembering is that you can define the cookies by site/domain, and restrict to just those. And normally would, for security reasons.
But some asshole sites like Facebook are cookies that are world-readable for tracking, and this breaks that.
Someone correct me if I got it wrong.
They’ve been doing this with container tabs, so this must be the successor to that idea (I’m going to assume they’ll still have container tabs).
Container tabs are still a thing in FF. This is based on that work, if I remember correctly.
I love container tabs. It’s one of the reasons I went back to FF.
Total Cookie Protection was already a feature, (introduced on Feb 23st 2021) but it was only for people using Firefox’s Enhanced Tracking Protection (ETP) on strict mode.
They had a less powerful third-party cookie blocking feature for users that didn’t have ETP on strict mode, that blocked third party cookies on specific block lists. (i.e. known tracking companies)
This just expanded that original functionality, by making it happen on any domain, and have it be the default for all users, rather than an opt-in feature of Enhanced Tracking Protection.
That’s not what I was thinking of, which was even more fundamental. But that’s good info (and another way to cover stuff in the article).
Edit: what I was thinking originally was really stupid, that 3rd-party cookies weren’t allowed at all. Which was really dumb since of course they are.
Basically creates a fake VM like environment for each site.
For those who don’t care to read the full article
Or even the whole title, really
I don’t know why this wasn’t the case long ago.
Good to see Firefox still has value to provide
Firefox is awesome.
Yup. Nobody else gets those cookies.
Why are we posting 2 year old articles as though they are new?
I guess it says updated, but hey. PR for Firefox is cool, until the imminent enshittification.
The moment that Firefox goes too far, it’ll immediately be forked and 75% of the user base would leave within a few months. Their user base is almost entirely privacy-conscious, technologically savvy people.
I agree, but something will have to change because chrome will swallow ALL that. Just today some back-end problem was messing up all my stuff, and co-workers were asking, " did you try a different browser? " botch no I did not try Netscape
Looks like the article was updated today. I’m guessing this was originally covering an announcement for a future rollout and now it’s finally happening?
this article has not been edited, is from 2022, and says the feature was rolled out in June.
I think this tips it over the edge for me to switch to Firefox
I hope so! It’s a wonderful side of the Internet to be on
I miss Mozilla the product.
I unironically miss Netscape Communicator. Yes most of that went into Firefox but not all and I really miss the frame layout.
I used the shit out of their WYSIWYG HTML editor when I was an up and coming little script kiddie.
Really? This is what does it for you?
Ur… Yeah?
I prefer waterfox. Hard to trust Mozilla Corpos.
As long as it’s not Chromium, I’m happy people aren’t just handing over the keys to the Internet to Google.
Yeah, Waterfox is just another browser built on top of the Mozilla’s GECKO engine. But without all the AI dickriding.
How terrible to offer client-side translation or webpage description for differently abled people!
Client side incorrect translations*
How incorrect is it?
Sentences are a lot like math problems. An incorrect part changes the entire outcome.
Aren’t cookies already limited to the site at which they were created??
What the fuck? You mean to tell me sites have been sharing cookies?
I thought all browsers only delivered cookies back to the same site.
The problem is that a website is generally not served from one domain.
Put a Facebook like button on your website, it’s loaded directly from Facebook servers. Now they can put a cookie on your computer with an identifier.
Now every site you visit with a Facebook like button, they know it was you. They can watch you as you move around the web.
Google does this at a larger scale. Every site with Google ads on it. Every site using Google analytics. Every site that embeds a Google map. They can stick a cookie in and know you were there.
Is this also how they know which ads to feed you?
Yes, it’s the reason for the tracking. To sell more targeted ads.
If you’re up for reading some shennanigans, check out the book Mindf*ck. It’s about the Cambridge Analytica scandal, written by a whistleblower, and details election manipulation using data collected from Facebook and other public or purchased data.
Is that because the like button is an iframe?
It doesn’t have to be. Your browser sends the cookies for a domain with every request to that domain. So you have a website example.com, that embeds a Facebook like button from Facebook.com.
When your browser downloads the page, it requests the different pieces of the page. It requests the main page from example.com, your browser sends any example.com cookies with the request.
Your browser needs the javascript, it sends the cookie in the request to get the JavaScript file. It needs the like button, it sends a request off to Facebook.com and sends the Facebook.com cookies with it.
Note that the request to example.com doesn’t send the cookies for Facebook.com, and the request to Facebook.com doesn’t send the cookie for example.com to Facebook. However, it does tell Facebook.com that the request for the like button came from example.com.
Facebook puts an identifier in the cookie, and any request to Facebook sends that cookie and the site it was loaded on.
So you log in to Facebook, it puts an identifier in your cookies. Now whenever you go to other sites with a Facebook like button (or the Facebook analytics stuff), Facebook links that with your profile.
Not logged in? Facebook sets an identifier to track you anyway, and links it up when you make an account or log in.
How is Facebook able to know what site is requesting it? Is it in the referer header, or is it parameters in the javascript/image url?
Thank you for the explanation!
NO.
https://en.m.wikipedia.org/wiki/Third-party_cookies
Maybe it’s not allowed in your local jurisdiction? But it’s been a problem since forever.
I know Facebook and Reddit are in cahoots.
I went to visit Reddit a couple weeks back to read the Deadpool & Wolverine comments, but used the wrong container tab and now Facebook feeds me endless Marvel related stuff.
A lot of it is culture war bullshit too. Hmmmmm 🤔
No, you don’t know anything. Just because you have a suspicion because something happened to you once doesn’t mean you are sure in any way.
Nah I’m sure.
I never once saw a post about Marvel fed to me by Facebook and now it’s constant
Did it start after the extremely popular marvel movie “Deadpool and Wolverine” released?
Lol that’s your argument for why you think they don’t know what they’re talking about? Because all you did is make yourself seem like you have no idea how cookies work 🤣
It’s just one single person who noticed something once.
That’s an awful awful sample size absolutely filled with bias and thought fallacies.
Before. “Couple weeks” is more like 5 months at this point now that I think about it.
I don’t mind some of it much, but the obvious culture-war bait is infuriating.
It’s not because the movie just came out. I’ve been diligent about keeping Facebook and Reddit in their container tabs for years. It’s just Marvel stuff, not just the movies. Marvel’s been putting out huge movies for years and this hasn’t happened around any of their other releases.
Why aren’t you just using the official automatic Facebook container?
I made it before that was a thing. Habit I guess. 🤷♂️
This is old news, from 2022!!
From the blog post:
“June 14, 2022”
“Updated Aug. 28, 2024”
“And starting in 2024, all our users can look forward to Firefox blocking even more third party cookies.”
Take that, cookie monsters!
Does this stop me from adding to my website an iframe to facebook where facebook can keep its cookies for my user? That would be great but I doubt it.
IIRC an iframe contents is treated as a separate window, so cookies aren’t shared either
Sure, but the separate window can be on a different domain. Now you have a way to share cookies across multiple websites on different domains if all of them include an iframe to this external domain. And you can use in-browser messages (see window.postMessage()) to communicate between iframes and main window.
Article from JUNE 14, 2022
updated August 28th
I’m curious how this will affect OAuth (if at all). Does it use an offsite cookie to remember the session, or is that only created after it redirects back to the site that initiated the login?
Starting in what versions?
Is this the reason why I have to “confirm it’s you” every time I sign into a Google service now? I appreciate the fact that Firefox’s protection is so good that Google doesn’t recognize my PC anymore, but it’s extremely annoying to have to pull out my phone every time I want to watch YouTube.
This might be what finally convinces me to ditch Google for good. Good job, Firefox devs.
This wouldn’t make you have to log in every time you watch YouTube. It means by signing in to google.com, youtube.com can’t tell that you’re signed in. If you sign in on youtube.com, you’ll stay signed in on youtube.com unless you have something else deleting your cookies.
Well have had my cookies set to delete every time I close the browser for several years now but FF only now started doing this verification thing. A week ago all I had to do was enter my email and password.
If you’re already deleting all your cookies every time you close, then this new change should be identical to your first login of the day when your browser has no cookies. If you’re only getting 2fa requests after this change, then maybe you weren’t actually deleting every cookie, and Google was still fingerprinting you somehow.
No. That’s just Google trying to pester you into using Chrome.
but it’s extremely annoying to have to pull out my phone every time I want to watch YouTube
This sounds wild. What is your setup? You are using Youtube directly and unmitigated?
They call it TCP. All we need now is IP, and we’ll be set lol
