Mozilla’s Total Cookie Protection Feature Blocks Invasive, Cross-Site Tracking


Monday, March 1st, 2021

Mozilla has released the latest version of its Firefox web browser, Firefox 86, which comes with new privacy protections to guard against cross-site cookie tracking, as well as numerous security vulnerability fixes.

Firefox 86, released on Tuesday, includes a privacy-bolstering feature called Total Cookie Protection. This new feature isolates the cookies assigned by each website, preventing websites from tracking internet users in an invasive, cross-site manner.

HTTP cookies are small data files stored by web browsers while users visit various websites. These are used as a unique identifier to improve the web browsing experience and enable user-specific ads, an increasingly necessary part of the internet economy. However, tracking cookies can also pose a “serious privacy vulnerability,” said Mozilla, because third-party companies – like data brokers, affiliate networks and advertising networks – can use them to track users’ browser activity, even when they visit other websites. Advertisers can then use the tracking cookies to better understand which websites users visit – whether those are social media websites or otherwise – and ultimately piece together a digital picture of who users are. Those details can also be transferred to a third party and stored on remote servers.

This type of cookie-based tracking has grown to be the most prevalent method for gathering information on those who use the internet, and advertising companies use it to create targeted ads and to build detailed, personal profiles of users. Total Cookie Protection aims to rein in some of these privacy concerns by creating what Mozilla calls a separate “cookie jar” for each website that a user visits.

Each time a user visits a website, the website (or third-party content embedded in the website) deposits a cookie in the user’s browser. That cookie is then confined to the “cookie jar” assigned to that website and cannot be shared with any other website. This prevents invasive cross-site tracking by third-party companies.

Mozilla said that Total Cookie Protection does make “a limited exception” for cross-site cookies when they are needed for non-tracking purposes – including those used by popular third-party login providers.

“Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting,” said Tim Huang, Johann Hofmann and Arthur Edelstein with Mozilla. “Such momentary exceptions allow for strong privacy protection without affecting your browsing experience.”
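The “cookie jar” isolation and the limited login-provider exception described above can be illustrated with a small model. This is an added example, not Mozilla's code or Firefox's implementation; the `CookieStore` class, its methods, and all `.example` site names are hypothetical and constructed for illustration.

```javascript
// Simplified model of cookie storage; not Firefox's implementation.
// All site names below are constructed sample values.
class CookieStore {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.jars = new Map();   // jar key -> Map(cookie name -> value)
    this.grants = new Set(); // "topSite|cookieHost" exceptions
  }
  // Allow cookieHost to use its unpartitioned jar while embedded on topSite.
  grantException(topSite, cookieHost) {
    this.grants.add(`${topSite}|${cookieHost}`);
  }
  jarKey(topSite, cookieHost) {
    const firstParty = topSite === cookieHost;
    const granted = this.grants.has(`${topSite}|${cookieHost}`);
    if (!this.partitioned || firstParty || granted) return cookieHost;
    return `${cookieHost}^${topSite}`; // separate jar per visited site
  }
  set(topSite, cookieHost, name, value) {
    const key = this.jarKey(topSite, cookieHost);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  get(topSite, cookieHost, name) {
    const jar = this.jars.get(this.jarKey(topSite, cookieHost));
    return jar ? jar.get(name) : undefined;
  }
}

// An embedded third party sets an ID on first sight and reuses it afterwards.
// Returns the IDs it observes across the visited sites, in visit order.
function idsSeenByThirdParty(store, thirdParty, visitedSites) {
  let counter = 0;
  return visitedSites.map((site) => {
    let id = store.get(site, thirdParty, "uid");
    if (id === undefined) {
      id = `id-${++counter}`;
      store.set(site, thirdParty, "uid", id);
    }
    return id;
  });
}

const demoSites = ["news.example", "shop.example", "blog.example"]; // constructed
console.log(idsSeenByThirdParty(new CookieStore({ partitioned: false }), "tracker.example", demoSites));
console.log(idsSeenByThirdParty(new CookieStore({ partitioned: true }), "tracker.example", demoSites));
```

With a shared jar the embedded party sees one identifier on every site and can link the visits; with per-site jars it sees an unrelated identifier on each site.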

Firefox 86 also comes with three security fixes for high-severity flaws. Two of these flaws exist in the Content Security Policy (CSP), a security mechanism for browsers that prevents cross-site scripting, clickjacking and other code injection attacks. The first vulnerability (CVE-2021-23969) could allow a remote attacker to obtain sensitive data. When creating a violation report for CSP, Firefox’s implementation incorrectly set the source file to be the destination of the redirects.
