Discussion: Full Third-Party Cookie Blocking #516

Closed
ghost opened this issue Mar 25, 2020 · 7 comments


@ghost ghost commented Mar 25, 2020

Description

Apple's Safari has started to fully block third party cookies by default. It is funny because Cliqz did this years ago with their products and called this "a simple approach". Now I don't know how much it will take Firefox or others to follow up but Safari doing it should be able to force the majority of websites to become compatible with the update.

As Firefox already blocks a big chunk of third party cookies, maybe Ghostery should be the extension to take it one step further and implement this as anyone who installs an extension to further their privacy should expect this kind of protection. Or maybe, waiting for other browsers to take action would be the better thing to do as then you wouldn't have to modify your code for anti-tracking multiple times. What do you think?

Edit: I've seen the recent update to the browser-core which makes cookie blocking more aggressive. IMO fully blocking them should still be discussed.

Contributor

@sammacbeth sammacbeth commented Mar 25, 2020

Switching Ghostery to full 3rd party cookie blocking (with some compatibility exceptions) is simple - there is a config option in enhanced anti-tracking to do this. I'm not sure we'd be able to turn this on for all users at present because of the amount of sites it breaks. Hopefully Safari's changes will help improve this situation though. We could look at exposing this as a setting for users who want that extra protection though (cc @christophertino).

Note, however, that Ghostery cookie blocking is limited to HTTP cookies. At the moment we do not block cookies created from DOM APIs (i.e. document.cookie). This is because WebExtension API limitations make it difficult to do this properly while including other Ghostery features such as per site and per tracker whitelisting. Upcoming changes to extension APIs in Chrome may also make what we do at present no longer possible there.

All browsers do support native 3rd party cookie blocking though, which will block the DOM cookie API, and also localStorage and indexedDB in 3rd party contexts. This is however at the cost of being able to whitelist specific sites, or benefit from the compatibility rules and heuristics we use in Cliqz and Ghostery to prevent things like OAuth logins and Office365 from breaking.
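
The HTTP-level blocking described in the comment above, as an added example that is not part of the original thread and is not Ghostery's code: a filter that strips `Cookie` / `Set-Cookie` headers from third-party requests unless a compatibility exception applies. All function names, the `documentUrl` field, the exception entries and the short suffix set (a stand-in for the full Public Suffix List) are assumptions made for illustration; cookies written through `document.cookie` never pass through a header filter like this, which is the limitation the comment mentions.

```javascript
// Added illustration only; names and data below are hypothetical.
// Stand-in for the Public Suffix List: a real filter must use the full list.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Registrable domain (eTLD+1) of a hostname, using the stand-in set above.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  return labels.slice(MULTI_LABEL_SUFFIXES.has(lastTwo) ? -3 : -2).join(".");
}

// A request is third-party when its site differs from the page's site.
function isThirdParty(requestUrl, documentUrl) {
  return registrableDomain(new URL(requestUrl).hostname) !==
    registrableDomain(new URL(documentUrl).hostname);
}

// Constructed compatibility exceptions: third-party site -> first-party
// sites on which it keeps its cookies ("*" means on every site).
const COMPAT_EXCEPTIONS = new Map([
  ["sso-provider.example", new Set(["*"])],
  ["widgets.example", new Set(["shop.example"])],
]);

function isExempt(requestUrl, documentUrl) {
  const sites = COMPAT_EXCEPTIONS.get(registrableDomain(new URL(requestUrl).hostname));
  const firstParty = registrableDomain(new URL(documentUrl).hostname);
  return Boolean(sites && (sites.has("*") || sites.has(firstParty)));
}

// Returns the headers to forward. direction is "request" (drops Cookie)
// or "response" (drops every Set-Cookie). Headers are {name, value} pairs.
function filterCookieHeaders(details, direction) {
  const { url, documentUrl, headers } = details;
  if (!isThirdParty(url, documentUrl) || isExempt(url, documentUrl)) {
    return headers;
  }
  const blocked = direction === "request" ? "cookie" : "set-cookie";
  return headers.filter((h) => h.name.toLowerCase() !== blocked);
}
```
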

Author

@ghost ghost commented Mar 25, 2020

@sammacbeth Thanks for the response,
After Safari's strict change I wonder what Office 365 and others will do. You are probably right saying you should wait and see how it plays out long-term.

For Ghostery, honestly, I didn't know how these settings would affect other modules. Even though I would love to see it become the extension version of Cliqz Browser, not being able to fully achieve that was the reason why you started building your own browser. As long as it strips out PII from third-party requests with anti-tracking, I'm fine with it giving compromises.

Author

@ghost ghost commented Mar 26, 2020

@sammacbeth Quick question then, if I set Firefox to block third party cookies, will that affect Ghostery's heuristics for anti-tracking? (Not talking about cookie blocking obviously but the PII removal.)

Contributor

@sammacbeth sammacbeth commented Mar 26, 2020

> @sammacbeth Quick question then, if I set Firefox to block third party cookies, will that affect Ghostery's heuristics for anti-tracking? (Not talking about cookie blocking obviously but the PII removal.)

No. The unsafe data removal system runs irrespective of cookie setting.

Author

@ghost ghost commented Mar 27, 2020

Hey @sammacbeth, I did set Firefox to block all third party cookies which also broke Ghostery's login functions in the sense that it logged me out from the extension and even if I log in it instantly logs out. You think this is fixable?

Member

@christophertino christophertino commented Mar 27, 2020

You'll need to set an exception in FF to fix this. From about:preferences#privacy > Cookies & Site Data > Manage Exceptions > Manage Permissions > Add an "Allow" exception for https://consumerapi.ghostery.com

Author

@ghost ghost commented Mar 31, 2020

Thanks for your help. Closing the issue for now then. If someone’s gonna take this step, it should be the browsers anyway.

@ghost ghost closed this Mar 31, 2020