Mozilla postpones default blocking of third-party cookies in Firefox

A patch to only allow cookies from sites visited still needs more work, Mozilla's CTO said

Mozilla has postponed blocking third-party cookies by default in Firefox 22, "to collect and analyze data on the effect of blocking some third-party cookies."

The nonprofit organization is, however, not softening its stand on protecting privacy and putting users first, Brendan Eich, Mozilla's CTO and senior vice president of engineering, wrote in a blog post Thursday.

Mozilla has been testing a patch from Jonathan Mayer, a graduate student at Stanford University in computer science and law and online privacy activist, which like Apple's Safari browser allows cookies from websites already visited, but blocks cookies from sites not visited yet.

A pre-build version of the browser, called Firefox Aurora, was released on April 5, and included the patch to only allow cookies from sites visited. Aurora is a preliminary stage in the development cycle before Beta and Release of a version of Firefox.

The default preference will be kept to allow third-party cookies in the Beta and Release channels, Mozilla said in an update on its developer network.

The plan by Mozilla to block third-party cookies by default in upcoming Firefox releases was criticized by the online advertising industry, some members of which said that, besides advertising, cookies serve other purposes such as data theft protection and analytics. The move will affect small businesses that make up the diversity of content and services online and consumers' ability to manage their own privacy, said the Interactive Advertising Bureau, which called on Mozilla in March to withdraw the planned changes to the Firefox browser.

Mozilla is now worried about "false positives," such as if the patch blocks cookies from websites associated with a site the user has visited. If a user visits a site named foo.com, which embeds cookie-setting content from a site named foocdn.com, as a result of the patch, Firefox will set cookies for foo.com, but block cookies from foocdn.com because it was never visited directly, even though there is one company behind both sites, Eich wrote.

On the flip side, a user who has visited a website may still not be comfortable being tracked by it all over the Internet and on unrelated sites, which is a "false negative" that the patch could allow.
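The two failure modes can be reproduced with a small model of the visited-site rule. This is an added example, not code from Mozilla or from Mayer's patch; the class and function names are hypothetical, and treating the last two hostname labels as the "site" is a simplifying assumption (a browser would consult the Public Suffix List).

```javascript
// Simplified model of the visited-site cookie rule described in the article.
// Assumption: a "site" is the last two labels of the hostname.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

class VisitedSitePolicy {
  constructor() {
    this.visited = new Set(); // sites the user has loaded as the top-level page
  }

  // The user navigates directly to a page on this host.
  visit(hostname) {
    this.visited.add(siteOf(hostname));
  }

  // May cookieHost set a cookie while the user is viewing topLevelHost?
  allowsCookie(topLevelHost, cookieHost) {
    const cookieSite = siteOf(cookieHost);
    if (cookieSite === siteOf(topLevelHost)) return true; // first-party
    return this.visited.has(cookieSite); // third-party: only if visited before
  }
}

// False positive: foo.com and foocdn.com belong to one company, but only
// foo.com was ever visited directly, so the CDN's cookie is blocked.
function falsePositiveScenario() {
  const policy = new VisitedSitePolicy();
  policy.visit("www.foo.com");
  return {
    firstParty: policy.allowsCookie("www.foo.com", "www.foo.com"),
    sameCompanyCdn: policy.allowsCookie("www.foo.com", "static.foocdn.com"),
  };
}

// False negative: one direct visit to a site (constructed name) lets its
// embedded content set cookies on an unrelated page afterwards.
function falseNegativeScenario() {
  const policy = new VisitedSitePolicy();
  policy.visit("tracker.example");
  policy.visit("news.example.org");
  return policy.allowsCookie("news.example.org", "widgets.tracker.example");
}
```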

Mozilla said it needs more data and refinements to the patch before it can ship a version of it which blocks cookies from unvisited sites by default, and has asked for volunteers from its Beta and Aurora releases. The Beta for Firefox 22 was released Thursday.

"Our next engineering task is to add privacy-preserving code to measure how the patch affects real websites," Eich wrote.

The patch has been moved to the Beta release channel of Firefox 22 but is not on by default. It remains in the Aurora build of Firefox 22, where it is turned on by default.

"The patch as-is needs more work," said Eich, promising an information update in six weeks.

Firefox 22 is scheduled to move to Released in the week of June 24.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is john_ribeiro@idg.com
