FF44 third party cookies

Discussion of general topics about Mozilla Firefox
Scarlettrunner20
Posts: 1016
Joined: February 13th, 2003, 5:06 pm

Re: FF44 third party cookies

Post by Scarlettrunner20 »

Frank Lion wrote:
Scarlettrunner20 wrote: Page source has nothing to do with this problem
Through the fog of your mind, could you at least try to read just two words correctly? Page Info is not Page source.
All these years and you sti
Try to focus. It was you who asked for this -
. Mozilla could have fixed it - partial fix at least - by setting a mechanism (button maybe?) that the user could hit if a site refused to honor (after say 10 tries at the most) the user's choice for cookies and that button would force the user's choice on the errant site
...and me who told you how that already existed using Page Info > Permissions, where you can block all cookies from an individual site forever. If you don't like what it does then don't ask for it or use it.
I have several cracked ribs and an injured back. Sorry if I typed the wrong word.

I can also block all cookies from Fx Options but NOT in real time so neither is acceptable. They are passive ways AFTER THE FACT.
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: FF44 third party cookies

Post by Frank Lion »

Scarlettrunner20 wrote:I have several cracked ribs ...
...you've been reading through some of your old posts again, eh?
Scarlettrunner20 wrote:I can also block all cookies from Fx Options but NOT in real time
Think outside the box and block them all by default and then allow just the ones you want. If people had not made assumptions then I would have gone into more detail on that.
Scarlettrunner20 wrote: ...passive ways AFTER THE FACT.
There is no AFTER THE FACT. Within nanoseconds of visiting a website your IP and device details are recorded in the logs (don't forget I have websites, so none of this is theory). The initial cookie/s just takes these details, also often the page you are visiting, and adds a unique identifier (Client or User) to those details. That's it. Thus, that cookie can be deleted/blocked AFTER THE FACT and the site will still have your IP and device details, but can do nothing with that original cookie because it contained, er, nothing. Unless blocked from doing so, once deleted all the site can do is to reissue another cookie with a brand new Unique Identifier and so on...

The 'danger' with 1st party cookies is not with the initial cookies, but with the persistence of them across different sessions, which is how a tracking history/user profile is built up. So, it doesn't matter if they are deleted before/during/after they are set just so long as they are deleted and not allowed to persist, i.e. -

Delete initial cookie 5 minutes later = No AFTER THE FACT
Delete cookie 3 months down the line = AFTER THE FACT

In either case, the site will still have your IP and device details. Incidentally, my websites set no cookies as I allow no ads at all. However, law enforcement agencies could still compel me to hand over the visitor IP/device logs (which is why I routinely delete the logs).

Quick novice Cookie 'How To' -

In Options/Preferences -
#1. Block Third Party Cookies. (be aware that some bank sites do require these to be enabled)
#2. Set Cookies to 'Allow for Session'/'Expire when I close..'
#3. Set Private Data/Custom Settings to clear Cookies and optionally Cache, on Exit. (use, if required, Ctrl + Shift + Delete during session.)
#4. Use Page Info (Ctrl + i) to adjust cookie permissions for individual sites, if so required.

There can be more to it than that, but do the above and you can set this stuff, forget about it and the world will not end. Good to know if you use multiple profiles/different browsers/have better things to do.

***

Whatever else you do, just don't ever get into this position :) -
Scarlettrunner20 wrote:The badly coded sites try upwards to 100 times (that is a LOT of clicking and yes I have actually counted that many clicks on a few sites) to get you to accept their cookies.....

....I have never given in though....I have clicked until my fingers were half numb but the sites always finally give up trying to set cookies.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
polidobj
Posts: 3147
Joined: March 31st, 2004, 9:10 am
Location: Maryland USA - im in ur tinderbox, crashtesting ur firefox

Re: FF44 third party cookies

Post by polidobj »

Frank Lion wrote: #4. Use Page Info (Ctrl + i) to adjust cookie permissions for individual sites, if so required.
The problem is this is likely not enough. I block all cookies and allow the ones I need to login to sites. This was easy when you could get Firefox to ask when setting cookies. Then you could get the proper allow exceptions. I tried to login to meetup.com but couldn't figure out how to get it to work in FF44. I had to use FF43 to find the correct exceptions I needed. The cookies were set for meetup.com, but they were being set by http://www.meetup.com and https://secure.meetup.com.

Is there an extension that would help me figure out the proper exceptions I need?
Brian J Polidoro - Today's bugs brought to you by Raid. :P
Windows7 - Firefox user since ~Feb 2002
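
The situation described in the post above, as an added example that is not part of the thread or of Firefox's code: it takes a constructed log of responses (URL plus Set-Cookie headers, as could be copied from the browser's network tools) and lists which origins actually set cookies, with each cookie's scope checked by RFC 6265 domain matching. It assumes an allow exception is needed for every origin that sends the header; the sample data and function names are made up for illustration.

```javascript
// Constructed sample: responses seen during a login (URL + Set-Cookie headers).
const sampleResponses = [
  { url: "http://www.meetup.com/",
    setCookie: ["visitor=abc123; Domain=.meetup.com; Path=/"] },
  { url: "https://secure.meetup.com/login/",
    setCookie: ["session=def456; Domain=meetup.com; Path=/; Secure; HttpOnly",
                "csrf=789; Path=/login"] },
  { url: "https://static.example.net/a.js",
    setCookie: ["t=1; Domain=meetup.com"] }, // foreign host claiming meetup.com
  { url: "https://www.meetup.com/img.png", setCookie: [] },
];

// Split one Set-Cookie header into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the header
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching (IP-address hosts are not handled).
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Map each origin that sets an acceptable cookie to the cookies it sets.
function settingOrigins(responses) {
  const result = {};
  for (const { url, setCookie } of responses) {
    const u = new URL(url);
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      if (!c) continue;
      const dom = typeof c.attrs.domain === "string" ? c.attrs.domain : "";
      // A Domain attribute that does not cover the sending host is rejected.
      if (dom && !domainMatch(u.hostname, dom)) continue;
      const scope = dom ? dom.replace(/^\./, "").toLowerCase() : u.hostname;
      if (!result[u.origin]) result[u.origin] = [];
      result[u.origin].push(`${c.name} (scope: ${scope})`);
    }
  }
  return result;
}

console.log(settingOrigins(sampleResponses));
```

In the constructed data both cookies scoped to meetup.com come from two different origins, one http and one https, which is the pattern the post reports.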
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: FF44 third party cookies

Post by Frank Lion »

polidobj wrote: I tried to login to meetup.com but couldn't figure out how to get it to work in FF44.
The trick here is to keep an eye on the addressbar. To demonstrate (I don't have an account at 'meetup') I'll be using here and Ebay -

First, I changed my settings to block all cookies.

#1. Visit mozillazine > Ctrl + i > Permissions > cookies to allow for session.
#2. Try login here > no https on addressbar > Login successful.

#3. Visit Ebay > Ctrl + i > Permissions > cookies to allow for session.
#4. Try login Ebay > https and signin address on addressbar > Ctrl + i > Permissions > cookies to allow for session.* > Login successful.

* Usually you need to refresh the login page, so it understands that things have changed.

Only has to be done once and is then remembered. Incidentally, most proper password logins on websites will be https.

You can use extensions, if you prefer, but even the dev notes for them tend to read as long as 'War and Peace'. Some also don't work if you block all cookies by default, like SDC, etc.

I'm not saying it was a great idea for Mozilla to remove the 'Ask' stuff (I would have left it). All I'm saying is that users can, if they want to, work around that on a default setup, without needing extensions. Obviously, there will be exceptional needs that do, as there are with everything.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
glnz
Posts: 30
Joined: August 11th, 2007, 10:52 am

Re: FF44 third party cookies

Post by glnz »

Mozilla - have you gone out of your mind?

How can you get rid of "ask me every time" to block cookies? This is an essential feature. This is the number 1 reason why I adopted FF and stuck with it for -- what? -- ten years.

And you didn't even tell us.

Who are you now? I thought privacy and concern for the user rather than the abuser was core to your mission. This is why I have responded to your campaigns and contributed three years now.

Don't write here about workarounds - you have nothing that works like "ask me every time".

So now I am flooded by cookies - no way to control anything at the level needed.

You are now the same as Google Chrome.

How can you do this?
Last edited by LIMPET235 on February 21st, 2016, 6:06 am, edited 1 time in total.
Reason: Removed the un-necessary bolded text.
glnz
LIMPET235
Moderator
Posts: 39936
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Re: FF44 third party cookies

Post by LIMPET235 »

"We" cannot do anything in/with Firefox.
We are just a user-to-user help site.
---------------------------------------------------------------------->>>

&, You might want to read this entire thread for a few tips.


Go complain to "them."
Help > Submit feedback.
[Ancient Amateur Astronomer.]
Win-10-H/64 bit/500G SSD/16 Gig Ram/450Watt PSU/350WattUPS/Firefox-115.0.2/T-bird-115.3.2./SnagIt-v10.0.1/MWP-7.12.125.

(Always choose the "Custom" Install.)
frg
Posts: 1361
Joined: December 15th, 2015, 1:20 pm

Re: FF44 third party cookies

Post by frg »

Well I am quite sure that thanks to the open and transparent nature of the Mozilla project this option won't come back. All further attempts to restore it are a waste of time.

The discussions on the official channels remind me of the old wrong-way driver traffic warning joke:

What only one driver driving the wrong way? No I see hundreds of them!

I backed out the change in my private Seamonkey build and hope that somebody comes up with an extension for it.

FRG
glnz
Posts: 30
Joined: August 11th, 2007, 10:52 am

Re: FF44 third party cookies

Post by glnz »

How do I get back the earlier Firefox? I think it was still working in FF 43.

This is really bad.
glnz
frg
Posts: 1361
Joined: December 15th, 2015, 1:20 pm

Re: FF44 third party cookies

Post by frg »

Yes it was removed starting with FF 44. You can find the latest 43.x version here:

https://archive.mozilla.org/pub/firefox ... es/43.0.4/

You need to disable automatic updates for this to work. The usual reminder that 44.x fixes a few security bugs and using an older version will expose you to the dangers of the internet.

The latest ESR still contains the option but this is only a temporary solution too. ESR 45 is on the way soon.

https://archive.mozilla.org/pub/firefox ... 38.6.1esr/

FRG
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: FF44 third party cookies

Post by Frank Lion »

frg4711 wrote:I backed out the change in my private Seamonkey build and hope that somebody comes up with an extension for it.
Unlikely, as they ripped out the back end for it.

However, no great problem. When I was helping above - http://forums.mozillazine.org/viewtopic ... #p14512145 I blocked all cookies to test (usually I allow 1st party for session, block 3rd party, clear cookies and cache on exit) - works fine and I was surprised how little difference it made to sites.

Obviously I use Ctrl + i for individual site cookie permissions where I need to login, etc (Youtube also needs 1st cookies for session permission or you don't see the comments) and it all went fine with the exception of the Daily Mail site and GMail, which I easily worked around.

So...I'm keeping the block all cookies setting from now on.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
frg
Posts: 1361
Joined: December 15th, 2015, 1:20 pm

Re: FF44 third party cookies

Post by frg »

>> Unlikely, as they ripped out the back end for it.

I think with a cookie observer it can be done. The cookie would only be visible for a short time this way.

FRG
glnz
Posts: 30
Joined: August 11th, 2007, 10:52 am

Re: FF44 third party cookies

Post by glnz »

Frank Lion and frg -

Sorry, but what do you mean by ctrl + i ? When I try that, I get a side bar for bookmarks.
glnz
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: FF44 third party cookies

Post by Frank Lion »

glnz wrote:Sorry, but what do you mean by ctrl + i ? When I try that, I get a side bar for bookmarks.
On Firefox 47 and earlier, plus SeaMonkey, Ctrl + I is the hotkey for Page Info. You can also find it by right clicking on any webpage and it's on the context menu there. Another, less well known, method of locating is this -
This next bit may help you or not, but it's little known. You can also set individual site settings by the following method - click the identity box at the left end of the addressbar (where the site favicon used to be) then click the right arrow on the popup that appears and finally 'More Information'. There you can set all sorts of preferences for an individual site and you only have to do it once.
Anyway - Page Info > Permissions > Cookies and you can allow/block/just session for individual sites. Maybe not ideal, but it wasn't my idea to get rid of the other stuff.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
Drumbrake
Posts: 1177
Joined: February 14th, 2011, 2:34 am

Re: FF44 third party cookies

Post by Drumbrake »

Frank Lion wrote:
Regarding your scaremongering silent JS stuff, you really think I don't have these computers and routers being continually scanned and would not know immediately of any JS exploits, really? Really? 12 years I've waited, where are they?

Take up your JS concerns with the browser makers who have it enabled by default.
Well, for some reason you are apparently taking this the wrong way, not much I can do about it other than emphasizing I'm not trying to look smarter here or proving you wrong for any special reason: what prompted my original reply was that you actually stated that with “JS enabled, a very basic adblocker and a short hostfile” you never or rarely see ads and furthermore you don't think there is an underlying javascript abuse issue worth worrying about, or noticeable enough that it could eventually be a sensible choice blocking JS - or, more correctly IMHO, curb it with NoScript.

As for the ads thing, nothing I can do but say once again that if I had to follow such guidelines, I'd be seeing ads everywhere: I have a hostfile that keeps constantly growing, I use lots of custom filters with my adblockers, have JS managed with NoScript, and yet I still see ads popping here and there.

Then you go on labeling general concerns (which I would call “awareness”) about security as “fearmongering”, which of course I completely disagree with.

Would you call this https://blog.mozilla.org/security/2015/ ... -the-wild/ just "fearmongering"?
The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer(...)
The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload. [Update: we’ve now seen variants that do have a Mac section, looking for much the same kinds of files as on Linux.]
The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.

How do you know for sure in this case, that you haven't been targeted?

Then how about the well-known router attacks via CSRF vulnerabilities? Like this one:

http://arstechnica.com/security/2014/03 ... s-changes/

It also sounds somehow contradictory to me to first give the general advice not to bother with such issues, then state that you have your routers and systems “routinely scanned”: the average user doesn't do that, which makes it even more important for them to use adblockers and manage JS.

Then again,
I'm not trying to look smarter here or proving you wrong for any special reason
we're just discussing things here.
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: FF44 third party cookies

Post by Frank Lion »

Drumbrake wrote:we're just discussing things here.
Nope, you're discussing things here, meanwhile I've been discussing cookies, which is the subject of this thread.

Meantime, you've latched onto what I mentioned about my experiences with JS. That's your choice, but doesn't mean I want to discuss it.
Frank Lion wrote:All I can do is to write the truth and people can make of it what they will and the truth is that I've had JavaScript enabled ever since 2004 and never had a problem.

Hardly unique as that is default in browsers. The elephant in the room is where are all those supposedly inevitably compromised JS users hiding?
What do you want from me? I'm not saying it is the only way, I'm not advising anyone to do the same. I'm saying that is my personal experience of JS stuff for over 10 years. You want me to lie and pretend that's not what has happened?

Again, why tackle me on this, when millions of other people are doing exactly the same, if only because JS is enabled by default?


..you are apparently taking this the wrong way, not much I can do about it other than emphasizing I'm not trying to look smarter here or proving you wrong for any special reason
We're cool, you should know by now my writing style on public forums. :)
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.