
Firefox locks the cookie jar

Way back in 2019, I wrote about Enhanced Tracking Protection (ETP), Firefox’s take on anti-tracking tech they were building into their browser. Mozilla has continued to enhance the features of ETP in the years since, introducing tech to combat ‘Supercookies’ back in Firefox 85, and Total Cookie Protection for those users running ETP in ‘Strict’ mode in Firefox 86.

This tech has allowed the Firefox developers to effectively partition the network state to limit the ability of sites to engage in cross-site tracking through popular fingerprinting techniques. While this was certainly a boon for users who care about privacy, the Total Cookie Protection feature, which creates a separate “cookie jar” for each website a user may visit, remained locked behind the ‘Strict’ Mode toggle – and not enabled by default.

Last month, in June of 2022, Mozilla announced plans to enable Total Cookie Protection for all users by default. This would bring the feature which had been tested over the past year in ETP ‘Strict’ Mode, Private Windows and then in Firefox Focus to the general public without any user action required.

Yesterday, Mozilla released Firefox version 103 and the release notes had this to say:

Your information now has increased protection from online tracking via Total Cookie Protection enabled by default. All third-party cookies are now isolated into partitioned storage.

https://www.mozilla.org/en-US/firefox/103.0/releasenotes/

So now users get enhanced privacy and brands need to account for this feature in design, development, measurement and marketing efforts.

So what does this mean?

From a technical perspective this brings Firefox (mostly) in line with what we’re seeing out of other browser vendors. Practically speaking however – this isn’t as disruptive as it sounds for a few reasons.

First, Firefox retains a low market share: at the time of writing, a mere 3.26% of the global market per Statcounter. While specific sites and industries may see more Firefox traffic on a case-by-case basis, changes made to Firefox would affect the industry at large to a smaller extent than changes to, say, Safari or Chrome.

Second, Enhanced Tracking Protection, which is enabled by default, heavily restricts known trackers already. So while this feature is notable in that it restricts vendors further, the real advantage is that Total Cookie Protection protects against new or emergent vendors and doesn’t require a list to be updated by an external service.

So, while the feature doesn’t go as far as the Webkit team and their banning of 3rd party cookies entirely as part of Intelligent Tracking Prevention, it does further limit existing tracking which occurs with 3rd party cookies, and it does protect against emerging threats seeking to use 3rd party cookies as a vector for tracking.
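To make the difference concrete, here is a simplified model of the three approaches discussed above: a classic shared jar, a per-site partitioned jar as Total Cookie Protection is described, and an outright third-party block. This is an added example, not browser code or anything from Mozilla or Webkit; `CookieStore`, `simulateVisits`, `crossSiteLinkable` and the `.example` hosts are constructed for illustration, and the model ignores exceptions such as the login-provider case mentioned below.

```javascript
// Simplified model of third-party cookie handling (added example, not browser code).
// Policies: "shared" (one jar), "partitioned" (one jar per top-level site), "blocked".
class CookieStore {
  constructor(policy) {
    this.policy = policy;
    this.jars = new Map(); // storage key -> Map(cookie name -> value)
  }
  // Returns the jar a cookie lives in; null means it may not be stored or read.
  keyFor(topLevelSite, cookieSite) {
    if (topLevelSite === cookieSite) return cookieSite; // first-party: unaffected
    if (this.policy === "blocked") return null;
    if (this.policy === "partitioned") return `${topLevelSite}^${cookieSite}`;
    return cookieSite; // "shared": same jar no matter which site embeds it
  }
  get(topLevelSite, cookieSite, name) {
    const key = this.keyFor(topLevelSite, cookieSite);
    return key === null ? undefined : this.jars.get(key)?.get(name);
  }
  set(topLevelSite, cookieSite, name, value) {
    const key = this.keyFor(topLevelSite, cookieSite);
    if (key === null) return false;
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
    return true;
  }
}

// A constructed third party embedded on each visited site: it reuses its
// ID cookie when the browser lets it see one, otherwise it mints a new ID.
function simulateVisits(policy, sites, trackerSite = "tracker.example") {
  const store = new CookieStore(policy);
  let counter = 0;
  return sites.map((site) => {
    let id = store.get(site, trackerSite, "uid");
    if (id === undefined) {
      id = `id-${++counter}`;
      store.set(site, trackerSite, "uid", id);
    }
    return { site, id };
  });
}

// True when one ID was observed on more than one top-level site.
function crossSiteLinkable(visits) {
  const firstSiteForId = new Map();
  return visits.some(({ site, id }) => {
    if (!firstSiteForId.has(id)) firstSiteForId.set(id, site);
    return firstSiteForId.get(id) !== site;
  });
}
```

Running `simulateVisits` over a shop, a news site and the shop again shows the practical split: the partitioned jar still recognises the returning shop visitor but cannot join that visit to the news site, while the blocked policy loses even the repeat visit.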

Impact to Business

In the event Enhanced Tracking Protection wasn’t already breaking measurement or functionality, and that functionality relies on 3rd party cookies (but isn’t related to known 3rd party login providers) – I would expect that measurement or functionality to cease working as intended.

Realistically, this means that 3rd party targeting, tracking and conversion measurement is going to be adversely impacted for this market segment and there is a heightened chance that marketing tactics such as Remarketing cease working for Firefox users in all cases that relied on an anonymous ID. CRM based advertising lists should continue to work as expected, but have their own limitations (such as the user having to self identify on multiple sites).

Any cross-domain measurement solution which relies on 3rd party cookies, such as say TikTok’s bizarre foray into 3rd party cookies recently, is likely in for rough times and I would expect it to cease working for Firefox users. Further, this may, depending on the integration, adversely affect existing affiliate and commission based vendors / programs, resulting in difficulty calculating commission in some configurations.

Final Thoughts

The Ad industry is rightly concerned about Google’s planned phase out of 3rd party cookies in 2023. What I believe the industry largely fails to realize however is how restricted 3rd party cookies already are.

They don’t work at all on Webkit browsers (Desktop Safari, all iOS, all iPad browsers) and both Firefox and Edge heavily restrict them with built in anti-tracking tech. Further, this recent change by Mozilla to further restrict them isn’t surprising or unexpected. So while the feature is notable – it needs to be realized that if Total Cookie Protection broke something critical, that item already wasn’t working correctly in a number of scenarios.

So while this may be problematic for the ad industry short term, the sky isn’t fully falling just yet. It is certainly however in a moderate downpour and it’s time to face the writing on the wall that cross-domain measurement is difficult and will continue to get harder. That’s to say nothing of all the pending regulatory changes on deck which promise to change the ad industry in ways we can only theorize about right now.
