My pleasure ... but it's not just my work. Firefox privacy & security and add-ons engineering teams have poured a ton of effort into Firefox Quantum to make features like this possible and easy.
Yes please. Third party cookies and the like are the plague. They have so few legitimate use cases.
Make it a long deprecation if you have to. Give even longer exemptions to the really big players / the big breakage / the legitimate use cases while we find better ways. But it is up to the browser vendors to remove the weapons here.
I don't think OAuth requires third-party cookies, and SAML definitely does not. The authentication parts use HTTP POSTs or redirects from the IdP to SP. You probably do want cookies to track the sessions on each end, but those would be first-party.
It's possible for your IdP to track the SPs you authenticate to regardless of protocol or cookie use, of course.
Can you elaborate? Is there some reason that running every Google property except google search (unless desired, but I prefer non-tailored results) in one container wouldn't work?
That is mostly the case. However, other websites may ask your browser to make requests to Facebook domains (to load in social buttons or tracking scripts/pixels). Those requests will include any cookies your browser has for Facebook as they're direct to Facebook domains.
This extension gives Firefox selective amnesia: if you're in a Facebook container tab, it'll remember and send those cookies. If you're not, it won't!
An alternative solution is to never make those third party requests in the first place, but you might need some of them for content you're actually interested in viewing. Using both a blocking extension and this container extension should improve your privacy towards Facebook.
It breaks things like "sign-in with github credentials" in CIs. But you know, these should be exceptional, therefore the default should be to load third-party content without cookies. The problem is that some content is loaded without your having to click on something (where you'd have a chance to right-click and request loading with selected credentials).
Not necessarily: OAuth Basic Flow does not require third-party cookies. With Basic Flow, you'd get redirected to github.com, making it a first party request. GitHub will then redirect you back passing an authentication code as a URL parameter.
I use uMatrix for this purpose, and to block third-party frames to defend against clickjacking. That said, Multi-Account Containers still are very useful.
> Why can’t my browser always send zero cookies for all third party requests in all tabs?
It can. Blocking third-party cookies is available in the browser settings of at least Firefox, Chrome, and Safari. I think it’s even on by default in the latter.
I’ve been using it for years and never seen a broken page as a result.
The main thing I notice break when I enable things like "no cross origin cookies" is history on the AWS console. Stuff like "roles you've switched to" and "services you've used recently" get forgotten.
I mean it's too late now but there's nothing fundamental about the current SSO design. If browsers shipped with FPI from the beginning SSO would still work, it would just look different.
There’s uMatrix for that of course but is uBlock Origin and PrivacyBadger combo enough with this extension? As the de-facto tech guy in my family I know how to take care of my own privacy but I’m always searching for the most hands off solution for the tech illiterate family members who come to me asking to “fix their laptops”.
There's a "Same-Site" cookie flag that helps prevent CSRF by preventing cookies being sent in that scenario. Can the browser be made to treat all cookies as "same-site" for a quick 'fix' to this issue?
Obviously this would need a white-list (and a pair<from,to> whitelist, not just a "this domain is OK" list) to allow SSO scenarios.
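An added example, not part of any comment in this thread: a small model of the two ideas raised above, container tabs that only send Facebook cookies from the Facebook container, and treating every cookie as same-site with a pair<from,to> allowlist. It covers embedded (subresource) requests only; the hostnames, cookie values, policy names and the `site()` shortcut are constructed assumptions.

```javascript
// Constructed model, not browser code: decides whether a stored cookie is
// attached to a request under the policies discussed in the thread.
const jar = {
  // container -> site -> cookie; the Facebook login lives only in "facebook"
  default: { "github.com": "gh_session" },
  facebook: { "facebook.com": "fb_session" },
};

// Hypothetical <from,to> allowlist for SSO-style requests (a pair, not a domain).
const pairAllowlist = new Set(["ci.example>github.com"]);

// Reduce a hostname to its last two labels. Real browsers use the Public
// Suffix List; this shortcut is an assumption that holds for the samples.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// req: { top: host in the address bar, target: host fetched, container }
// policy: "sharedJar" | "containers" | "sameSiteAll"
function cookieSent(req, policy) {
  const target = site(req.target);
  if (policy === "sharedJar") {
    // No isolation: whichever jar holds a cookie for the target supplies it.
    for (const c of Object.values(jar)) if (c[target]) return c[target];
    return null;
  }
  const cookie = (jar[req.container] || {})[target] || null;
  if (policy === "containers") return cookie; // only the tab's own jar
  if (policy === "sameSiteAll") {
    // Every cookie treated as same-site unless the exact pair is allowlisted.
    const crossSite = site(req.top) !== target;
    const allowed = pairAllowlist.has(`${site(req.top)}>${target}`);
    return crossSite && !allowed ? null : cookie;
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Constructed requests: a news page embedding a Facebook widget, and a CI
// site making a credentialed cross-site request to GitHub.
const widget = { top: "news.example", target: "www.facebook.com", container: "default" };
const ciLogin = { top: "ci.example", target: "github.com", container: "default" };

console.log(cookieSent(widget, "sharedJar"), cookieSent(widget, "containers"));
console.log(cookieSent(ciLogin, "sameSiteAll"));
```

The same GitHub cookie is withheld when the embedding site is not the allowlisted one, which is the difference between a pair allowlist and a per-domain one.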
Yes, but as you say this breaks a large number of applications. The web browsers aren't super likely to break existing behavior since people simply blame the browser when whatever thing doesn't work.
> I don't understand why the default behavior isn't to isolate every website from every other website? Why is least privacy the default?
Default privacy settings are tough to manage.
Some people want privacy, and will accept broken websites if it keeps their data and online movement private.
Other people just want their usual websites to work, don't understand or care to think about privacy, and if some random content farm looks busted in Firefox, will just switch to another browser.
Aside from picking a sensible default, Firefox also offers to educate users where it makes sense. For example, when you open a new private browsing window in Firefox, the tracking protection section includes a "See how it works" button that takes you to a tour-style walkthrough of how tracking protection works.
This add-on's options include opening each (sub)domain in its own container. These containers are temporary: they're deleted a short time after you close their last tab, so you have to log back into each site on each visit. (This may be something you do anyway.)
I don't (yet?) know of an add-on that automatically assigns each domain you visit to its own permanent container, and automatically creates new containers for each new domain.
You can do that with the Firefox Multi-Account Containers extension. I don't go to that extreme, but it's nice to have a few key profiles. I have work and personal, plus a few others (like banking).
What is really nice is you can tell it to ALWAYS open your bank's website in a particular container, and it will. If you go to that URL from a tab in your work profile, it will switch to the banking profile for you.