Total Cookie Protection


Firefox 86 Introduces Total Cookie Protection

blog.mozilla.org/security/2021/02/23/total-cookie-protection

Today we are pleased to announce Total Cookie Protection, a major privacy advance in
Firefox built into ETP Strict Mode. Total Cookie Protection confines cookies to the site
where they were created, which prevents tracking companies from using these cookies to
track your browsing from site to site.

Cookies, those well-known morsels of data that web browsers store on a website’s behalf,
are a useful technology, but also a serious privacy vulnerability. That’s because the
prevailing behavior of web browsers allows cookies to be shared between websites,
thereby enabling those who would spy on you to “tag” your browser and track you as you
browse. This type of cookie-based tracking has long been the most prevalent method for
gathering intelligence on users. It’s a key component of the mass commercial tracking that
allows advertising companies to quietly build a detailed personal profile of you.

In 2019, Firefox introduced Enhanced Tracking Protection by default, blocking cookies
from companies that have been identified as trackers by our partners at Disconnect. But
we wanted to take protections to the next level and create even more comprehensive
protections against cookie-based tracking to ensure that no cookies can be used to track
you from site to site as you browse the web.

Our new feature, Total Cookie Protection, works by maintaining a separate “cookie jar”
for each website you visit. Any time a website, or third-party content embedded in a
website, deposits a cookie in your browser, that cookie is confined to the cookie jar
assigned to that website, such that it is not allowed to be shared with any other website.

Total Cookie Protection creates a separate cookie jar for each website you visit. (Illustration: Meghan
Newell)

In addition, Total Cookie Protection makes a limited exception for cross-site cookies when
they are needed for non-tracking purposes, such as those used by popular third-party
login providers. Only when Total Cookie Protection detects that you intend to use a
provider, will it give that provider permission to use a cross-site cookie specifically for the
site you’re currently visiting. Such momentary exceptions allow for strong privacy
protection without affecting your browsing experience.
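The per-site cookie jar and the login-provider exception described above can be sketched as a small model. This is an added example, not Firefox's code or code from the original post; the class, function names and `*.example` sites are hypothetical, and the exception is modelled as an explicit grant for one (visited site, provider) pair.

```javascript
// Simplified model of per-site cookie jars; not Firefox's implementation.
// Site names below are constructed examples.
class CookieStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.jars = new Map();   // jar key -> Map(cookie name -> value)
    this.grants = new Set(); // "topSite|embeddedSite" pairs granted an exception
  }
  // Choose the jar used when `cookieSite` content runs while the user is on `topSite`.
  jarKey(topSite, cookieSite) {
    if (!this.partitioned) return cookieSite; // one shared jar per cookie owner
    const granted = this.grants.has(`${topSite}|${cookieSite}`);
    // With an exception, embedded content sees its own first-party jar.
    return granted ? `${cookieSite}|${cookieSite}` : `${topSite}|${cookieSite}`;
  }
  set(topSite, cookieSite, name, value) {
    const key = this.jarKey(topSite, cookieSite);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  get(topSite, cookieSite, name) {
    const jar = this.jars.get(this.jarKey(topSite, cookieSite));
    return jar ? jar.get(name) : undefined;
  }
  grantException(topSite, cookieSite) {
    this.grants.add(`${topSite}|${cookieSite}`);
  }
}

// A tracker embedded on each visited site reuses its "uid" cookie if it can read one.
function simulateTracker(store, visitedSites, tracker = "tracker.example") {
  let nextId = 1;
  const seen = {};
  for (const site of visitedSites) {
    let uid = store.get(site, tracker, "uid");
    if (uid === undefined) {
      uid = `uid-${nextId++}`;
      store.set(site, tracker, "uid", uid);
    }
    seen[site] = uid;
  }
  return seen;
}

// Login provider: session set first-party, then read while embedded on other sites.
function simulateLogin(store) {
  store.set("idp.example", "idp.example", "session", "s1");
  const before = store.get("shop.example", "idp.example", "session");
  store.grantException("shop.example", "idp.example");
  return { before, shop: store.get("shop.example", "idp.example", "session"),
           news: store.get("news.example", "idp.example", "session") };
}
```

With a shared jar the tracker reads the same `uid` on every site; with partitioning each visited site yields a fresh one, and the provider's session is visible only on the site that received the grant.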

In combination with the Supercookie Protections we announced last month, Total Cookie
Protection provides comprehensive partitioning of cookies and other site data between
websites in Firefox. Together these features prevent websites from being able to “tag” your
browser, thereby eliminating the most pervasive cross-site tracking technique.

To learn more technical details about how Total Cookie Protection works under the hood,
you can read the MDN page on State Partitioning and our blog post on Mozilla Hacks.

Thank you
Total Cookie Protection touches many parts of Firefox, and was the work of many
members of our engineering team: Andrea Marchesini, Gary Chen, Nihanth Subramanya,
Paul Zühlcke, Steven Englehardt, Tanvi Vyas, Anne van Kesteren, Ethan Tseng, Prangya
Basu, Wennie Leung, Ehsan Akhgari, and Dimi Lee.

We wish to express our gratitude to the many Mozillians who contributed to and
supported this work, including: Selena Deckelmann, Mikal Lewis, Tom Ritter, Eric
Rescorla, Olli Pettay, Kim Moir, Gregory Mierzwinski, Doug Thayer, and Vicky Chin.

Total Cookie Protection is an evolution of the First-Party-Isolation feature, a privacy
protection that is shipped in Tor Browser. We are thankful to the Tor Project for that close
collaboration.

We also want to acknowledge past and ongoing work by colleagues in the Brave, Chrome,
and Safari teams to develop state partitioning in their own browsers.
