Total Cookie Protection comparison

[sam-goode]

Firefox 86 introduces Total Cookie Protection. To what extent does this overlap with the functionality provided by multi-account containers?

[groovecoder]

I'm summoning the engineers who worked on Total Cookie Protection to this issue to also discuss this.

As I understand it, Total Cookie Protect is a product name and evolution of dynamic first-party isolation. In dFPI Firefox isolates cookies to the first-party domain, with an exception (the "dynamic" part) for certain user-initiated resource requests like those used in Single Sign-On implementations.

In addition, Total Cookie Protection is not enabled by default - but when Firefox Enhanced Tracking Protection is set to "Strict".

Finally, I believe a goal of TCP/dFPI provides a UX enhancement for users of sites that currently rely on cross-site cookies for things like SSO. A longer-term, cross-browser solution is for sites to use the Storage Access API to request such first-party storage permission from users.

That last point has the most overlap with Containers.

When users access multiple sites in the same Container, all those sites share the same storage access. So, for example, if you are signed into GitHub in a Container, you should have no problem using "Sign in with GitHub" when you visit another site in the same Container.

What I think this means is ...

A Firefox user running with ETP "Strict" (i.e., Total Cookie Protection) will have very strong privacy protections - including the state partitioning offered by dFPI/TCP - in all their "non-Container" tabs. That same user can ALSO use Containers to access a number of sites that will all share combined storage access.

Let's take an example of a user signing into GitHub and then to Travis CI that relies on GitHub SSO thru a number of cases:

1. Firefox user with default settings: Sign in to GitHub works, and sign into Travis CI works. GitHub is not on the ETP block-list, so it is allowed to access the cookies required for SSO on Travis CI.
2. Firefox user with ETP "Strict" including TCP/dFPI: Sign in to GitHub works, and sign into Travis CI works. Travis CI uses SSO in a way that TCP heuristics can detect, so TCP allows access to the cookies required for SSO on Travis CI.
3. Firefox user with Containers: Sign in to GitHub works, and sign into Travis CI works, if Travis CI is accessed in the same Container.

I'll stop here and let other TCP/dFPI engineers chime in too.

[grahamperrin]

User-defined containers

… A Firefox user running with ETP "Strict" (i.e., Total Cookie Protection) will have very strong privacy protections - including the state partitioning offered by dFPI/TCP - in all their "non-Container" tabs. …

Amongst my eleven containers, some of which were predefined by Mozilla's Multi-Account Containers extension, four of the user-defined containers are for (amongst other things) four Microsoft Exchange mailboxes from a single service provider. All four in a single domain. One Outlook Web App instance in each of the four containers.

Strict protection is effective in tabs in these user-defined containers.

I expect the protection here to be no less effective than in non-contained tabs.

When I aim to follow a link from within Outlook Web App, I either:

1. want it in the same container; or
2. want it in a different container

– and if difference is required, then I'll either:

• know that the link address will be governed by the site list for a user-defined container (or an extension with comparable capability); or
• use the context menu to decide which container, if any, will receive the linked content.

Scopes of technologies

If thoughtlessness before clicking a link causes undesirable content to enter a user-defined container:

• this is simply my fault

– unrelated to total cookie protection or any other technology that's intended to protect me.

[grahamperrin]

Some related discussions (thanks @groovecoder for directing people here):

• https://old.reddit.com/r/firefox/comments/lqj1zl/-/goh58b1/
• https://old.reddit.com/r/firefox/comments/lr3beg/-/
• https://old.reddit.com/r/firefox/comments/lrfa5l/-/
• https://old.reddit.com/r/privacy/comments/lqkouc/-/gokw73n/?context=1 *
• https://old.reddit.com/r/privacy/comments/lqkouc/-/goh0bky/
• https://old.reddit.com/r/privacy/comments/lqkouc/-/goi75fu/
• https://old.reddit.com/r/privacytoolsIO/comments/lqjpe3/-/gogr7dt/
• https://old.reddit.com/r/privacytoolsIO/comments/lqjpe3/-/goiqnof/

Whilst most questions in Reddit are answered,

I'm summoning the engineers who worked on Total Cookie Protection to this issue to also discuss this. …

– 👍 there is, if you like, an opportunity for engineers (and others with an interest – @caitmuenster maybe?) to view the terms in which people are thinking.

---

* off-topic, responses to adjacent comment https://old.reddit.com/r/privacy/comments/lqkouc/firefox_announces_total_cookie_protection/gohcxe5/?context=1 might be enjoyed if you can have a dry sense of humour about being literally followed by cookies.

[gitthehubs]

It gets a bit confusion to me as well as some things seems to overlap. Multi-account containers seperates cookies, localStorage, indexedDB, HTTP data cache, image cache and 'Any other areas supported by originAttributes'. The supercookies protection since Firefox 85, or Network Partitioning, partitions HTTP cache, image cache as well, and many more. The Total Cookie Protection since Firefox 86, or Dynamic Partitioning, paritions cookies, localStorage, indexedDB as well, and a few more things.

I see it as that multi-account containers does some seperation on a higer level and within every container you have your own supercookies and total cookie protection. The easiest example to give it that with a normal Firefox installation you can only log in once to a website, because every other tab has also access to the or some first party data, for example the cookies, so it recognise that you are already logged in to a website. With multi-account containers this is seperated again and so you can log in to a website in every container.

https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/State_Partitioning https://blog.mozilla.org/security/2021/01/26/supercookie-protections/ https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/

To make it even more confusion, you also have first-party isolation: https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/

The following items are affected by First-Party Isolation: cookies, cache, HTTP Authentication, DOM Storage, Flash cookies, SSL and TLS session resumption, Shared Workers, blob URIs, SPDY and HTTP/2, automated cross-origin redirects, window.name, auto-form fill, HSTS and HPKP supercookies, broadcast channels, OCSP, favicons, mediasource URIs and Mediastream, speculative and prefetched connections.

Turn it on in about:config preference privacy.firstparty.isolate:true :confused:

[grahamperrin]

Here be dragons

… first-party isolation: …

… Turn it on in about:config …

confused

Reset browser.aboutConfig.showWarning to be reminded of this, or something like it:

https://english.stackexchange.com/a/37087/11504

Of course, most users eventually forget the relevance of the warning :-)

privacy.firstparty.isolate

Proceed with caution. If in doubt, reset the preference.

Discussions include:

• https://old.reddit.com/r/privacy/comments/lqkouc/-/gokatgl/
• https://old.reddit.com/r/privacy/comments/lqkouc/-/goi397j/
• https://old.reddit.com/r/firefox/comments/lnpns6/-/gosuzt2/?context=4
• https://old.reddit.com/r/privacy/comments/lqkouc/-/govw6f2/?context=4 where I think of privacy.firstparty.isolate as uncomfortably blunt.

[sam-goode]

Thanks for the very comprehensive replies everyone!

So to sum up my understanding so far, FF strict mode which enables Total Cookie Protection, effectively gives you a similar level of privacy as you might expect by using multi account containers to prevent cross site tracking, kind of like creating a separate container for every site.

Multi account containers offers additional privacy in the sense that other elements are isolated, which allows you to login to the same site with multiple accounts.

[gitthehubs]

@grahamperrin From: https://github.com/arkenfox/user.js/issues/1051#issuecomment-760442151 Migrate FPI users to dFPI https://bugzilla.mozilla.org/show_bug.cgi?id=1649876

dFPI seeks to make FPI more web compatible by allowing us to relax isolation under certain conditions. Over the past couple months we've rapidly expanded the set of APIs covered by dFPI such that most of the APIs partitioned by FPI are also partitioned by dFPI.

Deprecate and remove the privacy.firstparty.isolate pref. Migrate Firefox FPI users to dFPI, and Tor Browser to a set of prefs that set the heuristics + isolation to their desired level.

[grahamperrin]

https://old.reddit.com/r/firefox/comments/ltdlfh/-/gp045ob/?context=3 is thought-provoking. Things there are not yet entirely clear to me.

[grahamperrin]

https://bugzilla.mozilla.org/show_bug.cgi?id=1649876

Thanks; also 1686296 - Enable dFPI in strict mode for beta and release channel (now closed), which featured in this Reddit post:

• Firefox 86: strict enhanced tracking protection with dynamic first party isolation (dFPI)

In the dependency trees for both 1649876 and 1686296:

• 1549587 - (DynamicFirstPartyIsolation) [meta] Dynamic first party isolation

– with reference to this, which is probably one to watch:

• 1602922 - (dfpi-breakage) [META] Breakage bugs of Dynamic First Party Isolation

‒ all of which might be interesting, although (with respect to the opening post here) I don't know whether it helps to compare Multi-Account Containers with total cookie protection.

---

I'm slightly surprised that the release of Firefox 86, with dFPI available at a simple click of a button (not requiring an advanced preference), has not yet led to more breakage appearing under 1602922.

More than slightly surprised to find Phabricator for Mozilla e.g. https://phabricator.services.mozilla.com/D106622 significantly broken with strict ETP in one Firefox profile: …

[grahamperrin]

… Phabricator for Mozilla e.g. https://phabricator.services.mozilla.com/D106622 significantly broken …

▶ Mozilla bug 1695546 - multiple cloudfront.net addresses breaking strict enhanced tracking protection for Mozilla Phabricator

[AdKiller]

Thanks for the explainers on the myriad of privacy settings in Firefox.

If I understand correctly, currently unless I need to login to the same website with multiple accounts, there is no need for multi account container add-on?

Currently I use multi account containers & Temporary Containers' automatic mode, but I think it is overkill for my goal which is to stop websites from snooping on what I am doing on other websites.

[dannycolin]

Thanks a lot to everyone who answered the question! I'm closing this since we're moving support question to our forum at https://support.mozilla.org. However, I'll add a link to this issue in the GitHub Wiki in case someone is interested in using part of the information shared here to enhance our knowledge base article at https://support.mozilla.org/kb/containers