mullvad / mullvad-browser

Privacy-focused browser for Linux, macOS and Windows. Made in collaboration between @torproject and @mullvad
https://mullvad.net/browser

Unable to login with Google through websites #56

Open CHJ85 opened 1 year ago

CHJ85 commented 1 year ago

Hi there. Whenever I try to log in to websites through Google, I just get a blank page. This does not happen in Firefox, so I know it's not a Firefox issue. I thought it was the no-script addon at first, so I disabled that and some other privacy settings, but with no luck. Any idea?

Thorin-Oakenpants commented 1 year ago

This is by design, for now. Some cross-site logins use a login flow that breaks First Party Isolation (FPI).

CHJ85 commented 1 year ago

Ah, I see. Is there a way around this though?

Thorin-Oakenpants commented 1 year ago

No. If you disable FPI (don't do that) then you remove all the cross-site state (cookies, caching, etc.) tracking which breaks the protection. FPI here is doing its job to stop you being tracked by third parties.

That's all the State Partitioning tests at https://privacytests.org/

MB may move to some hardened/modified dFPI (dynamic First Party Isolation) and network partitioning (= all the results in that section you see for Firefox), but this is not trivial as it diverges from TB's base.

It also carries risk: i.e. MB/TB would need to tweak dFPI and maybe even add warnings/confirmation instead of automagically (gated behind user gestures e.g. clicking the login button) allowing these cross-site exceptions, and any exceptions would need to be per-VPN + session (I think Firefox keeps them for 15 days?). It's not trivial.

> Is there a way around this though

Use a secondary browser for problematic sites .. like, IDK, Firefox :)

CHJ85 commented 1 year ago

Right. But using a secondary browser for problematic sites kinda defeats the whole purpose of being safe and secure. I was thinking maybe there's a way to disable FPI on a site by site basis or unlock it for a short amount of time. Just enough time for me to sign in.

Thorin-Oakenpants commented 1 year ago

> kinda defeats the whole purpose

Who said using Firefox isn't safe or secure? The main point of difference with MB is that it allows robust fingerprinting protection when used with Mullvad VPN.

If you use Firefox, it comes with all that state partitioning by default, and allows you to cross site login. If you're logging in, then 1st party tracking is not an issue. If you also use a system VPN with Firefox, then that's even better, but you're still logging in.

> a way to disable FPI on a site by site basis

Nope. This is what dFPI is, it allows a site by site basis (gated by user actions such as clicking a login button). On FF you are still getting all that state partitioning, except per site exceptions which relax some of the storage ones.
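
Added example, not part of the issue thread and not Firefox or Mullvad Browser code: a simplified model of the storage keying discussed above, showing why an embedded login provider cannot see its own session under FPI and how a dFPI-style exception, gated by a user gesture and time-limited, changes that. The class, the site names `idp.example` and `shop.example`, and the 1000 ms grant lifetime are all constructed for illustration.

```javascript
// Simplified model of partitioned browser storage (constructed for illustration).
class PartitionedJar {
  // mode: "fpi"  = always key third-party state by the top-level site
  //       "dfpi" = same, unless a user-gesture-gated exception exists
  constructor(mode, grantLifetimeMs) {
    this.mode = mode;
    this.grantLifetimeMs = grantLifetimeMs; // assumed value, chosen by the caller
    this.store = new Map();  // partitionKey -> Map(name -> value)
    this.grants = new Map(); // "topSite|embeddedSite" -> expiry timestamp
  }

  // Record an exception; refused outside dfpi mode or without a user gesture.
  grant(topSite, embeddedSite, userGesture, now) {
    if (this.mode !== "dfpi" || !userGesture) return false;
    this.grants.set(`${topSite}|${embeddedSite}`, now + this.grantLifetimeMs);
    return true;
  }

  hasGrant(topSite, embeddedSite, now) {
    const expiry = this.grants.get(`${topSite}|${embeddedSite}`);
    return expiry !== undefined && now < expiry;
  }

  // Which jar does `site` see when it is loaded under `topSite`?
  partitionKey(topSite, site, now) {
    if (topSite === site) return site;                  // first-party context
    if (this.hasGrant(topSite, site, now)) return site; // exception: unpartitioned
    return `${site}^${topSite}`;                        // double-keyed by top-level site
  }

  set(topSite, site, name, value, now) {
    const key = this.partitionKey(topSite, site, now);
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(name, value);
  }

  get(topSite, site, name, now) {
    const jar = this.store.get(this.partitionKey(topSite, site, now));
    return jar ? jar.get(name) : undefined;
  }
}

// Scenario: the user signed in at idp.example, then visits shop.example, which embeds it.
function embeddedSessionVisible(mode, userGesture, elapsedMs) {
  const jar = new PartitionedJar(mode, 1000); // 1000 ms lifetime: constructed
  jar.set("idp.example", "idp.example", "session", "abc", 0);
  jar.grant("shop.example", "idp.example", userGesture, 0);
  return jar.get("shop.example", "idp.example", "session", elapsedMs) === "abc";
}
```

In this model the session is visible to the embedded provider only in `dfpi` mode, after a gesture-gated grant, and only until the grant expires; in `fpi` mode it is never visible, which matches the "by design" behaviour described in the thread.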