The Mozilla Foundation has released its latest version of the Firefox browser, which comes with new privacy protections to squash cross-site cookie tracking, as well as a slew of security vulnerability fixes.
Firefox 86, released on Tuesday, includes what it touts as a privacy-bolstering feature called Total Cookie Protection. This new feature isolates each cookie assigned by each website – preventing websites from tracking internet users in an invasive, cross-site manner.
“Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site,” said Tim Huang, Johann Hofmann and Arthur Edelstein with Mozilla on Tuesday.
Cookies: Busting Privacy Problems
HTTP cookies are small data files stored by web browsers while users are perusing various websites. These are used as a unique identifier to improve web browsing experience and enable user-specific ads – a necessary part of the internet economy.
However, tracking cookies can also pose a “serious privacy vulnerability,” said Mozilla, because third-party companies – like data brokers, affiliate networks and advertising networks – can use them to track users’ browser activity – even when they visit other websites. Advertisers can then use the tracking cookies to better understand which websites that users visit – whether those are social media websites or otherwise – and ultimately piece together a digital picture of who users are. Those details can also be transferred to a third party and stored on remote servers.
“This type of cookie-based tracking has long been the most prevalent method for gathering intelligence on users,” said Huang, Hofman and Edelstein. “It’s a key component of the mass commercial tracking that allows advertising companies to quietly build a detailed personal profile of you.”
Firefox Total Cookie Protection
Total Cookie Protection aims to reign in some of these privacy concerns by creating what Mozilla calls a separate “cookie jar” for each website that a user visits.
Each time a user visits a website, the website (or third-party content embedded in the website) will deposit the cookie in the user’s browser. That cookie is then confined to the “cookie jar” assigned to that website – but it is not allowed to be shared with any other website. This would prevent invasive cross-site tracking by various third-party companies.
Mozilla said that Total Cookie Protection does make “a limited exception” for cross-site cookies when they are needed for non-tracking purposes – including those used by popular third-party login providers.
“Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting,” said Huang, Hofman and Edelstein. “Such momentary exceptions allow for strong privacy protection without affecting your browsing experience.”
Browsers Taking Cookie-Tracking Privacy Measures
Mozilla has been on a war path against tracking cookies since 2018, when it announced a campaign blocking tracking cookies by default in Firefox and implementing various other privacy measures in its browser. In October 2018, for stance, Firefox rolled out (off-by-default) enhanced tracking protection features, which gave users the option to block cookies and storage access from third-party trackers.
Other browsers have offered up their own various tactics combating the privacy holes introduced by tracking cookies. Google, for instance, in 2020 set an aggressive two-year deadline for dropping support for third-party tracking cookies in its Chrome web browser. And Apple in March released an update to its Safari browser that would block third-party cookies by default.
Mozilla Firefox 86 Security Fixes
Firefox 86 also comes with three security fixes for high-severity flaws. Two of these flaws exist in the Content Security Policy (CSP), a security mechanism for browsers that prevents cross-site scripting, clickjacking and other code injection attacks. The first vulnerability (CVE-2021-23969) could allow a remote attacker to obtain sensitive data. In the process of creating a violation report for CSP, Firefox’s implementation of the process incorrectly set the source file to be the destination of the redirects.
“By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to obtain the destination of a redirect,” according to an analysis by vulnerability search engine Vulmon.
Mozilla fixed this error by making the source file the redirect destination’s origin as opposed to its destination.
Another flaw (CVE-2021-23968) stems from the CSP violation report process. While details regarding this flaw are scant, Mozilla said that the vulnerability can be used to leak sensitive information contained in Uniform Resource Identifiers (URIs).
“If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI,” according to Mozilla.