
I commend Firefox for trying to do this... but it worries me.

3 obvious holes:

- Proliferation of dialogs. When you don't know whether a site will suddenly break or not, standard users will be implicitly trained to say yes to all dialogs.

- Domain "homogenizing" (spoofing) services will win. Trackers that offer a widget you can install on your server will win. Facebook et al. will still know where they sent you, and will be able to track you server side. If Mozilla provides a centralized whitelist, then SSO providers who also provide trackers will win. Essentially, the big players will find a way, the little players (who users weren't worried about anyway) will still lose.

- The web will break. SSO will be broken for a good couple of months on over 50% of websites using it - possibly more. "This only works in Google Chrome" will become more and more popular. Potentially, Firefox doesn't have the market share to make this work.

Those of us who will stick with Firefox regardless are in for a world of pain, and not a lot of gain. I guess it's necessary to move the web on, but the pessimist in me doesn't see that happening any time soon.



> ...the little players (who users weren't worried about anyway) will still lose.

The little players not having data is a win in my eyes, because those are more likely to get breached or sell data to the highest bidder.

> This only works in Google Chrome

Regardless of Firefox abiding by the standards (or doing what Chrome does) or not, this was always going to be the case, and so it isn't that big a deal.

> Trackers that offer a widget you can install on your server will win.

This is already a thing thanks to the popularity of content blockers like Pi-Hole and uBlock Origin. Firefox's move here is another nail in the coffin for third-party tracking through third-party servers. At least, first-party tracking with third-party "widgets" means first-party would need to shell out the cost of running that infrastructure.

> The web will break.

The web always has been :)

> Those of us who will stick with Firefox regardless are in for a world of pain, and not a lot of gain.

For me, Firefox seems to be making decisions with users' security and privacy in mind, and I see that as a net positive. As a long time user, it is the only reason I use Firefox.


I agree with pretty much everything you've said :)

I guess my gripe is more "Why does the world not work right" than "Firefox has done a stinker here".

And I suppose my reaction really should be "How can we work to give Firefox a leg up, while still encouraging it to intentionally fail many of the metrics most people care about".

It's a hard battle to fight. Don't suppose Google will implement these things that might hurt their user tracking businesses... yeah?... no?... no.

> thanks to the popularity of content blockers like Pi-Hole and uBlock Origin

Unfortunately these are "block these please" which hurts all the big players for the tiny portion of web users that use them. Every time I've ever moved a feature in software I've written from "all except this" to "none except this", it has always failed spectacularly, at least for a few people. The fact that users will get an option to unblock the services they need is encouraging... the fact that they mention that users might see the dialog multiple times for the same service is not.

But yes, I will try to be hopeful - and you are right, the fact that Firefox does this kind of thing is a big part of the reason I use them in the first place.


> Regardless of Firefox abiding by the standards (or doing what Chrome does) or not, this was always going to be the case, and so it isn't that big a deal.

It's a huge deal to me as a Firefox user. This is a total anecdote, but the number of websites and apps that are broken in Firefox seems to be on the rise. I try to report bugs when I can but the task is Sisyphean.

If Firefox is increasing the friction between web developers and the browser while chrome is lowering it, the problem will only get worse.


I remember a time when Firefox didn't work for anything that required ActiveX.

I remember when Firefox didn't support Flash without a seriously dangerous plugin.

I remember when somehow enough people woke up and banded against ActiveX and Flash.

It seems popular here to make the argument that "doing what's right" poses an existential threat to the right-doer. The corollary to that argument is that in order to survive you must do what is wrong.

For some, it is better to die than to go along with what is wrong. Luckily, it often works out that those who have the courage to do the right thing survive. And when they do the world is often a better place.

Don't cave into the naysayers who predict the end of the world. Keep fighting the good fight.

"And herein do I exercise myself, to have always a conscience void of offence toward God, and toward men."


Cool story, I still have to use Chrome to talk to my doctor, view my healthcare documents, and get my W2. While Firefox is "doing the right thing," I, the Firefox user, have to use a different browser that doesn't respect my privacy because they don't do what web developers expect.

And you can blame web developers, businesses who hire them, or Google for turning the world into this sorry state. But oftentimes the only choice I have as a consumer is what browser I use, and most of the time it's Firefox. But more and more frequently, I can't choose to use Firefox because some functionality is broken on a website I need to visit.

The more of this functionality that they break, the more often I need to use Chrome.


Your claims are suspicious. A company cannot require you to have internet access to supply you a W-2 tax form. You choose to keep your healthcare documents in some format that requires Chrome? That seems very very strange. Your doctor won't talk to you in person or on the telephone? Again, strange.

You are not forced into any of these things. You choose them as a matter of convenience, cost-savings, or some other reason. You have your reasons, but it is highly unlikely that you don't have a choice.

The choices you have purportedly made have allowed others to make poor choices with little consequence. With less effort than it took to install Chrome, you could have asked for a paper copy of your W-2. That would have put the pain of a bad decision back upstream where it belongs.

> The more of this functionality that they break, the more often I need to use Chrome

From context, "they" would refer to the party that breaks functionality. From the sentence above, I take that to be "Google for turning the world into a sorry state." Your response to this is to "need to use Chrome." Your choices seem irrational to me.

But again, they are your choices and you do have them.


Many of my documents are accessed electronically through various web services. Many of them function poorly or not at all with Firefox. I'm sure I could make a phone call and get them mailed to me, but "don't use the internet" is not an acceptable workaround to a website failing to load in Firefox.

The "they" I refer to is Mozilla's engineers. They have consistently broken or failed to implement their platform as developers expect, and since their market share is tiny, developers do not care and bug reports.

I accept that by using Firefox my experience on the web is degraded. That's a tradeoff I make. What I'm reacting to is that it seems you've put on the blinders from the high horse you're sitting on. In the real world, Firefox is technically limited by the many decisions to ignore what developers are doing.

Instead of blaming the users for following the path of least resistance, blame Mozilla for failing to make the "right thing" the path of least resistance for developers. If Firefox were easier to target than Chrome, supported more APIs and had better developer tools, then we wouldn't have this reality.


> The more of this functionality that they break, the more often I need to use Chrome.

On the other hand, if Firefox is just going to be a clone of Chrome (behavior-wise), then what's its purpose for existing?


+1

Your handle "freeopinion" reminds me that although people often say "you get what you pay for," just because something's free does not mean that it's worthless.


> For me, Firefox seems to be making decisions with users' security and privacy in mind, and I see that as a net positive. As a long time user, it is the only reason I use Firefox.

I agree that that is a good thing. However, the more Firefox breaks compatibility with sites people use, the harder it will be to regain market share. And if Firefox keeps losing market share it will have less ability to influence web standards, and could potentially die altogether, which would be bad for privacy and security in the long run.

Fortunately, state partitioning isn't enabled by default on Firefox yet (it is part of "strict" ETP), so only people who are ok with it potentially breaking sites will turn it on.


> The little players not having data is a win in my eyes, because those are more likely to get breached or sell data to the highest bidder.

I somewhat agree with everything but the above. I’ve looked at data on thousands of breaches and have found that size of organization isn’t really correlated with “having better security”.


"Regardless of Firefox abiding by the standards (or doing what Chrome does) or not, this was always going to be the case, and so it isn't that big a deal."

The "dealedness" of this isn't a binary. One may tolerate a small amount while rejecting a large amount.

I point this out more to put the idea out there (it's an important concept even in your day-to-day job) than because I disagree with the main thrust being made here; as a uMatrix user I traded security for a functional web a long time ago. Breaking trackers is a feature, not a bug, for me. If that breaks your website, goodbye.


I'm having exactly the opposite thought.

As a developer, shit like "Automatic unpartitioning through heuristics" alone is enough that I won't touch this. Full stop.

Firefox is now breaking the contract I expected it to fulfill as the user's agent, and it's doing it fucking at random.

I happen to live in a space where I do need cross site support (both for cookies and requests) and frankly, between Google's push for SameSite, and now Firefox's selectively breaking the cookie jar, I'm pissed.

I'm a bit boggled that we haven't settled on a decent solution to let a site declare how it wants to interact with other sites.

This already fucking exists for mobile too, both Android and iOS support an opt-in manifest declared at a /.well-known/ path on the origin in question, why the fuck are the browser vendors so DEAD SET on removing control from the sites themselves in favor of these rushed, half assed, shoddy solutions.

Let me declare the sites I want to allow to share my resources. Let me do it at a known location, with a standard manifest, with finer grain control than "Random fucking heuristic" and "strict/lax/none".


I feel like the entire purpose of this is to take the control from the sites and give it to the users. The site owners obviously do want the cookies to be shared with trackers if they embed them.


I don't mind at all if Firefox wanted to propose a standard way to declare cross site sharing, and then allows the user to overrule my settings as a dev (or even if they pick more restrictive defaults, if user opt in is a problem).

There's a standard in place, so arbitrary exceptions and heuristics don't create incredible headaches, and there's a clear path to resolving the issue in support/triage with the customer if they create a rule that does actually break my site's functionality.

I do mind, quite a bit, when Firefox essentially goes "Fuck the standards", and starts playing fast and loose with the rules. And I mind for two reasons:

1. I expect better from them. I'm old enough to remember how much steam Firefox picked up from IE by just treating a standard as a standard. It was novel, and transformed front-end development in a great way.

2. They are not the market leader, and non-standard, site breaking bullshit only does more to sink their ship, and I desperately want a competitor in the browser ecosystem that is not Google Chrome (or a rebranded chromium port).


Isn't that pretty much exactly what this accomplishes? It means sites first have to request your permission in a popup.

I thought the article made it pretty clear that the heuristics are only intended as a temporary stop-gap measure to prevent every current SSO service from breaking.


> I thought the article made it pretty clear that the heuristics are only intended as a temporary stop-gap measure to prevent every current SSO service from breaking.

That sentence alone is mind boggling - Hey, Mozilla is breaking every standard that previously allowed cross domain authentication, or 3rd party authentication services, but don't worry, it's only temporary... until what exactly?

Either every site under the sun is suddenly asking the user to accept unpartitioning because critical features are broken and a user literally has to click yes to continue, in which case all you're doing is training users to always click yes (EU cookie popups, take two, lovely...)

Or users move away from Firefox because sites are just broken.

They don't even have a long term solution for how SSO services are expected to work here, other than "use this other API that happens to cause the behavior as a side effect, and oh, btw, the global market leader (chrome) doesn't support it yet! Enjoy!"

Where the fuck is my RFC? Where is the real planning I'd expect from the company that I only know the name of because they actually gave a shit about standards when IE was doing this kind of crap left and right?

I like Firefox precisely because they normally don't do this bullshit (and their standards based docs on MDN are literally some of the best around).

---

My take is that this is essentially security advertising and social signaling, and is another death blow to Firefox from Mozilla trying to push privacy focused paid services.


> The web will break.

I have been using the First-Party Isolation feature for a few months now. FPI (privacy.firstparty.isolate) is a flag that was originally created for the Tor Browser project. It's a strict version of State Partitioning without any way to unpartition (no permission dialogs, no heuristics).

So far I have only come across one broken website: Microsoft Teams login through Okta SSO.

The rest of my logins worked flawlessly with FPI turned on. Nothing close to the 50% that you mention.


I don't understand why the SSO would be broken. AFAICT, I'd just need to re-login to the SSO-provider (Okta in this case) in the context of the initiator (Microsoft Teams, in this case). They'd otherwise need to be doing something silly if it stops working.


Teams relies on iframe auth to fetch the Nth token from AAD (multiple resources to call, multiple tokens required). The iframe calls are partitioned and lose cookies, even under Firefox's helpful "redirect exemption" setup, it's not clear why.


That's encouraging news. Do you use a lot of sites with SSO? Are they mostly mainstream (where I would class MS Teams to fall in that bracket) or do they tend to be more niche services?

(I totally accept that my "50% of SSO systems will be broken by this" to be a worst-case random number i-have-no-idea-but-for-all-I-know value. Probably shouldn't have been so blasé about it! But very much interested to hear what real-world values look like)


Okta SSO is used heavily inside my company to access internal sites, but if there's a way to whitelist, or the user sees a popup the first time and allows Okta cookies after that, this problem is taken care of.


SSO really doesn't need cookies to function, you can e.g. pass short-lived authentication tokens via URL hash fragments, that is already supported by OAuth 2.0 via the implicit grant flow (and for API-based flows it's not a problem).


IMO this and referrer URL are the only information that ought to be able to be shared between two different domains via the browser. Either put it in the query string so the user can be aware of it or leave it alone.

Of course, there are downsides. Query string character limits constrain what can currently be passed (some would say it's a good thing in this context), and browsers are headed more and more towards showing only the domain in the address bar by default.

The other remaining problem would be tracking via XHR. The only mechanism for limiting which servers an XHR request can talk to currently is CORS, and that config is controlled by the server, not the user.


> SSO will be broken for a good couple of months

OpenID Connect should continue to work just fine. It's redirect based so 3rd-party cookies don't apply.

But I can see HTTP-based redirects being used for tracking on every page load (so much for SPAs, heh). Techcrunch already does that.
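To make the iframe-versus-redirect distinction from the Teams/AAD comment and the OpenID Connect comment above concrete, here is an added toy model of a state-partitioned cookie jar (example code written for this thread, not Firefox's implementation). It assumes constructed names (login.example as the identity provider, teams.example as the embedding app, a session cookie called "sid") and a simplified partition key of top-level site plus request origin:

```javascript
// Added illustration: a cookie jar keyed by the top-level site the user is on plus
// the origin a request goes to. With partitioning, a cookie set while login.example
// was the top-level page is not visible when login.example is loaded inside an
// iframe on teams.example, so silent iframe token fetches fail while a top-level
// redirect flow still finds the session. All hostnames and values are constructed.

function site(origin) {
  // Toy "registrable site": keep the last two hostname labels.
  const host = new URL(origin).hostname;
  return host.split(".").slice(-2).join(".");
}

class CookieJar {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  key(topLevel, target) {
    const origin = new URL(target).origin;
    // Unpartitioned (legacy) jars key cookies by target origin only.
    return this.partitioned ? `${site(topLevel)}|${origin}` : origin;
  }
  set(topLevel, target, name, value) {
    const k = this.key(topLevel, target);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
  get(topLevel, target, name) {
    const k = this.key(topLevel, target);
    return this.store.has(k) ? this.store.get(k).get(name) ?? null : null;
  }
}

// 1. The user signs in to the identity provider as a top-level page.
function signIn(jar) {
  jar.set("https://login.example", "https://login.example", "sid", "s3ss10n");
}

// 2a. iframe-style silent auth: teams.example embeds login.example and expects the
//     session cookie to ride along. Returns null when the cookie is not sent.
function iframeTokenFetch(jar) {
  const sid = jar.get("https://teams.example", "https://login.example", "sid");
  return sid ? "token-for-" + sid : null;
}

// 2b. redirect-style auth: the browser navigates top-level to login.example, which
//     sees its own first-party cookie and can redirect back with a code.
function redirectFlow(jar) {
  const sid = jar.get("https://login.example", "https://login.example", "sid");
  return sid ? "code-for-" + sid : null;
}

function demo() {
  const result = {};
  for (const [label, partitioned] of [["legacy", false], ["partitioned", true]]) {
    const jar = new CookieJar({ partitioned });
    signIn(jar);
    result[label] = { iframe: iframeTokenFetch(jar), redirect: redirectFlow(jar) };
  }
  return result;
}
```

Running `demo()` shows the iframe fetch succeeding only in the legacy jar, while the redirect flow succeeds in both.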


Nothing that ultimate bypass/redirector can't solve, assuming the target url is somewhere in the GET data


OIDC in a 3rd-party iframe breaks with SameSite


Mozilla went chasing Chrome, and lost almost all of its market share.

Chasing Chrome was a bad decision. When they realised it was, they should've corrected the mistake, but instead Baker doubled down on the wrong direction, breaking all fiduciary duties she has as a CEO of non-profit in the process.


If you're referring to XUL extensions being given the elbow, the small proportion of users using those does not correspond to Firefox market share loss.


That's not Mozilla's only or most significant misstep.

CEO drama, Hello, Pocket, UI indecisiveness, repeated feature removal over objections, breaking everyone's addons first with the XULening then with the addon cert fiasco, opt-out telemetry, force-pushing addons without affirmative consent, opt-out advertising, buying into scummy tracking outfits like cliqz (and trying to hide it), poor prioritization, lack of focus.

If there's ever a choice between giving the user more control and transparency or taking it away, Mozilla seems to take the latter option.


Outside of HN, no one I've ever talked to has mentioned any of those as reasons for using Chrome. The two most common reasons I've heard are "dunno" followed distantly by "I use ten hundred thousand million tabs and Firefox crashed on me once fifteen years ago."

I suspect the rise of mobile browsing, with Chrome as the default, plus users' Google account having strong integration with Chrome--not to mention Google pushing Chrome across all of their properties--have a lot more to do with Chrome's popularity than a button on Firefox's toolbar that you don't like.


Mozilla still hasn't figured out that they are synonymous with Firefox and until that happens you can expect the market share to further deplete. Meanwhile, Chrome gains little by little until Mozilla will be utterly irrelevant, which is a huge pity because we really need an independent browser.

I'm still writing this using Firefox but Chrome is now also running all the time on this machine because of one of my private projects which requires Web MIDI (and which, according to Mozilla, can not be implemented safely, though Chrome is existence proof that this is nonsense).


Maybe, but evangelization is a significant source of market share. That's what led to FF eclipsing IE back in the browser dark ages.

*response to stealth edit:

I listed 13 separate problems with Mozilla, I'd thank you to respond to what I actually wrote, not a caricature you cooked up.


Fair cop. That was lazy of me and I apologize.


Wow, I had actually forgotten about a ton of this stuff, shines a different light on how hard it’s been working to gain trust and be the “privacy browser” in recent years.


> breaking everyone's addons first with the XULening then with the addon cert fiasco

You're forgetting back when they first switched to the rapid release cycle they broke plugins every release. After 3-4 release breaking half my plugins each time I switched to Chromium. It was when they dumped the XUL based extensions and finally had a stable extension API that I switched back.


> Facebook et all will still know where they sent you, and will be able to track you server side

This is not a problem a browser can fix


Layering leaky abstractions over leaky abstractions and calling it security is what the web has turned into. All the while introducing new side channels and attack vectors like WebGL that allow completely covert access via unknown access paths in GPU driver binary blobs.

It's unfixable.


> Firefox doesn't have the market share to make this work.

Potentially indeed. On the other hand it will give FF evangelists one more selling point.

"Why should I switch to Firefox?" - "Because it lets you choose who is tracking you and who is not."


It’s a difficult argument, depleted of its true meaning by its overuse in VPN ads (which make it... easier to track you at the VPN level). But Firefox has a good enough corporate image to tell that _they_ are the ones who really do it.


I have only gotten a virus once on my computer, and it was because IE was harassing me with dialog boxes on a regular basis, and one time when it was asking me a yes/no question about downloading code, my brain went into "SSL Warning mode" and didn't say "wait!" until my finger was descending on the OK button.

I only had the virus for ten minutes, but it reconfirmed everything I knew about dark UI patterns.
