Firefox kills another tracking cookie workaround • The Register

Firefox has been fighting the war on browser cookies for years, but its latest privacy feature goes well beyond mere cookie tracking to stop URL query parameters.

HTML query parameters are the jumbled characters that appear after question marks in web addresses, like website.com/homepage?fs34sa3aso12knm. Sites such as Facebook and HubSpot use them to track users when links are clicked, and other websites like YouTube use them to enable certain site features too.

On June 28, Firefox 102 released a feature that enables the browser to “mitigate query parameter tracking when navigating sites in ETP strict mode.” ETP, or enhanced tracking protection, encompasses a variety of Firefox components that block social media trackers, cross-site tracking cookies, fingerprinting and cryptominers “without breaking site functionality,” says Mozilla’s ETP support page.

ETP is active in all current installations of Firefox, but it’s set to “Standard” by default, so it won’t block query parameters. To enable strict ETP, click on the shield icon in the Firefox address bar, then click Protection Settings. In the window that opens, users will now find Enhanced Tracking Protection. Just toggle it to “strict” and you’re off to the races.

ETP is not new. It was added to Firefox in 2018, but was only able to block third-party cookies, not first-party ones that are stored on websites. Advertisers circumvented ETP’s third-party blocking by using redirect trackers, which first send the user to the tracker’s own website for a split second in order to create a first-party cookie. ETP 2.0, released in 2020, closed that loophole.

A 2021 update to ETP added a feature called “total cookie protection,” which creates partitions for cookies that can only be accessed by the website that created them, addressing yet another shortcoming in ETP.

According to Mozilla, ETP requires an up-to-date blacklist of known trackers. “If an attacker wants to thwart ETP, they can set up a new tracking domain that isn’t on the list. Total Cookie Protection avoids these problems by restricting the functionality for all cookies,” Mozilla said. Total cookie protection was rolled out to all Firefox users earlier this month.

What else is new in Firefox 102?

Along with query parameter tracking mitigation, Mozilla added some security and quality-of-life features.

As another perk, for those frustrated by the download panel popping up whenever saving something from the web, that feature can now be disabled. Audio decoding has moved to its own sandbox process to improve security, developers can now filter style sheets in Firefox’s dev tools, and the browser now supports Content-Security-Policy integration with WebAssembly.

Firefox Enterprise organizations should take note as well: 102 of the enterprise version of Mozilla’s browser is the new extended support release, and Firefox 91 ESR will go out of support this September. ®