Firefox to auto-block third-party ad cookies by summer

Online advertising exec calls the move a 'nuclear first strike' against the online ad industry

Mozilla will automatically block third-party cookies starting with Firefox 22, which is slated to ship this summer, according to the Stanford University researcher who coded the change.

The move, which will make it more difficult for online ad networks to track users' activities, was only the latest skirmish in a war between advertisers and some browser makers.

[ Also on InfoWorld: Mozilla to automatically block virtually all plug-ins in Firefox. | Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]

In a blog post and on Twitter, Jonathan Mayer, a graduate student in computer science and law at Stanford University, and one of two researchers at the school who created the HTTP header implementation that signals a user's "No Dot Track" preference, announced the new Firefox cookie policy.

Mayer kick-started the change last December when he submitted code to the Bugzilla bug-tracking database operated by Mozilla. It was Mayer's first contribution to the open-source Firefox.

"The default Firefox cookie policy will, beginning with release 22, more closely reflect user privacy preferences," Mayer claimed in a post to his blog last week.

Mozilla has added the cookie change to Firefox's "Nightly" channel, the browser's roughest-edged version. Unless the modification is sidetracked or Mozilla changes its mind, the new policy will first appear in a final release of Firefox on June 25.

Cookies are used by online advertisers to track users' Web movements, then deliver targeted ads. The new Firefox policy will allow cookies presented from domains users actually visit -- dubbed a "first-party" site -- but will block those generated by a third-party domain unless the user had previously visited the cookie's site-of-origin.

Examples of first-party cookies are those placed in a user's browser by sites like to identify the customer on repeat visits, letting him or her skip the log-on sequence. Third-party cookies, however, are often placed in ads on first-party sites so that advertisers and online ad networks can track a browser's past activity.

When the new policy goes into effect, Firefox users will need to clear all cookies to start with a fresh slate. Doing so, however, requires a user to laboriously reenter usernames and passwords to again access websites.

Although Mozilla has not publicized the change, developers and company executives, including Brendan Eich, Mozilla's CTO, and Asa Dotzler, the Firefox desktop product manager, debated the new policy on a discussion thread for several weeks before approving the change.

"I'm in favor of moving forward on this, cautiously," Dotzler said Feb. 11 on the thread. "As long as we have confidence at each step of the way that we're not breaking significant numbers of users or sites, this is a good move."

Mozilla will be following in the footsteps of Apple's Safari, which also blocks third-party cookies by default. "The new Firefox policy is a slightly relaxed version of the Safari policy," said Mayer in an FAQ published on his personal blog.

Even so, at least one online ad official slammed Mozilla for making the change. "Firefox to block 3rd party cookies? This default setting would be a nuclear first strike against ad industry," said Mike Zaneis, general counsel for the Interactive Advertising Bureau (IAB), on Twitter Saturday. The IAB is one of several advertising organizations that has been fighting other privacy moves by browser makers, including Microsoft's decision to set "Do Not Track" on by default in Internet Explorer 10 (IE10).

"Second strike, technically (Safari)," retorted Justin Brookman, director of consumer privacy at the Center for Democracy and Technology, also on Twitter.

All browsers, including Firefox, have settings that let users manually switch off all cookies, or refuse those from third-party sites. But only Safari currently blocks all third-party cookies by default. Safari's small share -- in January, Net Applications pegged it as just 5.2 percent -- was likely too low to trigger the online ad industry's concern. Firefox is a different beast: According to Net Applications, Firefox was the second-most-used browser last month, with a 19.9 percent share globally.

But Mozilla didn't view the change as a first strike of any kind, nuclear or otherwise, aimed at online advertising. "We are not trying to stop tracking with this feature," Mozilla's Dotzler said on the discussion thread Sunday. "We are trying to make tracking relationships more obvious to the user."

It would not in Mozilla's self-interest to disrupt the online ad industry, as it generates the bulk of its revenue from a deal with Google, which pays the browser maker a reported $300 million a year for setting Google's search engine as Firefox's default.

The Nightly build of Firefox for Windows, OS X and Linux can be downloaded from Mozilla's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His email address is

Read more about Internet in Computerworld's Internet Topic Center.

This story, "Firefox to auto-block third-party ad cookies by summer" was originally published by Computerworld.

Copyright © 2013 IDG Communications, Inc.