Skip to main content

Mozilla holding off cookie-blocking by default in Firefox

Mozilla is holding off on plans to block third-party cookies by default in the next version of its browser, Firefox 22.

"To make sure we get this right we need more data," Mozilla CTO Brendan Eich wrote in a blog post.

Back in February, it was revealed that Firefox 22 would block cookies from third-party advertisers across the Web by default. Cookies are little bits of data collected about your Internet activity. They can be useful — like remembering passwords and settings on sites that you surf to frequently — but there are also concerns about targeted advertising and how much data is really collected.

As a result, browser makers like Mozilla have been toughening up their cookie rules with "do not track" technology. This type of blocking is already in place on Apple's Safari, while Microsoft irked advertisers by turning on "do not track" by default in IE10.

In his blog post, Eich said that Mozilla has been testing a patch from Stanford grad student Jonathan Mayer that would basically allow cookies from sites that you have visited before, but block those from sites to which you are new to.

It sounds good, but there are complications, he explained, like false positives and negatives.

"For example, say you visit a site named, which embeds cookie-setting content from a site named With the patch, Firefox sets cookies from because you visited it, yet blocks cookies from because you never visited directly, even though there is actually just one company behind both sites," Eich wrote. "Meanwhile, in the other direction, just because you visit a site once does not mean you are ok with it tracking you all over the Internet on unrelated sites, forever more."

The challenge, therefore, is how to address these issues, and that troubleshooting likely won't be done by the time Firefox 22 is released.

"We plan to ship an evolution of the patch 'on' by default, but we want to make refinements first," Eich wrote. Right now, the patch is on by default in the Firefox Aurora channel, and has been released but is not on by default in beta.

Eich stressed that the move does not mean Mozilla is getting soft on privacy protection. "In a word: no," he wrote. "False positives break sites that users intentionally visit. (Fortunately, we haven't seen too many such problems, but greater testing scale is needed.) False negatives enable tracking where it is not wanted. The patch as-is needs more work."

Earlier this week, Mozilla released Firefox 21, which added more Social API support, as well as better fonts and HTML5 support on Android.

Patch creator Mayer, meanwhile, made headlines last year when he accused Google and three other ad networks of side-stepping the privacy settings on Apple's Safari browser to track usage on iPhones and Macs without permission. Ultimately, Google was hit with a £14 million fine for the misstep.