I commend Firefox for trying to do this... but it worries me.<p>3 obvious holes:<p>- Proliferation of dialogs. When you don't know whether a site will suddenly break or not, standard users will be implicitly trained to say yes to all dialogs.<p>- Domain "homogenizing" (spoofing) services will win. Trackers that offer a widget you can install on your server will win. Facebook et al. will still know where they sent you, and will be able to track you server side. If Mozilla provides a centralized whitelist, then SSO providers who also provide trackers will win. Essentially, the big players will find a way, the little players (who users weren't worried about anyway) will still lose.<p>- The web will break. SSO will be broken for a good couple of months on over 50% of websites using it - possibly more. "This only works in Google Chrome" will become more and more popular. Potentially, Firefox doesn't have the market share to make this work.<p>Those of us who will stick with Firefox regardless are in for a world of pain, and not a lot of gain. I guess it's necessary to move the web on, but the pessimist in me doesn't see that happening any time soon.
I think what you want is essentially an entirely fresh browser session for every website you visit. Pretty mind-boggling to what lengths we need to go in order to prevent companies from tracking us. That said, most tracking companies seem to have devised strategies to construct fingerprints from data like IP addresses, user-agent strings and any other meta-data they can get their hands on, so the next step will probably be to restrict what kind of information can be learned about the browser environment via JS (e.g. getting exact screen resolution).<p>Also, data exfiltration via browser extensions is still not a solved problem; there are very popular extensions (Ghostery for example) that are highly privileged in the browser and often collect a ridiculous amount of data. Really can't get my head around why browser vendors still allow that while being so strict on all other forms of tracking.
This needs to be bypassed to use SSO; to bypass it, the SSO provider's site will need to ask for Storage Access; in some cases the user will be asked for permission…<p>“After the user has granted access, Firefox will remember the storage permission for 30 days.”<p>So lay users will get used to just clicking through and blindly granting the permission.<p>The end result will be an additional step for trackers, and a bunch of headaches for all the legit services that get broken from this change.<p>I’m all for less tracking but this doesn’t seem like a good solution.
Looking at the proposed permission UI, I would - as a programmer and heavy web user - have no real clue what to click/what the implications were. If it were Google - do I know and trust them? Well, sort of. I know them; I trust them in the same sense I don't trust a scammer.<p>Also: 30 day timeout? I'm getting pretty fed up of re-logging into websites already over the last couple of years. Add on re-allowing various permissions for access to various things (sometimes every single time), trying to figure out why websites are broken (ad-blocker vs browser blocker vs not cross-browser tested vs temporary problem vs just totally broken) and it's rather a big productivity drain.
This is a very positive change, but I'd be interested to know how the Mozilla folks think about 'collateral damage' from a policy point of view.<p>The exceptions and shared state lead me to believe they've thought about it and tried to mitigate it as much as possible, but how much is acceptable? If this breaks more than they thought it would, is it something they'd be comfortable rolling back or changing?<p>For example, if I read this post correctly, this change would put a hard upper limit on SSO logins of 30 days for Firefox users (because StorageAccess is only granted for 30 days). That might not be a _huge_ issue for most people, but it'll add a hard limit to something that's never had a browser-enforced hard limit before.
This seems brilliant! But the solution for SSO concerns me, given most SSO providers (Google, Facebook) are among the main ones partitioning aims to stop from tracking you. By giving Google SSO unpartitioned access, doesn’t that also let Google track you anywhere?
I like this. After it rolls out, can we quit with those silly GDPR cookie messages? That always seemed like "a social solution for a technical problem", with all the jurisdictional and enforcement problems you would expect from one political body trying to legislate behavior worldwide.<p>Don't want to be tracked? It's your browser after all, just stop handing the trackers data!
Can privacy-focussed browsers that extend Chrome (Brave, Vivaldi, etc.) provide something similar to this, or is it baked deep within Chrome internals, and cannot be overridden?
I'm unconvinced. It's not even possible to whitelist websites for their current "Enhanced Tracking Protection" feature[1]. This smells like another case of over-engineering stuff that people never asked for while ignoring what your users ask for.<p>[1] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1432644" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=1432644</a>
Link moved here: <a href="https://hacks.mozilla.org/introducing-state-partitioning/" rel="nofollow">https://hacks.mozilla.org/introducing-state-partitioning/</a>
What I understand from the article is they're saying the future way of doing SSO is through an iframe with the Storage Access API?<p>How does this work with being able to verify the HTTPS URL? How do I know I'm typing my credentials into my legit SSO provider and not a phishing site?
Can you imagine the next step adtech will take in this arms race? I can imagine adtech giants like Google offering free web hosting and cloud resources to gather most of the Web under a few TLDs. They did it with e-mail, they can do it again with the Web.
Found a concise video explaining the concept:<p><a href="https://www.youtube.com/watch?v=ETYmvjxc1h4" rel="nofollow">https://www.youtube.com/watch?v=ETYmvjxc1h4</a>