Today’s Firefox 91 release adds new site-wide cookie-clearing action – Ars Technica

This menacing firefox seems to be on the prowl for unwanted third-party cookies.
Enlarge / This menacing firefox seems to be on the prowl for unwanted third-party cookies.

Mozilla’s Firefox 91, released this morning, includes a new privacy management feature called Enhanced Cookie Clearing. The new feature allows users to manage all cookies and locally stored data generated by a particular website—regardless of whether they’re cookies tagged to that site’s domain or cookies placed from that site but belonging to a third-party domain, eg Facebook or Google.

Building on Total Cookie Protection

Mozilla isn't being delicate about which tech giant is first in its crosshairs.
Enlarge / Mozilla isn’t being delicate about which tech giant is first in its crosshairs.

Mozilla

The new feature builds and depends upon Total Cookie Protection, introduced in February with Firefox 86. Total Cookie Protection partitions cookies by the site that placed them, rather than the domain that owns them—which means that if a hypothetical third party we’ll call “Forkbook” places tracking (or authentication) cookies on both momscookies.com and grandmascookies.com, it can’t reliably tie the two together.

Without cookie partitioning, a single Forkbook cookie would contain the site data for both momscookies.com and grandmascookies.com. With cookie partitioning, Forkbook must set two separate cookies—one for each site—and can’t necessarily relate one to the other.

Even if the cookies are used for third-party Forkbook login, tying the two together would need to be done on the back end—since both presumably are for the same Forkbook account—rather than Forkbook being able to simply, cheaply, and easily read all tracking data from a single cookie. If the sites don’t use Forkbook for authentication, the two probably can’t be tied together at all—because even if the user is logged in to Forkbook in a different tab, that cookie is split apart from the ones used on mom’s and grandma’s cookie sites.

Clearing data site-wide

The updated Cookies and Site Data management dialog displays all locally stored resources set at a particular site, whether owned by that site or by a third party.
Enlarge / The updated Cookies and Site Data management dialog displays all locally stored resources set at a particular site, whether owned by that site or by a third party.

Mozilla

Once you understand that websites routinely place cookies that belong to third-party domains, it becomes obvious why it might be difficult to clear all traces of data stored by that site—returning to our “Forkbook” example above, clearing all data belonging directly to momscookies.com wouldn’t clear the Forkbook cookie, and clearing a universal Forkbook cookie would necessarily log the user out of all websites using Forkbook authentication.

However, when each site has its own individual cookie jar—meaning Forkbook needs to place separate cookies, separate copies of embedded javascript libraries, separate copies of images, and so forth between momscookies.com and grandmascookies.com and forkbook.com itself—it becomes possible to easily manage all data stored locally by that individual site.

When using Total Cookie Protection, you can empty the entire bucket for momscookies.com including its own cookies, Forkbook’s cookies, and anything else. This breaks Forkbook’s record of your browsing activities on momscookies.com—because although it will set a new cookie the next time you visit, it won’t have a reliable way to tie that cookie to the previous cookie you deleted or to other Forkbook cookies set by other sites.

Fuhgeddaboudit

The new "Forget about this site" option in History allows you to clear all site data, as well as your history of visiting it in the first place.
Enlarge / The new “Forget about this site” option in History allows you to clear all site data, as well as your history of visiting it in the first place.

Mozilla

In addition to organizing locally stored data by the website that placed it rather than the domain that owns it, Firefox 91 gives users the ability to quickly and easily remove all local traces of visiting a site using the History feature. When browsing your own History timeline in Firefox 91, you can right-click a site’s entry and select Forget About This Site. Doing so removes both the entry in History and all cookies, images, cached scripts, and so forth set during visits to that site.

Get strict

In order to use the new privacy management features, you’ll first have to make sure that Strict Tracking Protection is enabled. Without Strict Tracking Protection, cookies aren’t separated by the site that sets them in the first place.

To enable Strict Tracking Protection, click the shield to the left of the address bar and select Protection Settings. This opens Privacy and Security in a new tab—from there, just make sure the radio-button option for Enhanced Tracking Protection is set to Strict, not Standard.

Although Firefox’s Privacy and Security dialog warns you—accurately—that Strict protection may cause some sites or content to break, those breakages have so far been few and minor in our own testing. The majority of the web—including the bits using third-party authentication and tracking—should continue to work just fine.