security in firefox4

Tim ignored_mailbox at yahoo.com.au
Thu May 19 13:23:27 UTC 2011


On Thu, 2011-05-19 at 17:50 +0900, Misha Shnurapet wrote:
> * blocked third-party cookies while online (may prevent advertisement
> networks from carrying information between sites)

I don't think it quite does what people hope.  Well, not any more.

Third party cookies are cookies that don't belong to the content being
loaded.  Most tracking cookies are associated with graphics, rather than
the page, but either can be used for tracking you.  And as far as those
graphics are concerned, ownership of their cookies is *NOT* the page
you're looking at, but the content going into the page.

e.g. As a theoretical example, you might load www.example.com, its page
includes images from doubleclick.com, and these images have cookies.  If
those images include cookies for doubleclick.com, they're not
third-party, so they're not blocked.  But if those images included
cookies to some other domain, such as google.com, then they would be
third party (or vice versa - images from google, with cookies for
doubleclick).  So, if you want to block doubleclick.com cookies, for
instance, you need to directly blacklist them.

This has been my experience, at least.

I think most people's ideas about third-party cookies, and apparently
the browser authors', would be along these lines:

You'd browse www.example.com, it'd include pages and graphics from
itself, but the tracking cookies would be for someone like
doubleclick.com (this *is* a third party).

Going back to my first example, simply blocking doubleclick.com cookies
wouldn't be enough to stop them tracking you.  The mere loading of their
graphics has counted you, and put your IP into their database to track
for the rest of your browsing session.  You need to stop loading their
graphics, in the first place.

-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
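
Added example, not part of the message above and not browser code: it classifies a Set-Cookie header under the two definitions of "third party" the post contrasts, and flags the cross-site request that occurs regardless of cookie handling. The function names, the two-label "site" approximation and the sample headers are assumptions made for illustration.

```javascript
// Added illustration; names are hypothetical, sample data is constructed.
// Assumption: "site" = last two labels of a hostname. Real browsers use the
// Public Suffix List, so this is wrong for suffixes such as co.uk.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Domain a Set-Cookie header targets: its Domain attribute (leading dot
// dropped, as in RFC 6265), else the host that sent the response.
function cookieDomain(setCookie, responseHost) {
  for (const attr of setCookie.split(";").slice(1)) {
    const [name, value = ""] = attr.trim().split("=");
    if (name.trim().toLowerCase() === "domain" && value.trim()) {
      return value.trim().replace(/^\./, "").toLowerCase();
    }
  }
  return responseHost.toLowerCase();
}

// Classify one Set-Cookie under both definitions contrasted in the post.
function classify(pageHost, resourceHost, setCookie) {
  const domain = cookieDomain(setCookie, resourceHost);
  const sender = resourceHost.toLowerCase();
  return {
    cookieSite: site(domain),
    // Cookie compared with the content that carried it (the image).
    thirdPartyVsResource: site(domain) !== site(resourceHost),
    // Cookie compared with the page in the address bar.
    thirdPartyVsPage: site(domain) !== site(pageHost),
    // RFC 6265 domain-match: a user agent ignores the cookie when false.
    domainMatchesSender: sender === domain || sender.endsWith("." + domain),
    // The fetch reaches another site whether or not any cookie is stored.
    crossSiteRequest: site(resourceHost) !== site(pageHost),
  };
}

// Constructed responses using the hosts named in the post.
const samples = [
  ["www.example.com", "www.example.com", "sid=1; Path=/"],
  ["www.example.com", "ad.doubleclick.com", "id=abc; Domain=.doubleclick.com"],
  ["www.example.com", "ad.doubleclick.com", "id=abc; Domain=google.com"],
];
for (const [page, resource, header] of samples) {
  console.log(resource, header, JSON.stringify(classify(page, resource, header)));
}
```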




