Online advertisers have been nervous the past few weeks as Mozilla moved forward with its plans to block third-party cookies by default in its Firefox browser. Some advertiser groups have even claimed that Mozilla’s policy will “undermine American small businesses.” It seems that Mozilla listened as it has decided to postpone the implementation of its policy.
In a blog post from Thursday, Mozilla’s Brendan Eich said that Mozilla has delayed the implementation of its new anti-cookie patch in Firefox so that it can test for false positives and false negatives. As you may know, the new anti-cookie policy is meant to block third party cookies from sites you haven’t visited while leaving cookies from previously visited sites intact. Eich says that fales positives and false negatives may get in the way of how this policy is meant to work:
False positives. For example, say you visit a site named foo.com, which embeds cookie-setting content from a site named foocdn.com. With the patch, Firefox sets cookies from foo.com because you visited it, yet blocks cookies from foocdn.com because you never visited foocdn.com directly, even though there is actually just one company behind both sites.
False negatives. Meanwhile, in the other direction, just because you visit a site once does not mean you are ok with it tracking you all over the Internet on unrelated sites, forever more. Suppose you click on an ad by accident, for example. Or a site you trust directly starts setting third-party cookies you do not want.
The anti-cookie patch will be turned off by default in the Firefox 22 beta will Mozilla works on these issues. Users on the beta will be able to turn on the patch, however, and mess around with the settings. Mozilla, of course, encourages feedback as it works on it. Those who are using the Aurora release will find that the anti-cookie patch is turned on by default however.
In the end, Eich says that Mozilla’s work on the patch doesn’t represent any change to its previous anti-cookie philosophy:
[h/t: PC World]We have heard important feedback from concerned site owners. We are always committed to user privacy, and remain committed to shipping a version of the patch that is “on” by default. We are mindful that this is an important change; we always knew it would take a little longer than most patches as we put it through its paces.
For those who read this as Mozilla softening our stance on protecting privacy and putting users first, in a word: no. False positives break sites that users intentionally visit. (Fortunately, we haven’t seen too many such problems, but greater testing scale is needed.) False negatives enable tracking where it is not wanted. The patch as-is needs more work.