Mozilla released Firefox 86 yesterday, and the browser is now available for download and installation for all major operating systems, including Android. Along with the usual round of bug fixes and under-the-hood updates, the new build offers a couple of high-profile features—multiple Picture-in-Picture video-watching support, and (optional) stricter cookie separation, which Mozilla is branding Total Cookie Protection.
Taking Firefox 86 for a spin
Firefox 86 became the default download at mozilla.org on Tuesday—but as an Ubuntu 20.04 user, I didn’t want to leave the Canonical-managed repositories just to test the new version. This is one scenario in which snaps truly excel—providing you with a containerized version of an application, easily installed but guaranteed not to mess with your “real” operating system.
As it turns out, Firefox’s snap channel didn’t get the message about build 86 being the new default—the
latest/default snap is still on build 85. In order to get the new version, I needed to
snap refresh firefox --channel=latest/candidate.
With the new version installed as a snap, the next step was actually running it—which could be a lot easier. The snap produces a separate Firefox icon in Ubuntu’s launcher, but there’s no way I know of to readily distinguish between the icon for the system
firefox and the new snap-installed
firefox. After some hit-and-miss frustration, I finally dropped to the terminal and ran it directly by issuing the fully pathed command
Multi Picture-in-Picture Mode
In December 2019, Firefox introduced Picture-in-Picture mode—an additional overlay control on in-browser embedded videos that allows the user to detach the video from the browser. Once detached, the video has no window dressing whatsoever—no title bar, min/max/close, etc.
PiP mode allows users who tile their windows—automatically or manually—to watch said video while consuming a bare minimum of screen real estate.
Firefox 86 introduces the concept of multiple simultaneous Picture-in-Picture instances. Prior to build 86, hitting the PiP control on a second video would simply reattach the first video to its parent tab and detach the second. Now, you can have as many floating, detached video windows as you’d like—potentially turning any monitor into something reminiscent of a security DVR display.
The key thing to realize about multi-PiP is that the parent tabs must remain open—if you navigate away from the parent tab of an existing PiP window, the PiP window itself closes as well. Once I realized this, I had no difficulty surrounding my Firefox 86 window with five detached, simultaneously playing video windows.
Total Cookie Protection
In December, we reported on Firefox 85’s introduction of cache partitioning—a scheme which makes it more difficult for third parties to figure out where you have and have not been on the Internet. Firefox 86 ups the ante again, with a scheme Mozilla is calling “Total Cookie Protection.”
In a nutshell, Total Cookie Protection restricts the ability of third parties to monitor your movement around the Web using embedded elements such as scripts or iframes. This prevents tracking cookies from Facebook, Amazon, et al. from “following you around the web.”
In theory, cookies were already strictly per-site—so contoso.com cannot set or read cookies belonging to facebook.com, and vice versa. But in practice, if contoso.com willingly embeds active Facebook elements in its site, the user’s browser treats those elements as belonging to Facebook itself. That means Facebook can set the value of a cookie while you’re browsing contoso.com, then read that value again later when you’re actually on Facebook (or when you’re on other, entirely unrelated sites which also embed Facebook content).
Total Cookie Protection nerfs this misfeature by creating separate “cookie jars” based on the identity of the URL actually present in the address bar. With this feature enabled, a Facebook script running at contoso.com can still set and read a Facebook cookie—but that cookie lives within the contoso.com cookie jar only. When the same user browses facebook.com directly, later, Facebook cannot read, write, or even detect the presence of a Facebook cookie within the contoso.com cookie jar, or vice versa.
This isn’t a panacea against tracking, by any means—for example, it does nothing to prevent scripts from Facebook, Amazon, et al. from uploading data about your Web travels to their own servers to profile you there. But it at least keeps them from using your own computer’s storage to do the dirty work for them.
No, the other TCP
If you want to enable Total Cookie Protection (and we really, really wish Mozilla had picked a name that didn’t initialize to TCP), you’ll first need to set your Enhanced Tracking Protection to the Strict profile. To do so, click the shield icon to the left of the address bar (visible when browsing any actual website, not visible on the blank New Tab screen) and click Protection Settings. From there, you can change your ETP profile from Standard to Strict.
Total Cookie Protection can make exemptions for third-party login providers—for example, logging into YouTube with a personal Gmail account still allowed a visit to Gmail.com in another tab to instantly load the correct inbox without the need to log in again separately. The exemptions are not hard-coded for favored providers, but are dynamically applied as necessary. According to a Mozilla representative:
A set of heuristics will automatically undo partitioning for an embedded domain under specific circumstances. These rules are designed to capture interactions that a user might have with benign embedded content, such as interacting with an embedded federated login provider.
That is, if Firefox thinks a user is trying to interact with an embedded login provider it will remove partitioning for that provider on the current website, and will do so for any embedded content that appears to be a federated login provider. The exact set of rules are documented here under “Storage Access Heuristics”.
Mozilla warns that the Strict Enhanced Tracking Profile may break some sites entirely—and we believe Mozilla—but in our own cursory testing, we didn’t encounter any problems. We had no difficulty loading and logging in to Gmail, YouTube, Facebook, Twitter, and several other major sites.
Listing image by Airwolfhound / Flickr