Mozilla today started rolling out Enhanced Tracking Protection (ETP) 2.0 in Firefox. While the company technically launched Firefox 79 for Windows, Mac, and Linux last week, it only unveiled its marquee feature today. Firefox 79 by default blocks redirect tracking, also known as bounce tracking, and adds a handful of new developer features. You can download Firefox 79 for desktop now from Firefox.com, and all existing users should be able to upgrade to it automatically. According to Mozilla, Firefox has about 250 million active users, making it a major platform for web developers to consider.
While Google and Microsoft had to adjust their respective browser release schedules due to the coronavirus pandemic, in April Mozilla committed to sticking with its 2020 Firefox release schedule and the browser’s four-week release cadence. While the schedule remains unchanged, Mozilla shifted its roadmap to avoid shipping changes that might negatively impact government and health service websites and to address video conferencing issues.
Enhanced Tracking Protection 2.0
Before we dive into Enhanced Tracking Protection 2.0, which is rolling out over the next couple weeks to protect against redirect tracking, it’s important to look at the foundation it is built on. Over the past two years, Mozilla has been boosting Firefox’s privacy chops. Other browser makers have made similar strides. While this is a win for browser users, the online advertising industry and the businesses that depend on it have to come up with alternatives.
In October 2018, Firefox 63 arrived with Enhanced Tracking Protection, blocking cookies and storage access from third-party trackers. Firefox 65, released in January 2019, added Content Blocking controls with three options for the blocking feature:
- Standard: the default, where Firefox blocks known trackers and third-party tracking cookies in general.
- Strict: for people who want a bit more protection and don’t mind if some sites break.
- Custom: for those who want complete control to pick and choose what trackers and cookies they want to block.
Firefox 69 arrived in September with Enhanced Tracking Protection turned on by default and cryptomining blocked by default. Firefox 70 followed in October with cross-site tracking cookies from sites like Facebook, Twitter, and LinkedIn blocked under the Standard setting. Firefox 72 arrived in January with fingerprinting blocked by default.
Since enabling Enhanced Tracking Protection by default, Mozilla says it has blocked 3.4 trillion tracking cookies. But Mozilla notes that the ad industry has since created workarounds and new ways to collect user data as you browse the web.
Redirect tracking goes around Firefox’s built-in third-party cookie-blocking policy by passing the user through the tracker’s site before taking them to the desired website. This lets the tracker see where you came from and where you are going. Here is how Mozilla explains it:
Let’s say you’re browsing a product review website and you click a link to purchase a pair of shoes from an online retailer. A few seconds later Firefox navigates to the retailer’s website and the product page loads. Nothing looks out of place to you, but behind the scenes you were tracked using redirect tracking. Here’s how it happened:
Step 1: On the review website you click a link that appears to take you to the retail site. The URL that was visible when you hovered over the link belonged to the retail site.
Step 2: A redirect tracker embedded in the review site intercepts your click and sends you to their website instead. The tracker also saves the intended destination — the retailer’s URL that you actually thought you were visiting when you clicked the link.
Step 3: When the redirect tracker is loaded as a first party, the tracker will be able to access its cookies. It can associate information about which website you’re coming from (and where you’re headed) with identifiers stored in those cookies. If a lot of websites redirect through this tracker, the tracker can effectively track you across the web.
Step 4: After it finishes saving its tracking data, it automatically redirects you to the original destination.
Enhanced Tracking Protection 2.0 attempts to address this by checking to see if cookies and site data from those trackers need to be deleted. The feature stops known trackers from accessing your information by clearing their cookies and site data every 24 hours. Because you look like a new user the next time you visit the tracker (after 24 hours), they can’t build a long-term profile of your activity.
To be clear, Firefox tries not to clear cookies for services you engage with, such as search engines, social networks, and your email account. The browser leaves sites that you have interacted with in the past 45 days, even if they are trackers. The hope is that you stay logged into the sites you frequent but are not tracked indefinitely based on sites you’ve only visited once.
Windows, Mac, and Linux
For the full rundown, here’s the Firefox 79 for desktop changelog:
- We’ve rolled out WebRender to more Windows users with Intel and AMD GPUs, bringing improved graphics performance to an even larger audience.
- Firefox users in Germany will now see more Pocket recommendations in their new tab, featuring some of the best stories on the web. If you don’t see them, you can turn on Pocket articles in your new tab by following these steps.
- Various security fixes.
- Several crashes while using a screen reader were fixed, including a frequently encountered crash when using the JAWS screen reader.
- Firefox Developer Tools received significant fixes allowing screen reader users to benefit from some of the tools that were previously inaccessible.
descelements (labels and descriptions) are now correctly exposed to assistive technology products such as screen readers.
- A number of bug fixes and new policies have been implemented in the latest version of Firefox. You can see more details in the Firefox for Enterprise 79 Release Notes.
- Updates to the password policy allow admins to require a primary password (formerly called master password). Previously, the policy could disable the primary password but not force a primary password. Users required to use a primary password will only be asked to create a primary password the first time they try to save a password.
- Newly added asynchronous call stacks let developers trace their async code through events, timeouts, and promises. The async execution chains are shown in the Debugger’s call stack, but also for stack traces in Console errors and Network initiators.
- Erroneous network responses with 4xx/5xx status codes display as errors in the Console, making it easy to understand them in the context of related logs. The request/response details can be expanded or resent for quick debugging.
- Opening SCSS and CSS-in-JS sources from the Inspector now works more reliably thanks to improved source map handling across all panels.
- Inspecting accessibility properties from the browser context menu is now available to all users by default.
Mozilla releases new Firefox versions every four weeks. Firefox 80 is currently slated for late August.