Firefox

Current status

Detail | Description
Mechanism | Enhanced Tracking Protection (ETP)
Originally deployed in | 69.0
Latest update deployed in | 87.0
Latest update includes | Default referrer policy set to strict-origin-when-cross-origin.
User controls |
  • Choose between Standard, Strict, and Custom levels
  • In Custom level, select which types of trackers and scripts to block
  • Add exceptions to the domains blocked by Enhanced Tracking Protection

    Enhanced Tracking Protection levels

    Classification of “known trackers”

    Firefox uses the Disconnect.me lists to establish the domains that fall under ETP measures.

    Firefox utilizes the following Disconnect.me categories in ETP:

    • Advertising - third-party cookies blocked
    • Analytics - third-party cookies blocked
    • Cryptomining - all third-party requests blocked
    • Fingerprinting - third-party requests blocked conditionally
    • Social - third-party cookies blocked

    Example: If the browser sends a request to www.facebook.com (a known tracker), no cookies would be sent with the request.

    Tracking Content blocking (enabled in Private windows by default) does not just strip cookies but blocks all resource requests to domains on the Disconnect.me lists.

    Firefox deletes all stored site data (including cookies and browser storage) if the site is a known tracker and hasn’t been interacted with in the last 30 days.

    Third-party cookies

    Third-party cookies are blocked for classified domains.

    First-party cookies

    All storage is cleared (more or less) daily from origins that are known trackers and that haven’t received a top-level user interaction (including scroll) within the last 45 days. More details can be found here.

    Note that domains in the Cryptomining category have all incoming requests blocked by Firefox, and thus scripts loaded from these domains will not be able to interact with first-party cookies. Similarly, domains that are both in the Fingerprinting and some other tracking category have incoming requests blocked and the downstream impact is the same.

    Other third-party storage

    For classified domains, localStorage and IndexedDB are restricted.

    Example: JavaScript running in an iframe, which loads content from a known tracking domain, tries to write to localStorage within that iframe. Firefox blocks this activity, because localStorage is disabled in third-party context if the domain is classified as a known tracking domain.

    sessionStorage is not restricted.

    No restrictions for other domains.

    Other first-party storage

    All storage is cleared (more or less) daily from origins that are known trackers and that haven’t received a top-level user interaction (including scroll) within the last 45 days. More details can be found here.

    Note that domains in the Cryptomining category have all incoming requests blocked by Firefox, and thus scripts loaded from these domains will not be able to interact with other first-party storage. Similarly, domains that are both in the Fingerprinting and some other tracking category have incoming requests blocked and the downstream impact is the same.

    CNAME cloaking

    No protections against CNAME cloaking.

    Referrer

    The default referrer policy is strict-origin-when-cross-origin.
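
    What this default means for the Referer header, as an added example that is not part of the original page and not Firefox's code: a simplified JavaScript model of the strict-origin-when-cross-origin rules from the W3C Referrer Policy specification. The function names and the example URLs are assumptions made up for the illustration.

```javascript
// Added example (not Firefox source code): the Referer value sent under
// strict-origin-when-cross-origin, following the W3C Referrer Policy rules.

// Simplified "potentially trustworthy" check: only https/wss count here
// (the spec also treats localhost and some other origins as trustworthy).
function isSecure(url) {
  return url.protocol === "https:" || url.protocol === "wss:";
}

// Strip credentials and fragment; optionally reduce to the origin only.
function stripForReferrer(url, originOnly) {
  // Non-HTTP(S) referrers (about:, data:, ...) are never sent.
  if (!["http:", "https:"].includes(url.protocol)) return null;
  if (originOnly) return url.origin + "/";
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer header value, or null when no header is sent.
function refererFor(referrerHref, requestHref) {
  const from = new URL(referrerHref);
  const to = new URL(requestHref);
  // Same origin: full URL, path and query included.
  if (from.origin === to.origin) return stripForReferrer(from, false);
  // Secure page requesting a non-secure URL (downgrade): send nothing.
  if (isSecure(from) && !isSecure(to)) return null;
  // Every other cross-origin request: origin only, no path or query.
  return stripForReferrer(from, true);
}

// Constructed sample URLs, not taken from the page.
const page = "https://shop.example/cart?item=42&session=abc#pay";
const samples = [
  "https://shop.example/api/checkout",
  "https://tracker.example/pixel.gif",
  "http://legacy.example/banner.png",
];
for (const target of samples) {
  console.log(target, "->", refererFor(page, target));
}
```

    The cross-origin case is the one that matters for tracking: a third party learns which site the request came from, but not the path or query string of the page.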

    Other

    If the domain is in the Fingerprinting category of Disconnect.me and in one of the tracking categories (Advertising, Analytics, or Social), all third-party requests to the domain are blocked.

    In Firefox on macOS, the macOS version number in the User Agent string is frozen at 10.15 to fix compatibility issues with upgrading to macOS version 11+ (Big Sur). This has obvious privacy implications as well, as the platform version is no longer useful for fingerprinting purposes.

    Sample User Agent string when running Firefox 88.0.1 on macOS 11.3.1:
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0"
