Firefox 86 brings several images in the image, “total protection of cookies”

Mozilla released Firefox 86 yesterday, and the browser is now available for download and installation for all major operating systems, including Android. In addition to the usual slew of bug fixes and updates under the hood, the new version offers a few high-level features: support for multiple Picture-in-Picture video viewing and (optional) split stricter cookies, which Mozilla branding Total Cookie Protection.

Take a tour of Firefox 86

Firefox 86 became the default download on mozilla.org on Tuesday – but as a user of Ubuntu 20.04, I didn’t want to leave the repositories managed by Canonical just to test the new version. This is a scenario where snaps really excel – giving you a containerized version of an application that is easy to install but guaranteed not to mess up your “real” operating system.

It turns out that the Firefox snap channel did not receive the message that the build 86 was the new default – the latest/default snap is still on build 85. In order to get the new version, I had to snap refresh firefox --channel=latest/candidate.

With the new version installed in the blink of an eye, the next step was to run it, which could be a lot easier. The snap produces a separate Firefox icon in the Ubuntu launcher, but I don’t know of any way to easily distinguish the system icon firefox and the new snap-installed firefox. After some random frustrations I finally stumbled across the terminal and ran it straight by issuing the fully routed command /snap/firefox/current/firefox.

Multi-picture-in-picture mode

In December 2019, Firefox introduced Picture-in-Picture mode, an additional overlay control over embedded videos in the browser that allows the user to detach the video from the browser. When detached, the video has no window wraps – no title bar, min / max / close, etc.

PiP mode allows users who tile their windows – automatically or manually – to watch said video while consuming minimal screen space.

Firefox 86 introduces the concept of multiple simultaneous Picture-in-Picture instances. Before building 86, pressing the PiP control on a second video would simply reattach the first video to its parent tab and detach the second. Now you can have as many floating and detached video windows as you want, potentially turning any monitor into something reminiscent of a security DVR screen.

The key thing to realize about multi-PiP is that the parent tabs should remain open – if you exit the parent tab of an existing PiP window, the PiP window itself also closes. Once I realized this, I had no difficulty surrounding my Firefox 86 window with five detached video windows, playing simultaneously.

Total protection of cookies

In December, we reported Firefox 85’s introduction of cache partitioning, a system that makes it harder for others to know where you have and haven’t been on the Internet. Firefox 86 raises the bar once again, with a scheme Mozilla calls “Full Cookie Protection.”

In a nutshell, Total Cookie Protection limits the ability of third parties to monitor your movements on the web using built-in elements such as scripts or iframes. This prevents tracking cookies from Facebook, Amazon et al. to “follow you on the web”.

In theory, cookies were already strictly per site – so contoso.com cannot set or read cookies owned by facebook.com, and vice versa. But in practice, if contoso.com intentionally integrates active Facebook elements into its site, the user’s browser treats those elements as belonging to Facebook itself. This means that Facebook can set the value of a cookie while you are browsing contoso.com, then replay that value later when you are actually on Facebook (or when you are on other completely independent sites that also have content embedded. Facebook) .

Total Cookie Protection removes this anomaly by creating separate “cookie jars” based on the identity of the URL actually present in the address bar. When this feature is enabled, a Facebook script running on contoso.com can still set and read a Facebook cookie, but that cookie resides only in the contoso.com cookie file. When the same user browses facebook.com directly, later on, Facebook cannot read, write or even detect the presence of a Facebook cookie in the contoso.com cookie jar, or vice versa.

This is by no means a panacea against tracking – for example, it does nothing to prevent scripts from Facebook, Amazon, et al. downloading data from your web trips to their clean servers to profile you there. But that at least prevents them from using your own computer’s storage to do the dirty work for them.

No, the other TCP

If you want to enable Full Cookie Protection (and we really, really wish Mozilla chose a name that did not initialize to TCP), you must first set your Enhanced Tracking Protection to the Strict profile. To do this, click on the shield icon to the left of the address bar (visible when browsing a real website, not visible on the blank New Tab screen) and click Protection Settings. From there you can change your ETP profile from Standard to Strict.

Total Cookie Protection has a few (seemingly hard-coded) exemptions for third-party login providers – for example, logging into YouTube with a personal Gmail account still allowed visiting Gmail.com in another tab to instantly load the correct inbox. without the need to reconnect separately.

Mozilla warns that the Enhanced Strict Tracking Profile can completely damage some sites – and we believe Mozilla – but in our own shallow testing we didn’t encounter any issues. We had no trouble loading and logging into Gmail, YouTube, Facebook, Twitter, and several other important sites.

Ad image by Airwolfhound / Flickr