Mozilla released Firefox 86 yesterday and the browser is now available to download and install for all major operating systems, including Android. In addition to the usual array of bug fixes and under-the-hood updates, the new build brings some high-profile features: support for multiple simultaneous Picture-in-Picture videos and (optionally) stricter cookie segregation, which Mozilla is branding Total Cookie Protection.
Try Firefox 86
Firefox 86 became the default download on mozilla.org on Tuesday, but as an Ubuntu 20.04 user, I didn’t want to leave the Canonical managed repositories to test the new version. This is one scenario where snaps really excel: providing you with a containerized version of an application, easy to install but guaranteed not to mess with your “real” operating system.
It turned out that Firefox’s snap channel was not getting the message that build 86 was the new default – the latest/default snap is still on build 85. To get the new version I had to:
snap refresh firefox --channel=latest/candidate
With the new version installed in a jiffy, the next step was actually running it – which could be a lot easier. The snap produces a separate Firefox icon in the Ubuntu launcher, but I don’t know of a way to easily distinguish between the icon for the system firefox and the newly installed snap firefox. After some frustration I finally fell to the terminal and ran it directly by issuing the fully-pathed command
Multi Picture-in-Picture Mode
In December 2019, Firefox introduced Picture-in-Picture mode, an additional overlay control on in-browser embedded videos that allows the user to unlink the video from the browser. Once detached, the video has no window dressing whatsoever – no title bar, min/max/close, etc.
PiP mode allows users who tile their windows automatically or manually to watch the video while consuming an absolute minimum of screen space.
Firefox 86 introduces the concept of multiple simultaneous Picture-in-Picture instances. Prior to build 86, pressing the PiP control on a second video would simply re-dock the first video to the parent tab and undock the second. Now you can have as many floating, free-standing video windows as you want, potentially turning any monitor into something reminiscent of a DVR security screen.
The important thing to realize about multi-PiP is that the parent tabs should remain open – if you navigate away from the parent tab of an existing PiP window, the PiP window itself will also be closed. Once I realized this, I had no trouble surrounding my Firefox 86 window with five freestanding, simultaneously playing video windows.
Total cookie protection
Back in December, we reported on Firefox 85’s introduction of cache partitioning – a scheme that makes it harder for third parties to figure out where you’ve been and where you haven’t been on the web. Firefox 86 raises the bar again, with a scheme Mozilla calls “Total Cookie Protection”.
In a nutshell, Total Cookie Protection limits the ability of third parties to track your movements on the web using embedded elements such as scripts or iframes. This prevents tracking cookies from Facebook, Amazon, et al. from ‘following you on the internet’.
In theory, cookies were already strictly per site, so contoso.com cannot set or read cookies from facebook.com, and vice versa. But in practice, if contoso.com willingly embeds active Facebook elements into its site, the user’s browser treats those elements as belonging to Facebook itself. That means Facebook can set the value of a cookie while you’re browsing contoso.com, and read that value again later when you’re actually on Facebook (or when you’re on other completely unrelated sites that also have Facebook-embedded content).
Total Cookie Protection addresses this flaw by creating separate “cookie jars” based on the identity of the URL actually present in the address bar. With this feature enabled, a Facebook script running on contoso.com can still set and read a Facebook cookie, but that cookie only lives in the contoso.com cookie jar. Later, when the same user browses directly to facebook.com, Facebook cannot read, write, or even detect the presence of a Facebook cookie in the contoso.com cookie jar, or vice versa.
This is in no way a panacea against tracking – for example, it does nothing to prevent scripts from Facebook, Amazon, et al. from uploading data about your internet travels to their own servers to profile you there. But at least it stops them from using your own computer’s storage space to do the dirty work for them.
no, the other TCP
If you want to enable Total Cookie Protection (and we really wish Mozilla had chosen a name that didn’t initialize to TCP), you’ll first need to set your Enhanced Tracking Protection to the Strict profile. To do this, click the shield icon to the left of the address bar (visible when browsing a real website, not visible on the blank New Tab screen) and click Security Settings. From there you can change your ETP profile from Standard to Strict.
Total Cookie Protection may make exceptions for third-party login providers. For example, if you log in to YouTube with a personal Gmail account, you can visit Gmail.com in another tab to instantly load the correct inbox without having to log in separately again. The exemptions are not hard-coded for preferred providers, but are applied dynamically as needed. According to a Mozilla representative:
A set of heuristics automatically unpartitions an embedded domain under certain circumstances. These rules are designed to capture interactions a user may have with benign embedded content, such as interaction with an embedded federated login provider.
That is, if Firefox thinks a user is trying to communicate with an embedded login provider, it will remove the partitioning for that provider on the current website, and will do so for any embedded content that appears to be a federated login provider. The exact set of rules is documented here under “Storage Access Heuristics”.
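The cookie-jar behaviour and the per-site login-provider exemption described above, modelled as an added example (not Firefox code and not part of the original article). The CookieStore class, its jar-key format and the site example.org are assumptions made for illustration.

```javascript
// Toy model of browser cookie storage; not Firefox code. example.org is a constructed site.
class CookieStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.jars = new Map();   // jar key -> Map of cookie name -> value
    this.grants = new Set(); // "topLevel|embedded" pairs exempted from partitioning
  }
  // Pick the jar used by cookieSite while topLevelSite is in the address bar.
  jarKey(topLevelSite, cookieSite) {
    const firstParty = topLevelSite === cookieSite;
    const exempt = this.grants.has(`${topLevelSite}|${cookieSite}`);
    if (!this.partitioned || firstParty || exempt) return cookieSite;
    return `${cookieSite}^${topLevelSite}`; // separate jar per top-level site
  }
  // Stand-in for the login-provider heuristic: exempt one embed on one site.
  unpartition(topLevelSite, embeddedSite) {
    this.grants.add(`${topLevelSite}|${embeddedSite}`);
  }
  get(topLevelSite, cookieSite, name) {
    const jar = this.jars.get(this.jarKey(topLevelSite, cookieSite));
    return jar ? jar.get(name) : undefined;
  }
  set(topLevelSite, cookieSite, name, value) {
    const key = this.jarKey(topLevelSite, cookieSite);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
}

// What a tracking embed does on each page load: reuse its ID cookie or mint one.
function makeTracker(store, trackerSite) {
  let minted = 0;
  return (topLevelSite) => {
    let id = store.get(topLevelSite, trackerSite, "uid");
    if (id === undefined) {
      id = `id-${++minted}`;
      store.set(topLevelSite, trackerSite, "uid", id);
    }
    return id;
  };
}

// IDs the facebook.com embed observes as the user visits each site in turn.
function idsSeen(partitioned, visits, exemptOn = []) {
  const store = new CookieStore(partitioned);
  exemptOn.forEach((site) => store.unpartition(site, "facebook.com"));
  const embed = makeTracker(store, "facebook.com");
  return visits.map((site) => embed(site));
}
```

Calling idsSeen with the visit order contoso.com, example.org, facebook.com, contoso.com returns one shared ID when unpartitioned, a distinct ID per top-level site when partitioned, and a shared ID only between contoso.com and facebook.com when contoso.com is exempted.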
Mozilla warns that the Strict Enhanced Tracking Profile could break some sites completely – and we believe Mozilla – but in our own cursory testing we encountered no problems. We had no problems loading and logging into Gmail, YouTube, Facebook, Twitter, and several other major sites.