August 9, 2002

I've been looking for an opportunity to ditch Outlook as my mail reader for a while now. I've only been hanging on to it because I use the calendaring feature. I now notice that Mozilla Calendar is far enough along to be easily downloaded and installed into the browser. While it's still very much in its early stages, it seems to do everything I need it to so far. So it's Mozilla for email, news, web and calendaring for me from now on!

And not a moment too soon, either. I have a folder called "Lists" for my mailing lists, and in it are folders for each mailing list. Yesterday morning, I accidentally mis-clicked and dragged the super-folder, "Lists", into one of the sub-folders, "CVPUG". Outlook told me I couldn't do that (and I wouldn't want to), but then proceeded to attempt to create an infinite number of subfolders in CVPUG and move all of my mailing list mail all over the place. Subsequently, Outlook couldn't figure out how to use the resulting directories it made and quit working. Pine wouldn't even start up. Not knowing that it just made a CVPUG.Lists.CVPUG.Lists.CVPUG.Lists.CVPUG.Lists.CVPUG.Lists.CVPUG.Lists.CVPUG.Lists.CVPUG.Lists.CVPUG.Lists folder and was choking, I was effectively without mail until Dreamhost tech support figured out what had happened. A few jiggles of the handle and I'm back in business.

Now that I've switched to Mozilla Mail, I should make sure it doesn't do the same thing... Nope, it's good. :) I'm hesitant to plug Mozilla too hard, because it's still got a few early-version quirks, and I wouldn't want to scare mainstream users away from the idea of a soon-to-be-solid Open Source alternative to most of the software people use daily. But it's quite usable, and I look forward to working it into my daily routine. (Look! I don't need any windows open to get email and calendar notifications! :)


I just noticed that Mozilla 1.1b has "Enable cookies for the originating web site only," a feature we've been waiting for from browsers for years! This prevents web advertising companies and affiliates from tracking your browsing (and other) habits across domains. (Without it, if there's a Doubleclick ad on both xyz.com and abc.com, Doubleclick will know you've been to both places; and if either of those sites has your name and address and is a Doubleclick partner, Doubleclick knows that too.)



I'm pretty sure 1.0 didn't have this feature, as I remember looking for it. Now it's here! :)

I don't understand what this feature does; sites already can only set cookies for their own domain. It's part of the cookie spec.

The originating domain is the domain of the web page you explicitly requested. Without this feature, a web page can embed content (such as an image) from an alternate domain (an implicit request) which can have its own cookie in the alternate domain.



Sure, the site I'm visiting knowingly embedded content from the alternate domain, so if I trust the site I'm visiting to track my session, I should probably trust their partner site (or at least assume that whatever the site knows about me, so does their partner). Problems arise because that partner site may also partner in similar ways with other sites, making the same alternate-domain cookie visible to the partner when I access those other sites. What ought to be two discrete, trackable sessions on two discrete web sites becomes one uber-session, and any information I shared with one site is potentially available to both sites and the partner, including all information about what I did on each site and when. Any security intended by the cookie spec's limiting of cookie access to originating domains is non-existent across these content-embedding partnerships.



With this new feature of Mozilla, I can automatically accept cookies from web sites I visit but automatically deny cookies from their banner ad service (for example). This gives me more control over my personal information, and restricts the ability of others to track me to the bare minimum of what is technologically necessary for me to use their web sites. While it is still possible for sites to partner and share information that connects my sessions on one site to those on another, I can read their privacy policies and decide for myself if I want to provide to them the information that connects those sessions.



I suppose if I visit two partnered sites in a narrow time frame using the same computer and dial-up session, they could probably guess the two visitors are the same guy. That's difficult to avoid (though proxies and firewalls help). Ultimately I'll have to rely on thorough, easily-accessible posted privacy policies to help me decide who I can trust to visit. I love the idea of P3P in this regard (I tell my browser what I want done with my info and the appropriate blocks are set up based on specially-encoded privacy policy data files); I just wish it were catching on more quickly. Mozilla's refined cookie control is another tool in the belt for privacy control.
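The cross-site linking discussed in the comments above, as an added example that is not part of the original post or its comments: a constructed model of a browser cookie jar, run once accepting every cookie and once accepting cookies from the originating site only. The embedded host `ads.example`, the policy labels and all function names are assumptions made for the illustration, and hosts are compared by exact match, which is simpler than what a real browser does.

```javascript
// Constructed browsing session: two sites embed content from one partner host.
const PAGES = [
  { site: "xyz.com", embeds: ["ads.example"] },
  { site: "abc.com", embeds: ["ads.example"] },
];

// Simulate the session under a cookie policy ("accept-all" or "originating-only").
function browse(pages, policy) {
  const jar = new Map();        // host -> cookie value the browser holds
  const serverLogs = new Map(); // host -> [{ id, page }] as that server sees it
  let nextId = 1;

  function request(host, page) {
    // The browser sends whatever cookie it already holds for this host.
    let id = jar.get(host);
    const hadCookie = id !== undefined;
    // The server issues a fresh ID when no cookie arrives, and logs the visit.
    if (!hadCookie) id = `${host}#${nextId++}`;
    if (!serverLogs.has(host)) serverLogs.set(host, []);
    serverLogs.get(host).push({ id, page });
    // The browser keeps the new cookie unless policy rejects embedded hosts.
    const embedded = host !== page;
    const rejected = policy === "originating-only" && embedded;
    if (!hadCookie && !rejected) jar.set(host, id);
  }

  for (const { site, embeds } of pages) {
    request(site, site);                            // explicit request
    for (const host of embeds) request(host, site); // implicit requests
  }
  return { jar, serverLogs };
}

// Groups of sites that `host` can tie together under a single cookie ID.
function linkedSites(serverLogs, host) {
  const byId = new Map();
  for (const { id, page } of serverLogs.get(host) || []) {
    if (!byId.has(id)) byId.set(id, new Set());
    byId.get(id).add(page);
  }
  return [...byId.values()].map((s) => [...s].sort()).filter((s) => s.length > 1);
}

for (const policy of ["accept-all", "originating-only"]) {
  const { jar, serverLogs } = browse(PAGES, policy);
  console.log(policy, "| cookies held for:", [...jar.keys()].join(", "),
    "| linked by ads.example:", JSON.stringify(linkedSites(serverLogs, "ads.example")));
}
```

Under the restricted policy the partner still receives both requests, but each arrives without a cookie, so its log holds two unrelated IDs instead of one ID spanning both sites.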