temporary-containers
temporary-containers copied to clipboard
stoically
Is TC still relevant?
Hello, long time user here.
Was wondering if this extension is still relevant today and if it provides any additional layer of security/privacy to those already present in recent versions of Firefox.
Specifically, if I enable Total Cookie Protection and use Strict Mode in Enhanced Tracking Protection, is there any good reason to keep temporary-container around?
I'm not sure about security or privacy but I've found it's great as an "incognito" without the incognito type of tab; which also bypasses the nag screens from a lot of paywall sites which block incognito window.
Especially if you use temporary deletes history tabs.
@sikz1 I've been wanting to ask this exact question, but I've been too busy, and I think I was also being a bit of a perfectionist about trying to think of how to phrase the question "just right" to yield the best responses.
I think part of the challenge of asking (and answering) this question is that people use Temporary Containers (TC) for different purposes. I'm interested in reading all responses.
BTW, how are you enabling Total Cookie Protection (TCP)? The UI/UX of Firefox's settings page isn't very good in this regard. Total Cookie Protection is only mentioned if you select the relatively weak Standard Mode for Enhanced Tracking Protection. It's not mentioned for the other two modes.
Also, did you mean that you are using Strict Mode for Enhanced Tracking Protection? You mentioned "Enhanced Cookie Protection", but I think that was likely a typo.
Separately, is Total Cookie Protection enabled when Custom Mode is enabled for Enhanced Tracking Protection and "All cross-site cookies" are blocked? Despite the warning on the Firefox settings page, I have literally only found a single site that had any issues with that option enabled, and it was a minor issue (the rather useless chat function didn't work on that site).
@Gitoffthelawn Total Cookie Protection is enabled by default, you can check it's active looking at the value of network.cookie.cookieBehavior. If it's 5, TCP is enabled. More info here: https://support.mozilla.org/en-US/kb/total-cookie-protection-and-website-breakage-faq#w_what-is-the-difference-between-enhanced-tracking-protection-and-total-cookie-protection.
Also, yes it was Enhanced Tracking Protection. Fixed it, thanks.
@sikz1 Thanks, and you're welcome.
I've actually been setting network.cookie.cookieBehavior to 1, which allows first-party cookies only (rejects all third-party cookies). Surprisingly, except for the minor breakage on a single site, this hasn't caused any issues at all. I started using that setting before Total Cookie Protection (TCP) was implemented by Mozilla.
As I understand it (and I don't consider myself an authority on the topic), if I changed its value from 1 to 5, third-party cookies would then be allowed, but would be isolated per site. Here are the tradeoffs I perceive:
- Possibly less site breakage, but I never had any significant breakage while blocking all third-party cookies.
- Possibly more tracking. The browser would now be accepting third-party cookies, which could hypothetically lead to more tracking because trackers would now be more likely to run their code as they wouldn't be encountering a somewhat locked-down browser.
- Possibly less tracking. The browser would now be accepting third-party cookies, which could hypothetically lead to less tracking because trackers think they are doing their job, and therefore will not resort to other types of fingerprinting and tracking.
- Risk of tracking if Mozilla didn't do a good job with TCP. With no third-party cookies allowed, one does not have to concern themselves with the quality of TCP implementation. With TCP enabled, one must trust TCP is working correctly. I think Mozilla invested considerable resources into TCP, so I think it's reasonable to believe that it works correctly and thoroughly, but I suppose it involves a little more risk than simply rejecting all third-party cookies.
Either way, I don't think it changes the decision on whether or not to use Temporary Containers.
Feel free to provide feedback on the above analysis. I'm speculating quite a bit in it because I don't write tracking code, and I've only analyzed several trackers, so I'm left to speculate largely based of hypotheticals.
@Gitoffthelawn I share the same concerns. I haven't seen the TCP labeling in the browser for a while now, so it's tough to know if it's still around, been rebranded, or what. Plus, the fact that Mozilla still has their own Facebook Container add-on listed and updated on AMO as recently as 2023, when TCP was already on by default, just makes things more confusing.
If anything, TCP would just take the place of Multi-Account Containers. Temporary Containers is still useful for keeping things separate within the same domain. For instance, when I search for videos on YouTube (without being logged in ofc), each search and video is contained, so I don't get recommendations based on those. My homepage stays clean. The same goes for Google; ideally, each search shouldn’t create a shadow profile of my interests.
Once again, for all I know, it could all just be a placebo effect until Mozilla decides to clarify things.
Side note: I found this page to supposedly test TCP but it displays nothing on my end https://total-cookie-protection-test.netlify.app/.
@OutshineIssue Thanks for the test link, that helped probe the differences.
I did some tests using Firefox 136. Total Cookie Protection is a great improvement for preventing third party cookies tracking your browsing behavior across multiple sites. However, there's still value in having a throwaway browser state (cookies, localStorage, etc.) for first-party cookies like you get from a Private Window.
Private Windows provide a clean browser state, BUT it is shared between all private tabs and private windows until the last private window is closed. Many non-technical folks are surprised to learn it works this way, and expect two private tabs/windows would be isolated from each other.
Multi-Account Containers gives you a clean browser state for each container you create, and then Temporary Containers simplifies creating fresh ones on the fly.
So I'd frame the utility of Temporary Containers in terms of how many sessions I can maintain on the same website.
- base browser: 1 session
- base browser + private window: 2 sessions
- Multi-Account Containers: 3+ sessions (one per container)
- Multi-Account Containers + Temporary Containers: 3+ sessions (fresh containers created as needed)
So TC still has value as more private than private windows. I think it's too technical for a mainstream audience, but if opening Web Developer Tools to debug your container settings from time to time doesn't make you want to cry, isolated sessions by default is more secure.
@tlby Thank you for the helpful analysis. If you have third-party cookies completely disabled, and never log into the same site with different credentials, does TC still serve a purpose?
I'm largely wondering if it helps block cross-site tracking via localStorage and other types of browser storage, or if the browser now takes care of this on its own.
@Gitoffthelawn
If you have third-party cookies completely disabled, and never log into the same site with different credentials, does TC still serve a purpose?
Personally, I prefer not storing even first-party data about me for random websites until I "promote" them into a Multi-Account Container. Temporary Containers is still convenient there.
I'm largely wondering if it helps block cross-site tracking via localStorage and other types of browser storage, or if the browser now takes care of this on its own.
As best I understand it, Total Cookie Protection is essentially the same as having one Multi-Account Container per site. I would expect if you have third-party cookies disabled, then Total Cookie Protection would not impact how your browser behaves. If your only concern is third-party tracking, and you have third-party cookies disabled, then I don't think Temporary Containers impacts that risk either (they're blocked in both cases).
I really only tested the cookie jar and localStorage though, there's source IP tracking, ETag fingerprinting, etc. that the truly paranoid folks worry about. This topic of TCP vs. MAC+TC is only about managing the data we store and send sites to actively help sites profile us.