Total Cookie Protection is enabled by default in Firefox, and Privacy Guides recommends using Sanitize on Close with per-site exceptions that disable Total Cookie Protection.
If you want to stay logged in to particular sites, you can allow exceptions in Cookies and Site Data → Manage Exceptions…
The bug hasn’t been fixed after all this time.
I think this is important and should be mentioned on the browser recommendations page.
What is a temporary solution until the bug is fixed? Not using exceptions? Using containers? Using “Block All cross-site cookies” mode with exceptions?
This doesn’t change much, since the most important sites for me are in exceptions and they’re not protected.
If sites like YouTube are exceptions, then on every site with embedded video these YouTube cookies will be without isolation. These cookies are not cleared on exit either because the domain is in exceptions, so they can be reused later.
This feature seems completely broken when exceptions are used.
I believe Firefox Multi-Account Containers should still protect sites you have set exceptions for. That is what I’m doing and what Arkenfox also seems to recommend.
The developer of Arkenfox suggested several solutions. If adding any extra extensions isn’t outside your threat model, I myself use and recommend Multi-Account Containers. The extension is not required to use containers (if you use Arkenfox, they’re turned on by default) but gives them added functionality, such as opening certain sites in an assigned container automatically, and optionally exiting the container when going to an external site.
Not using exceptions at all seems to be the only solution.
Using “Block All cross-site cookies” mode with exceptions
It doesn’t work because exceptions also apply to blocking third-party cookies. If YouTube is in exceptions, YouTube cookies are automatically allowed on other sites as third-party cookies.
Using containers
It doesn’t work either; exceptions also apply to containers. If YouTube is in exceptions, Total Cookie Protection doesn’t work. If you remove YouTube from exceptions, data in the container is also cleared on exit.
What is a temporary solution until the bug is fixed? Using containers?
I’d say using containers with the sites you make exceptions for is a full (and stronger) solution than Total Cookie Protection is on its own.
If sites like YouTube are exceptions
In my mind, the exceptions list is for websites that are at least minimally trustworthy. I would never put YouTube or any other Google site on an exceptions list personally unless it was restricted to its own container (and even then I personally still probably wouldn’t do it).
This feature seems completely broken when exceptions are used.
I would like to see this problem addressed, it’s a flaw that should be fixed, but for my usage (which afaik is the intended/expected way to use this feature) it is very far from “completely broken.” Putting something on the whitelist implies a degree of trust, and it’s on me to be the gatekeeper of which websites I trust enough to put on that list.
I strongly prefer not making exceptions for untrustworthy websites, but if I was dead set on putting them on the exceptions whitelist, then I would further isolate them using Firefox containers.
Using containers and the exceptions whitelist in combination seems like it gives you the best of both worlds. This is personally what I do. If a website gets on my exceptions list, it also gets segregated into its own container.
I don’t think so. When using exceptions for YouTube, if Site 1 has an embedded YouTube video and you then go to Site 2 with an embedded video, YouTube cookies will be shared between them. With TCP, cookies are isolated for each site.
Also, Site 1 and Site 2 will remain in “Cookies and Site Data” because they have some YouTube cookies that are not cleared on exit, since YouTube is in the exceptions.
So, containers are far from an ideal solution.
In my mind, this should be a list that excludes sites from data clearing on exit, not completely disables all protection for these sites. And isolation should be handled by TCP, not containers.
Isn’t a PWA just a simple shortcut? Or are you talking about the PWAsForFirefox addon? It requires many things to install, I don’t think it’s a good workaround.
It’s still just a shortcut and uses browser data.
PWAsForFirefox addon seems to work differently. It uses a new profile for each PWA. But it requires installing a program outside the browser.