
Exactly. Why aren't all websites run in containers by default (personally I'm envisioning per-domain containers)? What benefit do we get from full-coverage containerization not being the default?


In short: site breakage.

We're so deep in this that first-party isolation would break almost every single website. In cooperation with Tor, Mozilla actually ported the first-party isolation feature to mainstream Firefox (available in Nightly, don't know about stable), but since it would break almost every single website, there are no plans to turn it on by default. You can, of course, enable it yourself by turning on "privacy.firstparty.isolate" in about:config.

Disclaimer: I'm a Mozilla Foundation affiliate that has nothing to do with Mozilla Corporation nor Firefox.


It would break some sites (certainly not every site, I'm browsing this site right now with it enabled) because 3rd party cookies are an entrenched, standardized feature of the web, you can't simply turn them off tomorrow. Developers are using them to create benign functionality, for example spread an application across multiple domains owned by the same publisher.

What I proposed above is that we introduce an opt-in feature: before the browser is allowed to connect to 3rd parties (in the tracking and cookie sense), the user needs to opt in, for example by clicking in a notice window displayed at the corner of the browser window. Instead of nagging every user of every site that "This site is using cookies", developers should nag only when connecting to other applications, using a standardized browser API. Some time after standardization, you can roll out this functionality to all users and nothing legitimate would break.

There should be no presumed user consent - because there really is none, the outcry against Facebook and advertiser tracking shows people don't expect the web to work the way it does.


We ran a breakage study near the end of last year.

First-Party Isolation (FPI) did have the highest breakage scores: ~18-19% of users reported problems with it, and 9-10% of FPI users disabled the study.

Those are low relative numbers, but at entire-market scale, they are big absolute numbers. :/

https://blog.mozilla.org/data/2018/01/26/improving-privacy-w...


It would be great if we could have "FPI on by default with whitelist".

I think the stats are iffy because a lot of the breakages are things I would want broken.


I've been using first party isolation for the last year or so, and I can't think of anything it's broken.


Good to know, I'm gonna try this starting now.

Using the extension: https://addons.mozilla.org/en-US/firefox/addon/first-party-i...


2 week report: I haven't seen anything break.


I tried it out and yes, it breaks AuthN with third party sites, but besides that I had a mostly good time with it. I did turn it off.

Is there any plan to create an exceptions mechanism? "Allow Facebook access to your activities on this webpage?" or something like that?
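An added illustration, not part of any comment in this thread and not Firefox code: a simplified cookie-jar model showing why first-party isolation breaks embedded third-party login state, and how an exceptions list like the one asked about above would restore it. The `CookieJar` class, its `exceptions` option and the `*.example` hosts are hypothetical; the real feature keys storage by first-party domain rather than by the plain host strings used here.

```javascript
// Simplified model of a browser cookie jar (illustration only).
// Without isolation, cookies are keyed only by the host that set them.
// With first-party isolation, the key also includes the site in the URL bar.
class CookieJar {
  // exceptions: hypothetical allowlist of cookie hosts exempt from isolation,
  // modelling the "FPI with whitelist" idea; not an existing Firefox option.
  constructor({ isolate, exceptions = [] }) {
    this.isolate = isolate;
    this.exceptions = new Set(exceptions);
    this.store = new Map();
  }

  key(firstParty, cookieHost) {
    const isolated = this.isolate && !this.exceptions.has(cookieHost);
    return isolated ? `${firstParty}|${cookieHost}` : `*|${cookieHost}`;
  }

  set(firstParty, cookieHost, name, value) {
    const k = this.key(firstParty, cookieHost);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }

  get(firstParty, cookieHost, name) {
    const bucket = this.store.get(this.key(firstParty, cookieHost));
    return bucket && bucket.has(name) ? bucket.get(name) : null;
  }
}

// Constructed scenario 1: the user logs in at idp.example as a top-level page,
// then shop.example embeds idp.example content that expects the session cookie.
function embeddedLoginVisible(options) {
  const jar = new CookieJar(options);
  jar.set("idp.example", "idp.example", "session", "abc123");
  return jar.get("shop.example", "idp.example", "session") !== null;
}

// Constructed scenario 2: tracker.example is embedded on two unrelated sites
// and tries to recognise the same visitor through its own cookie.
function trackerLinksVisits(options) {
  const jar = new CookieJar(options);
  jar.set("news.example", "tracker.example", "uid", "u-42");
  return jar.get("shop.example", "tracker.example", "uid") === "u-42";
}

console.log("login, no isolation:", embeddedLoginVisible({ isolate: false }));
console.log("login, isolation:", embeddedLoginVisible({ isolate: true }));
console.log("tracker, isolation:", trackerLinksVisits({ isolate: true }));
```
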


In my experience with Brave browser I had to enable third-party cookies only for very few sites. In most cases that was to support some external login mechanism that the site used, not to access the site after a login. So I doubt the claim about breakage on most sites.


While micro-sites and CDNs could still be brought under the same SLD, the biggest blocker, as is, is OAuth. I'd want to make a UX call to see if the browser could elegantly prompt the user for a 3rd party interaction.

While we are at it, I keep wondering (in a strictly SSL world) if it would be a good idea to restrict CORS calls only to sites using the same certificate as the webpage. Would make life easier for folks like facebook.com making CORS to fb-blablabla.fbcdn.com.


Wouldn't Facebook just start promoting their super Facebook compliant certificate to their partners then?


Some sites rely on multiple domains to work. E.g. open auth, cdns are usually a separate domain, a lot of big corporates create new domains for “microsites” when they want to do something new but are tied down by slow moving corporate practices (although the world would be a better place without microsites).

Basically, you couldn’t do it without breaking a large part of the internet.


They could build a whitelist and distribute it with Firefox (?)


I agree FPI should be on by default and have a whitelist.


This can be done with Firefox Multi-Account Containers[1] and Temporary Containers[2].

[1]: https://addons.mozilla.org/en-US/firefox/addon/multi-account...

[2]: https://addons.mozilla.org/en-US/firefox/addon/temporary-con...



