Workarounds for sites that are broken without cookies?
If you're concerned about trackers, you're probably looking for First Party Isolation.
First Party Isolation is a feature that Firefox adopted from the Tor browser's Cross-Origin Identifier Unlinkability concept. FPI works by linking all cookies to the first-party domain (the one in the URL bar), making third-party cookies distinct between different domains. That is, if you're visiting a.com
and a tracker sets a cookie, and later visit b.com
which uses the same tracker, it won't be able to see the cookies it has placed earlier, when the first-party domain was different (a.com
). Another explanation:
What is First-Party Isolation
FPI works by separating cookies on a per-domain basis. This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertisers loads an ad.
With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing.
This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile.
(Source)
To enable FPI, you can either go to about:config
and set privacy.firstparty.isolate
to true
, or install the official First Party Isolation add-on. But before you activate it, be aware that some web apps rely on third-party cookies for actual functionality and may become unusable afterwards (e.g. you might be unable to log in). If you experience such problems, try also setting privacy.firstparty.isolate.restrict_opener_access
to false
which will relax the isolation rules and you're less likely to experience problems during, say, a cross-domain login flow that redirects you between different domains.
Another approach in Firefox are containers.
With containers you're essentially isolating different sessions from each other without having to use multiple browser profiles. E.g., you could read WaPo in a distinct container, and any cookies set by trackers in that container wouldn't be visible in the other ones. Containers are available in Firefox Nightly and as an add-on.
(Chrome doesn't have this exact feature, but you can use multiple profiles to get the same effect.)
I thought about writing a script that would run every 10 seconds on my machine and delete all cookies except those from whitelisted domains.
The problem I see with this is that some sites re-create cookies immediately after you delete them (as long as you still have their scripts loaded). And if your timing is bad, you might eventually run into the same problems you had with disabled cookies.
Finally, there are also reputable addons such as Ghostery that detect and block known trackers. So, you have plenty of options to maintain your privacy without disabling cookies entirely -- which unfortunately doesn't get you very far in the modern web.
Fire up an incognito browser window (or VM instance if you are really paranoid) to view WaPo, then only use it for that site, or close it and open a new one each time you visit.