What advantages does brave have other than their weird ad replacement thing? I’ve weirdly moved to Microsoft edge from Firefox for something’s recently. Unfortunately the chrome developer tools are awful.
Chromium browser which still generally has a performance edge, but without some types of Google's tracking like the browser level sign in or the recent example of Google exempting themselves from clear cookies.
I use both quite a bit and do not notice any difference in performance. You may be able to tell via benchmarks, but real-world performance is very similar.
But is that performance difference actually important? I can accept a minor impact as a tradeoff to support a more diverse ecosystem and weaken the Google monolith just a little.
> Unfortunately the chrome developer tools are awful
You are literally the first person I've ever heard say this. I've heard a ton of people say they want to switch to Firefox, but can't leave the Chrome dev tools behind. Mind telling us why you find Firefox dev tools superior?
I stay with Firefox for a lot of reasons, but the main one is this - I am so used to TreeStyleTabs I can't imagine going with anything else. Do any other browsers support something similar?
Opera has tree tabs extension (which I'm using for a long time, but only for really threaded sessions), chrome idk. Not sure how much different it is, but the basic functionality you'd expect from tree editor is there.
I love Brave and use the Sidewise extension to mimic TST. [1]
It isn't perfect though. My main issues are that it's a separate window so sometimes clicking on the side window or the main window draws focus instead of clicking the thing under my cursor. Also the search bar in the sidebar keeps getting accidentally activated when I hit command-T. So I ended up inspecting and deleting the element. It's not the most elegant solution, but it works well enough.
I've tried FF a couple times a year ever since Quantum came out, but on my MBP it's just much slower than Brave.
Work on Encrypted Client Hello (the current iteration of encrypted SNI) continues and you should anticipate that Chrome will deploy it as the draft approaches Last Call perhaps next year.
Because of the Don't Stand Out principle one of the most important factors for success of ECH is the deployment of ECH GREASE, which is to say, willing clients just claiming they want to do ECH even when talking to servers that don't really have any hidden services at all. Chrome's participation in that probably makes a real difference to whether anybody actually tries to block it.
The only asterisk to that statement would be if OP was a Mac user. Using Firefox for reddit and youtube nets me 4 hours of battery life on a 2020 13 inch MacBook Pro, while safari will get my 6.5-8 hours with the same usage.
Some years ago Firefox was near-unusable on MacBooks because it started spinning fans like crazy after a few minutes, eating battery in 30 minutes. But it had improved immensely since that time.
Speaking of Safari, maybe it's a matter of preference or habit, but for me it's has a very weird UX
I'm loving Firefox Containers for various use cases, but is running Google/Facebook in them worth the extra hassle if you use uBO/Privacy Badger? It blocks all that stuff anyway.
I think that one of you is talking about network filters and the other is talking about cosmetic filters. Cosmetic filters are a bit hard right now, due to Facebooks effort to obscure them. Network filters are as easy and as reliable as ever though.
I was pretty "meh" on containers until I put in a bit of effort to set them up. Flagging certain domains to always open in a specific tab category took a bit to work through on the common sites I visit, but now that its all set up I think its great.
You might be able to escape facebook using ublock, but you're going to have trouble escaping google. It's everywhere: youtube embeds, google cdn (for scripts/fonts), google maps embeds/autocomplete, recaptcha.
uBO/PB make you much easier to fingerprint uniquely due to not loading advertising content on all web requests, which could be considered harmful in a scenario where you don't want to be tracked. Facebook Containers extension offers the same fingerprint as "doesn't have a Facebook account and uses a browser that blocks tracking by default" outside of the container, which is far less unique these days than it used to be.
Note that this doesn't diminish the effectiveness of uBO/PB at blocking requests — but I think most of their users don't realize how much easier it is to identify who uBO/PB users are, relative to the rest of the world on less obvious setups.
The reason Facebook Container exists is because the UX of the generic version is awful. Trying to created a new container to always open a site with has something like half a dozen steps.
And of course we won't get a dedicated 'Google Container' from Mozilla because despite all their hot talk they know what side their bread is buttered on.
I love this Facebook container. Love to see the Facebook container mark also on other websites trying to track me.
I also use the Firefox multi-account containers to set a temporary container for every new tab. To not lose logins etc I'm websites I visit frequently, I set up dedicated containers for those. Work very well.
Anyone else with experience of the Firefox multi-account container extension?
Was just coming back to this thread to say I use the Multi-Account Containers extension to isolate my Facebook, YouTube, Twitter, and Google Search sessions from the rest of my web browsing, and I highly recommend it.
The terminology is a little confusing: Containers or "Container Tabs" is a session-management tool that's baked into Firefox, while Multi-Account Containers is an extension on top of that that allows you to automatically sort specific domains into containers, so when I open e.g. a YouTube link it automatically appears in a YouTube container, which knows nothing about my Google account. IMO the functionality of the extension (which was written by Mozilla) should be added to the browser itself.
Right now I use safari, chrome, firefox, and edge to keep the four identities I use for different projects separate thanks to Google not playing nice at all with the GCP account you are using not being the primary Google Signin.
> Love to see the Facebook container mark also on other websites trying to track me.
In fairness, some of those sites might not even know the like button is used for tracking and just think it's for helping them grow their facebook audience.
Multi-container will break any SSO experience that depends on cookies, where the sso domain (abc.sso.com) is not pinned to a container, and the destination domain (abc.com) is pinned to a container, due to the correct behavior of not allowing cookies to be copied into the container when the SSO chain of requests traverses from abc.sso.com -> abc.com.
This plus the inherent back button hijacking when you click a link that throws you into another container (which works by opening the link in the new container tab, changing to it, and closing the original tab), led me to just stick with facebook containers and sacrifice the privacy offered by multi account containers for some convenience.
Anyone know if there's an integration with Tree Style Tabs[0]? They're a gamechanger for browsing the web, and it'd be nice to see what tabs are contained.
I switched my sidebar tab add-on to Sidebery [0], and that's actually what got me to start using containers (not the other way around).
I have a 'home' container (= sidebar 'tab' of tabs), 'personal code' container (ditto), 'finance' (ditto), and 'work' (ditto). It's not even really that I want to silo their data from each other (I have uMatrix - yes I know, will probably switch to nuTensor - and autocookie delete etc. anyway) - but the organisation into contexts I can easily switch between is amazing.
Worth pointing out that while they're probably safe (and do in fact use the same container APIs to separate out the domains), these are all from third-party developers. Where as the Facebook container is from Mozilla directly.
You can make all of these yourself as long as you've got the Temporary Containers add-on installed. I don't see the benefit of installing four addons for this purpose, as the security risk of third-party addon vendors surely outweighs the convenience of a pre-configured container.
I use per-domain isolation, so I don't run into this issue.
However, I need 2 manual persistent containers for sites that are broken with per-domain isolation (Gmail and Outlook 365). Both visit many different domains after login. Within those containers, I need to be careful not to click on external links, but to open them in a new temporary container.
Is it possible to have each domain open in a persistent container? It looks like Temporary Containers uses a new one each time a site is visited. Containerise, on the other hand, seems to need to know about each domain in advance.
I only use the official "Firefox Multi-Account Containers" (on this browser).
It gives me a menu with choices like "Reopen This Site in..." and "Always Open This Site in..." as well as options to open a new tab in any of the permanent containers or even open new ones.
Tip: if anyone gets confused by a page popping up, saying something like "You asked me to always open this site in, do you still want to " a typical explanation for me was I had set at site to open in a specific container but as part of login procedure it would access another domain for sso, trigger "Always Open This Site in..." for that domain and get confused.
Now that you know this you should probably be able to either avoid it completely by being specific about subdomains or something.
It is not a big thing, just a heads up so nobody gets confused.
This extension to Multi-Account Containers looks great at first -- its Automatic mode spins up a new container each time you open a new tab, then switches that tab to an existing container, should one be associated with the TLD you visit.
The problem is that Temporary Containers does not delete these temporary containers. They accumulate in the MAC containers list. There is no way to mass delete them, nor set them to auto-delete when the tab is closed.
These WILL sync to your Firefox account and reappear on every machine. Over 3000 temp container made MAC unusably laggy. This was so destructive of my MAC experience that I uninstalled both extensions. Unfortunately, to my knowledge, there is no way to reset the data MAC syncs to Firefox Account.
Temporary Containers has an option "Delete no longer needed Temporary Containers" which defaults to 15 minutes, but can also be set to immediate.
Are you setting this option to something else?
Temporary Containers works really well for me. I have per domain isolation, which only breaks very very few sites (Gmail and Outlook 365). For those I have regular persistent containers. Alternatively, I can always open a new private window where I don't have this plugin active.
uBlock Origin + Temporary Containers + ClearURLs are a great setup for privacy and security. Actually, I don't need much else aside from a VPN and a few settings in my user.js.
The only thing I miss is Vimperator. Modern alternatives are full of glitches because of inherent limitations in the WebExtensions API.
It's a long-standing bug that also affects me. It's quite annoying since it's easy to irreversibly hose up your sync account by going over the remote storage quota. Maybe you don't have a Firefox account and/or sync setup?
There are related issues opened for Temporary Containers, MAC and Firefox and at least from the public discussions not much is happening about it.
I use Temporary containers heavily and the MAC sync is also enabled but I never see anything like this. Sometimes 1-2 container it remains but I can delete it manually.
Maybe I'm lucky with this.
"Delete no longer needed temporary containers 15 minutes after the last tab in it closes" is a default setting. This is not an issue I've experienced in the 3+ months I've been using this extension.
I don't remember what the default settings are, but I do remember changing a fair number of them (and they are numerous). Definitely not the most friendly tool to casual use. But when fully configured, it is my second favorite addon (behind uMatrix).
I don't know what, but something causes it to leak. I've been using it for about a year and several of the low numbered containers have accumulated duplicates:
I used to delete manually each container when this happened, through about:preferences container manager, but now there is no more this in Preferences and to remove containers through the Multi-Container extension isn't the best thing.
Tried do that by editing some files too but the hundreds os containers keep reappearing after few days, or on new installations.
Huh, I have not experienced this issue, but there seem to be mixed reports in these comments. The numbers continue to count up (this is also configurable), but the containers are actually deleted.
I have the same problem (which supposedly does not happen to all users of that extension). I fix it by running this script once a month (it deletes the temporary containers from the containers.json file):
import json
with open('containers.json.bac') as f:
s = f.read()
j = json.loads(s)
ids = [i for i in j['identities'] if not i['name'].startswith('tmp')]
print(len(j['identities']), len(ids))
j['identities'] = ids
with open('containers.json', 'w') as wf:
wf.write(json.dumps(j))
You can reset your sync data for any extension in Firefox.
Just go to about:debugging, click on "This Firefox", locate the extension and click the "Inspect" button. In the case of MAC this should lead you to about:devtools-toolbox?type=extension&id=%40testpilot-containers
In the devtools that open you need to go to the Console tab and run this command:
await browser.storage.sync.clear()
If you want to see the data before you delete it, you can show it with this command:
The issue with this was using multiple Google identities. The Google Container Extension would want to open any other Google sites in the same container.
I wanted to keep the soccer club administrator, school website, etc. Google identities separate and distinct.
Perhaps things have changed and this isn't an issue anymore. What I did was create an identity (soccer, PTA) for each gmail account and set defaults for google.com, YouTube.com, etc.
Having MTTSCPresident@gmail.com is really nice for being able to give someone else the password and let them take over the account when your term is done.
This doesn't work as well though for things like university campuses or large companies where many people may be using a single IP and identical hardware.
I would bet $100 FB does geolocate your IP to determine if it's likely a single residence or a larger multi-user building, and likely tracks that, but that misses a large chunk of their user base.
Imagine the number of people who use FB as a distraction at work or in class, but might not use it as much at home.
Yeah, I've tried to do the multi-profile thing in Chrome and always ended up giving up in disgust after a while because the UX is hard to deal with. Lately I've just been using different browsers for different "profiles" (social media, work, general internet browsing, etc) with. Between Safari, Chrome, Chrome Canary, FF, FF Nightly you can have a lot of different "profiles" and using something like https://www.choosyosx.com the day-to-day UX is not bad.
What’s the way to set this up for custom domains? I basically only want to be logged into my mail, Facebook HN and twitch (and they don’t need to share tracking cookies) and have everything else happen in a no-cookies stored environment.
But do I need a container extension for each of those sites or what is the deal here? And do I exit the container when I click a link to another domain?
There are still other ways they can identify you based on typing and mouse movement patterns or other heuristics and fingerprinting techniques. Or they can purchase this information from one of the many 3rd party adtech companies that are also tracking and building shadow profiles on people.
I use Firefox multi-account containers[1] extensively, it's honestly the primary reason I use Firefox these days. The big win for me is that I _hate_ having to use the Google account switcher, so I basically set up a container for each Gmail account (work, personal, old email, etc).
The nice bonus feature is you can have certain sites default to containers. I had a paid YouTube account for a while, for example, so having any YouTube link open in my personal account was nice for not getting hit with ads on initial click due to my default Gmail not being the right one.
There's also a plugin[2] that will make any new tab default to whatever the first tab listed is. Really great for if you want to have a whole browser window dedicated to one container.
Do you use windows? I found that having multiple GitHub account is infuriating on windows because it forces you to go into an obscure security manager to delete a record in order to switch which account your using. Never found a way around it.
I had never heard of this so I just tried to reproduce this - I have no trouble logging into two separate GitHub accounts in different Chrome profiles. What makes Firefox profiles different?
I think he means when using git from the command line. Trying to push to your repo will trigger a github sign in process, which will then save the credentials to Windows Credential Manager. Git will then ALWAYS use those from that point on credentials unless you go into the manager and delete them, which is a massive pain if you use multiple github accounts.
Where I'm contracting now didn't want my account added to their org because it's not a profile picture of me. As the public facing stuff of the account is my personal stuff, I don't want someone else to tell me how it should be. So a new account for this customer it is..
I wish they didn’t do that. Or preferably, I wish they had native “containers” for work and personal repos.
Explore is one of my favorite features and now it’s crowded with work related suggestions. It makes it harder to separate the personal/professional persona and interests. This problem also manifests in notifications. I want a clear separation so I can focus on my personal life after work.
I’ve thought many times about creating a separate account.
We actually discussed this for quite a while at work when I pushed us to start contributing to open-source. Mostly it came down to the fact that TfL wished me to keep my work-life and personal-life separate to keep things simple. Reading that back, it doesn't sound so crazy.
What I've been doing was to set up a browser profile (local) for each main context. If I have a set of work accounts (google, github, etc.), I have a 'work' profile for it. This isolates all cookies related to 'work' at once, as well as bookmarks, saved tabs, extensions, and settings. It's a total context switcher.
I'm also doing this in chrome. I have about 5 different profiles, aliased to things like `chrome-work`, `chrome-personal`, `chrome-dev', etc. I would love to use FF, but iirc FF doesn't provide something like `firefox --profile=someIdentifier` that opens a new window in my desired profile.
edit: Apparently this is bad info. I'll have to give it a try again.
I used to always include `--no-remote` here but it seems `firefox -P <profile>` now works, too, even when another Firefox instance is already running. Is anyone experiencing the same?
There's also a firefox-bin. Anyone know what the difference between firefox and firefox-bin is nowadays?
I believe that in the far past firefox-bin was the firefox binary, and firefox was a shell script that would do things like notice you already have a firefox-bin instance open and signal it to open a new window rather than launching a new firefox-bin instance.
But nowadays, firefox and firefox-bin seem almost the same. On the current release version on Mac, for example, both are binaries, with firefox-bin 40320 bytes and firefox just 16 bytes bigger.
Info.plist in /Applications/Firefox.app/Contents gives firefox is the executable to run. I'm not sure what role firefox-bin has now, if any.
Grabbing the source and building it myself results in firefox and firefox-bin matching.
Profiles definitely have the basic functionality, but I like to keep all my extensions the same across my containers, and it's also easy to set up rules such that a certain site will always open in a certain container. You don't have to think about it at all.
I want my extensions to share the base configuration but have some different settings in different contexts.
Like, allow some tracking & advertising for "shopping" container, but block it otherwise. I don't mind having a special self-curated image where my in-scope browsing is tracked and analyzed. Now, I just have a separate browser (Chrome) for this - because it's more straightforward and less error-prone.
Or a sandbox development & local resource management profile where nothing but localhost and LAN addresses are allowed. And then block such access for any other profile - for security reasons.
Or allow, let's say, Grammarly extension on a few selected websites (like HN), where all I write is public and I would benefit from machines aiding my writing without any privacy concerts, but don't give it any chance to see my private correspondence.
Unfortunately, that's not possible with containers, and profiles are quite cumbersome.
Is the Firefox implementation different from Chrome? I don't think Chrome allows you to default links to specific profiles but I have used this feature in Chrome for a while to separate work and personal profiles to sandbox Chrome instances.
I do all my shopping in the shopping container. I have the deals website I frequent set to the shopping container so if I open slickdeals.net in any tab, I get to the shopping container.
One quality of life change I encourage is go to manage containers and select "Select a container for each new tab". Then you can pretend the firefox tab without a container even exists (caveat: does not work with ctrl + t shortcut for new tab)
> The nice bonus feature is you can have certain sites default to containers. I had a paid YouTube account for a while, for example, so having any YouTube link open in my personal account was nice for not getting hit with ads on initial click due to my default Gmail not being the right one.
I use Chrome on Windows 10 at work because we're a gsuite shop and that's just what we do (I don't do personal things on company resources). I use Firefox on Debian everywhere else because Fuck Google.
Along with the Facebook Container I use multi-account containers to keep a Google, Microsoft, and Amazon container as well. I included all of their children companies in the parent containers (like GitHub in Microsoft, YouTube in Google). It's sobering seeing how much of the internet shows up in one of these four containers.
Temporary containers has a plethora of settings for when to open a new container. For example, I have a rule enabled that will open links in a new temporary container when they leave the current one. That's a terrible explanation, so let me give an example to make it clear:
- I have a GitHub container
- github.com and gist.github.com are set to always open in the GitHub container
- Say I am currently browsing github.com in the GitHub container.
- If I click a link to a domain other than [gist.]github.com, instead of navigating my current tab to that url, the url will open in a new tab & new temporary container
This is more powerful than simply persisting cookies from github.com -- I'm keeping GitHub's cookies, but only in the github container. It's almost like first party isolation, but a little weaker (unless you enable the setting where any link to a different domain will open in a new container), and I have the ability to group sites that would break with 1st party isolation by opening them in the same container.
I agree, your description is more why I like it -- the only websites that get to save any state are the ones I pick to open in specific named containers and which I also specifically granted permissions to with uMatrix (RIP).
Everything else opens links in a new container with the hope to make it as close as possible to looking like a different person clicked that link. I know it won't work that well since the IP doesn't change nor the user-agent, but at least it helps with the most lazy tracking.
I share the same goals; thanks for the succinct description.
Discussion upthread made me interested to see whether I can route temporary containers through tor, to make this protection stronger — see https://news.ycombinator.com/item?id=24853320
It's not super high on my list of priorities though, probably won't get to it for a month or two.
Oh, that'd be very neat if it made separate container tabs look like different tor sessions. Very clever! I suppose there's little short of that which would stand a real chance of working...
Damn I also hate the Google accounts mayhem. I will look into those containers.
Right now I manually type ?authuser=1 into my URLs to have Google Docs open in the right account, but this breaks when I restart the browser and the page reloads with the wrong account... Why Google removes this parameter from URLs after loading is beyond me.
It feels like multi-user management with google is a feature which was not really considered from the start and never become important enough to refactor the whole thing.
I have no idea how the product is structured, but I do know that many other services have a similar issue.
Heck, we’re using outlook at one of my customers and I can’t even open a second tab in 2020. It will just block the UI telling me there is another tab open.
Does this work with Firefox Sync? I'd love to have different bookmarks/cookies/accounts/etc. for work and home but use the same sync account - sometimes I work from home and want to use my work profile, but also don't want my home bookmarks showing up when I share my screen at work.
Multi-Account Containers with Containerize is an unbeatable combo. Until Chrome gets something like this (I doubt it), I'm never leaving Firefox because of it.
In my experience that had better support for per-eTLD temporary containers, so that each site can have its own, and the data can be discarded relatively soon. I also have more permanent containers for things that I want to be able to persist (e.g. work uses SSO so I need to link multiple sites together to log in).
When I used it I found the management in Multi-Account Containers to be onerous (I don't believe it could do automatic containers based on eTLD).
Oh wow, okay this makes things a little easier. I've always struggled with logging in as the SSO-flow has domains that I haven't added to the "Always open in X tab". Hopefully the functionality gets incorporated into the MAC addon eventually!
.. I say hopefully, man I feel guilty getting so much use out of these addons when I could be actively contributing. Fuck it, donating.. https://donate.mozilla.org/en-US/
This is going to take care of my biggest gripe with Multi-Account Containers; it leaks cookies to the default container if you open the site management list because it looks up favicons each time. I just tested Containerise and multi-container cookie jars, it does not leak cookies with this.
Finally, painless container management!
The worst thing about the Google account switcher is logging into some third party sites sometimes just uses the first logged in account instead of showing the account switcher, so I can't log into the correct account without logging out of all the Google accounts.
I used to have 4 or 5 profiles for firefox for various accounts and situations and containers let me leave all that mess behind. It's pretty awesome and I wish more people knew about it. It's one of the things I bring up to privacy oriented and people who need a lot of different logins.
Also adding to this - you can set up container-specific proxies with "Container proxy" addon. This is great for when you want to ensure your connection is going over a private network, for instance if you have a regular torrent website (or porn or whatever) - you can configure it to automatically open in a container, like this Facebook addon - but when it opens - it will only connect to the endpoint over a proxy. If you're not connected, it fails.
Works really well with Mullvad which has a SOCKS proxy setup only available when connected.
Great for work connections too, I've setup all work/business websites to auto-open in a "work" container which I've created a local bridge proxy for to ensure my work connections are always over the corporate VPN.
This is also really good if you consult or work with many customers - you can start to build a catalogue of containers with specific settings for those customers.
I use the same setup (mullvad + container proxy) and can't praise it enough. I just keep a mullvad connection open on my router and only route the proxy IPs through it.
Great for all kinds of silly GeoIP restrictions, too - in my part of the world, homedepot.com just spits out "access denied", a foodnetwork.com recipe you find in search results just redirects you to the tudiscovery.com homepage, etc.
>"I just keep a mullvad connection open on my router and only route the proxy IPs through it.'
I'm interested in your setup. Do you configure your router to have a point to point tunnel with Mullvad then? I didn't know this was a thing. Do you then just have a separate container proxy for each GeoIP region you want to access?
For Geo-IP, unfortunately unless you have some sort of automation to reconfigure the OpenVPN settings on your router - this will only work with 1 configuration. They may be alluding to using the VPN to connect to another country where they're not getting weird as fuck redirects and shit content.
Although just as I wrote that, I'm expecting a dd-wrt/browser addon will probably support this somewhere - or at least as a script on Linux.
I have a Unifi USG, which has a third party wireguard addon, though of course OpenWRT could work just fine. You setup a wireguard tunnel normally, but disable the default routing (on a Unifi, set route-allowed-ip false), and then explicitly add a route for 10.124.0.0/16 through the wireguard interface. The mullvad servers page[1] has socks 5 proxy addresses for all of their servers - assign one to a firefox container and you're all set. No reason you couldn't have a container for each geographic region you want.
Anyone in the know: what would it take to implement a "container over tor"? I am not currently a tor user, but absolutely would if I could integrate it with my current workflow (using the temporary containers addon).
Be careful doing this though, there's a reason Tor Browser exists and it is because it's very hard to do anonimity over Tor right on a default browser.
Granted, Tor tries to upstream as much as it reasonably can to FF, but there's still large differences in defaults that could give away (some bits of) your identity.
"Anyone in the know: what would it take to implement a "container over tor"? I am not currently a tor user, but absolutely would if I could integrate it with my current workflow (using the temporary containers addon)."
This is my every-six-months wish/rant on this subject ...
What we need is the ability to 'jail' a GUI browser process.
It is too resource intensive to spin up an actual virtual machine to run a browser window/tab. However, a facility like 'jail' (or zones or, perhaps even Docker) that simply chroots a new process with its own network interface, etc., does not have any of that expense.
It really is just a fancy chroot and the expense is limited to the overhead of just the process you're running.
If you could 'jail' a GUI application, you could have a browser window that was not merely its own cookie domain or history domain, but that was on an entirely different network and it's own chroot.
Have you tried Firejail? I'm not sure i'm clear on what your requirements are, but at a glance it seems to me that Firejail should do what you need, a Contained sandbox for GUI processes
Container proxy plus a putty socks tunnel over SSH through a pinhole firewall rules to my work linux system is my preferred poor man's work VPN. One main benefit being that allowing the non-VPN traffic to handle the video meeting works way better.
I just discovered Mullvad (just a VPN provider) and for some reason, they don't have "English" in the list of languages available for their site.
So they redirected me to the Dutch version because I'm in a nominally Dutch-speaking region, and I had no option to get it in English. I had to go with half-translated French until I noticed that I could replace the "fr" in the URL with "en", and actually get to an English-language website.
The region-based redirection was annoying enough, and the half-assed translation job was expected, but not even providing an easy way to get back to English is really idiotic.
I still wish I had some kind of system that would automatically use a connection in the right country for geoblocked content. For now I just use SSH proxies to (my own) strategically located servers combined with Firefox Containers and Container Proxies, but it's all manual.
Just checked it, and English is 4th option in the language switcher on the bottom of the page.
Also, it seems to be using browser's preferred locale, not the IP region. So, it looks like that changed, too.
Google, on the other hand, is just as bad as you described. Geo-based localisation, lots of clicks to change the language (or ?hl=en, once you learn about it).
Looks like you're right, but unfortunately the select is cut for me[0] because my screen is not big enough.
Since the list is not alphabetically ordered (it actually is, but with the English names, not the displayed names) and it shows no scrollbar, it wasn't obvious there would be other countries up there.
As for language, maybe Google itself chose to send me to the Dutch version. Despite all my attempts, I still cannot consistently get Google to use the language I want (apart from manually choosing it by directly visiting Google with the right hl= first, indeed). Right now Google.fr seems to be in English and offering me the three languages of Belgium, for some reason.
Last I checked, I'd have to enumerate every Google domain and subdomain, which just seemed like too much work. But if others have already done this, itd be easy to just use theirs.
Why do you hate the Google account switched for Gmail? It keeps all of my Gmail-attached sites isolated in Chrome and is easy to use on desktop (non-existent on Android Chrome unfortunately).
Tooting my own horn :). Session Boss [1] saves the container information as part of the session and can restore the tabs in their respective containers. I use it to maintain multiple Gmail accounts and other email accounts in different containers.
The add-on page for this says it was last updated in June 2019. Just wanted to check if it's still compatible and has no issues with all the changes in Firefox for more than a year now.
Still works fine. I have a large pending change which is risky and I want to do more testing before releasing, but got busy with other stuff and no update has been pushed out for a while.
Didn't know you could do this with Firefox. Thanks for the tip! Curious — have you ever heard of Shift (tryshift.com)? It pretty much does the same thing, but with everything (Gmail, Facebook, YouTube, WhatsApp, etc.). I use it at work so that I don't have to sign in and out of all my Google accounts. It's pretty unreal.
Welcome to HN. Is this you?[1] You should disclose your job is promoting the company you mentioned if it is. I hope it isn't or you just forgot. Astroturfing erodes trust between people and makes the world worse.
The Facebook Container extension is special, it does a bunch of work to put all of Facebook and only Facebook inside the Facebook Container. Bits of Facebook trying to peak through outside Facebook (e.g. tracking pixels) are elided entirely. Which is exactly what I want. But ordinarily that's not the behaviour you get from a Firefox container.
e.g. I have that Facebook Container, and I also have a Slack container I just put together in the usual way by opening my Slack session (it's for the main social group I hang out with, during the pandemic) inside a Container with a pink theme and icon.
Suppose three friends send me a funny Youtube video of kittens, one sends it on Slack, one on Facebook, one literally sends me a postcard with the URL on it.
In Facebook, it's inside the Facebook container. Since the Facebook Container has no idea who I am, Youtube presents adverts and of course there's no way to add the video to my "Fun kitten videos" list. But if I tell Youtube to open this now the tab is not Facebook, a no-referrer link opens with the URL and now in my default context which has Youtube Premium, so there are no adverts and I can add this to my lists. As far as Facebook is concerned I apparently just left. Unless Google tells them I watched that video they are none the wiser.
Slack is inside the Slack container. So again, no Youtube account, adverts. But if I open the Youtube page that's still inside the Slack container, so still no Youtube account. I need to explicitly get the URL and paste it into a not Slack tab to get my default context.
The link from the postcard obviously I get to choose which context to type it into the URL bar, although maybe the UX of typing random Youtube URLs in isn't great.
> In Facebook, it's inside the Facebook container. Since the Facebook Container has no idea who I am,
wouldn't they know exactly who you are with every request sent to any of their servers and any facebook page you load either by your facebook account, IP address, or by browser fingerprinting.
I mean, sure they can be entirely confident that I'm the Facebook user who signed up for that account, and so in that sense they know exactly who I am.
But in another very real sense they've got no idea who that is. It would suit them very well to be able to reliably tie it to other information (hence all the tracking pixels and so on) but the Container prevents that.
I mean, one of my Facebook friends is named say "Norman Le Plum". I'm very confident that isn't what it says on his birth certificate, and indeed when his friend request arrived I actually ignored it until I found someone out of band to tell me who "Norman" was, but in a sense Facebook know exactly who Norman is, he's a disembodied red skull who is still really into skateboarding and Steamed Hams.
What use that is,isn't clear, and presumably one day advertisers might conclude the answer is "No use whatsoever" and Facebook will go out of business. Meanwhile I read funny Steamed Hams variants, people complain about their jobs, and while I'd rather it didn't exist at all, if it must exist at least it's trapped in a little box where it can't taint everything else.
Now Google probably knows way too much about me, but that's quite a different problem.
I wouldn't count on a fake name being any kind of problem for facebook assuming they're actively using the profile.
Not providing them any data at all won't spare you, but if you're using the account they can easily analyze photos and comments (including those on other people's profiles), use facial recognition, use friend/activity patterns, match IP addresses/browsers (including any instances where the same IP address/browser was used to sign into non-facebook services found in records purchased by facebook from data brokers), and if he ever uses his phone or chrome to look at facebook there's a handy unique ID sent to facebook as well which can be matched with countless other recorded activities.
Facebook devotes a huge amount of time and money to collecting data and using it to associate people to a real identity to the extent that even people who never signed up for an account at all have hidden profiles created for them by facebook which contain the intimate details of their life including what they buy at the grocery store.
As far as I can tell, a container won't protect your identity but it will limit the amount of information they have on your browsing history (unless your ISP decides to sell them that information or they obtain some of it from a 3rd party data broker)
Older accounts may have fake names but newer ones require identification documents, even selfie videos to prove you are a human. It wouldn't surprise me if they start combing through older accounts eventually.
Ok so my point is that you specifically don't put any Google sites into "a" container but rather let them fall where there are, and if you have a Work container and open something Google, you only ever log into the Work-related Google account?
For work stuff my habit for maybe a decade or more has been to have work buy me hardware and the work hardware does work stuff, so this conflict never arises. The closest is maybe a previous employer paid me a retainer and obviously they didn't buy me a special laptop just for like one conference call a year on retainer, so I did that from my PC.
But yes, in a Foo container, all the various Google things (Docs, GMail, their Cloud offering, Youtube...) are either not logged in at all or they're logged in from some Foo context.
I tried it but it doesn't seem to work. I clicked a new "Work" container, then went to mail.google.com, and it instantly took me out of the container.
And then when I click back to the work container and try to access mail.google.com I get:
"400. That’s an error.
The server cannot process the request because it is malformed. It should not be retried. That’s all we know."
Bug? It seems like a really messy UI. Why can't they make Multi-Account Containers work just like Facebook Container? Or have make 1 window == 1 container?
Yes, I use it at home but also a lot at work. Opening personal account and admin accounts in a bunch of different tabs for a bunch of different sites. Makes it super easy, no need to log in and out throughout the day. I have users that also will have our O365/Okta accounts as well as client O365/Okta accounts. Containers make it a cinch to keep everything separate and logged in at the same time.
I was asking about Chrome profiles, not Firefox containers. I use dozens of Firefox containers already, and it's my understanding that Chrome profiles aren't a good substitute because you can only use one at a time.
Private tab? Do you mean private window? Or is there some other feature/extension?
The temporary containers extension is creating a temporary container with each newly opened tab. It uses same container for tabs opened from existing tabs.
All tabs opened in private windows share the same "container", which gets cleared once you close the last private tab. With temporary containers, all your tabs are in independent containers.
It's not that unusual to use separate AWS accounts as blast-barriers. I.e. they contain the damage that might occur due to a leak etc. I typically use 2 (prod & non-prod) for each major product/offering, plus a centralised one to manage policies, billing etc for all the sub accounts. They add up pretty quickly.
Similar to OP you're replying to, I use Firefox Containers to open separate accounts to open independent windows from my Identity Provider when I need to be in more than one account at a time.
AWS credits? You can get a bunch of free credits for each account, and then build an abstraction around boto3 to make 20 accounts look like 1 account to you.
meh, compute cost almost always costs less than dev time. I use multiple accounts for separation of duties, cost, access, and blast radius. Most services I run blow through the free tier in minutes.
I do have scripts that spin up accounts as needed and I just have a bucket for 'free Tier account access ending' emails.
I run big fleets, 100s of hosts 1000s of containers in most AWS regions. Most of the control plane is automated, but when that breaks, or there are issues in the data plane, I might log into read logs, look at metrics, force scaling actions, or just general investigation tasks.
I also use different accounts for permissions boundaries. Data shared between multiple teams might go in one account. The apps can access the data but maybe the interns can only access the app account while the SR. Eng(s) + current oncall have full read only access to the data for investigation. A second RW-Data oncall might have access to the DB account in each region. Ever data storage account also has a limited access cross account Data replication/backup account.
+ I help people out. 'Can you look at this? . . .'
In the end, there are account specific errors that can be caused in your infra, IAM rolls, keys, throttling, malicious access that are easily prevented with least access in per account buckets. So I end up with multiple accounts in each region.
It’s not the same. All my uMatrix anc cookie auto delete rules are container specific. Private windows are like very simple containers that destroy themselves once closed.
AFAICT private Firefox windows are also part of the same container so you don’t get true separation (can’t open multiple Firefox private windows and log into different google accounts — does that work in Safari?)
I just recently discovered a tip that finally made Firefox multiple windows usable. When you want to restart the browser and save tabs across all windows, you use Quit command from menu (or Ctrl+Q) and not the window X button (Alt+F4).
Ctrl-shift-n will reopen a closed window (with all the tabs it had) just like ctrl-shift-n will reopen a closed tab. Try it a few times after closing multiple firefox windows with multiple tabs each if they don't come up automatically on start.
Yes, my mistake. That's pretty obvious in context what I meant to someone that already knew it, but that doesn't help those that didn't know about that feature, so thanks. :)
This is definitely convenient for now, but the shifting browser ecosystem (along with default security changes in Safari and proposed changes in Chrome) is driving the development and adoption of server-side tracking solutions. This is great for the short-term, but I imagine it won't be relevant much longer.
There's a reason why Segment just sold for $3.2 billion... [edited to add: They offer a single integration point and will proxy your data server-side to hundreds of other companies.]
Indeed, I'm getting increasingly skeptical that a technical solution is sufficient to fighting surveillance capitalism. Looking forward to see some serious GDPR fines.
They use CNAME aliasing to make the requests seem like they're coming from your own domain, so you'd have block a specific URL on a site-by-site basis, and there are also fully server-side APIs so you don't even know when data is being captured or shared.
I use the 'Containerise' plugin along with the following configuration (which I am constantly tweaking) to keep the big tech companies isolated from each other and the rest of the web.
I'm also increasingly using it to keep their various properties isolated from each other (eg. keeping Bing separate from the rest of Microsoft) to reduce tracking even further.
!*.atlassian.net , Atlassian
!*.bing.com , Microsoft Bing
!*.bitbucket.org , Atlassian
!*.github.com , Github
!*.google.com , Google
!*.imdb.com , Amazon Home/Personal
!*.linkedin.com , Microsoft LinkedIn
!*.live.com , Microsoft
!*.microsoft.com , Microsoft
!*.nytimes.com , New York Times
!*.reddit.com , Reddit
!*.twitter.com , Twitter
!*.youtube.com , Google
amazon.com , Amazon Home/Personal
console.aws.amazon.com , Amazon AWS
music.amazon.com , Amazon Home/Personal
news.ycombinator.com , Hacker News
smile.amazon.com , Amazon Home/Personal
www.amazon.com , Amazon Home/Personal
Oh wow. I used containers for a while, but the official plugin for managing them was awful. You had to go to the site, set the container, then click an approve button the _next_ time you went to it. Took forever to get things set up, and it never synced the settings despite claiming it would. I'm going to give this one a try. Thanks!
> but the official plugin for managing them was awful
I wish we'd stop being so hard on products. It's likely those developers read these comments. Having babies be called ugly by your peers is rough, actively trying to be more respectful on the internet leads to a nicer industry.
EDIT: Just to clarify - I'm not saying your intention was disrespectful. I've written many comments similar to this, and continue to do so, but I've started to try and curb it because I imagine it's what YouTubers feel like reading their comments section.. But this is by our own peers in our industry.
I was quite frustrated by this as well, but then I remembered that the design goal of the extension is allowing logging into the same service with multiple accounts, not isolating services from each other. That is why the secondary functionality, the possibility of isolating tech fiefdoms, is less polished. It's not the main show, it's just a happy side effect.
Containerise and Cookie Autodelete together are indeed a very good addition to uBlock and uMatrix, and if you already have some Regular Expression classification rules written for Cookie Autodelete, setting up Containerise is very quick. It works like a charm even with the Firefox Multi Account Containers extension itself disabled.
This add-on has the same problem as Temporary containers. If you want to isolate Facebook and click a link to Spotify it will open Spotify in the Facebook container :(
So far only the Google/FB container add-ons do this right.
If I understand what you want correctly: the Firefox multi account container extension (is that the default one?) allows to "manage containers" and by clicking on the one you want you can select "limit to designated sites" so you can, from a container, click a non containerized link and get that link opened in the default/different container
> If you want to isolate Facebook and click a link to Spotify it will open Spotify in the Facebook container :(
If you are talking about the Temporary containers extension, that's not the case. The extension is not the most easy to use, but it certainly supports opening Spotify in a different container when clicking a link in FB. You either don't have the Navigation→Target Domain set to Different from Tab Domain & Subdomains or you have Exclusion Patterns set which exempt Spotify.
While I do agree with some reply-ers that @pkulak's critical wording was a bit strong in the sibling comment here, I have been incredibly frustrated with the default "Multi-Account Containers" add-on.
They have a facility to delete domains from a container, but no facility to add one: something I would've thought would be one of the first things one would want to implement. I understand resources are not always plentiful, but they've added a bunch of other features and yet this one is still lacking.
This is especially infuriating for "intermediate" domains forming parts of a redirect (Google have changed their subdomain structure recently and placing different Google properties into separate containers is now impossible with Multi-Account Containers due to their redirect structure)
The pattern-matching feature in `containerise` looks even better again.
Hoping it works as well as it looks; going to give it a try now.
I love the general idea behind the container (sandboxed browsing). However, I'm not clear on the exact privacy benefit relative to the much easier path of blocking 3rd party cookies in your browser of choice and installing uBlock Origin. What specific tracking is no longer possible using containers that is currently possible if you're using one or both of those protections?
Is it something about 3rd party scripts that uBlock Origin doesn't block by default and that don't require 3rd party cookies?
I'm not looking for a general answer about containment or sandboxing or a nice user experience for separating environments or profiles; I'm looking for a precise attack/tracking vector that makes this worth switching browsers for.
It's my understanding that if you're logged into Facebook and visit a website that uses Facebook's APIs (the Like button etc) then your pageview will get tied to your profile. Even if you don't actually interact with it in any way.
If you isolate your session with Facebook container then they can only tie your pageviews to an anonymous profile and will have a much harder time tracking you across devices, connections, etc.
Here is an example. This page [1] has stuff from google loaded that is not blocked by a combination of Ublock Origin and Privacy Badger; for instance google fonts (other stuff from Google, Twitter and Facebook is blocked). If I ever log into Google, then my activity on this page will be linked to my account. If I containarize my Google account, then I guess Google can only use my IP or very advanced tricks to attach this activity to my account.
By default? It can break a lot things that people expect to work and can make browsing the web slightly more annoying (harder recapcthas etc). You can enable first-party site isolation in your Firefox preferences which will effectively provider a container for each site (as far as I understand). But it's pretty annoying at times.
In terms of cookies that's effectively the same yes.
To deal with the annoying breaks, assuming the fix you want is 'just make it work', there's at least one add-on available that just gives you a toolbar button to toggle it on or off, a fish bowl that glows red as a warning when off.
Other than convenience, what, if anything, do containers have over doing what I do - always opening a private window/incognito in Chrome, go to facebook and log in?
Primarily, it's not 'other than convenience', because that's huge.
But to actually answer: you can remember cookies etc., they're just only accessible within that container silo, versus private/incognito windows where they're deleted (by design) when you close that tab.
You can only open one private session, you can have as many containers as you want. With the caveat that you can probably spawn multiple chrome sessions each with a different profile, but then each session will have it's own bespoke config and (lack of) extensions.
I dearly wish that I was able to purge cookies/local storage on a per-container basis.
Persistence. If you log into a website in a container, cookies will be stored locally within the context of the container. Those cookies can't be used to track you on other sites outside the container, but they do fulfill their purpose within the container.
I've been using Multi Account Containers for a while now (years probably) and they do provide good value but things can still be improved. What I think Firefox lacks right now is good UX around switching profiles. Sure `about:profiles` works, but it's hard to access, looks ugly, and prone to miss-clicking.
Here is my workflow:
- Normal browsing: not logged in, no containers.
- YouTube: have an "Entertainment" container for it and use it logged out since Google signs you on all their property, and I don't want to mix my entertainment history with my educational history.
- Social media: have a "Social" container where I access all the data harvesters.
- Logged in: For anything that I need to be signed up, a "Personal" container, so I can check my email in peace.
- Work: here's the catch, this needs it's own profile. Since "YouTube" is set to always open in the "Entertainment" account, and I don't want work related videos pop up when relaxing, and vice-versa, I can switch profiles and have everything completely isolated in my "Work" profile. And in case I need to, I can set up more containers in this profile. Also there are different add-ons I need for my own setup compared to work, or the same add-on with different configuration. So just containers won't do here.
My point is, if Firefox had a profile switcher as easy to use as Chromium had, my life would be way better. Profiles and Containers seem to complement each other. They just need a truckload of polish.
Some things that annoy me right now:
- There is no dedicated UI for profile CRUD. And an add-on won't work for this since it needs to be available and enabled by default across profiles.
- "Reopen in container" opens a new tab instead of replacing the current.
- Having keybindings for the two above would be extremely useful.
- For some reason, Firefox lacks the functionality to change the ordering of stuff (in general, but more specifically profiles and containers). The creation order is all you get.
- A quick way to do "clear cookies/data in this container only" so I don't need to delete/recreate the container and mess up my ordering (which I can not change). Also clear data for non container use without clearing data in containers. Basically treating non container use as a "Default" container.
- All of the above I wish came by default with Firefox and not from an add-on. My honest opinion is that they are crucial functionality and deserve to be made aesthetically pleasing and available for everyone to use.
I've been using this, but it seems to break any sites that use facebook login, so it's pretty annoying to have to disable the extension whenever I need to login to a site that only has facebook login.
Facebook Container dev here. It breaks those sites because the extension blocks all Facebook resources (and tracking) from loading on non-Facebook sites.
To use Facebook login on a site, you'll need to add the website to the Facebook Container. Follow the directions from the docs[1]. This will stop you from having to turn the extension on and off entirely.
446 comments
[ 2.5 ms ] story [ 303 ms ] threadIs Google still planning to destroy adblock with Manifest V3?
You are literally the first person I've ever heard say this. I've heard a ton of people say they want to switch to Firefox, but can't leave the Chrome dev tools behind. Mind telling us why you find Firefox dev tools superior?
It isn't perfect though. My main issues are that it's a separate window so sometimes clicking on the side window or the main window draws focus instead of clicking the thing under my cursor. Also the search bar in the sidebar keeps getting accidentally activated when I hit command-T. So I ended up inspecting and deleting the element. It's not the most elegant solution, but it works well enough.
I've tried FF a couple times a year ever since Quantum came out, but on my MBP it's just much slower than Brave.
1: https://chrome.google.com/webstore/detail/sidewise-tree-styl...
Eventually I'll probably end up on Brave.
Because of the Don't Stand Out principle one of the most important factors for success of ECH is the deployment of ECH GREASE, which is to say, willing clients just claiming they want to do ECH even when talking to servers that don't really have any hidden services at all. Chrome's participation in that probably makes a real difference to whether anybody actually tries to block it.
Speaking of Safari, maybe it's a matter of preference or habit, but for me it's has a very weird UX
Blame apple
and Google, for not doing the minimum thing they could have done and served you the best encoding for the platform.
It is almost if the companies you actually give you money to (or eyeballs) do not care at all for your interests.
www.facebook.com##div[aria-label="Stories"]
www.facebook.com##div[data-pagelet="Stories"]
www.facebook.com##div[data-pagelet="VideoChatHomeUnit"]
Note that this doesn't diminish the effectiveness of uBO/PB at blocking requests — but I think most of their users don't realize how much easier it is to identify who uBO/PB users are, relative to the rest of the world on less obvious setups.
You're welcome.
And of course we won't get a dedicated 'Google Container' from Mozilla because despite all their hot talk they know what side their bread is buttered on.
Select "always open this site in".
1) Visit the site.
2) Click the container button or use the shortcut.
3) Click 'Manage Containers'
4) Click 'New Container'
5) Name the container, click 'Ok'
6) Open the multi-account containers panel again.
7) Click 'Always Open This Site in...'
8) Select your new container.
But wait, you're still not done!
9) Open the site again in a new tab.
10) Check the 'Remember my decision for this site' box. (Didn't I already tell it to ALWAYS open the site in that container, in step 7?)
11) Click 'Open in [your container] Container'
That's how you create a new container to always open a site in with the Multi-Account Containers extension.
Unfortunately, I don't trust a third party extension with this either.
I also use the Firefox multi-account containers to set a temporary container for every new tab. To not lose logins etc I'm websites I visit frequently, I set up dedicated containers for those. Work very well.
Anyone else with experience of the Firefox multi-account container extension?
The terminology is a little confusing: Containers or "Container Tabs" is a session-management tool that's baked into Firefox, while Multi-Account Containers is an extension on top of that that allows you to automatically sort specific domains into containers, so when I open e.g. a YouTube link it automatically appears in a YouTube container, which knows nothing about my Google account. IMO the functionality of the extension (which was written by Mozilla) should be added to the browser itself.
https://addons.mozilla.org/en-GB/firefox/addon/multi-account...
Right now I use safari, chrome, firefox, and edge to keep the four identities I use for different projects separate thanks to Google not playing nice at all with the GCP account you are using not being the primary Google Signin.
In fairness, some of those sites might not even know the like button is used for tracking and just think it's for helping them grow their facebook audience.
[0]: https://addons.mozilla.org/en-US/firefox/addon/tree-style-ta...
I have a 'home' container (= sidebar 'tab' of tabs), 'personal code' container (ditto), 'finance' (ditto), and 'work' (ditto). It's not even really that I want to silo their data from each other (I have uMatrix - yes I know, will probably switch to nuTensor - and autocookie delete etc. anyway) - but the organisation into contexts I can easily switch between is amazing.
[0]: https://github.com/mbnuqw/sidebery
https://addons.mozilla.org/en-US/firefox/addon/container-tab...
- Temporary Containers[0]
- Google Container[1]
- Google Container w/ Integrations (YouTube, AdTech, Apps, etc)[2]
- Reddit Container[3]
There are a few others[4] as well, but I've found the Temporary Containers solves the 80%.
--
[0] - https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
[1] - https://addons.mozilla.org/en-US/firefox/addon/google-contai...
[2] - https://addons.mozilla.org/en-US/firefox/addon/google-contai...
[3] - https://addons.mozilla.org/en-US/firefox/addon/contain-reddi...
[4] - https://addons.mozilla.org/en-US/firefox/search/?q=Container
If I'm in FB Messenger and click an external link I don't want that link to be opened in the FB container.
However, I need 2 manual persistent containers for sites that are broken with per-domain isolation (Gmail and Outlook 365). Both visit many different domains after login. Within those containers, I need to be careful not to click on external links, but to open them in a new temporary container.
It gives me a menu with choices like "Reopen This Site in..." and "Always Open This Site in..." as well as options to open a new tab in any of the permanent containers or even open new ones.
Tip: if anyone gets confused by a page popping up, saying something like "You asked me to always open this site in, do you still want to " a typical explanation for me was I had set at site to open in a specific container but as part of login procedure it would access another domain for sso, trigger "Always Open This Site in..." for that domain and get confused.
Now that you know this you should probably be able to either avoid it completely by being specific about subdomains or something.
It is not a big thing, just a heads up so nobody gets confused.
This extension to Multi-Account Containers looks great at first -- its Automatic mode spins up a new container each time you open a new tab, then switches that tab to an existing container, should one be associated with the TLD you visit.
The problem is that Temporary Containers does not delete these temporary containers. They accumulate in the MAC containers list. There is no way to mass delete them, nor set them to auto-delete when the tab is closed.
These WILL sync to your Firefox account and reappear on every machine. Over 3000 temp container made MAC unusably laggy. This was so destructive of my MAC experience that I uninstalled both extensions. Unfortunately, to my knowledge, there is no way to reset the data MAC syncs to Firefox Account.
Are you setting this option to something else?
Temporary Containers works really well for me. I have per domain isolation, which only breaks very very few sites (Gmail and Outlook 365). For those I have regular persistent containers. Alternatively, I can always open a new private window where I don't have this plugin active.
uBlock Origin + Temporary Containers + ClearURLs are a great setup for privacy and security. Actually, I don't need much else aside from a VPN and a few settings in my user.js.
The only thing I miss is Vimperator. Modern alternatives are full of glitches because of inherent limitations in the WebExtensions API.
There are related issues opened for Temporary Containers, MAC and Firefox and at least from the public discussions not much is happening about it.
Didn't use Vimperator, but I found Tridactyl to be pretty good, especially their hinting mode.
Are you sure you didn't accidentally change it?
Edit: Apparently HN strips box drawing characters. Imagine the output of `sparklines 6 15 7 5 2 1 1 4 3 1 1 1 1 1 1 1`.
I used to delete manually each container when this happened, through about:preferences container manager, but now there is no more this in Preferences and to remove containers through the Multi-Container extension isn't the best thing.
Tried do that by editing some files too but the hundreds os containers keep reappearing after few days, or on new installations.
At least this way yo won't end up with unusable FF because of the thousands of undeletable temporary containers.
Just go to about:debugging, click on "This Firefox", locate the extension and click the "Inspect" button. In the case of MAC this should lead you to about:devtools-toolbox?type=extension&id=%40testpilot-containers
In the devtools that open you need to go to the Console tab and run this command:
If you want to see the data before you delete it, you can show it with this command:I wanted to keep the soccer club administrator, school website, etc. Google identities separate and distinct.
Perhaps things have changed and this isn't an issue anymore. What I did was create an identity (soccer, PTA) for each gmail account and set defaults for google.com, YouTube.com, etc.
Having MTTSCPresident@gmail.com is really nice for being able to give someone else the password and let them take over the account when your term is done.
I would bet $100 FB does geolocate your IP to determine if it's likely a single residence or a larger multi-user building, and likely tracks that, but that misses a large chunk of their user base.
Imagine the number of people who use FB as a distraction at work or in class, but might not use it as much at home.
I wonder, does this fix the Google reCAPTCHA problem with using multiple browser profiles?
But do I need a container extension for each of those sites or what is the deal here? And do I exit the container when I click a link to another domain?
And also the Temporary Containers addon if you want cookies, local storage, and history cleared automatically: https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
The nice bonus feature is you can have certain sites default to containers. I had a paid YouTube account for a while, for example, so having any YouTube link open in my personal account was nice for not getting hit with ads on initial click due to my default Gmail not being the right one.
There's also a plugin[2] that will make any new tab default to whatever the first tab listed is. Really great for if you want to have a whole browser window dedicated to one container.
[1] https://addons.mozilla.org/en-US/firefox/addon/multi-account...
[2] https://addons.mozilla.org/en-US/firefox/addon/sticky-window...
https://github.community/t/using-one-account-for-all-your-pr...
Explore is one of my favorite features and now it’s crowded with work related suggestions. It makes it harder to separate the personal/professional persona and interests. This problem also manifests in notifications. I want a clear separation so I can focus on my personal life after work.
I’ve thought many times about creating a separate account.
thanks for the sticky windows tip
edit: Apparently this is bad info. I'll have to give it a try again.
Linux was happy to open a new instance without the `--new-instance` option (which is implied by `--no-remote`), but macOS required it.
I believe that in the far past firefox-bin was the firefox binary, and firefox was a shell script that would do things like notice you already have a firefox-bin instance open and signal it to open a new window rather than launching a new firefox-bin instance.
But nowadays, firefox and firefox-bin seem almost the same. On the current release version on Mac, for example, both are binaries, with firefox-bin 40320 bytes and firefox just 16 bytes bigger.
Info.plist in /Applications/Firefox.app/Contents gives firefox is the executable to run. I'm not sure what role firefox-bin has now, if any.
Grabbing the source and building it myself results in firefox and firefox-bin matching.
I use containers liberally also
Like, allow some tracking & advertising for "shopping" container, but block it otherwise. I don't mind having a special self-curated image where my in-scope browsing is tracked and analyzed. Now, I just have a separate browser (Chrome) for this - because it's more straightforward and less error-prone.
Or a sandbox development & local resource management profile where nothing but localhost and LAN addresses are allowed. And then block such access for any other profile - for security reasons.
Or allow, let's say, Grammarly extension on a few selected websites (like HN), where all I write is public and I would benefit from machines aiding my writing without any privacy concerts, but don't give it any chance to see my private correspondence.
Unfortunately, that's not possible with containers, and profiles are quite cumbersome.
I do all my shopping in the shopping container. I have the deals website I frequent set to the shopping container so if I open slickdeals.net in any tab, I get to the shopping container.
One quality of life change I encourage is go to manage containers and select "Select a container for each new tab". Then you can pretend the firefox tab without a container even exists (caveat: does not work with ctrl + t shortcut for new tab)
> The nice bonus feature is you can have certain sites default to containers. I had a paid YouTube account for a while, for example, so having any YouTube link open in my personal account was nice for not getting hit with ads on initial click due to my default Gmail not being the right one.
Is there any reason to also use facebook container if you already have multi-account containers?
Worth mentioning that with the addon cookie auto-delete, you can more or less emulate temporary containers.
- I have a GitHub container
- github.com and gist.github.com are set to always open in the GitHub container
- Say I am currently browsing github.com in the GitHub container.
- If I click a link to a domain other than [gist.]github.com, instead of navigating my current tab to that url, the url will open in a new tab & new temporary container
This is more powerful than simply persisting cookies from github.com -- I'm keeping GitHub's cookies, but only in the github container. It's almost like first party isolation, but a little weaker (unless you enable the setting where any link to a different domain will open in a new container), and I have the ability to group sites that would break with 1st party isolation by opening them in the same container.
Everything else opens links in a new container with the hope to make it as close as possible to looking like a different person clicked that link. I know it won't work that well since the IP doesn't change nor the user-agent, but at least it helps with the most lazy tracking.
Discussion upthread made me interested to see whether I can route temporary containers through tor, to make this protection stronger — see https://news.ycombinator.com/item?id=24853320
It's not super high on my list of priorities though, probably won't get to it for a month or two.
Right now I manually type ?authuser=1 into my URLs to have Google Docs open in the right account, but this breaks when I restart the browser and the page reloads with the wrong account... Why Google removes this parameter from URLs after loading is beyond me.
Heck, we’re using outlook at one of my customers and I can’t even open a second tab in 2020. It will just block the UI telling me there is another tab open.
In my experience that had better support for per-eTLD temporary containers, so that each site can have its own, and the data can be discarded relatively soon. I also have more permanent containers for things that I want to be able to persist (e.g. work uses SSO so I need to link multiple sites together to log in).
When I used it I found the management in Multi-Account Containers to be onerous (I don't believe it could do automatic containers based on eTLD).
.. I say hopefully, man I feel guilty getting so much use out of these addons when I could be actively contributing. Fuck it, donating.. https://donate.mozilla.org/en-US/
Works really well with Mullvad which has a SOCKS proxy setup only available when connected.
Great for work connections too, I've setup all work/business websites to auto-open in a "work" container which I've created a local bridge proxy for to ensure my work connections are always over the corporate VPN.
This is also really good if you consult or work with many customers - you can start to build a catalogue of containers with specific settings for those customers.
Container Proxy addon:
https://addons.mozilla.org/en-US/firefox/addon/container-pro...
Great for all kinds of silly GeoIP restrictions, too - in my part of the world, homedepot.com just spits out "access denied", a foodnetwork.com recipe you find in search results just redirects you to the tudiscovery.com homepage, etc.
I'm interested in your setup. Do you configure your router to have a point to point tunnel with Mullvad then? I didn't know this was a thing. Do you then just have a separate container proxy for each GeoIP region you want to access?
For Geo-IP, unfortunately unless you have some sort of automation to reconfigure the OpenVPN settings on your router - this will only work with 1 configuration. They may be alluding to using the VPN to connect to another country where they're not getting weird as fuck redirects and shit content.
Although just as I wrote that, I'm expecting a dd-wrt/browser addon will probably support this somewhere - or at least as a script on Linux.
1. https://mullvad.net/en/servers/
On a USG the config looks like this:
I'm uncertain of the benefit for everyday people.
Granted, Tor tries to upstream as much as it reasonably can to FF, but there's still large differences in defaults that could give away (some bits of) your identity.
It's all baby steps. I don't expect to be fully anonymous this way, just like I know my current setup does not foil more sophisticated tracking.
This is my every-six-months wish/rant on this subject ...
What we need is the ability to 'jail' a GUI browser process.
It is too resource intensive to spin up an actual virtual machine to run a browser window/tab. However, a facility like 'jail' (or zones or, perhaps even Docker) that simply chroots a new process with its own network interface, etc., does not have any of that expense.
It really is just a fancy chroot and the expense is limited to the overhead of just the process you're running.
If you could 'jail' a GUI application, you could have a browser window that was not merely its own cookie domain or history domain, but that was on an entirely different network and it's own chroot.
Traditional VPN solutions seem overengineered and complicated. Wireguard is better though
So they redirected me to the Dutch version because I'm in a nominally Dutch-speaking region, and I had no option to get it in English. I had to go with half-translated French until I noticed that I could replace the "fr" in the URL with "en", and actually get to an English-language website.
The region-based redirection was annoying enough, and the half-assed translation job was expected, but not even providing an easy way to get back to English is really idiotic.
I still wish I had some kind of system that would automatically use a connection in the right country for geoblocked content. For now I just use SSH proxies to (my own) strategically located servers combined with Firefox Containers and Container Proxies, but it's all manual.
Also, it seems to be using browser's preferred locale, not the IP region. So, it looks like that changed, too.
Google, on the other hand, is just as bad as you described. Geo-based localisation, lots of clicks to change the language (or ?hl=en, once you learn about it).
Since the list is not alphabetically ordered (it actually is, but with the English names, not the displayed names) and it shows no scrollbar, it wasn't obvious there would be other countries up there.
As for language, maybe Google itself chose to send me to the Dutch version. Despite all my attempts, I still cannot consistently get Google to use the language I want (apart from manually choosing it by directly visiting Google with the right hl= first, indeed). Right now Google.fr seems to be in English and offering me the three languages of Belgium, for some reason.
[0]https://i.imgur.com/nuAPsxD.png
One of the permissions you have to grant to the container proxy add on is:
“Access your data for all websites”
That’s not acceptable.
Last I checked, I'd have to enumerate every Google domain and subdomain, which just seemed like too much work. But if others have already done this, itd be easy to just use theirs.
https://addons.mozilla.org/en-US/firefox/addon/google-contai...
You can use this. It's a fork of Facebook Container, but for Google.
This one is a fork for Amazon https://github.com/krober/contain-amazon https://addons.mozilla.org/en-US/firefox/addon/contain-amazo...
Twitter: https://github.com/v1shwa/contain-twitter https://addons.mozilla.org/en-US/firefox/addon/twitter-conta...
There's a few more too
[1] https://addons.mozilla.org/en-US/firefox/addon/session-boss/
[1] https://blog.hubspot.com/marketing/author/olivia-scholes
e.g. I have that Facebook Container, and I also have a Slack container I just put together in the usual way by opening my Slack session (it's for the main social group I hang out with, during the pandemic) inside a Container with a pink theme and icon.
Suppose three friends send me a funny Youtube video of kittens, one sends it on Slack, one on Facebook, one literally sends me a postcard with the URL on it.
In Facebook, it's inside the Facebook container. Since the Facebook Container has no idea who I am, Youtube presents adverts and of course there's no way to add the video to my "Fun kitten videos" list. But if I tell Youtube to open this now the tab is not Facebook, a no-referrer link opens with the URL and now in my default context which has Youtube Premium, so there are no adverts and I can add this to my lists. As far as Facebook is concerned I apparently just left. Unless Google tells them I watched that video they are none the wiser.
Slack is inside the Slack container. So again, no Youtube account, adverts. But if I open the Youtube page that's still inside the Slack container, so still no Youtube account. I need to explicitly get the URL and paste it into a not Slack tab to get my default context.
The link from the postcard obviously I get to choose which context to type it into the URL bar, although maybe the UX of typing random Youtube URLs in isn't great.
wouldn't they know exactly who you are with every request sent to any of their servers and any facebook page you load either by your facebook account, IP address, or by browser fingerprinting.
But in another very real sense they've got no idea who that is. It would suit them very well to be able to reliably tie it to other information (hence all the tracking pixels and so on) but the Container prevents that.
I mean, one of my Facebook friends is named say "Norman Le Plum". I'm very confident that isn't what it says on his birth certificate, and indeed when his friend request arrived I actually ignored it until I found someone out of band to tell me who "Norman" was, but in a sense Facebook know exactly who Norman is, he's a disembodied red skull who is still really into skateboarding and Steamed Hams.
What use that is,isn't clear, and presumably one day advertisers might conclude the answer is "No use whatsoever" and Facebook will go out of business. Meanwhile I read funny Steamed Hams variants, people complain about their jobs, and while I'd rather it didn't exist at all, if it must exist at least it's trapped in a little box where it can't taint everything else.
Now Google probably knows way too much about me, but that's quite a different problem.
Facebook devotes a huge amount of time and money to collecting data and using it to associate people to a real identity to the extent that even people who never signed up for an account at all have hidden profiles created for them by facebook which contain the intimate details of their life including what they buy at the grocery store.
As far as I can tell, a container won't protect your identity but it will limit the amount of information they have on your browsing history (unless your ISP decides to sell them that information or they obtain some of it from a 3rd party data broker)
But yes, in a Foo container, all the various Google things (Docs, GMail, their Cloud offering, Youtube...) are either not logged in at all or they're logged in from some Foo context.
And then when I click back to the work container and try to access mail.google.com I get:
"400. That’s an error.
The server cannot process the request because it is malformed. It should not be retried. That’s all we know."
Bug? It seems like a really messy UI. Why can't they make Multi-Account Containers work just like Facebook Container? Or have make 1 window == 1 container?
https://medium.com/@stoically/enhance-your-privacy-in-firefo...
The temporary containers extension is creating a temporary container with each newly opened tab. It uses same container for tabs opened from existing tabs.
so:
main-service_prod_us-east-1_dataStore
main-service_prod_us-east-1
main-service_test_us-east-1_dataStore
main-service_test_us-east-1
main-service_beta_us-east-1_dataStore
main-service_beta_us-east-1
* regions
Adds up pretty quickly.
Similar to OP you're replying to, I use Firefox Containers to open separate accounts to open independent windows from my Identity Provider when I need to be in more than one account at a time.
I do have scripts that spin up accounts as needed and I just have a bucket for 'free Tier account access ending' emails.
I run big fleets, 100s of hosts 1000s of containers in most AWS regions. Most of the control plane is automated, but when that breaks, or there are issues in the data plane, I might log into read logs, look at metrics, force scaling actions, or just general investigation tasks.
I also use different accounts for permissions boundaries. Data shared between multiple teams might go in one account. The apps can access the data but maybe the interns can only access the app account while the SR. Eng(s) + current oncall have full read only access to the data for investigation. A second RW-Data oncall might have access to the DB account in each region. Ever data storage account also has a limited access cross account Data replication/backup account.
+ I help people out. 'Can you look at this? . . .'
In the end, there are account specific errors that can be caused in your infra, IAM rolls, keys, throttling, malicious access that are easily prevented with least access in per account buckets. So I end up with multiple accounts in each region.
AFAICT private Firefox windows are also part of the same container so you don’t get true separation (can’t open multiple Firefox private windows and log into different google accounts — does that work in Safari?)
There's a reason why Segment just sold for $3.2 billion... [edited to add: They offer a single integration point and will proxy your data server-side to hundreds of other companies.]
https://addons.mozilla.org/en-US/firefox/addon/containerise/
I'm also increasingly using it to keep their various properties isolated from each other (eg. keeping Bing separate from the rest of Microsoft) to reduce tracking even further.
You get the idea. Really powerful.I wish we'd stop being so hard on products. It's likely those developers read these comments. Having babies be called ugly by your peers is rough, actively trying to be more respectful on the internet leads to a nicer industry.
EDIT: Just to clarify - I'm not saying your intention was disrespectful. I've written many comments similar to this, and continue to do so, but I've started to try and curb it because I imagine it's what YouTubers feel like reading their comments section.. But this is by our own peers in our industry.
Containerise and Cookie Autodelete together are indeed a very good addition to uBlock and uMatrix, and if you already have some Regular Expression classification rules written for Cookie Autodelete, setting up Containerise is very quick. It works like a charm even with the Firefox Multi Account Containers extension itself disabled.
So far only the Google/FB container add-ons do this right.
https://github.com/stoically/temporary-containers/wiki/Globa...
If you are talking about the Temporary containers extension, that's not the case. The extension is not the most easy to use, but it certainly supports opening Spotify in a different container when clicking a link in FB. You either don't have the Navigation→Target Domain set to Different from Tab Domain & Subdomains or you have Exclusion Patterns set which exempt Spotify.
While I do agree with some reply-ers that @pkulak's critical wording was a bit strong in the sibling comment here, I have been incredibly frustrated with the default "Multi-Account Containers" add-on.
They have a facility to delete domains from a container, but no facility to add one: something I would've thought would be one of the first things one would want to implement. I understand resources are not always plentiful, but they've added a bunch of other features and yet this one is still lacking.
This is especially infuriating for "intermediate" domains forming parts of a redirect (Google have changed their subdomain structure recently and placing different Google properties into separate containers is now impossible with Multi-Account Containers due to their redirect structure)
The pattern-matching feature in `containerise` looks even better again.
Hoping it works as well as it looks; going to give it a try now.
Is it something about 3rd party scripts that uBlock Origin doesn't block by default and that don't require 3rd party cookies?
I'm not looking for a general answer about containment or sandboxing or a nice user experience for separating environments or profiles; I'm looking for a precise attack/tracking vector that makes this worth switching browsers for.
If you isolate your session with Facebook container then they can only tie your pageviews to an anonymous profile and will have a much harder time tracking you across devices, connections, etc.
[1] https://www.sportsbettingdime.com/news/nfl/week-7-opening-li...
Like those: https://panopticlick.eff.org.
To deal with the annoying breaks, assuming the fix you want is 'just make it work', there's at least one add-on available that just gives you a toolbar button to toggle it on or off, a fish bowl that glows red as a warning when off.
But to actually answer: you can remember cookies etc., they're just only accessible within that container silo, versus private/incognito windows where they're deleted (by design) when you close that tab.
I dearly wish that I was able to purge cookies/local storage on a per-container basis.
Here is my workflow:
- Normal browsing: not logged in, no containers.
- YouTube: have an "Entertainment" container for it and use it logged out since Google signs you on all their property, and I don't want to mix my entertainment history with my educational history.
- Social media: have a "Social" container where I access all the data harvesters.
- Logged in: For anything that I need to be signed up, a "Personal" container, so I can check my email in peace.
- Work: here's the catch, this needs it's own profile. Since "YouTube" is set to always open in the "Entertainment" account, and I don't want work related videos pop up when relaxing, and vice-versa, I can switch profiles and have everything completely isolated in my "Work" profile. And in case I need to, I can set up more containers in this profile. Also there are different add-ons I need for my own setup compared to work, or the same add-on with different configuration. So just containers won't do here.
My point is, if Firefox had a profile switcher as easy to use as Chromium had, my life would be way better. Profiles and Containers seem to complement each other. They just need a truckload of polish.
Some things that annoy me right now:
- There is no dedicated UI for profile CRUD. And an add-on won't work for this since it needs to be available and enabled by default across profiles.
- "Reopen in container" opens a new tab instead of replacing the current.
- Having keybindings for the two above would be extremely useful.
- For some reason, Firefox lacks the functionality to change the ordering of stuff (in general, but more specifically profiles and containers). The creation order is all you get.
- A quick way to do "clear cookies/data in this container only" so I don't need to delete/recreate the container and mess up my ordering (which I can not change). Also clear data for non container use without clearing data in containers. Basically treating non container use as a "Default" container.
- All of the above I wish came by default with Firefox and not from an add-on. My honest opinion is that they are crucial functionality and deserve to be made aesthetically pleasing and available for everyone to use.
I guess they don't want my business. Good thing I gave it a few days before connecting the Quest.
To use Facebook login on a site, you'll need to add the website to the Facebook Container. Follow the directions from the docs[1]. This will stop you from having to turn the extension on and off entirely.
[1] https://github.com/mozilla/contain-facebook/blob/master/docs...
Answering my own question: Yes you can -> https://www.facebook.com/help/contact/2032834846972583