I think that Mozilla's recent re-launch of Lightbeam (nee Collusion) shows that they're not trying to back away from the issue of third-party cookies. The complication is that you need to find a solution that doesn't break enough sites that users give up and switch to less-privacy-conscious browsers, which would completely defeat the purpose.
Google will never deprecate 3rd party cookies, and without cross-vendor support Mozilla will be attacked when sites start breaking.
It's a real shame, I've been blocking all 3rd party cookies and referrers for years and really want to see the web to a more privacy concious model. With all the web features tracking tricks out there now though, I feel it's nigh impossible.
Take for instance, common Javascript libraries hosted on CDNs. Every time you visit a jQuery based page where the js file is on a CDN you reveal to the host of that CDN (e.g. Google) what website you're on. You also put complete faith in that 3rd party CDN provider for your security.
3rd party cookies are just the tip of the iceberg in terms of how broken the web is for the privacy concious.
That's easy. Just ask me (the user) for permission and explain why you would like to do so. If your users don't like it then maybe you shouldn't be doing it.
On the server side, companies are bound by data protection laws. Using the browser as a loop-hole for profit is not acceptable. Instead we get these absurd EU 'this site uses cookies' banners that do less than nothing for user privacy.
Just ask me (the user) for permission and explain why you would like to do so.
Unfortunately, it's not that simple.
From a user's point of view, asking questions that interrupt their browsing experience on every other site is usually unwelcome. The "We use cookies (like everyone else in the known universe)" messages in Europe that you mentioned are a great example, where good intentions ran headlong into practical limitations and the result was something that no-one actually likes.
From a business point of view, that same poor experience is a negative because it makes your site less attractive to visitors and ultimately hurts conversion. This remains true even if you're doing something reasonable with innocent intentions that almost all of your visitors would actually be happy for you to do.
I am very much in favour of protecting privacy on the Web and letting users make informed choices about when they are willing to give it up in return for something they value, but I don't see this working in practice until we have some sort of mandatory (with force of law) standards for disclosure by site operators that allow browsers to offer standardised preferences to their users that can be set once and then safely forgotten about. I think we need some sort of standardised, automation-friendly privacy policies, like the credit agreements where providers are required to provide key information up front in a standard format with the same assumptions for everyone, or the way a few open source licence agreements have become established and much of the time both the licensor and the licensee can just say "GPLv2" or "BSD" and everyone knows the deal.
Unfortunately, the wheels of standards turn slowly, the wheels of law more so, and the wheels of laws respected across borders even more so. Meanwhile, the wheels of businesses funded by invading privacy or otherwise exploiting users via modern technologies tend to turn very fast. I'm not sure how we fix this problem as long as the politicians are as technically illiterate and generally open to manipulation by special interest groups as they obviously are in many first world countries today.
Sounds like you're talking about P3P, which at least is a ridiculous useless standard that I'm guessing most server operators copy-paste and tweak a http header without understanding it just to get IE to work as expected.
P3P is a small step in what I'm arguing would be the right direction, but I doubt anything like that would bring any significant improvement in general privacy standards unless it was widely supported (all major browsers), legally mandated (with meaningful enforcement against violations), and most important of all, able to adapt as technologies and the ethics of privacy evolve.
It needs to be able to capture the things that significant numbers of people care about and summarise the main types of behavior encountered on real world web sites, but in a way that everyday users can see and configure in a few moments in their browser. This is a tall order, of course, but even a decent attempt at it would probably be better than the utter contempt for privacy and blatant exploitation of users' ignorance that is widespread today.
As a benchmark, I suggest looking at the way organisations like Facebook have presented privacy settings. Non-technical people understand concepts like sharing data with everyone vs. limited audiences, or allowing their name/photo to be associated with something. Significant numbers of people do set these preferences, and do object when they are violated or when their "preferences" are changed for them. But the choices probably have to be explained and configured at that kind of level of simplicity or it'll all be too much for most people to bother with.
Oh, you mean like all the apps of Facebook that (the users) just get "Accept" clicked so you can share your Cookieland Adventure scores with everyone that doesn't care.
(If there's a real app named Cookieland Adventure, I'm sure it's awesome, this was just a made up example, if you, your spouse or someone you vaguely remember talking to works on a Cookieland Adventure game for FB, I am sorry to associate your app with the scum of the earth)
> Mozilla will be attacked when sites start breaking.
That's the thing, blocking 3rd party cookies breaks (in my anecdotal experience) under 5% of sites. In general the only problem I see with it is when a site uses an iframe with a different domain that requires cookies which is a bad practice that shouldn't be done anyway. I can only think of two sites I know break because of this.
*Safari blocks third party cookies from sites you haven't previously visited and received cookies for by default. Mozilla experimented with similar behaviour but decided against it.
Decided against merging that default to the Beta channel. I believe "allow visited third party cookies" is the default in the Nightly and Aurora channels.
You could try copy and pasting jquery into the developer console for a one-time trick. If a dependency needs jquery to load, try setting a break point before that script and paste jquery into your console.
Perhaps you could put it on your own server, then redirect all calls to Google's CDN to your own server? This way it works automatically for you. You could also add files and CDN's to your setup as necessary.
Mozilla will be attacked when sites start breaking.
I have been browsing with third party cookies blocked for years - the problems have been trivial, like disqus embedded comment boxes not letting me log in. I've never noticed anything important breaking.
You can experience it yourself in Firefox via Preferences -> Privacy -> Third party cookies -> Never
vk.com (one of the top sites in Russia) at least used to break with third party cookies disabled — and breaking one of the largest websites in Russia is a quick way to lose marketshare there.
Take for instance, common Javascript libraries hosted on
CDNs. Every time you visit a jQuery based page where the
js file is on a CDN you reveal to the host of that CDN
(e.g. Google) what website you're on
Generally that only happens the first time you load the library:
Good. This recent war against cookies is futile and silly.
If you visit a website (Assuming you don't go via some anonymizer proxy), they can track you, and they can pass your details to any 3rd party who wishes to also track you.
Cookies are the easiest way for them to do that, but its absurdly naive to think that if you block cookies then people won't track your browser activity online.
If you don't want to be 'tracked', stop generating HTTP requests, or do them through an anonymizer service. And good luck getting any website to work properly.
A single website can only track you inside their own pages. The problem with third-party cookies is that they enable cross-site tracking, which is much more privacy invading. First-party cookies don't help with that, since a cookie dropped by siteA won't be sent to siteB.
Now, sure there are other ways of doing cross-site tracking, like Etags, fingerprinting and such, but why shouldn't we try to plug those leaks too instead of giving up?
No, we shouldn't bother trying to plug those leaks.
Current situation:
* You request website A, which includes 3rd party code from C. C drops a cookie
* You request website B, which includes 3rd party code from C. C knows you previously visited A.
New situation:
* You request website A, which includes 3rd party code from C. Website A sends details of your visit via a backchannel to C.
* You request website B, which includes 3rd party code from C. Websites B sends details of your visit via backchannels, and C knows you previously visited A.
Wouldn't you rather such tracking to be out in the open and easily blocked - stop accepting cookies, rather than them creating backchannels to track you instead?
Yes - You should give up if you think you will able to continue sending websites HTTP requests directly, whilst not being tracked.
I'm not sure. Those backchannels would be enormously more expensive and technically challenging for the commercial entities to do right.
So, yeah, I see your point, but maybe I _would_ rather make it much more expensive to do that, and much harder for them to do it succesfully rather than messing up a technical detail.
On the other hand, I guess eventually they'd get it right in commodity software that everyone can use. Eventually.
Really, I don't know why anyone that wants to do the kind of tracking we're talking about is using cookies anyway, instead of user-agent fingerprints that have been shown to be pretty much unique anyway. So the cookies is perhaps all a distraction. The browser makers don't need to invent a new cookie-less browser fingerprint tracking system, they've already got it with the over-specialized user-agents.
If you block third-party cookies, C has no longer has a reliable way to know that you are the same visitor on both requests. (Unless you're suggesting that C is stuffing a UID in the cache or something?)
C can already infer that. Google probably does that on their free CDN stuff.
you have unique combination of IP+UserAgent+extra Headers. That is enough. A and B does not even have to send anything. And this will continue to work even without cookies.
Requiring an IP address already eliminates cross-network tracking. For example, lots of people browse both on their PC on a cable/fiber connection and on their phone/tablet on 3G, with different IPs. They also often browse from their work network (yet another IP).
Same with User Agent: not useful if you're using Chrome on your laptop and Safari on your phone.
This move is to prevent you from being tracked against website A and B will.
For example, google provides jquery CDN. website A and B uses that to save some cents on bandwidth. Google now knows you visited which pages on website A and B. and if A was a backpack store and B was a pressure cooker review, expect the NSA :D
>If you visit a website (Assuming you don't go via some anonymizer proxy), they can track you, and they can pass your details to any 3rd party who wishes to also track you.
Sure, server-side logging is always possible, but (AFAIK) advertisers and data miners have little interest in this information because it requires trusting the website owner not to forge results, which is obviously a very stupid idea when your business revolves around purchasing and selling ad impressions. Precluding the practical methods of this type of data mining (ideally by requiring whitelisting of Javascript and all access to third party resources, but disabling third party cookies is a good practical step) could greatly reduce the amount of surveillance that users are subject to, by eliminating the most common incentives to perform it.
>If you don't want to be 'tracked', stop generating HTTP requests, or do them through an anonymizer service.
I hope you realize that the effectiveness of services like Tor is greatly reduced if you aren't using the same techniques to reduce your surveillance "attack surface" that people are advocating for regular, non-anonymous browsing. It's really not hard to see why; considering the tracking cookie example: A unique cookie makes it clear to a site operator that the requests coming from all these different exit nodes are really originating from the same user. A third party tracking cookie can then make it clear to that third party that the same user is visiting sites A, B, and C over Tor. All it takes at this point is small handful of screwups (from mentioning personal information to something as innocuous as reading a news article that is only relevant to people living in a certain location) to greatly reduce the search space required to identify you. "Uses xmonad and likely lives in New York City" could be more than enough to tie a large amount of your Tor browsing activity to a small set of suspects, in this case.
Even if server-side tracking is as effective as cookie tracking (and I would argue it will not be), there’s a difference between the site tracking me, and the site enlisting my browser to aid it in tracking me. If I am to be tracked, let the site do so by expending its own cycles and storage, not mine.
Privacy on the Internet today is so riddled with conflicts of interests and doublespeak that it's hard to know where anyone stands on anything.
Microsoft implemented a Do-Not-Track by default in IE 10 [0], only to later reveal it was planning an even more intrusive ad tracking system of its own [1]
Google added a Do-Not-Track feature belatedly to Chrome, buried within levels of settings and warnings [2]. And yeah, they're working on their own cookie replacement too [3].
Facebook meanwhile is tracking you across the web through its own re-targeting tech [4] and even your cursor movements on its site [5]
In fact, when companies like Google, Facebook and Microsoft want to dump cookies [6], I'd argue that we're already past the point where a Firefox can make a difference.
IMHO Internet tracking has become like fast food. A meaningful difference will only come when average users start caring about their privacy and are willing to make conscious choices for it.
IMHO Internet tracking has become like fast food. A meaningful difference will only come when average users start caring about their privacy and are willing to make conscious choices for it.
Definitely agreed. Unfortunately, I think it's much harder for your average web user to make that choice than for your average person to avoid fast food: Everyone knows what and where a grocery store is and that fast food is not usually nutritious, but I don't believe most web users understand how many browser options there are or, in many cases, what that actually means or what other means could help preserve their privacy, if they understand this particular privacy issue in the first place.
Another issue is that people for most part don't seem to have an issue with tracking ("I have nothing to hide", "I trust them not to do evil", etc.), whereas the adverse health effects of bad food and obesity are well know and easily observed.
Yea I think by default Safari blocks third party cookies. I don't use Safari but I remember having to work on a bug somebody was having and that ended up being the cause. Same behavior on Mobile Safari too I believe.
> "This default setting would be a nuclear first strike against (the) ad industry," tweeted Mike Zaneis, general counsel for the Interactive Advertising Bureau.
Such dramatic silliness. An actual first stirke would be NoScript and AdBlock installed by default (which I already do to begin with). Removing third-party cookie functionality is just a shot across the bow.
I feel most users got over the creep factor of cookies back in 1998, and nothing that happened since has demonstrated that cookies need to be severely restricted. In fact, I expect more physical businesses will be installing face recognition to essentially cookie and track casual shoppers in a real stores offline, consumers are already used to this online, and don't feel threatened by it.
Mozilla isn't positioned to stand up to Google while they're getting $300 million a year [0] from them. (For reference Mozilla's 2011 revenue was $163M [1]) I trust (to a point) their motivations but I would imagine that much dough comes with more strings attached than just making Google the default search in Firefox.
I think we're very lucky to have Mozilla in the FOSS world but the will for better privacy will have to come from the community.
You are right. Google silently removed 3 (that i counted) times the ability to remove referrer from chrom[e|ium]
And apple probably disabled some 3rd party cookies more to harm google than thinking on user privacy (now this is speculation, but add that the fact that jobs had said he'd gone nuclear on google at the time)
Why don't browsers just generate a UUID on first run per user.. then anyone tracking can do so server-side.. with a browser/user option to re-generate a new one. It would effectively be the same.. then have a white/blacklist for sending this id.
Or they could make a system where a site can set their own unique id, that they can use.. oh, maybe have a custom key for this value.. and maybe they could call it a token system.. ooh or maybe cookies.
There is no need for a "tool" (which will only add to code bloat and be circumvented anyway). Just don't accept 3rd-party cookies and be done with it. All browsers already have this setting, it just needs to be enabled by default.
I invite all who haven't done so yet to change their browser's settings right now to refuse 3rd party cookies. They have almost no legitimate use anyway. The only breakage of a useful site I'm aware of pertains to active Disqus logins, a price well worth paying in my opinion.
The 3rd party cookie tracking problem is worse than most people think. For instance, every time your browser pulls a file from a CDN, you're tracked.
Philosophically, this effort seems fallacious to me. Many of the Internet's services are only free because of advertising, and while Mozilla's intentions seem admirable, they're at best short sighted and at worst naive.
As for the immediate reason Mozilla is backing off, have you ever wondered how you make money as a browser? One of the key revenue streams for a company like Mozilla or Opera is referral fees from search engines. Ever wonder why Microsoft is so desperate to make it difficult to use non-IE browsers? it's because they have their own search engine.
My own personal speculation is that some of Mozilla's search engine customers, whose business model often includes using cookies, came forward and indicated their displeasure with this initiative and pointed out that this would basically amount to biting the hand that feeds it on Mozilla's part.
54 comments
[ 2.8 ms ] story [ 185 ms ] threadSearching for Jonathan Mayer in Bugzilla https://encrypted.google.com/search?sitesearch=bugzilla.mozi...
Here is the meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=818337
I think this is the patch: https://bugzilla.mozilla.org/show_bug.cgi?id=818340
you probably have 3rd party cookie working as usual.
It's a real shame, I've been blocking all 3rd party cookies and referrers for years and really want to see the web to a more privacy concious model. With all the web features tracking tricks out there now though, I feel it's nigh impossible.
Take for instance, common Javascript libraries hosted on CDNs. Every time you visit a jQuery based page where the js file is on a CDN you reveal to the host of that CDN (e.g. Google) what website you're on. You also put complete faith in that 3rd party CDN provider for your security.
3rd party cookies are just the tip of the iceberg in terms of how broken the web is for the privacy concious.
On the server side, companies are bound by data protection laws. Using the browser as a loop-hole for profit is not acceptable. Instead we get these absurd EU 'this site uses cookies' banners that do less than nothing for user privacy.
Unfortunately, it's not that simple.
From a user's point of view, asking questions that interrupt their browsing experience on every other site is usually unwelcome. The "We use cookies (like everyone else in the known universe)" messages in Europe that you mentioned are a great example, where good intentions ran headlong into practical limitations and the result was something that no-one actually likes.
From a business point of view, that same poor experience is a negative because it makes your site less attractive to visitors and ultimately hurts conversion. This remains true even if you're doing something reasonable with innocent intentions that almost all of your visitors would actually be happy for you to do.
I am very much in favour of protecting privacy on the Web and letting users make informed choices about when they are willing to give it up in return for something they value, but I don't see this working in practice until we have some sort of mandatory (with force of law) standards for disclosure by site operators that allow browsers to offer standardised preferences to their users that can be set once and then safely forgotten about. I think we need some sort of standardised, automation-friendly privacy policies, like the credit agreements where providers are required to provide key information up front in a standard format with the same assumptions for everyone, or the way a few open source licence agreements have become established and much of the time both the licensor and the licensee can just say "GPLv2" or "BSD" and everyone knows the deal.
Unfortunately, the wheels of standards turn slowly, the wheels of law more so, and the wheels of laws respected across borders even more so. Meanwhile, the wheels of businesses funded by invading privacy or otherwise exploiting users via modern technologies tend to turn very fast. I'm not sure how we fix this problem as long as the politicians are as technically illiterate and generally open to manipulation by special interest groups as they obviously are in many first world countries today.
It needs to be able to capture the things that significant numbers of people care about and summarise the main types of behavior encountered on real world web sites, but in a way that everyday users can see and configure in a few moments in their browser. This is a tall order, of course, but even a decent attempt at it would probably be better than the utter contempt for privacy and blatant exploitation of users' ignorance that is widespread today.
As a benchmark, I suggest looking at the way organisations like Facebook have presented privacy settings. Non-technical people understand concepts like sharing data with everyone vs. limited audiences, or allowing their name/photo to be associated with something. Significant numbers of people do set these preferences, and do object when they are violated or when their "preferences" are changed for them. But the choices probably have to be explained and configured at that kind of level of simplicity or it'll all be too much for most people to bother with.
(If there's a real app named Cookieland Adventure, I'm sure it's awesome, this was just a made up example, if you, your spouse or someone you vaguely remember talking to works on a Cookieland Adventure game for FB, I am sorry to associate your app with the scum of the earth)
That's the thing, blocking 3rd party cookies breaks (in my anecdotal experience) under 5% of sites. In general the only problem I see with it is when a site uses an iframe with a different domain that requires cookies which is a bad practice that shouldn't be done anyway. I can only think of two sites I know break because of this.
Mozilla doesn't seem to be breaking any new ground here. Safari already blocks third party cookies by default.
Does anyone know how I can load jQuery locally?
You can experience it yourself in Firefox via Preferences -> Privacy -> Third party cookies -> Never
Oh crap, is THAT why I can usually not log in to disqus even when I disable Disconnect!
Man, that had been a mystery to me forever, I must have disabled third party cookies and not even remembered doing it.
(I work at Google on ngx_pagespeed, and sit next to the people who maintain the hosted libraries.)
If you visit a website (Assuming you don't go via some anonymizer proxy), they can track you, and they can pass your details to any 3rd party who wishes to also track you.
Cookies are the easiest way for them to do that, but its absurdly naive to think that if you block cookies then people won't track your browser activity online.
If you don't want to be 'tracked', stop generating HTTP requests, or do them through an anonymizer service. And good luck getting any website to work properly.
Now, sure there are other ways of doing cross-site tracking, like Etags, fingerprinting and such, but why shouldn't we try to plug those leaks too instead of giving up?
Current situation:
New situation: Wouldn't you rather such tracking to be out in the open and easily blocked - stop accepting cookies, rather than them creating backchannels to track you instead?Yes - You should give up if you think you will able to continue sending websites HTTP requests directly, whilst not being tracked.
So, yeah, I see your point, but maybe I _would_ rather make it much more expensive to do that, and much harder for them to do it succesfully rather than messing up a technical detail.
On the other hand, I guess eventually they'd get it right in commodity software that everyone can use. Eventually.
Really, I don't know why anyone that wants to do the kind of tracking we're talking about is using cookies anyway, instead of user-agent fingerprints that have been shown to be pretty much unique anyway. So the cookies is perhaps all a distraction. The browser makers don't need to invent a new cookie-less browser fingerprint tracking system, they've already got it with the over-specialized user-agents.
you have unique combination of IP+UserAgent+extra Headers. That is enough. A and B does not even have to send anything. And this will continue to work even without cookies.
Same with User Agent: not useful if you're using Chrome on your laptop and Safari on your phone.
For example, google provides jquery CDN. website A and B uses that to save some cents on bandwidth. Google now knows you visited which pages on website A and B. and if A was a backpack store and B was a pressure cooker review, expect the NSA :D
Sure, server-side logging is always possible, but (AFAIK) advertisers and data miners have little interest in this information because it requires trusting the website owner not to forge results, which is obviously a very stupid idea when your business revolves around purchasing and selling ad impressions. Precluding the practical methods of this type of data mining (ideally by requiring whitelisting of Javascript and all access to third party resources, but disabling third party cookies is a good practical step) could greatly reduce the amount of surveillance that users are subject to, by eliminating the most common incentives to perform it.
>If you don't want to be 'tracked', stop generating HTTP requests, or do them through an anonymizer service.
I hope you realize that the effectiveness of services like Tor is greatly reduced if you aren't using the same techniques to reduce your surveillance "attack surface" that people are advocating for regular, non-anonymous browsing. It's really not hard to see why; considering the tracking cookie example: A unique cookie makes it clear to a site operator that the requests coming from all these different exit nodes are really originating from the same user. A third party tracking cookie can then make it clear to that third party that the same user is visiting sites A, B, and C over Tor. All it takes at this point is small handful of screwups (from mentioning personal information to something as innocuous as reading a news article that is only relevant to people living in a certain location) to greatly reduce the search space required to identify you. "Uses xmonad and likely lives in New York City" could be more than enough to tie a large amount of your Tor browsing activity to a small set of suspects, in this case.
Microsoft implemented a Do-Not-Track by default in IE 10 [0], only to later reveal it was planning an even more intrusive ad tracking system of its own [1]
Google added a Do-Not-Track feature belatedly to Chrome, buried within levels of settings and warnings [2]. And yeah, they're working on their own cookie replacement too [3].
Facebook meanwhile is tracking you across the web through its own re-targeting tech [4] and even your cursor movements on its site [5]
In fact, when companies like Google, Facebook and Microsoft want to dump cookies [6], I'd argue that we're already past the point where a Firefox can make a difference.
IMHO Internet tracking has become like fast food. A meaningful difference will only come when average users start caring about their privacy and are willing to make conscious choices for it.
[0] - http://arstechnica.com/information-technology/2012/08/micros...
[1] - http://adage.com/article/digital/microsoft-cookie-replacemen...
[2] http://www.pcmag.com/article2/0,2817,2411916,00.asp
[3] http://www.usatoday.com/story/tech/2013/09/17/google-cookies...
[4] - http://adage.com/article/digital/facebook-launches-retargeti...
[5] - http://www.pcmag.com/article2/0,2817,2426602,00.asp
[6] - http://online.wsj.com/news/articles/SB1000142405270230468250...
Definitely agreed. Unfortunately, I think it's much harder for your average web user to make that choice than for your average person to avoid fast food: Everyone knows what and where a grocery store is and that fast food is not usually nutritious, but I don't believe most web users understand how many browser options there are or, in many cases, what that actually means or what other means could help preserve their privacy, if they understand this particular privacy issue in the first place.
http://www.electronista.com/articles/12/02/16/google.alleged...
Such dramatic silliness. An actual first stirke would be NoScript and AdBlock installed by default (which I already do to begin with). Removing third-party cookie functionality is just a shot across the bow.
I think we're very lucky to have Mozilla in the FOSS world but the will for better privacy will have to come from the community.
[0] - http://www.forbes.com/sites/timworstall/2013/01/22/so-why-is...
[1] - http://www.mozilla.org/en-US/foundation/annualreport/2011/fa...
edit: I didn't state it explicitly but my argument is based on the idea that Google is primarily interested in a low-privacy and ad-based web.
And apple probably disabled some 3rd party cookies more to harm google than thinking on user privacy (now this is speculation, but add that the fact that jobs had said he'd gone nuclear on google at the time)
Or they could make a system where a site can set their own unique id, that they can use.. oh, maybe have a custom key for this value.. and maybe they could call it a token system.. ooh or maybe cookies.
/sarcasm
I invite all who haven't done so yet to change their browser's settings right now to refuse 3rd party cookies. They have almost no legitimate use anyway. The only breakage of a useful site I'm aware of pertains to active Disqus logins, a price well worth paying in my opinion.
The 3rd party cookie tracking problem is worse than most people think. For instance, every time your browser pulls a file from a CDN, you're tracked.
As for the immediate reason Mozilla is backing off, have you ever wondered how you make money as a browser? One of the key revenue streams for a company like Mozilla or Opera is referral fees from search engines. Ever wonder why Microsoft is so desperate to make it difficult to use non-IE browsers? it's because they have their own search engine.
My own personal speculation is that some of Mozilla's search engine customers, whose business model often includes using cookies, came forward and indicated their displeasure with this initiative and pointed out that this would basically amount to biting the hand that feeds it on Mozilla's part.