Firefox Anti-tracking


(Andreas Schnederle-Wagner) #1

Hey there,
some maybe already stumbled about this Article: Changing Our Approach to Anti-tracking - Future Releases
Firefox is implementing some more Anti-tracking Features.
Was not able to determine if Matomo will also be blocked by this Feature?

We got a central Matomo Instance (matomo.server.com) - which is included into all out Websites (www.somedomain.com) … So Matomo is loaded from another Domain than the Website … is this 3rd Party Tracking for Firefox?

Maybe someone here got some more insights on this Topic?

thx, bye from Austria
Andreas Schnederle-Wagner


(Lukas Winkler) #2

Hi,

This is an interesting topic and I have already waited for someone to mention it :slight_smile:.

A Matomo script from a different domain is per definition a 3rd Party Tracking Script.

But the real question is: Will Matomo be blocked?

Firefox’ tracking protection works by comparing the domain of the 3rd party script with the blocklist of disconnect.me:
disconnect-tracking-protection/services.json at master · disconnectme/disconnect-tracking-protection · GitHub

Or more precisely they run the following script which modifies the list a bit:

So as long as your domain is not on a blocking list for tracking, your Matomo will continue as before.
You can already try it out by enabling tracking protection in the latest firefox version.

Fun Fact: Matomo tracking on http://virtual-drums.com/ is blocked by Firefox as it still uses demo.piwik.org which is on the blocking list.


SMF plugin Global Headers and Footers breaks Matomo tracking code
(Andreas Schnederle-Wagner) #3

Hey @Lukas,

thx for your detailed Answer … so I there is no need to worry here … perfect! :wink:

Was already looking at ‘tracker-proxy’ so Matomo would be 1st Party instead of 3rd Party in case Firefox would block it …
Maybe still worth a try for performance if it’s served by same Domain as the Website? (no more DNS Lookup, HTTP/2 delivery, …)
Are there any downsides tracking with ‘tracker-proxy’? (Not much Info available? :-/)

thx
Andreas


(Lukas Winkler) #4

Hi,

There aren’t really many downsides since Beneka implemented all privacy features in May. But I only would use it if it is necessary as the performance can’t be better (after all the server is making the http request) and it just hides that there is still a third party.


(Andreas Schnederle-Wagner) #7

Seems like more and more of the big players are going from Third Party Cookies to First Party Cookies because of more strict Third Party Cookie Handling from Browsers … (Google, Microsoft, Facebook, … --> Tracking: Facebook wechselt zu First-Party-Cookie - Golem.de)

Not sure if taking the time to look into the tracker-proxy approach would be a good investment into the future … :thinking:

Any Plans how to counter more strict Third Party Cookies Rules (in the future) from Matomo Side?

Andreas


(Lukas Winkler) #8

Hi,

I think you (and maybe also the golem author a bit) are confusing third-party-scripts (JS that is loaded from a domain, that isn’t the one you are currently on) and third-party-cookies (domains that are “stored” on another domain than you are currently on).

If you embed Matomo tracking from matomo.thirdparty.example into example.com, you are loading a third-party-script, but the script is executed in your website and is therefore able to set a (non-third-party) cookie to example.com (which is what Matomo has always done).
grafik
Therefore Matomo is not affected by blocking third-party-cookies. (BTW, the same is true for Google Analytics)

One part of Matomo, that is affected by this, is the opt-out iframe. if you embed the opt-out iFrame from matomo.thirdparty.example into example.com, the Javascript in the iFrame runs on matomo.thirdparty.example and is therefore only able to set an opt-out cookie on matomo.thirdparty.example. If your browser is blocking all third-party-cookies, then the opt-out can’t be set because the iFrame can’t store anything.
One solution (technically the only solution) is not running the opt-out in an iFrame and instead in your website.
For that you can use the (fairly new) custom opt-out feature of Matomo:
https://developer.matomo.org/guides/tracking-javascript-guide#optional-creating-a-custom-opt-out-form
If you execute _paq.push(['optUserOut']); the tracking code running on your domain is able to set an opt-out cookie on your domain and again is not affected anymore.
The side effect is that the user is only opt out of example.com and not all websites tracked by matomo.thirdparty.example.

I hope everything is a bit more clear now.


(Andreas Schnederle-Wagner) #9

Shame on me … of course you are absolutely right … I was confusing the fact that Matomo already stores first-party-cookies on called Domain and not third-party-cookies on Matomo Domain …
Thinking errors ahead … :roll_eyes:

thx for your great explanation & sidenote about the opt-out iframe!

bye from sunny Austria
Andreas