First-Party Isolation is a new privacy feature of the Firefox web browser that Mozilla first implemented in Firefox 55.
The feature restricts cookies, cache and other data access to the domain level so that only the domain that dropped the cookie or file on the user system can access it.
This is in stark contrast to how cookies normally work: marketing companies tend to drop cookies with their ads on sites so that they can track users across all properties that the ads or scripts run on.
First-Party Isolation is another Tor feature that Mozilla implemented in Firefox directly. The browser has already received several as part of the Tor Uplift initiative. For instance, Mozilla implemented anti-fingerprinting for system fonts in Firefox 52, and plans to block sites from using HTML5 Canvas to fingerprint users in Firefox 58.
Tor calls the feature Cross-Origin Identifier Unlinkability.
The Cross-Origin Identifier Unlinkability design requirement is satisfied through first party isolation of all browser identifier sources. First party isolation means that all identifier sources and browser state are scoped (isolated) using the URL bar domain.
The following items are affected by First-Party Isolation: cookies, cache, HTTP Authentication, DOM Storage, Flash cookies, SSL and TLS session resumption, Shared Workers, blob URIs, SPDY and HTTP/2, automated cross-origin redirects, window.name, auto-form fill, HSTS and HPKP supercookies, broadcast channels, OCSP, favicons, mediasource URIs and Mediastream, speculative and prefetched connections.
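The scoping described above, as an added example that is not Firefox or Tor Browser code: a simplified JavaScript model of a cookie jar keyed by cookie domain alone versus by URL bar domain plus cookie domain. The CookieJar class and all .example domains are assumptions made for illustration; the second function shows one way isolation can get in the way of a login that depends on a session set under a different first party.

```javascript
// Simplified model of browser cookie storage; not Firefox's implementation.
// CookieJar and all *.example domains are constructed for illustration.
class CookieJar {
  constructor(firstPartyIsolate) {
    this.firstPartyIsolate = firstPartyIsolate; // stands in for privacy.firstparty.isolate
    this.store = new Map();
    this.nextId = 1;
  }

  // Key is the cookie's domain alone, or (URL bar domain, cookie domain) when isolated.
  key(urlBarDomain, cookieDomain) {
    return this.firstPartyIsolate ? `${urlBarDomain}|${cookieDomain}` : cookieDomain;
  }

  // A request to cookieDomain while urlBarDomain is shown in the URL bar.
  // Returns the identifier that server receives, issuing a new one if none is stored.
  request(urlBarDomain, cookieDomain) {
    const k = this.key(urlBarDomain, cookieDomain);
    if (!this.store.has(k)) this.store.set(k, `uid-${this.nextId++}`);
    return this.store.get(k);
  }
}

// Number of distinct identifiers an embedded third party sees across the visited sites.
function distinctIdsSeen(jar, visitedSites, trackerDomain) {
  return new Set(visitedSites.map((site) => jar.request(site, trackerDomain))).size;
}

// Does a session created on idp.example itself reach idp.example embedded in app.example?
function embeddedLoginSeesSession(jar) {
  const session = jar.request("idp.example", "idp.example");
  return jar.request("app.example", "idp.example") === session;
}

const sites = ["news.example", "shop.example", "forum.example"];
for (const isolate of [false, true]) {
  const ids = distinctIdsSeen(new CookieJar(isolate), sites, "tracker.example");
  const sso = embeddedLoginSeesSession(new CookieJar(isolate));
  console.log(`isolate=${isolate}: tracker sees ${ids} id(s), embedded login works: ${sso}`);
}
```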
How to enable First-Party Isolation in Firefox
First-Party Isolation is not enabled by default in Firefox right now. One possible reason is that the feature may interfere with the authentication system on some sites.
I suggest you try this out, and see if that is the case on your end. You can disable the security feature at any time to restore the status quo.
- Load the URL about:config?filter=privacy.firstparty.isolate in the Firefox address bar.
- Double-click on privacy.firstparty.isolate to set the preference to true.
This is all that needs to be done. There is also the Firefox add-on First Party Isolation which you can install instead. It does the same thing, but comes with an option to disable the functionality temporarily. (via Bleeping Computer)