Cookies being written and automatically deleted
Hello,
I work for Microsoft, and one of our sites offers users a way to opt out of personalized advertising on some Microsoft domains by setting a cookie. The site: https://account.microsoft.com/privacy/ad-settings/signedout
When the user clicks the toggle to Off, we cycle through four domains via an iframe and write a TOptOut cookie on each one. If everything is working properly, the user should then be able to go to www.bing.com and see a TOptOut cookie on Bing that will prevent personalized advertising on that domain.
The problem is, this stopped working in Firefox. We have verified that it still works* in 115.7.0, but in 122.0.1 and 123.0, the cookie is written and then deleted on refresh. If the user doesn't already have Bing open in another tab, they'll never see the cookie at all. I have verified this behavior in Bing several times, on my work machine (Firefox 122.0.1 on Windows 10) and my personal machine (Firefox 122.0 snap on Xubuntu 23.10).
\* It still works on our corporate VPN in 115.7.0, but not on my coworker's non-VPN machine. Same version. I'm really not sure what's up with that one.
This is a large concern for us. Because the cookies can still be written, it doesn't trip our test for third-party cookies being disabled. Because the cookie for microsoft.com is written, the toggle will show up as Off even after a refresh. This is misleading to our users.
I have gone over the Firefox docs on Enhanced Tracking Protection and Total Cookie Protection, but neither seems to handle this case. Firefox does not block any trackers on account.microsoft.com or on www.bing.com. It's fine if the cookies are in separate jars; we just want them to be written to the proper domains and not deleted. Can anyone tell me what changed in Firefox recently? Is this expected behavior, or a bug? If it's expected behavior, what can we do to allow users to opt out of personalized advertising?