by walterbell 3273 days ago
If you delete the Facebook cookie (i.e. are completely logged out including username), then click on a link in an email notification from Facebook, it will silently log you in again, restoring the cookie and web-wide tracking. This can be tested by pasting an email notification link to a new private browsing window.
3 comments

If you use PrivacyBadger you no longer have a Facebook cookie on 3rd-party websites, so they don't track you.

https://addons.mozilla.org/en-us/firefox/addon/privacy-badge...

https://chrome.google.com/webstore/detail/privacy-badger/pke...

Also, Firefox "containers" now allow you to use a separate cookie set for different domains.

https://testpilot.firefox.com/experiments/containers/

I used it a few weeks ago in the Test Pilot program; it was hard to use, and difficult to open new tabs in the container I wanted.
Yeah, it wasn't that helpful. In the last few weeks they made it so you can right-click on a page once opened in a container and "always open in this container".
How do you login to Facebook when needed, if there is no cookie?
It only blocks third-party cookies, so you can login to Facebook. What it would block is Facebook tracking outside the Facebook domain. Another option is to use something like Self-destructing cookies, which would delete the Facebook cookie when you close the tab.
Edited comment to explain it affects 3rd-party websites. Facebook works as usual and all content is the same.
Thanks for the pointer. Wish this worked on iOS, where the only option is to use a dedicated browser for accessing Facebook. Not sure how Brave deals with Facebook cookies on iOS.
Why can't you use Firefox on iOS? All addons should work normally.

https://www.mozilla.org/en-GB/firefox/ios/

Apple does not allow browser extensions. Firefox (any non-Apple browser) on iOS is a wrapper around Mobile Safari.
So, they're spewing login credentials all throughout users' emails? How is their security team okay with this?

Do they require that it be from a previously used IP/user-agent or something?

Works with a VPN, so not linked to IP. URL includes email used for FB auth.

Edit: received FB email about "login from unknown device".

But that can easily be explained as a feature, not a bug.
Most other sites do not automatically transfer your username and password/token from (insecure) email to web. Most other sites require authentication for a fully-logged-out user.