
That is mostly the case. However, other websites may ask your browser to make requests to Facebook domains (to load in social buttons or tracking scripts/pixels). Those requests will include any cookies your browser has for Facebook as they're direct to Facebook domains.

This extension gives Firefox selective amnesia: if you're in a Facebook container tab, it'll remember and send those cookies. If you're not, it won't!

An alternative solution is to never make those third party requests in the first place, but you might need some of them for content you're actually interested in viewing. Using both a blocking extension and this container extension should improve your privacy towards Facebook.



This begs the follow-up question: Why can’t my browser always send zero cookies for all third party requests in all tabs?

Presumably the like button wouldn’t work - but that’s what I want. So the Q is: what will break that I didn’t want to break?


You can disable third-party cookies in Firefox. See https://support.mozilla.org/en-US/kb/disable-third-party-coo...


It breaks things like "sign-in with github credentials" in CIs. But you know, these should be exceptional, therefore the default should be to load third-party content without cookies. The problem is that some content is loaded without your having to click on something (where you'd have a chance to right-click and request loading with selected credentials).


Not necessarily: OAuth Basic Flow does not require third-party cookies. With Basic Flow, you'd get redirected to github.com, making it a first party request. Github will then redirect you back passing an authentication code as a URL parameter.


I use uMatrix for this purpose, and to block third-party frames to defend against clickjacking. That said, Multi-Account Containers still are very useful.


I’ve been blocking third-party cookies for years and using OAuth authentication in several places. Don’t remember ever having an issue.


> Why can’t my browser always send zero cookies for all third party requests in all tabs?

It can. Blocking third-party cookies is available in the browser settings of at least Firefox, Chrome, and Safari. I think it’s even on by default in the latter.

I’ve been using it for years and never seen a broken page as a result.


The site of one of the banks I use relies on third-party cookies, because it outsources parts of the site functionality.

Sites that put a checkout flow hosted on a different hostname in a subframe break.

Some forms of "sign in with X" break.


The main thing I notice break when I enable things like "no cross origin cookies" is history on the AWS console. Stuff like "roles you've switched to" and "services you've used recently" get forgotten.


Single sign-on? (e.g. logging in to Trello with your Google account)


If you get tokens by callback urls you don't need any 3rd party cookies.


That's not relevant to the question.


It breaks federation, i.e., Single Sign-On.

But there's a thing for Firefox which does it for all sites. Called First Party Isolation.


An idea... imagine putting SSO stuff into a Container and setting First Party Isolation off for just that Container.


I've had it disabled for years and never had any kind of issue with single sign-on websites.


Knowing what FB is doing with your data, why would you still want SSO?


Because it doesn't have a way to break only FB SSO. All SSO would break by default.


I mean it's too late now but there's nothing fundamental about the current SSO design. If browsers shipped with FPI from the beginning SSO would still work, it would just look different.


There’s uMatrix for that of course but is uBlock Origin and PrivacyBadger combo enough with this extension? As the de-facto tech guy in my family I know how to take care of my own privacy but I’m always searching for the most hands off solution for the tech illiterate family members who come to me asking to “fix their laptops”.


Have you considered Tracking Protection? https://support.mozilla.org/en-US/kb/tracking-protection I had to disable it for a few select sites but I guess there's currently no solution that won't ever break a site.


There's a "Same-Site" cookie flag that helps prevent CSRF by preventing cookies from being sent in that scenario. Can the browser be made to treat all cookies as "same-site" for a quick 'fix' to this issue?

Obviously this would need a white-list (and a pair<from,to> whitelist, not just a "this domain is OK" list) to allow SSO scenarios.
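As an added example (not written by anyone in this thread), the Python below models the cookie-attachment decision the comments are debating: whether a site's cookie goes out on an embedded third-party request such as a like button or tracking pixel, how a container tab or third-party cookie blocking changes that, and why the OAuth redirect flow still works because the redirect is a top-level navigation. The `Cookie` type, the `cookie_sent` function and the two-label approximation of a "site" are assumptions of this example, not browser internals.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


def site_of(host: str) -> str:
    """Registrable domain ("site") of a host.
    Assumption: approximated as the last two labels. Real browsers consult
    the Public Suffix List so that suffixes like co.uk are handled."""
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class Cookie:
    name: str
    host: str                   # host that set the cookie
    same_site: str = "None"     # "Strict", "Lax" or "None"
    container: str = "default"  # Multi-Account Containers jar it lives in


def cookie_sent(cookie: Cookie, top_level_url: str, request_url: str, *,
                top_level_navigation: bool = False, method: str = "GET",
                block_third_party: bool = False,
                container: str = "default") -> bool:
    """Would the browser attach `cookie` to a request for `request_url`
    issued from a tab (in `container`) whose top-level page is `top_level_url`?"""
    req_host = urlparse(request_url).hostname or ""
    if site_of(req_host) != site_of(cookie.host):
        return False                   # cookie belongs to a different site
    if cookie.container != container:
        return False                   # each container has its own cookie jar
    top_host = urlparse(top_level_url).hostname or ""
    cross_site = site_of(top_host) != site_of(req_host)
    if not cross_site:
        return True                    # first-party request: always sent
    if top_level_navigation:
        # e.g. an OAuth redirect to github.com: the destination becomes the
        # first party, so third-party blocking does not apply; SameSite still does.
        if cookie.same_site == "Strict":
            return False
        if cookie.same_site == "Lax":
            return method in ("GET", "HEAD")
        return True
    # embedded cross-site subresource: like button, pixel, third-party iframe
    if block_third_party or cookie.same_site in ("Strict", "Lax"):
        return False
    return True                        # SameSite=None and third-party cookies allowed
```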


Simply set the configuration value privacy.firstparty.isolate in your about:config.

This will treat every first party domain as its own container for cookies and other stuff.


Yes, but as you say this breaks a large number of applications. The web browsers aren't super likely to break existing behavior since people simply blame the browser that whatever thing doesn't work.
