Hacker News

Why not just do away with third-party cookies altogether already?


It breaks non-tracking functionality for embedded things on the web as currently implemented in major browsers, in particular, which is one of the largest use cases.


What's an example of this?


Signing into a website through an iframe redirects you back to a sign in page inexplicably if the post-signin page requires a cookie.

Another example is you're signed into website A, and while on website B, iframes to website A behave in such a way that you're not signed in, and you cannot sign in.


If you disable third-party cookies, you can't download files or view videos in Google Drive without a workaround.

This is because the download is from googleusercontent.com while your browser remains at drive.google.com the whole time - and to download private files, googleusercontent.com expects you to have a login cookie. If you block third-party cookies the download gets stuck in a redirect loop, sending you to get a cookie over and over again.

Google is aware of this but hasn't fixed it.
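Added example, not part of the thread and not Google's code: a toy JavaScript model of the redirect loop described in the comment above, run once with third-party cookies allowed and once with them blocked. The `doc` subdomain, the `/download` and `/set-cookie` paths, the cookie value, the two-label "site" rule and the 20-redirect cap are all assumptions made for the illustration.

```javascript
// Toy model (constructed): a browser cookie jar plus a content host that
// bounces unauthenticated requests through a cookie-setting endpoint.
// Paths /download and /set-cookie are hypothetical, not Google's real URLs.

// Simplification: "site" = last two host labels. Real browsers use the
// Public Suffix List to compute the registrable domain.
const siteOf = (host) => host.split(".").slice(-2).join(".");

class Browser {
  constructor({ blockThirdPartyCookies }) {
    this.block = blockThirdPartyCookies;
    this.jar = new Map(); // host -> cookie value
  }
  // A request is third-party when its host's site differs from the tab's site.
  allowed(topHost, reqHost) {
    return !this.block || siteOf(topHost) === siteOf(reqHost);
  }
  // Fetch a URL embedded in a page at topHost, following redirects.
  fetchEmbedded(topHost, url, server, maxRedirects = 20) {
    for (let hops = 0; hops <= maxRedirects; hops++) {
      const { host, pathname } = new URL(url);
      const ok = this.allowed(topHost, host);
      const cookie = ok ? this.jar.get(host) : undefined; // not sent if blocked
      const res = server(pathname, cookie);
      if (res.setCookie && ok) this.jar.set(host, res.setCookie); // dropped if blocked
      if (res.status !== 302) return { status: res.status, hops };
      url = new URL(res.location, url).href;
    }
    return { status: "redirect-loop", hops: maxRedirects };
  }
}

// Constructed content server: private files need a session cookie.
function contentServer(pathname, cookie) {
  if (pathname === "/set-cookie")
    return { status: 302, location: "/download", setCookie: "session=abc" };
  if (cookie === "session=abc") return { status: 200 };
  return { status: 302, location: "/set-cookie" };
}

// The tab stays on drive.google.com; the file lives on another site.
function demo(blockThirdPartyCookies) {
  const b = new Browser({ blockThirdPartyCookies });
  return b.fetchEmbedded("drive.google.com",
    "https://doc.googleusercontent.com/download", contentServer);
}
```

With cookies allowed the download succeeds after two redirects; with third-party cookies blocked the cookie is never stored or sent, so the same two URLs alternate until the redirect cap is hit.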


We're on the road to that.


I mean, why are all these lengthy intermediate steps necessary? It's only a matter of changing the default value of one damn setting. I've had third-party cookies disabled for more than a year and the only websites I've had problems with were ridiculously poorly-made ones — like AliExpress, that for some reason has a zillion subdomains and relies on third-party cookies for authentication.


I have third-party cookies disabled, and have for years. A non-exhaustive list of sites where I have login or other problems as a result:

1) One of my local banks (who use weird third-party hosted modules for some of their functionality).

2) Verizon.

3) T-Mobile

If I were a normal user, any one of these ("I have to do _what_ to see my FIOS bill?") could be a show-stopper.

Which is what makes it hard to turn this on by default without driving away users.


On the other hand, if third-party cookies were going away for real, this would force website developers to finally fix their crap.


Leads to a prisoner's dilemma situation. A move like that has to be done by everyone in concert (example: killing Flash), or it's harmful to the one browser that blinks first.

This thread contains plenty of examples of legitimate uses for third-party cookies. If FF instantly and immediately broke those, users would be cursing, not praising Firefox, and switching to a browser that doesn't break what they use.


Can't we whitelist some third-party cookies for the transition period?


If they were going away for real across all browsers, yes.

Historically getting some browsers on board with that program has been very difficult.

Concretely: a large fraction of website developers would much rather put up "only works in Chrome" notices than fix their crap.

[Disclaimer: I used to work at Mozilla, and have done my share of trying to push for turning off third-party cookies.]


It's funny you note that the only website that had issues was a top 50 website (https://www.alexa.com/siteinfo/aliexpress.com#section_traffi...) that no doubt has a lot of ordinary non-technical folk on it. Breaking sites like these would likely kill an already relatively niche browser.


Because you're fighting the ad industry. The ad industry which also has their own browser and tells grandma whenever she searches about problems with cookies that there's a "better" browser out there.

It's Google. I'm talking about Google.


Precisely. Google is an ad behemoth AND has the majority of the market of browsers. If Firefox (or Safari or Opera or etc) changes to something that breaks Google but Chrome doesn't, they'll just get more of the market. For non-Chromium browsers to survive, they have to play a long game and show people why these changes are important. People are happy to sacrifice privacy for convenience, unfortunately.


> If Firefox (or Safari or Opera or etc) changes to something that breaks Google but Chrome doesn't, they'll just get more of the market.

Not on iOS


> relies on third-party cookies for authentication

A lot of websites depend on this via auth0, cloud identity, cognito... and the experience becomes subtly broken in a way that you need to be extremely technically savvy (a developer that has a whole lot of auth experience) to understand.


Safari already does this by default, if I understand correctly.



