Spawn Virtual Browsers Effortlessly with Firefox Containers

You may have heard of Mozilla’s Facebook Container, an add-on for Firefox that keeps Facebook isolated whenever you open it. It’s an easy-to-use and simple tool for defending user privacy.

But you may not have heard much about the Firefox features that make the Facebook Container possible. They’re called Firefox Containers—and they represent a useful tool that sets Firefox apart in a powerful way.

How Do They Work?

Firefox Containers tag state that the browser can access—cookies, local storage, IndexedDB, etc.—with a special tag when you’re working inside a container. This means that each container gets its own completely isolated view of browser storage; a new container looks exactly like a brand-new browser to whatever websites you access through it.

The Facebook Container extension works by first flushing out all of your Facebook state, then intercepting attempts to navigate to Facebook.com and pushing them into the container that it creates for Facebook. So when you’re on the Facebook website and logged in, you look like you’re in a completely different browser—and are a different person—than when Facebook’s tracking scripts see you elsewhere on the Web.

The community has expanded on this work to create several variations on Facebook Container for the other 800-pound gorillas tracking us across the Internet. But the more I thought about this technology, the more I realized I could use it not only to isolate several different kinds of sites while still maintaining my logins, but also for development and administration tasks or providing an endless supply of disposable browsers across any website.

Thankfully, I didn’t have to write the extensions needed to make my ideas a reality—they already exist.

Multi-Account Containers

My first task was to find a way to isolate an arbitrary site, without either finding or making a specific container extension for that site. For this job, I turned to Mozilla’s Firefox Multi-Account Containers extension.

Multi-Account Containers allow you to define a new container at any time, then open a new tab in that container from its popup. Once you’ve opened your new container, you can open the site you want to contain and use it normally.

One of the really useful ways to use this as a developer is to isolate logins to multiple instances of the same site that have different login processes—for example, the stack of Microsoft accounts that I seem to need to use. With containers, I can keep each account isolated, navigating several Microsoft-backed services in their own tabs, all at the same time.

To complete the picture, you can then set any website to open in that container from there on out by navigating to that website inside the container, then opening the extension popup, and selecting the checkbox to always open the site in that container.

From then on, Multi-Account Containers will intercept any navigation requests to that website’s hostname and open it in the container instead. If you logged in inside the container, your login will be there when you go back—but no other containers, nor the browser’s main storage, will see that login. Having the login persist is huge—I used to dump cookies from all but whitelisted sites, but would then have to constantly dig out my authenticators.

This is a great first step, but you still have to contend with the browser’s main storage. Tracking will still happen with third-party scripts and inclusions across the web—they just won’t necessarily be able to associate that shadow profile with a real, logged-in person.

Additionally, as a developer, I’d really like to fit in disposable containers so I can test sites in isolation without interference from other browser state–a case where many developers use private browsing. With containers, there’s a better way.

Temporary Containers

The Temporary Containers extension fills that gap by allowing you to create disposable containers that can be cleaned up after their tabs are closed.

You may say, “Hey, wait, this is what private browsing does,” but that’s not exactly true. Private browsing piles disposable state from every site you visit while in a session together, and it requires you to switch your thinking between “this should be private” and “this should not” constantly depending on where you want to go. Temporary containers don’t have this problem; in fact, I rarely think about them, and they keep sites isolated from each other.

There’s lots of configurability here. I have it set to automatically spawn a new container in a new tab if I left-click a link that’s in a different subdomain. There’s even an automatic mode that will intercept new tab creation and replace it with a tab sporting a brand new container.

I had to play with the settings quite a bit to get it as I want it, so if you’d like a starting point, try these settings:

• Automatic Mode on
• Delete no longer needed Temporary Containers: After the last tab in it closes
• Isolation: Global: Mouse Clicks on Links should open new Temporary Containers: If the clicked Link Domain does not match the current Tabs Domain (Subdomains won’t get isolated)

This works smoothly for most cases, though sometimes I’ll click a link and want to stay in the current container, despite it taking me to a different site (e.g. to maintain third-party state across domains). If I need to do this, I can right-click the link and select to open it in a new tab, but in the same container.

All Together Now

Multi-Account Containers will take precedence over Temporary Containers, so you don’t need to worry about them fighting with each other. Any hosts you mark as needing to be opened in a persistent container will be handled by the former, and if you have Temporary Containers configured as I do, navigating outside of those sites will automatically spawn a temporary container for you.

I love this technology, and I’m glad Mozilla has invested effort in it—and that these extensions exist to use it to its full potential. I wish the experience was a little smoother, but I am fighting the m.o. of the Web, constantly trying to remember me. In the end, it works surprisingly well, and I’m looking forward to experience improvements and new uses for the technology in the future.