165 comments

  • mcoliver 2 days ago

    Love the idea. I wish chrome extensions had a more granular permissions structure and/or reminders/security checkups on installed extensions and their permissions.

    As it is the content scripts manifest permission for https://*/* for content.js is always so jarring to see. For those that don’t know this allows the extension to run that script on every site you visit after clicking accept ONCE when you install the extension. That means it can see financial info, health info, legal info, your diary, etc…

    Now this makes sense from a usability perspective (I never have to see a cookie banner ever again!), but the author could change content.js at any time and the extension would continue to run without prompting the user.

    This is not an attack on you Mitch! It sure looks like you’re trying to provide value in this world rather than take it. Rather it’s an attack on Google’s extension security model. I’m really shocked Google has not taken a more careful and nuanced stance to protecting users from a security standpoint.

    I write this as a fellow Chrome extensions dev. I wish I had better, more granular permissions structures to protect my users and give them more information about what I am requesting and why, along with regular reminders so they can make informed decisions about what they want to share.
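
An added example (not part of the comment above, and not the extension's own code): a small Node.js audit that reads a manifest and reports which host access is granted once at install, such as the `https://*/*` content-script match described above, versus access that is only requested at runtime. The function names and both sample manifests are constructed for illustration; it inspects declarations only, not what the injected script does.

```javascript
// Added example: report which sites an extension can reach without asking again.
// Manifest keys are Chrome's; function names and sample manifests are constructed.

// A match pattern is "<all_urls>" or <scheme>://<host>/<path>.
const MATCH_PATTERN = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)$/;

function classifyPattern(pattern) {
  if (pattern === '<all_urls>') return { kind: 'all-sites', host: '*' };
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) return { kind: 'not-a-host-pattern' }; // API names such as "storage"
  const [, scheme, host] = m;
  if (scheme === 'file') return { kind: 'local-files', host };
  if (host === '*') return { kind: 'all-sites', host };
  if (host.startsWith('*.')) return { kind: 'all-subdomains', host: host.slice(2) };
  return { kind: 'single-host', host };
}

// Collect every host pattern in the manifest and record when it is granted:
// 'install' = accepted once at install time, 'runtime' = prompted for later.
function auditManifest(manifest) {
  const findings = [];
  const add = (source, patterns, granted) => {
    for (const pattern of patterns || []) {
      const c = classifyPattern(pattern);
      if (c.kind === 'not-a-host-pattern') continue;
      findings.push({ source, pattern, kind: c.kind, host: c.host, granted });
    }
  };
  (manifest.content_scripts || []).forEach((cs, i) =>
    add(`content_scripts[${i}] (${(cs.js || []).join(', ')})`, cs.matches, 'install'));
  add('host_permissions', manifest.host_permissions, 'install');
  add('permissions', manifest.permissions, 'install'); // MV2 put host patterns here
  add('optional_host_permissions', manifest.optional_host_permissions, 'runtime');
  add('optional_permissions', manifest.optional_permissions, 'runtime');
  return findings;
}

// The case discussed in the thread: every site, accepted once at install.
function allSitesAtInstall(manifest) {
  return auditManifest(manifest)
    .filter(f => f.kind === 'all-sites' && f.granted === 'install');
}

// Constructed sample: content.js injected into every HTTPS page.
const broadManifest = {
  manifest_version: 3,
  name: 'constructed-broad-example',
  permissions: ['storage'],
  content_scripts: [{ matches: ['https://*/*'], js: ['content.js'] }],
};

// Constructed sample: one site by default, everything else only on request.
const narrowManifest = {
  manifest_version: 3,
  name: 'constructed-narrow-example',
  permissions: ['activeTab', 'scripting'],
  optional_host_permissions: ['https://*/*'],
  content_scripts: [{ matches: ['https://*.example.com/*'], js: ['content.js'] }],
};

function summarize(manifest) {
  const lines = auditManifest(manifest).map(f =>
    `${f.granted === 'install' ? 'GRANTED AT INSTALL' : 'asked at runtime  '} ` +
    `${f.kind.padEnd(14)} ${f.pattern}  <- ${f.source}`);
  return `${manifest.name}\n  ${lines.join('\n  ') || '(no host access declared)'}`;
}

console.log(summarize(broadManifest));
console.log(summarize(narrowManifest));
```
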

    • mitch292 2 days ago

      Definitely agree, not a fan of the permissions.

      The broad permissions were required from a usability standpoint. Granting permission on every site for this extension would just be a 1 to 1 replacement of clicking reject on the banner or pop up for every site.

      I would hope that before Chrome approves an extension to be added to the store that they are auditing the content of the package.

      • dhc02 2 days ago

        Personally, I would still love a site-by-site "reject non-essential cookies" prompt from an extension that's in the same place, with the same UI, on every site. Still a click, but lots better than having to figure out how to accomplish it on each and every site.

        • larusso 2 days ago

          Exactly. The biggest pain is to read and figure out what the next button actually does. Is the big button an accept all? Use selected? Or whatever wording they use. I might not want to block cookies for certain pages. So an extension that finally creates this single UX flow would be very helpful indeed.

        • cies 2 days ago

          Exactly. So you could have 2 shortcuts: one for reject all non essential, one for accept all.

          Much better UX than figuring out per site which button to click.

          • randunel a day ago

            Why would you ever accept all? The options should be reject all non essential and reject all (may break something)

      • shadowgovt 2 days ago

        One of the reasons Manifest v3 was started is that that is impossible for an extension that evals arbitrary code from the web (or downloads, say, a dynamic list of data and acts on it).

        For something like this, it's tractable.

      • groby_b 2 days ago
    • dsp_person 2 days ago

      Also frustrating that UBO Lite just changed from "permissionless" to requiring broad see everything permissions.

    • ocdtrekkie 2 days ago

      Fundamentally there is no reason anyone in their right mind should install an extension released by an individual with these permissions. It is a post-decryption access to every single thing you do online. It is absolutely insane to trust your web browsing to a random browser extension, even a useful one ("cloud to butt" is my favorite example of people deleting their entire security model for a joke).

      Anyone can buy out or compromise this developer and slide complete takeover of your online life into an extension update.

      • cies 2 days ago

        It's open source.

        So it can be audited. The problem is: who audits and how to know a new version is audited.

        • ocdtrekkie a day ago

          And by the time someone notices, how much of your private information is already gone and do you already have ransomware.

    • SoftTalker 2 days ago

      Google could change Chrome at any time to snoop on all your stuff too, yet we trust them more than extension authors?

      • loeg 2 days ago

        They have a strong track record and more to lose.

        • Orygin 2 days ago

          Strong track record of already snooping on all your traffic within their browsers?

        • jillyboel 2 days ago

          What about literally every other application you download and install?

          All your video games could be (and probably are if they include "anticheat") spying on you.

          • Diti a day ago

            They’re only spying what Wine allows them to see.

  • coldpie 2 days ago

    uBlock Origin already has this. Enable the "Cookie notices" and "Annoyances" filters in uBlock Origin's settings.

    Bonus pro-tip: Firefox for Android supports uBlock Origin, which means you can get rid of these godawful banners on mobile, too. Only iOS users are stuck having to put up with them.

    • moebrowne 2 days ago

      Hiding the popup is not the same as clicking reject.

      It should be but it's not.

      • coldpie 2 days ago

        You think these websites give a shit about your privacy because you clicked on a div with a "No" in it? Not a chance. It's like asking thieves to promise not to steal from you.

        Protecting users is the browser's job:

        https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...

        https://support.mozilla.org/en-US/kb/introducing-total-cooki...

        • IggleSniggle 2 days ago

          I'm currently at a small ad tech firm and while I can't speak for other outfits, we definitely are extra careful about respecting user consent indicators. Because we are small, it's not easy to do this, because there are many possible ways for users to "reject". This includes situations that merely imply non-consent due to inaction, rather than active non-consent like a reject cookie indicator, or living in a jurisdiction that makes non-consent automatic (as it should be!). Many of the "reject cookies" tools are especially useful because even if a website doesn't respect your choice (and therefore tries to send data to us) your browser can still tell us if you are non-consenting. This means it's easier for us to notice non-consent and drop the data as soon as possible, before any logging or analysis can occur.

          We do not materially benefit from this in any way, nor do we market it. I am not a spokesperson for my company nor do I want to be publicly identified with it. I'm advocating here because you said "not a chance" but there is a chance.

          It's not just that we are worried about some sort of regulatory enforcement, either, although existence of such regulations does help convince the less scrupulous people from pursuing a bad path.

          The free internet is built on ads. I still believe in the free internet. I still think we can make it work. I welcome regulation and regulatory enforcement even though it's hard for a small outfit like us, because it reduces the chances that our ad tech has to compete with less scrupulous people. I think we've survived as a small outfit since roughly the dotcom era because we've tried to be good stewards. People wouldn't need uBlock if there was better regulation/enforcement, and companies like mine, who are trying to do the right thing (even as we operate in the loathed ad space), would benefit.

          I'm worried about AI on this front because it means in the future your ads will be served up to you out of a black box instead of out in the open where we can all inspect who is trying to get what from us (and block bad parties via eg uBlock), and, to a degree, who is trying to shove what down our throats.

          • jniles a day ago

            Just curious, but it sounds like this is the ideal use case for Do Not Track. Do you all use that as a signal to not track/remove nonessential cookies?

            • IggleSniggle a day ago

              Yes, we do treat that as a valid signal. But users still shouldn't use it today anyway, since it has no teeth and many companies will use it as part of a composite identifier. If Do Not Track had more regulatory teeth, I think it might have gone somewhere.

              Global Privacy Control (GPC) is the modern alternative, and the mechanism by which California's privacy legislation / CCPA is largely handled from a technical perspective. Unfortunately it is not available by default in Chrome, but it is in eg Firefox / DuckDuckGo browser. Because it has legal teeth, it has more power to give you a tracking free experience even if a company had the technical capability to track you.

              It can still help you even if you're not in California because geolocation is not perfect, but it does provide the ability to monetize ads that are tracking free. The threat of enforcement has to be real and continue to be demonstrated, though, or it won't last.

              iCloud Private Relay also causes tracking companies a lot of real pain (sort of a mini-Tor where Apple and CloudFlare each have only half of your unlock key), but it's a technical bandaid with a variety of flaws that can break many legitimate things.

              Ultimately each situation is one that requires judgement, which is why I think a legislative/judicial answer is the only one that ultimately holds up. GPC allows for a little more nuance than DNT. People care about the intent of respecting "Do Not Track." In some cases it may require a judgement about whether or not a company violated that request, not whether it was "technically impossible for the company to violate that request (we thought) but oh oops it was possible...I guess that just means we need to make it harder, the company doing the violating was okay because they worked within the bounds of what was technically possible."

              A company that violates this privacy, especially when you've indicated that you do not consent, should have to face penalties. And because we expect some companies to go out of business for violating these rules, we should also make sure that their "data assets" aren't simply transferred to some new company in bankruptcy court when an adverse ruling comes down.

          • troupo 2 days ago

            > The free internet is built on ads.

            And ads don't require pervasive and invasive tracking. The industry made us all believe they do.

            • IggleSniggle a day ago

              Yes, that's exactly what I'm saying. The industry made us all believe they do, in what began as a differentiator from offline ads, that quickly spiraled into the current day insanity. Browsers have been playing cat and mouse to a degree, but except for the annoying cookie banners that everybody hates, regulation like GDPR is the thing that has restored some small piece of sanity. There should be more and better regulation + enforcement to better align ad tech with the interests of the public.

          • randunel a day ago

            > The free internet is built on ads.

            Check your internet bill, it might not be free after all.

            I'd very much rather get back to the internet being about connectivity and nothing else. The internet would survive just fine by providing a means to contact authorities, companies and each other, without any of the "content" for which we supposedly need ads to produce

          • 47282847 a day ago

            > The free internet is built on ads. I still believe in the free internet.

            The internet I remember had free content because mostly individuals wanted to share something. Commercial offers were rare. I would be very happy to go back to that network, with 90% content gone and the remaining 10% provided without an ads driven model. In fact, if it was for me, one could widely ban most advertising also off-net. It is manipulative cancer. At least ban any sort of user tracking and analysis. Yes, this will kill a wide spectrum of offers. I am totally fine with that trade-off. We don’t need it for a well-functioning society. And yeah, look around, we do all sorts of interference with so-called free markets, because history has shown time and time again how horrible it gets when you allow capitalism to roam freely.

        • berkes 2 days ago

          > You think these websites give a shit about your privacy because you clicked on a div with a "No" in it

          Yes. For a subset of "these websites". Because this is enforced and EU has fined billions already. The fines for doing what you say they do, are steep and a severe risk for many "these websites".

          • coldpie 2 days ago

            > For a subset of "these websites".

            So for websites that are not in that subset, they will still track you regardless of what you click on, so you still need browser-level protections for those websites, and those browser-level protections will also work on the websites that are in that subset, so you still gain nothing by clicking the No.

            • berkes 2 days ago

              Yes. But "these websites" will then be prosecuted, their owners cannot enter the EU ever again without the risk of severe penalties, they cannot do business in the EU and can and often will, lose access to many services that do want to stay on the good side of the EU (i.e. will see their google ads blocked, their stripe frozen, their hosting closed etc)

              Edit: what I'm trying to say is: this "technical" problem has a real and working "solution" that's not technical at all: law and enforcement. Now, that won't work for all and everything, it never does. There will always be malicious, scammy, malware, criminal and illegal webservices around. But it makes it very hard for malicious actors to do so and make money.

              • coldpie 2 days ago

                Yeah but the question is how you, as a user, should best protect yourself. I'm saying clicking the "No" provides no advantage over using a browser that just protects you from tracking by default. Then it doesn't matter whether the website is following the law or whether the EU (where I don't live) will enforce the law or change it in the future or whatever.

                > Now, that won't work for all and everything, it never does. There will always be malicious, scammy, malware, criminal and illegal webservices around.

                Yeah, exactly. So if I have to protect myself from those websites anyway, I may as well apply the same protections to all websites. Clicking the "No" does nothing for me.

        • toomuchtodo 2 days ago

          The act of indicating no is frictionless if automated through an extension, and if it turns out orgs are not respecting the action, it'll end up in a class action or other legal event eventually (assuming statute or other regulatory mechanisms exists on the topic). "Porque no los dos?" Strongly agree the browser should still aggressively act in the user's interest and protect them.

          (privacy law and how it relates to customer user experience is a component of my work in finance)

          • dns_snek 2 days ago

            I think that's a distinction without a difference in general, but certainly under the GDPR where any form of consent must be explicit.

          • coldpie 2 days ago

            I mean sure I guess, do whatever you want. I will always have uBo installed and I prefer to have less software on my machine (fewer things to go wrong), so uBo's list plus Firefox's protections is good enough for me.

            > if it turns out orgs are not respecting the action, it'll end up in a class action or other legal event eventually

            Not a chance.

      • jsheard 2 days ago

        Yeah I find that list is more trouble than it's worth, because some sites will block interaction until you dismiss the cookie notice, so you get softlocked if the notice is hidden. I assume that's why uBO disables that list by default.

        • moebrowne 2 days ago

          Agreed. YouTube is a notable example of this, at least in the EU.

      • dongkyun 2 days ago

        This is incorrect. The GDPR requires affirmative consent before processing user information, hiding is not "affirmative." Additionally, there's been increasing litigation via wiretapping statutes (most notably in California where there's statutory minimums for damages) that pose additional legal risk for companies using analytic cookies w/o affirmative consent.

      • queenkjuul 2 days ago

        Legally it is the same

        Doesn't mean people implement it correctly though

    • replax 2 days ago

      for iOS users, you can just install eg AdGuard as iOS safari extension/blocker extension and enable the uBlock filter lists :) Fully working ad blocker for mobile safari.

    • raverbashing 2 days ago

      My ideal solution to this would be: accept all cookies, then delete them after page unload

      • probably_wrong 2 days ago

        Note that "I agree to tracking" and "I agree to cookies" are two different things. If you agree to tracking then a website can fingerprint you in any way they see fit, including methods that do not depend on cookies.

      • jorvi 2 days ago

        This is what Brave's "Forgetful Browsing" does. There's even a slight delay, in case you accidentally closed the tab.

        You can configure the "Cookie Autodelete" extension to behave in a similar way.

      • sneak 2 days ago

        This is what the extension Cookie Autodelete does. It even allows you to make an exclusion list of ones you wish to persist.

      • knowitnone 2 days ago

        this means they track you for your duration. ideal solution is accept all cookies and randomly modify the values so it becomes a jumbled mess to their analytics

      • gear54rus 2 days ago

        this is called incognito mode

    • hedora 2 days ago

      Orion for iOS supports Firefox and Chrome extensions.

      • godelski 2 days ago

        I've been using this and it even blocks YouTube ads. But do note that it often reduces video quality and in shorts there seems to be an off-by-one error where if it's "hide toolbar" then if you click the like it'll click the dislike and if you click dislike it'll click comments.

        Worth it IMO but I really wish there was a better way to submit bug reports than creating an account on their site. Fuck that dark pattern

    • rkagerer 2 days ago

      Could you clarify which options you mean?

      https://i.imgur.com/QnedRVZ.png

      Also, how's that compare to Consent-O-Matic in terms of effectiveness, safety (i.e. that it doesn't mangle the wrong thing on the site) and performance?

      • coldpie 2 days ago

        I use the EasyList ones, though I don't have any particular reason for that other than it is also the default "Ads" list chosen upon installation.

        > Also, how's that compare to Consent-O-Matic in terms of effectiveness, safety (i.e. that it doesn't mangle the wrong thing on the site) and performance?

        Dunno. I've never had any problems with it. All it does is hide the cookie banner DOM elements.

      • nfriedly 2 days ago

        Not the op, but I just enable all of them.

        It is very rare for me to see a site that's broken by ublock origin.

    • hammock 2 days ago

      How do I keep chrome from uninstalling ublock these days every time I restart?

      • coldpie 2 days ago
        • lambdaba 2 days ago

          I was back on Firefox for a few months, and it's noticeably slower and drains battery (on M2 Air).

          • noname120 2 days ago

            If Safari is OK you could move to Orion: https://kagi.com/orion/

            • aquir 2 days ago

              I would love to but I can't use the MacOS default password manager :(

              • albumen 2 days ago

                Safari supports 3rd-party password managers like 1password no problem.

            • lambdaba 2 days ago

              I tried it briefly but I think it's semi-abandoned? Maybe I should give it another shot. Only non-negotiables for me are Stylish and Violentmonkey.

          • kitchi 2 days ago

            Take a look at Zen browser - it's a fork of firefox ESR, with some dramatic UI changes made to look similar to the Arc browsers.

            I've been using it on my Mac M1 and I only notice the memory footprint when I have > 30 - 40 tabs open.

      • lukasgraf 2 days ago

        Install it using an enterprise profile and enable the ExtensionManifestV2Availability flag: https://news.ycombinator.com/item?id=43340358

        Still works for me to this day, but this option might get axed come June 2025.

      • ozcap 2 days ago

        You can still install the extension manually. This is a good video on how to do it https://www.youtube.com/watch?v=jQX2lgePAKk

      • dddw 2 days ago

        Ublock-lite is there, but better switch to firefox or brave

    • Mashimo 2 days ago

      Oh neat. I did not know this. Thanks for sharing.

  • skeeter2020 2 days ago

    Cookie banners are a bad/wrong solution to the underlying problem, but it's the dark patterns within that really piss me off. I shouldn't have to invest deep cognitive attention to "only accept mandatory" but if you're not careful many dialogs will trick you into clicking accept all after you go to the trouble to untoggle all the optional shit. The answer is to use isolation containers, aggressively reset them and not to worry about any of this.

    • ta1243 2 days ago

      The underlying problem that the cookie banner operators have is there are laws preventing them from abusing the data they collect.

      Annoying banners increase pressure on people to contact their representatives to overturn those laws, allowing the operators to abuse the data

    • shadowgovt 2 days ago

      I just always click accept all.

      Less to think about, and it basically puts the web into the state it was in before we all got bent out of shape about tracking, which was fine.

      (Now that I type that... I should have made an extension ages ago that just does "identify cookie banner and click on the left-most button automatically").

      • nottorp 2 days ago

        > and click on the left-most button automatically

        Why do you think the left-most button is always accept all?

        Why do you think the accept all button will be in the same position on all reloads of the same site?

        • shadowgovt a day ago

          It's more that, as an end-user, I do not care whether I click accept or reject all; my goal is to get that UX speed-bump out of my face as quickly as possible.

          Maybe it'd be better to randomize which button is selected so if the plugin becomes popular site admins can't reliably guess where to put the button.

    • ryandrake 2 days ago

      I hate how web sites can weasel their way around consent by simply declaring their cookies as "necessary" or "mandatory." As the Dude would say: Yeah, well, that's just like, your opinion, man. How about we have an easy-to-use "Reject ALL cookies from this site (and deal with whatever breaks)" option?

      • ximm 2 days ago

        There was the "Do Not Track" header, but I don't think any sites actually honored it. And it is deprecated now.

        On Firefox we still have webRequestBlocking, so it is quite simple to block cookies. See for example https://addons.mozilla.org/en-US/firefox/addon/ximatrix/

        • troupo 2 days ago

          > There was the "Do Not Track" header, but I don't think any sites actually honored it. And it is deprecated now.

          Sites used that header to fingerprint and track users.

      • rapind 2 days ago

        You're assuming maliciousness. I run a site that uses cookies (encrypted session cookie) so they can add items to a cart, because not doing so would be a horrible UI. There's also a cookie created by the payment processor, but I only load their script on checkout. There's nothing else though. I don't even use tracking / analytics.

        There's zero weaseling going on. No dark patterns. I'm just too busy to build a no-cookie version that passes info in the URL or w/e (which also seems less than ideal). Your two options are to use the site or don't use the site. If there was enough pressure from real customers to provide another option then I probably would, but it wouldn't change anything. It's just busy work / checking boxes.

        IMO this needs to be built into the browsers rather than being yet another tax on builders due to spammers / scammers / advertisers. If we had meta referencing each cookie where you can disclaim exactly how it will be used and whether it's optional / required, then we would have a standard without dark patterns being possible.

        • const_cast 2 days ago

          Session cookies don't require a banner or any kind of notification.

          • rapind 2 days ago

            That's good to know (and reasonable)!

            • troupo 2 days ago

              GDPR was adopted 9 years ago. It's insane to me that people still go out of their way to know nothing about it.

              • rapind a day ago

                Well I don’t live in or operate a business in the EU and none of my customers are in the EU.

                I did start looking into it out of curiosity, but TBH it wasn’t obvious what I needed to do, if anything.

                I doubt most Europeans know much about Canada’s data protection laws either, and it would be insane for me to expect them to.

              • Orygin 2 days ago

                It's much easier to blame the cookie banner on GDPR (which are not entirely related) than read the texts and jurisprudence about it to know how it works.

                Every website showing a consent screen is either willfully ignorant (rarer these days) or they want your data while saying hypocritical things like «We value your privacy»

  • rkagerer 2 days ago

    How it’s implemented: Vibe coding is the answer

    Sorry, you want me to give browser privileges to code written by AI?

    • mitch292 2 days ago

      This is 100% a fair point of view and you’re right to be skeptical. With the blog post I was just trying to convey that cursor + auto select model was not great at this task. It gave me a project structure, but besides that everything had to be refactored.

      • rkagerer 2 days ago

        Thanks for clarifying!

    • Gracana 2 days ago

      You should stick with extensions that have lots of stars, that way you know they're trustworthy and secure.

      • DaiPlusPlus 2 days ago

        I assume you're being facetious; because popular (and good, trustworthy) extensions written by initially passionate people often end-up being bought-out by dodgy orgs - with very-hard-to-refuse offers - and the Chrome Extension Store has no way of knowing about that.

        I had a Chrome extension with about 20,000 users and I received unsolicited buyout offers a few times a year, and some offers were very hard to refuse - but it's not hard to imagine anyone else capitulating.

        • burnished 2 days ago

          What were the larger offers you received?

          • DaiPlusPlus 2 days ago

            They were all below $10,000 USD, but some were very close to that.

    • loloquwowndueo 2 days ago

      While I agree with you 200%, the code is there for you to review. I skimmed it and it didn’t seem difficult to grok, keep in mind I speak almost no JavaScript or typescript.

    • Imustaskforhelp 2 days ago

      Where is it shown that it was written by vibe coding?

    • asadm 2 days ago

      AI is mere mirror of human code.

      • cies 2 days ago

        It's a very bad mirror then.

        For example the Linux kernel has mirrors where its source code can be downloaded from.

        AI cannot even "mirror" the Linux kernel. Try it! Ask it to deliver a monolithic kernel that works on a bunch of architectures and has drivers for a bunch of hardware. It will yield nothing close to the Linux kernel.

  • bberenberg 2 days ago

    The common one I use in the space is https://consentomatic.au.dk/ but good on you for making an alternative. More options is great.

    • agos 2 days ago

      +1 for Consent-O-Matic, it's great

  • tenthirtyam 2 days ago
    • rendaw 2 days ago

      I tried consent-o-matic. Aside from the name making it sound like it says ok to all forms of tracking, it broke a few websites for me and failed to get rid of the banners on many others, and I quickly had to turn it off. TBH I'm not sure how it could be expected to work either, unless all websites use the same consent banner solution.

      • jmholla 2 days ago

        It by default only accepts essential cookies. I too thought the same thing based on the name of the extension.

      • smartbit 2 days ago

        On FF works fine for me for many years in combination with ublock origin.

  • cj 2 days ago

    I noticed you deleted the privacy policy in Github, and link to this one instead https://privacy.reject-cookies.bymitch.com/

    The one you link to doesn't really make sense:

    > Data is collected on specific sites that the product is not working on. This data is sent explicitly by users and when it is collected we do not collect any information that could be tied to a specific user. Only the name of the site is collected and any additional information you include in the text of the report.

    The original one that was deleted from the Github repo [0] is much simpler and to the point.

    [0] https://github.com/mitch292/reject-cookies/commit/18a87b2bee...

    • mitch292 2 days ago

      Agree! Unfortunately, that one was rejected by chrome.

      • GavCo 2 days ago

        Interesting. Did they explain why?

        • mitch292 2 days ago

          They had this in the reply

          > How to rectify: Ensure your privacy policy contains details about user data collection, handling, storage and sharing. Omission of any section is not allowed.

          So I added a section for each. I could make the "Information We Collect" section less verbose for sure.

          • Xunjin 2 days ago

            Does this kind of privacy policy they demand follow any law, or it's just their "you should do this way"?

            • mitch292 2 days ago

              I'm honestly not sure.

      • Xunjin 2 days ago

        Could you provide more details?

        • mitch292 2 days ago

          Added some additional details under another reply in the same thread!

  • mrweasel 2 days ago

    Consent-O-Matic can easily be configured to reject cookies.

    I suppose that technically you could also just remove the pop-ups, that means that you never agreed to anything and the site has no permission to place cookies on your computer.

    • shmoogy 2 days ago

      This is only true in Europe - it is not required by the US privacy laws and the default most companies deal with will be set to implicit allow

      • mrweasel 2 days ago

        I sort of assumed that companies wouldn't even show the cookie/tracking consent in areas where they are not legally required, but that's a good point.

        • queenkjuul 2 days ago

          My company puts the cookie banner everywhere and follows the "hiding the banner is not consent" pattern.

          Not because we're required, but because that's how the off the shelf cookie banner thing we use works, and better safe than sorry should a European access our US marketing site, I suppose.

          I always figured most of the popups would reject cookies if hidden, if for no other reason than that everyone is too lazy to modify the default behavior (and the default behavior is designed for EU regulations).

        • Orygin 2 days ago ago

          The law for cookie and privacy consent is (afaik) applicable to any EU citizen or resident, even if they are not currently located in the EU. That means if you do business in the EU, you have to show the banner for everybody because you cannot know if they are an EU citizen/resident from their IP alone.

      • GavCo 2 days ago ago

        Was an interesting experience travelling to Italy and suddenly starting to get cookie banners on sites I visit daily that normally don't have them.

  • leoxiong 2 days ago ago

    I never understood why the HTTP Do Not Track header wasn’t used to signal cookie preferences. It seemed like the perfect solution.

    • mananaysiempre 2 days ago ago

      You assume the problem was to determine the user’s preference in the most efficient way possible. The problem, instead, was to fool as many users into consenting as possible; and from that point of view, it is indeed rational to ignore any advisory signals and annoy the user so they want to just make the message go away.

    • charcircuit 2 days ago ago

      The issue is with how browsers implemented it. Instead of implementing it with a per domain granularity it was implemented as a global option. People may enable the option to block tracking from malicious parties, but may unknowingly block tracking from good companies. So now good companies would need to ask the user if they actually want tracking since they may accidentally be blocking it.

      • berkes 2 days ago ago

        No, the real problem was that it worked too well from the perspective of ad-tech and data-gatherers.¹

        It relied on the goodwill of those who run these services to i) invest some effort and money to detect the DNT headers and then ii) not collect/store the data of these requests.

        Back, when only a tiny portion of web-users would send these headers along, the industry was fine to implement it. If only for marketing purposes. But, as soon as they saw that it actually worked, the industry saw a threat to their revenues and stopped.

        I believe a DNT2.0 that's more granular could've been a basis for GDPR, but the GDPR refrained -rightfully so, IMO- from any implementation details. For one, the GDPR never once requires some "popup", it merely states that if you are an a*hole and collect data that you shouldn't and/or send that to other parties, you should at least ask consent to do so - the idea being that web-owners would then massively ditch these services so that they don't have to nag their users.

        And because the GDPR refrained from implementation details, the Ad- and surveillance industry adopted a "dark pattern" that annoys people to no end (the popups) so as to paint the GDPR in a bad light. This industry could've easily said "If we see a DNT header with level:x and domainmask:*, we'll assume NO to every tracking cookie and won't collect them". And the browser makers then could add some UI to allow users per-domain or global, or wildcard or whatever settings "set-and-forget". But alas, this industry is malicious at best and will annoy users to no end for their own agenda.

        ¹ edit: source: https://pc-tablet.com/firefox-ditches-do-not-track-the-end-o...
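
The two steps described in the comment above (detect the opt-out header, then decline to collect) look roughly like this on the server side. This is an added example, not part of any comment in this thread and not code from any project mentioned here; `DNT` and `Sec-GPC` are the real request header names, while the cookie names, the visitor id and the function names are hypothetical.

```javascript
// Added example. DNT and Sec-GPC are real request headers; the cookie
// names, the visitor id and the function names are hypothetical.

// Node's http module lower-cases header names, so look them up that way.
function optOutSignal(headers) {
  if (String(headers['sec-gpc'] || '').trim() === '1') return 'Sec-GPC';
  if (String(headers['dnt'] || '').trim() === '1') return 'DNT';
  return null; // header absent, "0", or unparseable: no opt-out signal sent
}

// Step i) detect the signal; step ii) set nothing that identifies the
// visitor when it is present. The session cookie is constructed sample data.
function cookiesFor(headers, visitorId) {
  const cookies = ['sid=constructed-session; HttpOnly; Secure; SameSite=Lax; Path=/'];
  if (optOutSignal(headers) === null) {
    const id = encodeURIComponent(visitorId);
    cookies.push(`visitor=${id}; Max-Age=31536000; Secure; SameSite=Lax; Path=/`);
  }
  return cookies;
}

// The analytics record keeps the coarse fields either way and drops the
// per-visitor identifier when the visitor opted out.
function analyticsRecord(headers, path, visitorId) {
  const signal = optOutSignal(headers);
  const record = { path, optOut: signal };
  if (signal === null) record.visitor = visitorId;
  return record;
}

// Request handler in the shape http.createServer() expects; `log` stands in
// for whatever store the analytics would be written to.
function handle(req, res, log = []) {
  const visitorId = 'v-constructed-123'; // constructed sample value
  log.push(analyticsRecord(req.headers, req.url, visitorId));
  res.setHeader('Set-Cookie', cookiesFor(req.headers, visitorId));
  // The response differs by these request headers, so caches must key on them.
  res.setHeader('Vary', 'DNT, Sec-GPC');
  res.end('ok');
  return log;
}
```

Nothing in either header forces this behaviour; the server has to choose to branch on it, which is the dependency on goodwill the comment points at.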

        • charcircuit 2 days ago ago

          >adopted a "dark pattern" that annoys people

          It's not a dark pattern, but actually is similar to terms of conditions and privacy policies that sites show. Requiring users to go through legal agreements sucks, but companies can't just ignore the law in order to make a better user experience.

          • berkes a day ago ago

            My website has no tracker nor any third party cookies so it doesn't need a cookie dialog. And even if I had some analytics that stays on prem, doesn't store or gather PII, I wouldn't need one.

            The first dark pattern, is that websites want to send all your PII and other data to other companies, and act as if this is normal.

            The second dark pattern is how they do this. They could just not track and share this data, but allow you to flip some setting if you really want them to gather and sell or share this data. No popup needed. Or one that has some big button "proceed" that denies all tracking and a tiny link "advanced settings" that allows opt in to tracking. Instead, their UX is the exact opposite. Sometimes with deliberate javascript to make the "nope" button not work, slow or clumsy.

        • orangecat 2 days ago ago

          > the GDPR refrained -rightfully so, IMO- from any implementation details

          I would disagree with this. If you're going to force bad actors to take actions that they don't want to, and you give them wide latitude to decide how to comply, then of course they're going to try to find ways to satisfy the letter of the law while avoiding the law's underlying goal.

          > surveillance industry adopted a "dark pattern" that annoys people to no end (the popups) so as to paint the GDPR in a bad light

          We should in fact blame lawmakers when they fail to anticipate the obvious consequences of their laws.

          > This industry could've easily said "If we see a DNT header with level:x and domainmask:*, we'll assume NO to every tracking cookie and won't collect them".

          If they were the type of people to do that, then they wouldn't have been doing the invasive tracking in the first place.

          The GDPR would be far better if it simply banned individualized tracking. It would be somewhat better if it explicitly specified that sites must honor browser headers and specified the exact UI to use when requesting permissions.

      • coldpie 2 days ago ago

        > tracking from good companies

        Say what?

        • berkes 2 days ago ago

          There's proper and good tracking possible just fine.

          Tracking to discover latency, errors, weird behaviour, malicious actors and so on.

          Tracking to see what content does well and what not.

          Tracking to see what rough demographics (mobile, desktop, country, region, time-of-day etc) visit your premises.

          E.g. plausible-analytics or even Matomo do a good job at i) keeping the data rough and broad and without any PII, and ii) storing the data on-premise rather than at commercial aggregators who will either re-sell or use it for own services.

          • sceptic123 2 days ago ago

            If it's not tracking the user then I don't understand what the problem is with DNT here

    • moebrowne 2 days ago ago
    • daveoc64 2 days ago ago

      >I never understood why the HTTP Do Not Track header wasn’t used to signal cookie preferences.

      You aren't really giving preferences related to cookies with these "cookie banners".

      The laws in the EU require companies to get user permission for certain types of data processing.

      Cookies may be involved in that, but they may not be.

      Browser features like local storage or session storage would also be covered, and a lot of processing done server-side without the use of cookies requires permission too.

      A single indicator like the DNT header or the newer GPC header can't cover all of this, so it isn't suitable for complying with the ePrivacy Directive or GDPR.

      • hedora 2 days ago ago

        It’s broken in the same way as do-not-stab. We tried that in my town, but people started slashing each other. One person got a big knife and kept it sheathed, then clubbed people with the handle.

        There’s clearly no way to indicate what sort of knife based assault is acceptable using a single indicator.

  • shwouchk 2 days ago ago

    I don’t get it. All browsers have a “do not track” toggle implemented.

    And still, we get consent banners. Wasn’t I clear when i said don’t track?

    • fshafique 2 days ago ago

      Wilfully ignored because I guess it's not mandated by law.

      You need someone powerful like Google to say they will lower Page Rank for sites that don't comply with the Do Not Track flag.

    • convolvatron 2 days ago ago

      when you say 'dont track', it seems like you could really mean 'dont not track', which would make more sense. since thats the safer option, maybe i should assume that. or maybe bring up a dialog that asks 'do you fail to consent to the lack of not tracking'

      • shwouchk 2 days ago ago

        yes, that’s what i thought. but then, what would be the point of rejecting anything, except to actively consent to something else?

  • HypnoticOcelot 2 days ago ago

    What's the difference between this and "I still don't care about cookies"[0]?

    [0] https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies

    • jauntywundrkind 2 days ago ago

      It rejects cookies & reduces how much you are tracked, rather than accepting all tracking & cookies.

      • graemep 2 days ago ago

        I don't care about cookies plus an extension that deletes frequently plus firefox container tabs will make tracking quite misleading.

        • jauntywundrkind 2 days ago ago

          My gut feeling is that this would be somewhat useful yes at shielding privacy. But even if you delete cookies every day, at least for me, that's a day of various advertisers tracking my motions across the web. And it also involves the inconvenience of losing the sign in cookies that are greatly convenient for me to have. For my own sake, I'd prefer not accepting unnecessary cookies.

          On a macro sense, I also feel like there's a virtue to making it clear to sites that no I don't want their unnecessary cookies. Exercising my right to opt out (actually I'm American I have no such rights in my state) is a clear & direct signal, one that I hope someday perhaps the majority of the world might exercise. At which point there's little value in keeping up this user-hostile practice. Just deleting my cookies does reduce their usefulness, but it's not as clear a sign; it could just as well be someone who doesn't have a secure personal device they can rely on. I'd rather make it clear that no, I'm explicitly rejecting the premise of your cookies.

          • graemep 2 days ago ago

            > My gut feeling is that this would be somewhat useful yes at shielding privacy. But even if you delete cookies every day, at least for me, that's a day of various advertisers tracking my motions across the web.

            Browsers mostly block third party cookies by default or have an option to let you do so, so it's only the site's own cookies that need to be deleted.

            > On a macro sense, I also feel like there's a virtue to making it clear to sites that no I don't want their unnecessary cookies.

            That gives them an incentive to find ways to track you, such as fingerprinting. Limited data might convince them that tracking data is of low value.

  • sneha_tamal 3 hours ago ago

    oh this feels like a must need for a person like me.

  • elashri 2 days ago ago

    > So the omission of an acceptance should be on par with an explicit rejection

    I know that it says "should" but how commonly is that practice followed by the websites? And in that case, wouldn't blocking the entire popups like ublock origin does become a better option than installing a new plugin?

    • queenkjuul 2 days ago ago

      My understanding (as was explained by my compliance department at work) is that per EU law, omission of acceptance is on par with rejection. Many off the shelf cookie consent plugins used by websites will default to this behavior (including the one my work uses, despite being a US company).

      Ublock does actually have an option to enable just hiding the popups.

      In theory though, there's nothing requiring websites to actually treat a hidden pop-up as a rejection in the US, so I guess it doesn't hurt to explicitly reject instead.

  • p_ing 2 days ago ago

    Consent-O-Matic is an extension that works fairly well and is cross browser.

    https://github.com/cavi-au/Consent-O-Matic

  • rizs12 2 days ago ago

    Can you release it for firefox too please?

  • rpgbr 2 days ago ago

    For those who use Safari, there's Hush: https://oblador.github.io/hush/

  • darajava 2 days ago ago

    Brave does this by default and it works flawlessly apart from on fairly obscure websites (a lot of obscure websites don't have cookie notices anyway).

    I don't know why more people don't use Brave - you can turn all the annoying crypto/ad stuff off and it never bothers you about it again.

    • queenkjuul 2 days ago ago

      I guess because Firefox doesn't make me turn off annoying crypto and ad stuff in the first place (plus I've been using it for like ten years now)

  • johncoltrane 2 days ago ago

    I --still-- don't care about cookies so I use https://chromewebstore.google.com/detail/i-still-dont-care-a....

  • imcritic 2 days ago ago

    I think the idea is poor: giving some answer is making a choice. I'd rather keep the site thinking I'm still choosing what to pick and have adblocker hide the crap.

  • mp3geek 2 days ago ago

    Rejecting all consents is just a webcompat disaster waiting to happen, "Why is embedded youtube video not working?", "Why is this social embedded not showing?".

  • jlpom 2 days ago ago
  • rozenmd 2 days ago ago

    I kind of like cookie banners, just to see which of the sites I frequent like to share my data with their 1957 partners.

  • dsr_ 2 days ago ago

    Back in the Matt's Script Archive days I would automatically reject anything written in PHP from serious consideration. Whatever it was, would inevitably be full of bugs, security issues, and either unmaintained or poorly maintained.

    These days, I apply the same filter to anything written with "vibe coding". If the nominal author didn't bother to write the code, I'm certainly not going to bother running it.

    I encourage my rivals and enemies (if any exist) to screech about how I will surely fall behind the zeitgeist and immediately fire all their devs in favor of six MBAs and a team of coops to be exploited ruthlessly.

  • pete1302 2 days ago ago

    In today's world, having a performant and robust (that can support extension) browser on widely used Platforms (iOS, Android) seems like a dream. Is it too much to ask for?

    • gear54rus 2 days ago ago

      Firefox is that browser. It's not on iOS but neither is any other browser that matters.

      • hedora 2 days ago ago

        Kagi browser for iOS supports Firefox and Chrome extensions.

        I’ve been running UBlock Origin and Privacy Badger. Planning to add a cookie consent denier after I type this.

  • gitroom 2 days ago ago

    cookie banners make me want to toss my computer out the window tbh - you think we'll ever get to a point where browsers just handle all this and i don't have to babysit buttons or install a million plugins?

    • troupo 2 days ago ago

      > you think we'll ever get to a point where browsers just handle all this

      1. The Do Not Track header set by browsers was used by sites to fingerprint and track users.

      2. World's largest tracking and advertising company is also making the world's most popular browser.

      and

      3. GDPR was adopted 9 years ago

      So the answer to your question is: no, they never will.

      Exhibit A: Google assumes Chrome is just another service to track you: https://x.com/dmitriid/status/1908951546869498085

      Exhibit B: Chrome's "more private web" sells your browsing data and behaviour by default: https://x.com/dmitriid/status/1664682689591377923

  • nashashmi 2 days ago ago

    What works on iOS mobile? That’s the ultimate limitation on customization.

  • exabrial 2 days ago ago

    The whole cookies law in EU is a prime example of government overreach and complete misunderstanding of how technology works.

    Imagine instead, if they legislated that a browser can merely be an html client, and not a spy tool for advertising companies.

  • PeterStuer 2 days ago ago

    All of this would not be necessary if the GDPR closed the "Legitimate Interest" loophole and enforced the one click rejection.

  • methuselah_in 2 days ago ago

    I guess firefox is missing

  • shav123 2 days ago ago

    nice, how do you know where to reject? is that a closed list?

  • m00dy 2 days ago ago

    A rule based approach alone is insufficient and lacks maturity. The solution must be capable of understanding the context of a given webpage and taking actions based on that understanding.

  • INTPenis 2 days ago ago

    I want a Firefox extension that will auto-accept all cookies.

    Because I already use Cookie Auto-Delete and I'm just sick of the question popping up. Stop nagging and give me all the cookies so I can delete them 5s after I close your tab.

    • Spare_account 2 days ago ago

      that is covered off in the article, for what it's worth

      • INTPenis 2 days ago ago

        Thank you! I just installed "I still don't care about cookies" in FF and this has improved my browser experience a lot!

        • hedora 2 days ago ago

          You could use ublock origin’s annoyance list for the same effect. Even better, you could use one of the ones that send “deny” listed elsewhere in this thread.

          Note that most tracking is possible without cookies these days, so deleting the cookies on exit (or even always running in a private tab) doesn’t do as much as it used to.