|
|
Subscribe / Log in / New account

Firefox and cookie micromanagement

Firefox and cookie micromanagement

Posted Mar 24, 2016 9:35 UTC (Thu) by malor (guest, #2973)
Parent article: Firefox and cookie micromanagement

OK, it was this specific issue that finally made me drop Firefox, when I'd been a user since before it was even called that. (I thought about going to the physical Mozilla launch party; I didn't go, but I did think strongly about it.)

First, this objection is baseless:

The underlying assumption here is that it is possible for a user to assess whether you should accept a cookie based on the modal dialog. That is fundamentally not the case because you cannot know a-priori whether that cookie is used "just" for tracking or for login functionality.

Here's how I used the feature. I clicked Allow for Session, always. And I'd check the 'do the same for all cookies from this site'. This meant that essentially all websites worked perfectly, but their cookies evaporated when I closed the browser. The next time I visited them, I'd be all shiny new, and I wouldn't have to click anything. Their cookies would be evanescent. No matter how many times I returned, I'd be a brand-new user on each visit. My experience would be basically identical to what someone with permanent cookies would see, but then all the local tracking data went poof. This was a great feature.

In the rare case where I actually did need a website to retain data, like my login cookies for lwn, then I'd just Allow. Very occasionally, I decided I wanted to stay logged in on a site after using it for awhile, and in those cases, I'd go into the config pages, and change that site's settings to Allow. This was a little painful, but happened so rarely that it wasn't much of a hassle.

So: my use case was perfectly tuned to the feature, and its removal meant I ended up accumulating tracking cookies for weeks before I noticed. They didn't just stop asking, they also silently stopped honoring the underlying settings. I actually spotted it when I went into settings to explain to someone how to duplicate what I was doing, and realized that I no longer could. (I hadn't noticed that the popups had stopped, because I got so few of them anymore.)

And this absolutely infuriated me. This struck me as the heart of what's wrong with modern Mozilla; user welfare has been pushed way down their priority list. They're jamming crap down my throat that's not good for me, and isn't for my benefit. Rather, they're pushing things that are good for Mozilla, like that Pocket payware abscess. The fundamental disrespect in just silently ignoring a privacy setting.... god, that's just so blatantly rude. It was good for them, but it was sure as heck not good for me.

I mean, couldn't they have freaking deprecated it for a release? Every time I blink they've got a new version. Surely they could have given me a warning message that the feature was going away in the following release, six entire weeks later. Ideally, they should have given me an alternate method, and converted my existing settings. But, even if they didn't want to invest that much engineering time, they couldn't be arsed to implement a popup for a couple revs so we'd know about the problem? Instead of taking the time to analyze things properly, they explicitly decided to ignore my carefully expressed wishes without any warning whatsoever.

I used to love Mozilla, but I no longer believe that's mutual. And I was a paying customer, after a fashion, donating money at the end of each year. I gave more money to Mozilla than I gave to freaking Consumer Reports. No more; I'm on Chromium now.

It was pretty hard to get the same 'almost everything goes away' setting in Chromium. It tends to accumulate a lot more data than Firefox does, especially site local storage, which I think is a Chrome-specific, cookie-like function. Fortunately, I found a nice workaround: a combination of the "Vanilla Cookie Manager" extension, and setting all data to be evanescent. ("Keep local data only until you quit your browser.") When you close the last Chromium window, Vanilla kicks in, saves any cookies from sites you've whitelisted, and then Chromium nukes pretty much everything else except history, which, sadly, has to be manually erased. There is a bug there, though: Vanilla doesn't seem to trigger if you choose the Quit option from the pulldown menu, so if you quit that way, your permanent cookies will be lost. (I wanted to report the bug, but the author is explicitly uninterested in bug reports: he says that he will accept only pull requests on Github. I don't think that's working very well, because at least when I last looked, it's had no activity for ages.)

I'm pretty comfortable, these days. The set of extensions I settled on: Alternate Tab Order (so tabs open like they do in Firefox), uBlock Origin, uMatrix (also from gorhill: an absolutely SUPERB noscript-style utility), and Tampermonkey, to run some user scripts that Chromium won't run natively. And I'm real happy. I used Firefox since before it was Firefox, and they finally drove me away. And their market share drops another 0.00001%.

It just makes me terribly sad. I once loved Mozilla. I gave them money. But I'm no longer convinced they're on my side. This was so poorly handled that my trust in them was finally broken, and I don't think they can get it back.

to post comments

Firefox and cookie micromanagement

Posted Mar 24, 2016 14:18 UTC (Thu) by james (subscriber, #1325) [Link] (2 responses)

I still get exactly the same effect you got by choosing the preferences "Accept cookies from sites", "Keep until I close Firefox", and putting lwn.net in the exceptions. And then I don't have to click anything while browsing, and it still works on Firefox 45.

I also find that rejecting third-party cookies breaks surprisingly little.

Firefox and cookie micromanagement

Posted Mar 24, 2016 15:21 UTC (Thu) by malor (guest, #2973) [Link]

>"Accept cookies from sites", "Keep until I close Firefox", and putting lwn.net in the exceptions.

Huh, I'd have expected Firefox to genuinely purge things if I told it to purge them. That would have been an easier way to do it, but it seems to me that they're overloading the same control panel with two separate meanings, both allowing the cookies to originally be set, and then what happens when the browser closes.

Regardless, it's the underlying disrespect that drove me away. What I'm *really* objecting to is the absolutely shoddy way the feature removal was handled. After all the rather shitty things they've done over the last year or two, I don't trust Mozilla anymore. I'm pretty sure they're not serving me, and even if I could duplicate my existing setup in a faster and better way, that doesn't restore my trust. I can't count on that team to honor my wishes. Silently ignoring a security/privacy setting like that is extraordinarily bad form. I could have coped with a feature removal, but I can't cope if they hide the change.

I'd also make two observations that you might want to consider. First: are you sure that the cookies aren't being preserved? Because my settings were still all Allow For Session, but they weren't being purged. You might have a ton of cookies you don't know about.

And, second: how confident are you that they'll continue to honor that setting? How do you know they won't silently change that, too?

Firefox and cookie micromanagement

Posted Apr 13, 2016 17:00 UTC (Wed) by nye (subscriber, #51576) [Link]

>I also find that rejecting third-party cookies breaks surprisingly little.

Same. I've had third party cookies blocked since approximately forever, and I think the only breakage I've *ever* noticed that I was able to attribute to this was Disqus.

Firefox and cookie micromanagement

Posted Mar 24, 2016 15:34 UTC (Thu) by anton (subscriber, #25547) [Link]

Silently diasabling privacy and security on upgrades seems to be a Firefox specialty. I disable JavaScript for security reasons (probably also helps privacy). Some time after a Firefox upgrade, I found that JavaScript was enabled again. And that's despite Firefox still being able to disable JavaScript (now through about:config).

Firefox and cookie micromanagement

Posted Mar 24, 2016 21:38 UTC (Thu) by MattJD (subscriber, #91390) [Link]

> It tends to accumulate a lot more data than Firefox does, especially site local storage, which I think is a Chrome-specific, cookie-like function.

Local storage is now a standard and most browsers implement it, including Firefox (source: http://caniuse.com/#feat=namevalue-storage ). It does act like cookies, but AFAIU it is more flexible to developers if you want to store large amounts of data in the browser. It also doesn't have the same recognition as cookies, so it isn't as likely to be blocked.

I don't know what the rules are on third-party storage like third-party cookies, so I don't know how well it can be used for tracking across sites. Inside a site, it definitely can.

Firefox and cookie micromanagement

Posted Apr 13, 2016 16:55 UTC (Wed) by nye (subscriber, #51576) [Link]

>a combination of the "Vanilla Cookie Manager" extension, and setting all data to be evanescent. ("Keep local data only until you quit your browser.") When you close the last Chromium window, Vanilla kicks in, saves any cookies from sites you've whitelisted, and then Chromium nukes pretty much everything else

I don't see what you gain from the extension here. How is this any better than whitelisting them directly? It seems from what you've described like the extension adds an extra redundant step, which - as you point out - doesn't always even work.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds