LWN: Comments on "Firefox and cookie micromanagement"

Firefox and cookie micromanagement

nye — Wed, 13 Apr 2016 17:00:58 +0000

>I also find that rejecting third-party cookies breaks surprisingly little.

Same. I've had third party cookies blocked since approximately forever, and I think the only breakage I've *ever* noticed that I was able to attribute to this was Disqus.

Firefox and cookie micromanagement

nye — Wed, 13 Apr 2016 16:55:40 +0000

>a combination of the "Vanilla Cookie Manager" extension, and setting all data to be evanescent. ("Keep local data only until you quit your browser.") When you close the last Chromium window, Vanilla kicks in, saves any cookies from sites you've whitelisted, and then Chromium nukes pretty much everything else

I don't see what you gain from the extension here. How is this any better than whitelisting them directly? It seems from what you've described like the extension adds an extra redundant step, which - as you point out - doesn't always even work.

Firefox and cookie micromanagement

flussence — Sun, 03 Apr 2016 20:01:34 +0000

Well now that you mention it, I could swap mouse3 with the mouse4/5 side buttons on this one... but browsers hardcode *those* to unload-this-page actions too. Maybe I'd be better off with a USB touchpad.

Firefox and cookie micromanagement

lsl — Fri, 01 Apr 2016 20:28:45 +0000

You should probably get a decent mouse that doesn't confuse the scroll wheel with the paste button. Unfortunately, those can be a bit hard (or expensive) to get these days. Still, worth every penny IMHO.

Firefox and cookie micromanagement

flussence — Wed, 30 Mar 2016 17:49:57 +0000

I'm slightly irked that middle click does *nothing* on ambient page content in Chromium, but I've used scroll wheels for long enough to know I don't want it to behave like a misclick in a shell window. It's one of the antifeatures I immediately turn off in other *nix browsers.

Firefox and cookie micromanagement

zdzichu — Tue, 29 Mar 2016 21:05:23 +0000

https://bugs.chromium.org/p/chromium/issues/detail?id=11612

Chromium was completely missing open-url-from-primary-selection-on-middle-click functionality. After some discussion they've implemented it when middle-clicking on ”new tab” button. It's half the fix – paste target was reduced from whole page into small button.

Firefox and cookie micromanagement

nix — Tue, 29 Mar 2016 19:27:33 +0000

For a time, after Aura became on by default on Linux, middle-button paste was indeed broken: see e.g. <https://crbug.com/319011>. It was fixed literally years ago.

Firefox and cookie micromanagement

flussence — Sun, 27 Mar 2016 17:30:33 +0000

Now I'm curious... what's it doing wrong? I've dumped other software over similar problems so I'd want to know if it was doing something stupid.

Also that tone is uncalled for. Chromium devs are *nothing* like the rockstar stereotypes of some “too big to fail” FOSS projects — if you could put forward your complaint in a reasonable way on their issue tracker they're likely to *fix* it; they certainly don't respond to anyone contributing their free time with the sheer rudeness I've witnessed elsewhere.

Firefox and cookie micromanagement

Seegras — Sun, 27 Mar 2016 15:40:19 +0000

It's not "a better browser" until fucking Chrome starts honouring the X selection paste.

Firefox and cookie micromanagement

MattJD — Thu, 24 Mar 2016 21:38:34 +0000

> It tends to accumulate a lot more data than Firefox does, especially site local storage, which I think is a Chrome-specific, cookie-like function.

Local storage is now a standard and most browsers implement it, including Firefox (source: http://caniuse.com/#feat=namevalue-storage ). It does act like cookies, but AFAIU it is more flexible to developers if you want to store large amounts of data in the browser. It also doesn't have the same recognition as cookies, so it isn't as likely to be blocked.

I don't know what the rules are on third-party storage like third-party cookies, so I don't know how well it can be used for tracking across sites. Inside a site, it definitely can.

Firefox and cookie micromanagement

ewen — Thu, 24 Mar 2016 20:11:28 +0000

I've used that feature for years. You don't get new questions every few seconds. Except when going to a site you've never been to before, and realising that the "use my answer for all cookies on this site" response is ignored for parallel requests that started before your first answer, forcing you to answer for every tracking cookie on every image, etc, of a site that just Really Really wants to track you. Otherwise it only questions periodically on visiting some new site, where mostly I don't want to be tracked, but sometimes cookies are needed to use the site (eg online store, or broken redirects). Off the top of my head it probably only comes up 1-2 times a day in normally use, and it's been like that for years.

Apparently I now have the window between the "new major version every n (n < 10) weeks" coming out and when the "LTS" version updates to drop this useful functionality to find a workable alternative. Which hopefully is not "surrender to being tracked everywhere" or "log into *all* sites again on browser restart" (I restart my browser fairly often to shed the cookies needed to make some sites work for any visit, as well as session login cookies for site that I want to be *really* sure I've logged out).

I guess I can feel validated in going with the "LTS" version to at least get *some* advanced notice of "breaks your work flow, sorry, not sorry" changes coming.

Ewen

Firefox and cookie micromanagement

mathstuf — Thu, 24 Mar 2016 20:00:27 +0000

Yeah, those need settings for "nope" too.

Firefox and cookie micromanagement

mcatanzaro — Thu, 24 Mar 2016 17:14:18 +0000

Fine-grained cookie configuration perhaps made sense 10 years ago when it was the only way for sites to store local data in your browser, but nowadays sites can use local storage or IndexedDB, which are much more powerful. In an age where sites can store a persistent SQL database in your browser, manually approving each cookie does not seem so useful anymore.

Firefox and cookie micromanagement

flussence — Thu, 24 Mar 2016 15:53:03 +0000

> The functionality was "unmaintained, bogus and not really nice to use on today's Web," he said.

Maybe they should take a look at Chrome's workflow for cookies (which they also use for Javascript); it has all the functionality one would expect from a browser that respects its users' privacy (and their right to not be forced to execute arbitrary code while web browsing).

After all, Google isn't an enemy or an evil thing, we should stop saying 'copying 20 more UI elements from Chrome each release is wrong...' — nothing wrong with that, it's just a better browser. ;)

Firefox and cookie micromanagement

anton — Thu, 24 Mar 2016 15:34:39 +0000

Silently diasabling privacy and security on upgrades seems to be a Firefox specialty. I disable JavaScript for security reasons (probably also helps privacy). Some time after a Firefox upgrade, I found that JavaScript was enabled again. And that's despite Firefox still being able to disable JavaScript (now through about:config).

Firefox and cookie micromanagement

malor — Thu, 24 Mar 2016 15:21:29 +0000

>"Accept cookies from sites", "Keep until I close Firefox", and putting lwn.net in the exceptions.

Huh, I'd have expected Firefox to genuinely purge things if I told it to purge them. That would have been an easier way to do it, but it seems to me that they're overloading the same control panel with two separate meanings, both allowing the cookies to originally be set, and then what happens when the browser closes.

Regardless, it's the underlying disrespect that drove me away. What I'm *really* objecting to is the absolutely shoddy way the feature removal was handled. After all the rather shitty things they've done over the last year or two, I don't trust Mozilla anymore. I'm pretty sure they're not serving me, and even if I could duplicate my existing setup in a faster and better way, that doesn't restore my trust. I can't count on that team to honor my wishes. Silently ignoring a security/privacy setting like that is extraordinarily bad form. I could have coped with a feature removal, but I can't cope if they hide the change.

I'd also make two observations that you might want to consider. First: are you sure that the cookies aren't being preserved? Because my settings were still all Allow For Session, but they weren't being purged. You might have a ton of cookies you don't know about.

And, second: how confident are you that they'll continue to honor that setting? How do you know they won't silently change that, too?

Firefox and cookie micromanagement

james — Thu, 24 Mar 2016 14:18:59 +0000

I still get exactly the same effect you got by choosing the preferences "Accept cookies from sites", "Keep until I close Firefox", and putting lwn.net in the exceptions. And then I don't have to click anything while browsing, and it still works on Firefox 45.

I also find that rejecting third-party cookies breaks surprisingly little.

Firefox and cookie micromanagement

jwakely — Thu, 24 Mar 2016 11:40:32 +0000

I used the "ask me every time" feature for many years, but had to give up because it was broken for the best part of a decade and could render your firefox unusable for several minutes while you tried to find the cookie dialog that had focus and close it (https://bugzilla.mozilla.org/show_bug.cgi?id=420155, https://bugzilla.mozilla.org/show_bug.cgi?id=515521). Given the history of those bugs I'm not surprised to see that the feature was simply dropped, rather than fixed.

I switched to the Self Destructing Cookies add-on instead, so I no longer have to care about the brokenness, or absence, of the "ask me every time" option.

Firefox and cookie micromanagement

malor — Thu, 24 Mar 2016 09:35:53 +0000

OK, it was this specific issue that finally made me drop Firefox, when I'd been a user since before it was even called that. (I thought about going to the physical Mozilla launch party; I didn't go, but I did think strongly about it.)

First, this objection is baseless:

The underlying assumption here is that it is possible for a user to assess whether you should accept a cookie based on the modal dialog. That is fundamentally not the case because you cannot know a-priori whether that cookie is used "just" for tracking or for login functionality.

Here's how I used the feature. I clicked Allow for Session, always. And I'd check the 'do the same for all cookies from this site'. This meant that essentially all websites worked perfectly, but their cookies evaporated when I closed the browser. The next time I visited them, I'd be all shiny new, and I wouldn't have to click anything. Their cookies would be evanescent. No matter how many times I returned, I'd be a brand-new user on each visit. My experience would be basically identical to what someone with permanent cookies would see, but then all the local tracking data went poof. This was a great feature.

In the rare case where I actually did need a website to retain data, like my login cookies for lwn, then I'd just Allow. Very occasionally, I decided I wanted to stay logged in on a site after using it for awhile, and in those cases, I'd go into the config pages, and change that site's settings to Allow. This was a little painful, but happened so rarely that it wasn't much of a hassle.

So: my use case was perfectly tuned to the feature, and its removal meant I ended up accumulating tracking cookies for weeks before I noticed. They didn't just stop asking, they also silently stopped honoring the underlying settings. I actually spotted it when I went into settings to explain to someone how to duplicate what I was doing, and realized that I no longer could. (I hadn't noticed that the popups had stopped, because I got so few of them anymore.)

And this absolutely infuriated me. This struck me as the heart of what's wrong with modern Mozilla; user welfare has been pushed way down their priority list. They're jamming crap down my throat that's not good for me, and isn't for my benefit. Rather, they're pushing things that are good for Mozilla, like that Pocket payware abscess. The fundamental disrespect in just silently ignoring a privacy setting.... god, that's just so blatantly rude. It was good for them, but it was sure as heck not good for me.

I mean, couldn't they have freaking deprecated it for a release? Every time I blink they've got a new version. Surely they could have given me a warning message that the feature was going away in the following release, six entire weeks later. Ideally, they should have given me an alternate method, and converted my existing settings. But, even if they didn't want to invest that much engineering time, they couldn't be arsed to implement a popup for a couple revs so we'd know about the problem? Instead of taking the time to analyze things properly, they explicitly decided to ignore my carefully expressed wishes without any warning whatsoever.

I used to love Mozilla, but I no longer believe that's mutual. And I was a paying customer, after a fashion, donating money at the end of each year. I gave more money to Mozilla than I gave to freaking Consumer Reports. No more; I'm on Chromium now.

It was pretty hard to get the same 'almost everything goes away' setting in Chromium. It tends to accumulate a lot more data than Firefox does, especially site local storage, which I think is a Chrome-specific, cookie-like function. Fortunately, I found a nice workaround: a combination of the "Vanilla Cookie Manager" extension, and setting all data to be evanescent. ("Keep local data only until you quit your browser.") When you close the last Chromium window, Vanilla kicks in, saves any cookies from sites you've whitelisted, and then Chromium nukes pretty much everything else except history, which, sadly, has to be manually erased. There is a bug there, though: Vanilla doesn't seem to trigger if you choose the Quit option from the pulldown menu, so if you quit that way, your permanent cookies will be lost. (I wanted to report the bug, but the author is explicitly uninterested in bug reports: he says that he will accept only pull requests on Github. I don't think that's working very well, because at least when I last looked, it's had no activity for ages.)

I'm pretty comfortable, these days. The set of extensions I settled on: Alternate Tab Order (so tabs open like they do in Firefox), uBlock Origin, uMatrix (also from gorhill: an absolutely SUPERB noscript-style utility), and Tampermonkey, to run some user scripts that Chromium won't run natively. And I'm real happy. I used Firefox since before it was Firefox, and they finally drove me away. And their market share drops another 0.00001%.

It just makes me terribly sad. I once loved Mozilla. I gave them money. But I'm no longer convinced they're on my side. This was so poorly handled that my trust in them was finally broken, and I don't think they can get it back.

Firefox and cookie micromanagement

pabs — Thu, 24 Mar 2016 06:29:08 +0000

Unfortunately the changes also *broke* some cookie management plugins, Cookie Monster for example.