
Google Removes Cookie Control from Chrome - all
http://lauren.vortex.com/archive/000763.html
======
mtigas
tldr: Author is referring to the ability to enable the "ask me every time a
site wants to set a cookie" prompt ( _a la_ Firefox). Looks like this has been
disabled in the latest Chrome nightly. FUD, etc.

However: In general, cookie controls are still _entirely there_ , so I'm
positive that specific feature is what they're referring to. I use an
extensive cookie domain blocklist and that's all there and functional. (I've
never used said "ask me every time" feature in Chrome, but I went through a
phase of using that on Firefox.)

\-----

UPDATE:

Found the relevant checkin:
<https://code.google.com/p/chromium/issues/detail?id=51375>

Looks like the previous behavior can be re-enabled via the "--enable-cookie-
prompt" command line argument.

Perhaps support for re-enabling that by default should go in that bug (or a
new one that references it)?

~~~
lionhearted
> I use an extensive cookie domain blocklist and that's all there and
> functional.

Care to share a rough overview of sites you're blocking, and a little of your
reasoning? I tried putting fairly restrictive settings on Firefox one time to
see how browsing differed - I noted a lot of sites didn't work without
explicit permissions, so that's sort of a hassle. Beyond that, is it privacy
considerations? Do you work in a field that you wouldn't want your browsing
habits logged and cross-referenced? Vagueness on answer is ok, I'm just kind
of curious what your reasoning is, and if there's any utility to me building
some kind of blocklist for myself.

~~~
stanleydrew
I know you weren't asking me, but I have a similar setup. I block everything
by default and only enable specific cookies when necessary for functionality.
Same with javascript, which Chrome makes pretty easy. I don't have any
specific reason except that it feels cleaner not to send a bunch of data over
the wire that isn't really necessary.

~~~
joey_bananas
So, how do you do that then? Some extension I assume?

~~~
stanleydrew
Nope, the functionality's just built into Chrome. It's actually really easy
and convenient.

------
thezilch
Title here and there are a bit misleading. My hope is Lauren has simply missed
the cookie icon, in his location bar.

Running 7.0.536.2 (dev), in the cookie settings, I can set Chrome to "Block
sites from setting any data." Now, upon browsing to a site attempting to set,
in the URL (location) bar is a cookie with an "X" overlaid -- similar in style
to the padlock with an "X" when an HTTPS URI is using an unsigned SSL cert.
Clicking on the cookie presents me with the list of "cookies and other site
data." Each can be selected and "Allowed" or "Allowed for session only."

The claim that one needs to allow "willy-nilly" or only having the option of
"manually entering cookie exceptions into tables," these are just hand-waving.
I'm not sure what more is needed; I certainly don't want popups for every
cookie without my taking action.

~~~
ck2
What about third party cookie control which is important?

I barely use chrome but I know firefox has a toggle for this.

~~~
thezilch
While I'm not familiar with which Firefox controls you are referencing, the
following is a shot of the cookie+"X" and the impending modal for selecting
0..n cookies and site data to be allowed indefinitely or for this session
alone:

<http://i.imgur.com/va1xW.png>

~~~
Tichy
Key thing is really to disallow third party cookies, as that (among other
things) is what is being used to track you by all the advertisers, spammers,
Facebookers and so on out there.

~~~
flipbrad
what will the response to this be? Could the site host set a cookie that then
(from the server) is read and the content reported directly to the advertiser?

~~~
DennisP
Sure. But a third-party cookie does more than track your activities on the
site that gave it to you. If you get a DoubleClick cookie, then DoubleClick
will be able to track you on every site that runs DoubleClick ads. Ie.,
they'll be able to tell that the same computer is hitting all these sites.
This lets them target ads to you based on your whole history across all
DoubleClick-serving sites, and to market your profile to their customers.

------
js2
Relatedly:

 _Ultimately, the problem is that blocking third-party cookies doesn't really
buy you much (if any) privacy from folks who are motivated to track you. On
the other hand, blocking third-party cookies does break some real use cases
about federated identity and web sites that span more than one host name.

We decided to keep the option because it make some of our users happy, but we
decided not to make it the default because we don't think the trade-off is
advantageous for the majority of users.

If you'd like more information about this topic, you might be interested in
reading this paper:

<http://crypto.stanford.edu/safecache/sameorigin.pdf> _

From <http://code.google.com/p/chromium/issues/detail?id=51031>

------
stretchwithme
The author says google is pushing out new versions of the browser
automatically now. I was pretty sure I didn't enable the automatic updating
feature but when I checked "About Chrome", I was informed that the browser had
been updated. Seems to be no way to disable this either. Am I missing
something?

~~~
aj
Yes, that is a feature that Google has hardcoded into Chrome. You CANNOT
disable auto-updates or even make it so that you are asked for confirmation.

~~~
masklinn
Of course you can (disclaimer edition note: but it's not necessarily for the
faint of heart, and isn't officially supported. On their updater and update
policy, Google manages to be worse than Apple on Windows, which is already
pretty fucking bad).

1\. On Windows and OSX (at least), the actual updating is performed by a
single service running in the background for all Google applications (the
Google Updater). This service is installed and/or activated by all Google
applications, every time you install them (or run them, in OSX, not sure for
Windows). I'm sure you can find how to do the same in Windows but my know-how
is not good enough, but in OSX you can disable GUS forever by uninstalling it,
emptying its directory and then setting it write-only. This way, it's not
possible for GUS to be reinstalled.

2\. A good enough outbound firewall (I'm partial towards Little Snitch on OSX)
will allow you to block connections to the update server, and make GUS unable
to query it, and therefore to update Chrome without your consent.

~~~
barrkel
On Windows, Autoruns from SysInternals ([http://technet.microsoft.com/en-
us/sysinternals/bb963902.asp...](http://technet.microsoft.com/en-
us/sysinternals/bb963902.aspx)) works fairly well for finding out about these
things that happen automatically, and disabling them, as easy as unchecking a
checkbox. There's at two categories relevant to googleupdate:
CurrentVersion\Run, and Task Scheduler.

~~~
barrkel
Too late to edit: there's a third one, in Services, on my machine
gupdate1ca54[more hex digits] - it also links to googleupdate.exe.

------
LaurenWeinstein
Addendum -- I was unable to see any change from adding the specified command
line argument, at least with 7.0.517.24

Any contradictory reports? Thanks.

------
jrockway
Summary: "I noticed a bug in the latest Beta version of Chrome. I know Beta
versions are 100% stable and never have bugs, though, so I assume this is some
conspiracy by Google to ruin my life or something. Two more pages of whining
about this."

I wish everyone contributed to open source projects, so they would know when
to blog and when to file a bug report.

~~~
kelnos
There's actually an issue on Chromium's tracker that suggested removing this
feature (which was then closed as implemented). See link somewhere in the
comments.

------
LaurenWeinstein
Hi all. The original blog post on this topic is mine.

Let's assume you're a very "privacy conscious" person who only accepts cookies
for sites where you feel they are necessary -- say ones where you're going to
login, or you really want to read articles there and you can't without the
cookies, or whatever. Under Firefox (and Chrome under the old modality) your
cookie setting choice was "Block but notify on new cookies."

Under the old model, when you first tried to access that site, create an
account, login, register, etc., you'd get the initial pop-ups that you needed
to respond to, that made it very clear that there were cookies involved now
_that you might want to accept_. This is in fact a modal decision, because not
accepting those cookies at that point will have consequences (like
registration sequences that keep repeating, login prompts that won't accept
your input, and so on).

Now the new model. As you browse the Web the little cookie icon is constantly
popping up in the bar. Sometimes it shows clear and sometimes it shows blocked
-- but after a while you're just going to ignore it as you go flying from page
to page. There's nothing in that icon to alert the user that they've reached
an important decision point about an initial cookie from a site. Even if they
think to click that icon at the right moment on a new site, they have to do
more clicking to dig down into the cookie management system to accept it if
they wish to.

Old model: You're on a page where you want to login. You get a pop-up that
there's a cookie. One click on Yes. Finished. Easy to do, and impossible to
miss that there's a key decision point.

You really do want people to make a go/no-go decision on initial cookies from
sites, and not create a situation where they can easily go winging by those
initial cookies and have them fall into a default blocked state -- since the
consequences of doing this are a mess and require going in and deleting cookie
blocks manually.

It's really initial presentation of first cookies on a new site (when the user
is defaulting to blocking cookies) that is the major concern. In that
situation, the user _should_ be presented with a modal choice so that they
cannot easily miss the fact that they are at an important "exception" decision
point -- that is, accepting a cookie when their default is not to accept all
cookies.

And remember, by not choosing the simpler "accept all cookies" option, the
user has already demonstrated that they have concerns in this area, and are
likely to be very accepting of UI sequences that make it easier for them to
function within that choice with a minimum of confusion or risk of not
noticing new initial cookie decisions for a site.

Sorry about any formatting nasties in this response -- I copied most of it in
from a text-based e-mail.

Thanks.

\--Lauren-- lauren@vortex.com <http://lauren.vortex.com>

------
btilly
This smells like a bug.

Has he tried reporting it to <http://crbug.com>?

------
wooptoo
Is it me or Google is slowly turning evil?

------
barrkel
I'm starting to get the impression that Chrome is the browser for inept
people, and that if you want good control over the browser behaviour, it's not
a good choice. Chrome's responsiveness to public feedback is similar to
Google's responsiveness, i.e. not responsive at all, and tends to
authoritarianism.

My worry is that Firefox may take too much of a lead from it, and similarly
start removing features.

~~~
bradgessler
Cookie management is kind of a tin-foil hat feature that is already served by
Incognito mode. For the more technically inclined that really care, there are
switches to turn on cookie management (and no doubt third party extensions)

~~~
dhess
As far as I can determine, Incognito mode just creates a 2nd sandbox for
cookies and history that's shared across all Incognito tabs/windows, and is
only deleted once you close them all. Cookies you create in one Incognito tab
or window are visible to all other Incognito tabs/windows, just as cookies
created in plain tabs/windows are visible to all other plain tabs/windows. So
if you go into Incognito mode and browse there for a few hours, soon you've
got a bunch of cookies that are following you around the Internet until you
close all your Incognito tabs. In my case, I have Chrome set up to delete all
cookies on exit, so Incognito doesn't buy me much: I might as well just quit
the browser and restart.

If Incognito mode worked in such a way that each _tab_ were its own cookie
sandbox, then I'd be reasonably satisfied with it as a cookie management
solution, but as it stands, it's not good enough. (Because each tab is a
separate process in Chrome, one would think that it would be reasonably easy
to support that behavior.) In lieu of that, what I'd really like is a Chrome
extension like Firefox's CookieSafe, where I can block all cookies by default
and then whitelist them back in on a site-by-site basis, but nothing like that
exists at the moment.

For now, the best I can do is the Tab Cookies extension, which removes a
domain's cookies once you close the last tab that's browsing the domain. For
my purposes, it's inferior to both of the other solutions I mentioned (per-tab
sandboxing and whitelisting), but at least I can keep my footprint reasonably
small, as long as I'm diligent about closing tabs.

~~~
stanleydrew
> what I'd really like is a Chrome extension like Firefox's CookieSafe, where
> I can block all cookies by default and then whitelist them back in on a
> site-by-site basis, but nothing like that exists at the moment.

Wait what? That functionality is built into Chrome, and you configure it in
the same place that you toggle deletion of all cookies on exit. What you
describe above is exactly how I browse in Chrome. No extension necessary.

~~~
RK
There's really a night and day difference between CookieSafe style cookie
management and what Chrome offers in terms of usability. CookieSafe is much
nicer and no Chrome extensions seem to offer anything similar.

~~~
stanleydrew
I haven't used CookieSafe but I have no doubt that its functionality is more
advanced than Chrome's built-in options. Chrome doesn't expose the internal
APIs required to control Cookie functionality to the extension system. So
we're "stuck" with that Chrome gives us, which is more than good enough for my
needs.

