All sites should run in containers and no advertiser should be able to track you across sessions. When I want 3rd party interaction, I should need to opt in and connect the current site with Facebook or some other 3rd party.
As much as I hate third party cookies, turning them on drastically simplifies the captcha solving process. So much so, I now use a separate browser profile with third party cookies allowed, just for the sake of captcha heavy sites.
Given that Google benefits by tracking my activities and free labor from my captcha solving, they will always punish privacy conscious users via such dark patterns.
The pessimist in me thinks that if a browser were to disallow third party cookies, users might simply switch to a different browser that does allow them.
— Essentially off: Challenges only the most grievous offenders
— Low: Challenges only the most threatening visitors
— Medium: Challenges both moderate threat visitors and the most threatening visitors
— High: Challenges all visitors that have exhibited threatening behavior within the last 14 days
— I’m Under Attack!: Should only be used if your website is under a DDoS attack (Visitors will receive an interstitial page while we analyze their traffic and behavior to make sure they are a legitimate human visitor trying to access your website)
I think a lot of companies set it to "High" and forget about it, not realizing that it's ruining the experience for a lot of users.
It's very good at blocking malicious traffic though and it's totally worth losing a pair of users for that.
That needs to bring everybody to the same table, Firefox will not do that alone and Google Chrome is not there for nothing.
Basically, Google must accept the proposal of disabling third-party cookies by default which will effect their income negatively, so they may just refuse to implement that feature for Chrome and even may prevent that feature from become a standard.
Kinda hard to find though.
I make no claim that the above is a good idea. It is possible, but it strikes me there are unintended consequences that I won't think of.
I've been accused of being a bot before also.
It feels like Google is using me as a mechanical turk to solve their autonomous car rubbish, which will make them millions, and I have no choice but to do it, or I'm barred from the sites I need to access. It's profoundly despicable, as if I didn't hate Google enough already.
That explains why the majority of ReCaptchas I get are along the lines of "Click the squares that contain a street sign" or "Click the squares that contain a bicycle."
And now people seem to enjoy reimplementing all the internet protocols on top of HTTP. The world has gone mad. I'm going to get a "gopher should've won" tatoo and live in as an hermit on some nearby mountain.
I'm glad that there appears to be a lot of discussion surrounding internet privacy lately, including in the mainstream. However I think that focusing all the discussion of Facebook is becoming counter-productive. Facebook exploited the weaknesses of the web very successfully but it only exploited tools that existed long before it was created. I have absolutely no illusion that Google & friends are doing pretty much the same thing, and if you have an Android phone the amount of info Google can harvest is nothing short of terrifying when you think about it from an Orwellian perspective. Don't miss the forest for the Facetree.
Assuming that internet giants will adhere to some "code of conduct" is naive at best. "Do no evil", yeah right. We let them have to tools to do these things, we need to pry some of them away from their hands through technology and regulation (probably in that order).
I wonder why you say that. I concede that web has evolved from no-security in the 90s, when random applets and ActiveX controls were 1-click away from rooting your machine, through faulty security in 2000s, where stack smashing IE was a hobby of mine, and up to the current era of sandboxes. Which do work, sandbox evasion zero days have become very rare and remote execution has largely ceased to be an infection vector against the masses.
The problem with 3rd party tracking is not technological, the web was deliberately engineered to work in this manner. The browsers work exactly as specified, and that specification is the problem. It's compounded then as a political problem, where major browser investment are controlled by advertising companies that have a massive conflict of interest regarding the users privacy, and are likely to promote bandaids like "Do not track" instead of the fundamental privacy re-engineering the web urgently requires.
> The world has gone mad. I'm going to get a "gopher should've won" tatoo and live in as an hermit on some nearby mountain.
When I'm thinking like this is usually a sign of age. Hang in there buddy, we'll be fine. There is a promised land just around the corner with rich, secure web applications and strong privacy. If only everybody agreed we want it.
I consider that the widespread fingerprinting and user tracking is a form of sandbox evasion but I agree that it goes way beyond JS. The only identifying info that ought to be sent to some website by default is your IP address since it's necessary to actually send you back the data. Having the size of my view port, the version of my browser and OS, the type of video codecs I support and other shenanigans shouldn't leave my browser without my consent. The problem is that I can easily spoof most of my browser's info but JS makes it almost impossible to sanitize everything.
>The problem with 3rd party tracking is not technological, the web was deliberately engineered to work in this manner. The browsers work exactly as specified, and that specification is the problem
How is that not a complete contradiction? I'm not saying it's a bug, I know very well it's just a huge dump of features that keeps pouring in year after year. I'm just saying that web standards are the embodiment of "we were so preoccupied with whether or not we could that we didn't stop to think if we should".
IMO there are broadly two different use cases for the web currently: Web applications like Google Docs on one hand and glorified PDF reader for mostly static content like HN, internet forums, news websites, Wikipedia etc... on the other. Web Apps are the part that require this ridiculous complexity to expose rich content. That's the stuff you'd use Java applets, XUL, Flash or ActiveX for in the past. Those apps could be whitelisted on a site-by-site basis in the same way that you install an app on your smartphone for instance. You know that you expose yourself to bugs and privacy leakages but you know what you're in for.
99% of the websites I browse everyday don't expose any functionality that ought to require any form of interactive scripting or advanced features beyond displaying text and images (and maybe video). Yet my browser will gladly let them access all these advanced APIs by default, load custom fonts, let them run code on my GPU, make 3rd party requests, mine cryptocurrencies... That's just ridiculous.
The safest code is code that doesn't run.
>When I'm thinking like this is usually a sign of age
Come on, we're not old, we're wise! At least I hope so...
We're so deep in this that a first party isolation would break almost every single website. In a cooperation with Tor, Mozilla actually ported the first-party isolation feature in mainstream Firefox (available in Nightly, don't know about stable), but since it would break almost every single website, there are no plans to turn it on by default. You can, of course, enable it yourself by turning on "privacy.firstparty.isolate" in about:config.
Disclaimer: I'm a Mozilla Foundation affiliate that has nothing to do with Mozilla Corporation nor Firefox.
What I proposed above is that we introduce an opt-in feature: before the browser is allowed to connect to 3rd parties (in the tracking and cookie sense), the user needs to opt-in, for example by clicking in a notice window displayed at the corner of the browser window. Instead of nagging every user of every site that "This site is using cookies", developers should nag only when connecting to other applications, using a standardized browser API. After sometime from standardization, you can roll out this functionality to all users and nothing legitimate would break.
There should be no presumed used consent - because there really is none, the outcry against Facebook and advertiser tracking shows people don't expect the web to work the way it does.
First-Party Isolation (FPI) did have the highest breakage scores: ~18-19% of users reported problems with it, and 9-10% of FPI users disabled the study.
Those are low relative numbers, but at entire-market scale, they are big absolute numbers. :/
I think the stats are iffy because a lot of the breakages are things I would want broken.
Using the extention: https://addons.mozilla.org/en-US/firefox/addon/first-party-i...
Is there any plan to create an exceptions mechanism? "Allow Facebook access to your activities on this webpage?" or something like that?
While we are at it, I keep wondering (in a strictly SSL world) if it would be a good idea to restrict CORS calls only to sites using the same certificate as the webpage. Would make life easier for folks like facebook.com making CORS to fb-blablabla.fbcdn.com.
Basically, you couldn’t do it without breaking a large part of the internet.
Firefox just blocks them. Safari blocks them unless you visited that site in a first-party context. Shipping the thing Firefox implements breaks a lot more than what Safari ships.
So for example, if you visited facebook normally, third-party Facebook cookies won't get blocked in Safari.
Firefox _could_ ship the same thing as Safari. The upshot is entrenching existing monopolies, because only big enough players are then able to track you via third-party cookies.... This is the main reason Firefox hasn't done this, as far as I know.
Disclaimer: I work on Firefox, but not on the cookie bits.
Apple can do this, because they have a limited yet consistent market share that mostly consists of their own customers.
But Firefox? If they block third-party cookies and Chrome does not, they might just end up losing even more users.
Websites can be changed to work without third party cookies. I'm blocking cookies since years and I have come across less than 10 sites that require it. When that happens, most of the time I just go elsewhere or I'll send them an email.
There are also lots of one-off cases where developers split functionality across multiple domains in ways that were fine at the time but now get blocked. These are all fixable, unlike the iframing case, but it's still a lot of sites.
Breaks because it was abusing lack of FPI.
<snark>So, nothing you'd want to use.</snark>
Fortunately, many US companies are starting to consider a GUID and your IP address to be PII, and no longer allow that information to be stored.
It seems to me, if users act differently, there "should" be a way to fingerprint them.
Every newspaper I read has decided that autostarting video and streaming is a good idea.
Yes, HN is OK, but sites that it points to are not.
I'm giving up on the web.
It's annoying to follow a link from a search engine and not notice it's Reddit only to be hit with the "INSTALL OUR APP. EVERYTHING WILL BE BETTER!" shtick every time.
I browse Reddit on mobile in Incognito mode in Chrome, frequently, for various reasons.
This means that there is no cookie history, and (when Chrome shits its pants and dumps the Incognito session), the settings are lost. This seems to occur every few days, occasionally every few hours. Reminds me a lot of Netscape 4 days.
Every. Fucking. Goddamned. Time. I go to Reddit, I get:
1. The "Use our Mobile fuckwitted app" fucking nag screen.
2. I have to disable that fucking nag.
3. I have to select "use Desktop".
(Chrome's own "use Desktop site" option isn't sticky across sessions, or even tabs, AFAICT, when selected on a site-by-site basis.)
And I'm finally where the fuck I wanted to be in the first fucking place.
I maintain a small but fairly well-received sub, and moderate a few others. For numerous reasons, these haven't taken off or succeeded in generating much by way of active discussion (Reddit has long been an exemplar of how to design site mechanics to fully kill and destroy any active conversation). Mind, that's a hotly-contested field, but for all it does vaguely well (and yes, Reddit does have some nice features and a large and not entirely useless community), there are a few small things that could be changed to improve this ... which manifestly haven't happened.
Another site I criticise heavily, Google+, actually does this fairly well, given a number of preconditions.
1. The discussion has to be actively and effectively moderated.
2. There's got to be a good, and not overly-large, discussion cohort. I find ~5-10 people is a minimum (with the right 5-10), and in rare cases, up to a few thousand probably an upper bound. The most lively conversation I saw was in a private community of about 50 people, tightly monitored for behaviour but not (with a few bounds) content.
3. The fact that a discussion stays live for an extended period of time and the Notifications loop back earlier participants is key.
4. Individual discussions can only run to 500 comments. This keeps things from running on too long.
5. Discussion is flat, not threaded. This isn't my initial choice, but it actually works ... fairly well. I'd ultimately prefer client-based determination of order, much as with Usenet or decent email (that is: Mutt) clients, including threads.
I'm not saying G+ is great. It has many, many, many flaws. But it is the best general-use system I've found on today's Internet, despite my many reasons for wishing that weren't the case.
I've found and met some great people, and had really good conversations, many lasting days and weeks, more than a few months and years.
And no, not all discussions go well. One of the best hosts on the site is its former chief architect, Yonatan Zunger. And even he has increasingly had to shut down discussions that ended up as shitshows. See: https://plus.google.com/+YonatanZunger/posts/cnqAekPSFgB
The fact that Google doesn't have to crank up impressions on the service for advertising dosh probably helps. The other games the company's played for generating activity stats have quite negatively impacted it in many peoples' eyes, my own included. The G+/YouTube fiasco being the worst.
1. Mutt offers: threaded, date, sender, and subject sorts, reversible ordering, and extensive filtering, including the ability to arbitrarily tag items and view only those. It remains hands down the best messaging tool I've ever used, though I find email almost entirely untractable for other reasons these days.
2. This ended up with the three top stories on HN on that date being either items I'd posted elsewhere being submitted here, or related fairly directly to those. Interesting experience.
I don't understand the drive to force people to use the app. Medium trys similar but less annoying tactics. Either way you get eyeballs on your site. Perhaps there's better tracking that they can get hold of from the app.
But yeah when ever you don't follow the path that the major sites want you to go down you have to keep jumping around
Similar with Gmail, all links in the email go via Google tracking so you have to do a right-click and get the link then open a separate tab and paste it (obviously a signal for me that I shouldn't be using Gmail in the first place).
Apps will cut down multi-site use too, stop users "changing the dial".
Also sometimes now the location of the "n comments" button becomes a "share" button, with the comments moved over to the side. but again, only sometimes. I keep clicking share on accident, because it happens infrequently enough that I haven't learned to check.
I've started switching to using their .compact site, which has neither problem. Only a small "switch to the new mobile site" button at the top of the page. The thumbnails aren't as large but thats fine with me
according to comments works for this specific purpose. Haven't used it myself.
I was hoping ublock did it but doesn't appear to.
If i.reddit.com is a different IP then a hosts file entry might do it.
Does pi-hole do this?
This is not without problems; there are sites that don't work/don't work well. I frankly don't care about most of them, so that's fine with me, and I leak much less data to the various panty-sniffers.
Life is much nicer when you take back control of what runs on your machine.
 I block FB, Google and several others' IP space, but the smaller adtech/government/who-knows surveillance shops are impossible to keep up with, and, well, defense-in-depth is the way to go.
Browsing the web (especially news sites) on my Android has gone from "a complete nightmare" to "tolerable" because of this.
Now if I could just force pages to load in Brave instead of web view, that'd be amazing.
Related tip: if you open the Google app, menu -> settings -> Accounts & privacy -> disable Open web pages in the Google app, that will fix it for google now links.
Super annoying. In Firefox in about:config, you can set: media.autoplay.enabled to false. That works well for me.
these ublock origin rules ended that:
www.reddit.com##.modal-open:style(overflow: visible !important)
Also it is easier to root your phone with a malicious app than with a web page. Heck, if you are an app developer why even bother to root phones when you can just do whatever you want, after all if the user does not give you all-in permissions you won't even let the app run.
They said, while posting on a web forum
which, to be fair, is accessible via numerous 3rd party apps: https://news.ycombinator.com/item?id=14684105
If you're using Firefox, go to about:config and set media.autoplay.enabled to false.
There are good alternatives like reading books, watching movies or going out. Web sites are shooting themselves in their feet. Blockers end up being too much work with this arms race. They think they're "winning" when they're actually just selecting the people that can't choose.
For sessions where I know I want js to "just work", like online shopping from a set of presumed-trustworthy sites, I use a different browser profile without privacy extensions, but I use it just for those purposes and avoid general browsing with it.
To make multi-profile browsing simple, I theme the profiles differently, so it's obvious which one I'm in. On desktop, my launcher for firefox does --ProfileManager --new-instance and on mobile I just use different firefoxes - ff-beta and ff itself.
Is this "too much work?" - I can see how it might look like that, but I've been using this system for a few years, and though it takes a few minutes to set up on a new system or device the maintenance overhead is low, so I'd say it's not "too much." Also, the time gained not waiting for js-encrusted sites to load probably outweighs the setup/maintenance by a considerable factor.
But overall I get a much better experience using the free, open, 3rd party app Slide ( https://www.reddit.com/r/slideforreddit/ ) so, maybe give that a try? (Assuming you're on Android - ios, I've no idea.)
Enable cookies at that point then, don't turn them on globally for everyone.
> Blame the stupid EU cookie law for that though, not the sites.
If every site didn't turn on cookies by default as if they're somehow needed to read a text page a didn't contain a billion trackers then there would have been no law in the first place.
The need for this law lies squarely at the feet of the sites themselves, the industry has shown no desire to regulate itself.
Prior to that you could just disable them if you liked.
One can say that policy makers had good intentions - certainly. However, I can not imagine a valid evaluation that wouldn't conclude this policy as failure.
The browser not being able to distinguish between essential and non-essential cookies does not change the fact that cookies are and were entirely voluntary.
AFAIK some prominent cookie notices are also part of the Fanboy Annoyances list: https://easylist.to/
The only prominent nags that are not very well targeted with those lists are in webapps like reddit mobile. Primarily because of their dynamic, non-descriptive ids.
I never disconnect from anything, i just open a non container tab. I never connect to anything on my laptop, i open the site in the desired account container.
This website is in a state I don't want ? New container, and it's sees me as a new customer.
I have a "personal" container that I use for my Google/PayPal login, and sites that I use Google oauth with, same for a "work" container.
If each site used it's own container, I couldn't sign in with Google without signing in multiple times (let alone the mess of signing out old sessions, which I do once in a while).
I use this feature with container tabs and it's fine. There are so far one or two sites I've come across that this breaks, neither of them anything I care about.
Container tabs works for me very well, so I don't see much point in switching over and dealing with little bugs like this.
I'm logged into four, including a Gapps account.
I still don't fully trust it, but that's a different matter.
Your home device may not live in such a family, but it's hard for Google to determine that.
But again, the issue is not your specific configuration (or GP's specific configuration), the point is that Google cannot assume same IP or browser fingerprint is a definitive association of identity, whereas signing in additional users in Google's app definitely does.
For a very odd definition of the term 'good' I suppose that's may be the case. It's certainly not been in any place I've worked in the past 20 yrs.
But suffice to say, it's very common for Chrome extensions to be able to both modify any content on websites you view and read data you enter into them. Both adware and spyware is prolific on the Chrome Web Store, and it's the number one infection vector I see.
Controlling extensions is downright basic competency for network security. With regards to Chrome, I currently operate an outright block, though obviously we can whitelist extensions as necessary. (One thing Chrome does particularly well is their ADMX templates: It's easy to blacklist and whitelist extensions, and install them compulsorily for users as well.)
It'd hard to ban Google from your life even if you want ti. I think governments should help citizens achieve that when they choose so.
But with its own IP, possibly a non-routable, private IP ?
I think not ... and that's too bad because that is what we really need. We need the ability to chroot jail a GUI program just like we jail named or (whatever).
A different root, a different IP, and no access (or knowledge) of the rest of the system. If I used facebook, that's the browser I would run it in.
The minor difference is that with OAuth they cannot log-in to the site pretending to be you, but if they don't hash the passwords, or use weak method to do it, then it's possible.
Regarding other user data stored in the DB (which is usually more valuable than just the passwords) there is no difference between the login method.
Strict site isolation > Enable.
CAD or any similar cookie deleting add-on will essentially kill any cookie that isn't required for your active tabs. This way nothing is left behind to track or trail you.
So instead of standing out of the crowd why not disguise so well that the tracker doesn't know the real you.
The idea is to use something that gives a fake readout of your fingerprint thus making you look normal but keep changing it occasionally so it leads no where for long time. Try Canvas blocker and/or Canvas Defender for fake readout.
What is "normal" in this case? One correct way to counter fingerprinting is to standardize the fake readouts to a specific value and not change it every so often. So if everyone's browser is reporting the same value for this feature that feature will become meaningless in the context of fingerprinting since its entropy is very low.
That's what Tor Browser has been doing with font enumeration, reported windows size, screen resolution etc. - they all report the same value. On the other hand, you can correlate these values and identify Tor Browser users.
I use uBO with dynamic filtering + I've replaced 'CAD' with 'Forget Me Not' works like a charm.
That might be more usable than blocking third party cookies for sites that break because of SSO.
Personally I use Containers and block third party cookies and I don't have any troubles.
9/10 times I navigate off a link from one container and boom I've pulled in everything in that new container by ctrl+l reflex.
When I'm on some site and want to quickly search the web using Google (when DDG isn't enough) on the same tab and then return back to the site, or if I use a container temporarily to check a Gmail account, I don't want to mix those up by mistake later (I never search on Google while logged in). This problem may not exist if I spent time to pre-decide the use/assignment of websites/accounts for each container.
Since I also use sites like HN to jump to other sites (several of which may be trying to track), auto-deleting cookies gives me peace of mind once I close a tab (I set the timeout value in the extension configuration quite low). I was using Self-destruct Cookies  before (when legacy addons were still supported on Firefox).
For additional protection, I do some more extensions.
That gets you a clean container every time you click the button. Very useful for development testing, too :).
For example, I have YouTube (and any other Google website) to always open on a temporary container but other sites like HN and Reddit are on a normal and permanent container.
It's also unclear to me where one Incognito session stops and the next starts, although I'd assume they live and die with their window.
More importantly, Incognito opens a new window while Temporary Containers open in the same window with coloured tabs. So you can have _lots_ in the same window if you want.
Sure, by saving passwords in Firefox it isn't a huge hassle, but a cookie is still more practical...
Edit: fb also buys geolocation data from organizations that do the modern equivalent of wardriving. Correlating GPS location with RSSI of specific wifi SSIDs and AP MAC addresses. If anyone near you uses the app, even if their phone has all location services turned off, you're still geoprofiled to within a city block.
So even though you’re on desktop and haven’t provided them with location permissions, they can still identify your location based on your IP address.
Just force your kids to use that on mobile and use Tor on desktop with Facebook as the homepage.
You can tell your kids that 'Tor' means 'Facebook' in Icelandic.
If you check the "Always open this page in this container thing" - then it prompts you with an "are you sure you want to open this page in this container" every time you go to that page which is very annoying. Edit - this is not true - there's a checkbox to "remember your choice". I don't know why I didn't see it.
They are error prone enough that they aren't good tracking protection. Just use ublock origin or a similarly good privacy plugin to globally block as much tracking as you can.
The facebook container eliminates some of those annoyances, but only for facebook.
That isn't true - you say yes/no the first time and then it's automatic. Works great for me.
I create a container for every service I want to stay logged into and whitelist the specified sites with Cookie Autodelete (which is container aware), then auto delete all other cookies on tab close.
Also, I'd love to do this in my bookmarks, instead of having to visit each site and set the container one-by-one.
I have some sites that I almost always want to open in a specific container. Except when I don't.
I suspect this double-confirmation is for people like me: I can chose between "always open this site in this container" and "always suggest opening this site in this container".
I thought containers were clunky too until I went looking for bug reports for the functionality I wanted (always open domain in container) and found out I just wasn't using them right.
I'm actually really impressed with how polished it is given the complexities it entails
Not sure of it or something similar was referenced at some point during the extension install process.
And as others have said, the "always open in this tab" shouldn't act how you describe.
Finally, there is an option in about:config called "firstparty.isolate" or something similar that does what containers do, for the most part, by default. It will break SSO with Google/Facebook/etc. though.
And yes, that's terrible discovery in ux.
Profiles in Firefox is somewhat clunky to use at the same time (I end up just using two installations).
I tried containers as well, but gave up, due to reasons you describe.
$ alias ff='firefox -ProfileManager -no-remote &'
For developers, containers and this extension also make it super easy to test what a page looks like when logged in as a different user.
- Every website (domain) should get its own container by default. I don't want to configure stuff when visiting a new domain.
- If I want domains to share a container, then I don't mind having to configure that.
- When clicking a link inside a container that points to a different domain, then the link should open in the container for the domain pointed to.
- When clicking a link, I should have the opportunity to edit the link before opening it, to avoid information leakage from one container to another.
- Cookies may be saved per container (default). But I should be able to turn cookies off for a specific container.
- Containers should work against fingerprinting, i.e. by perturbing browser characteristics slightly. This should work by default per container and per session. It should be configurable.
- If some well-known websites only work with multiple domains, then that is ok. These domains can be grouped into one container. Firefox can distribute a "whitelist" for such configurations. Please don't bother me with the specifics, but enable me to figure out what the settings are for a container, and to change those settings.
- Container settings should be synced over my devices. Needless to say, containers should work on all platforms.
You prevent the big bad company from spying on your browsing activity while, at the same time, explicitly posting to the big bad company's first-party site messages containing all the juicy bits of private information that you went through all that effort to prevent them from inferring through your other activities.
And we pretend this is helping, rather than just adding noise to an already confusing technical landscape.
But big invasive entities have always existed. In france, coal mines almost owned the lifz of their worker : when they shop, where they slept, etc. News were only on a few newspapers or tv channels linked to the same top people, one source of info to tell you what to think, do and to buy.
The government has always collected a lot of infos to.
Before that, the church did. They polished the global personnal data collection but called it confession. They mastered the ad, it was for all people to see on sunday. Very useful for population control and black mail.
So unless people learn to see the red flags and react, the next wolf will it the sheeps like always.
Comments like "sigh" are not at all constructive, and I would encourage you to consider not being immediately dismissive to people who at least try to do something about problems you care about.
That way any Facebook-owned service like logins and website comments plugin will work as expected but will not follow you around in your regular browser window!
From the extension page:
> "Clicking Facebook Share buttons on other browser tabs will load them within the Facebook Container. You should know that using these buttons passes information to Facebook about the website that you shared from."
> "Because you will be logged into Facebook only in the Container, embedded Facebook comments and Like buttons in tabs outside the Facebook Container will not work. This prevents Facebook from associating information about your activity on websites outside of Facebook to your Facebook identity.
> In addition, websites that allow you to create an account or log in using your Facebook credentials will generally not work properly. Because this extension is designed to separate Facebook use from use of other websites, this behavior is expected."
— kesselborn’s Conex, a Spotlight-like quick container switcher/tab finder. It’s set to auto-hide tabs not in the current container, and I use it to routinely create one-off containers for specific tasks
— piro’s Tree Style Tab, with a workaround setting to make it play well with Conex and a couple of custom styling rules
— MarsCat’s Switch Container, which allows to re-open a tab in another container (used with caution)
What unblocked the switch for me:
— There’s now a working tree-style tabs extension in Quantum
— The new Web Authentication API removes the need for Keychain integration in the long run
I’m wary of getting too used to a heavily customized setup, and am still figuring out the best way to back up my Firefox profile. Previously I relied mostly on stock Safari and Chrome, which is still great for its developer’s tools.
For the major browsers, yes. Some Chromium off-shoots have them though.
Curious if anyone can weigh in with similar alternatives available on macOS.
Concepts on which Doogie is built sound very reasonable and I’m pretty sure they inspired my current setup. Native approach to bubbles vs. workspaces is better than shoehorning containers and tree-style tabs into that with a bunch of extensions in Firefox.
Compared to other browsers, if anyone’s interested:
There was no perceived performance hit after migrating 60+ tabs from Safari and Chrome to Firefox. Browser startup time is definitely faster. For now it seems I no longer have to think about the number of tabs I have open.
I usually have fewer than a dozen tabs in any given container. With Conex, tabs in other containers don’t seem to get loaded unless I switch to them (tabs not in current container are hidden).