I’ve been using this for a couple years now, and absolutely love it. Thanks, team!
I also love that it’s owned by the University of Aarhus, as I am more willing to trust academia with something that has a disturbing level of (client-side) access to my browsing data.
I really wish the browser vendors would develop better permission models to guarantee my data can’t be exfiltrated by a malicious plugin (aka a once-good plugin that got bought out by a bad actor).
For example, I’d love to see the browser impose a policy of “no outbound network requests except to pre-registered endpoints with pre-defined headers and data payloads”, so that plugins could fetch allow lists but could not exfiltrate my browsing history.
It is very hard to prevent exfiltration by code that is allowed to write to the DOM in today’s browsers.
There is Content Security Policy (CSP) which applies to the whole page and sometimes governs scripts injected by extensions but not the extensions themselves.
I would love to see browsers add a chain-of-custody to scripts and DOM nodes, so it is easy to tell which nodes were added/touched by a script, and if a script adds a script tag, that newly loaded script would show up as branches in the custody tree. Then we could say, “no nodes or scripts in this tree may trigger requests to unauthorized domains”. It would be sort of like CSP, but with a runtime-tracked implicit capability/taint for extensions.
I'd like to see a separation between read and write permissions to the DOM for plugins personally. I would feel much better if I didn't have to give any plugin that might need to modify parts of a limited set of pages the ability to silently manipulate anything and everything I see in the browser. Read-only access could be granted by default, then only when a plugin sees something it wants to act on it could pop up and request my approval before doing so. The current approximation of that by disabling the plugin globally and enabling it on specific pages is so clunky and adds so much extra friction that I don't ever bother with it.
while we're wishing for impossible things i'd also love if the consent dialogs were an actual standard. if sites could describe a list of what they needed consent for and the browser supplied the actual dialog, so i could just configure it to always allow all if i wanted to, that would be fantastic.
> if the consent dialogs were an actual standard. if sites could describe a list of what they needed consent for and the browser supplied the actual dialog
There is a standard for this called P3P, which was implemented by Netscape, Firefox, Internet Explorer and Microsoft Edge before eventually dropping support for it. But there was nothing requiring website owners to use it. Various data protection regulations across the world require them to obtain consent for collecting data, but they are not required to recognise consent or non-consent expressed via P3P settings.
These standards will only get used if the website owners are forced to use them, either by regulators or by monopolistic/oligopolistic market forces.
With how aggressive websites are in shoving popups down our throats for every little random thing, we need an in-browser AI bot to get rid of them appropriately.
It's leaking too. I got a popup on my keyboard on my phone yesterday, and literally thought "this is too much, I wish I was dead" (I'm doing fine, just an intrusive thought :). Time to dial it back in folks. It is unbearable.
To those of us with ADHD this firehose of notifications and distractions feels like a deliberate attack on our agency. It does make me feel like I want to die, not because I’m depressed or suicidal generally but because I can’t imagine aging gracefully with this escalating source of entropy.
The idea of pushing more contracts than you can read, all of what you must accept just to survive is a deliberate attack on our agency. You are just more sensitive to it.
I had the thought for much the same reason. It amounts to a denial of service attack on the human psyche.
There are places with laws about advertising pollution in public spaces. That needs to extend beyond advertising to a more general set of aggressive attention grabbing features, and to our digital lives, where we spend a huge amount of our time. It's not going to self-regulate. Ironically, the ubiquitous GDPR popups sort of broke a dam that has led to popups of all sorts being forced on us all over the place.
This is precisely why I'm sidling up to the idea of an old flip phone. The deluge of "communication" that is force-injected into my eyes every day is an immense waste of my mental energy. I hate this age of attention assault.
May I suggest a well configured uBlock Origin and additionally to cut out some websites completely from your life? Doesn't solve the problem in general, but it will hopefully make you feel better. And it will make your browsing faster, because you are not loading all that crap.
> we need an in-browser AI bot to get rid of them appropriately.
Not just popups. We need browsers to die and be reborn as User Agents again.
Currently the best browsers do is some translation and summarization, but there's currently zero automation.
An ability to tell user agent a command, in a natural language, like "go through first 10 pages of those Amazon search results, check every one of them including photos, descriptions and reviews, filter products according to those and those criteria (and not whatever Amazon lets me search and filter on) and give me a nice clean list of images and links with zero extra junk" will be a game changer.
We have all the tools, it's about time we show a middle finger to dark patterns and enshittification. Sure, it'll be a game of cat-and-mouse with websites fighting against robotic agents empowering end users (ad industry is going to hate this so much), but it's a battle worth fighting.
Well, they surely aren't committing seppuku. No such thing as a corporate honor or shame, only business interests. At least, not with any large corporations.
And this status quo needs to change. Too much power and information disparity at the moment, the markets are essentially broken.
IMO, the easiest and most healthy way to get from here to there is by splitting those companies. There are plenty of ways they can be reborn, many even without hurting anybody.
But also that the popups do not conform to what GDPR demands. Remember, rejecting everything should be the same amount of effort as accepting the settings, and by default non-functional stuff should of course be turned off. If websites followed those rules, we would have way less of a problem here.
I like this proposal to add a "purpose" field to the cookie header. This could allow consent settings at the browser level, preventing all these pop-ups.
The problem isn't lack of a solution, we've had DNT for years. It's that the people who want to track you generally don't want to make it easy for you to opt out.
No, it's not legal. It's clearly not legal, it doesn't need a case. It's well established in the law as it was written.
It's just that the enforcement agencies are large, lazy and won't enforce anything. They don't even enforce when you can prove beyond a shadow of a doubt when and how the corporations have leaked your private information, let alone when their use of cookies is illegal.
It depends on the country. When I filter for specific countries, it really can be very rare.
Look at the difference between Germany and say Austria, for example. Or if you must compare two large countries Germany and France. There is quite a large gap between different countries.
While you aren't wrong, somebody might get the dumb idea that "If a tool instantly rejects the consent then the user hasn't truly consciously made a rejection."
This is the flimsy excuse made not to respect the Do Not Track header. By making it so that it's a tool for expressing the user's opinion, be it negative or positive, it becomes harder to spin it as being a tool that does not actually embody the user's view.
For the GDPR, that argument would fail immediately. Since the GDPR requires consent to be explicitly granted, and neither conscious rejection nor automatic rejection would constitute an explicit granting of consent, the site would not have a consent to track.
Perhaps I was unclear. IMO someone picking "sure fine everyone track me" when setting up browser (DNT preference) first time should count as explicit consent for every site. And similarly choosing DNT for all should legally count as telling site not to track and not to ever prompt.
In addition to being explicit, consent must also be informed in order to be valid under the GDPR. This is not a blanket understanding of "I may be tracked on the internet." but a specific "X information may be used by Y data processors for Z purposes." If somebody is not informed of X, Y, and Z prior to giving consent, then it doesn't count. A browser-wide preference from years ago is not informed consent.
There is one and only one legal default under the GDPR: Do not track.
> There is one and only one legal default under the GDPR: Do not track.
This is immediately followed by every head of marketing (at least for US-based companies) asking "Okay, so how do we track those people?"
I'm not saying this is right. But it is reality. We normalized for two decades marketing leadership having the expectation that they can track every interaction, and prying that data away has been painful, especially for folks who really want to do the right thing but are told otherwise by their managers.
I agree, and that's why I try to avoid any prevarication on the point. Because the head of marketing will at some point ask developers to break the law. Treating privacy law as a grey area gives the marketers more room to pressure developers, and more room to throw developers under the bus afterward.
> This is the flimsy excuse made not to respect the Do Not Track header.
Not exactly. The issue was that a specific version of IE enabled that header without giving the user a choice. If a user explicitly chooses to toggle the header, or install an add-on, then that argument would not hold up.
'I still don't care about cookies' works on almost every website I browse.
This extension on the other hand used to work maybe on a third, don't know if it improved but I would suggest the first if you're fed up with the cookie popup.
Note "I don't care about cookies" and "I still don't care about cookies" will accept tracking if that's the easiest route to get rid of the popup, which is a significant difference to the extension in this topic.
Pair it with uBlock Origin and Firefox Enhanced Tracking protection and it doesn't matter.
I don't have a plugin for disabling the banners, but I accept them if that's the easiest thing because I can already see that uBlock Origin blocked all their trackers anyway.
I understand the shortcoming but to be fair, if a website owner wants to track you he can do it even without cookie. I appreciate the gdpr for many reasons but the cookie banner constant spam is not one of them, I believe people just want to get rid of it even if it means agreeing to everything.
The problem is that it needs to be manually adapted to each site that doesn't have a well known cookie banner... So if you mostly visit "exotic" pages it doesn't work.
I believe ublock origin blocks these via the annoyances filters, but just the popup element without setting the cookie. I haven't really looked into it.
The issue is that some sites will not work until you made a decision in the cookie pop-up. So then I have to reload the page without blocking, reject the cookies, and then reload the page with blocking...
So for now I disabled the blocking of cookie pop-ups and I let C-O-M automatically reject cookies for me.
> The issue is that some sites will not work until you made a decision in the cookie pop-up. So then I have to reload the page without blocking, reject the cookies, and then reload the page with blocking...
My solution in these cases is to leave the website in question and do something that doesn't involve getting abused.
It blocks some of them, usually the most basic. I also seem to remember that by not answering those prompts (and hiding them instead), you actually consent until you decline.
It absolutely can't block the more advanced, sometimes multi-stage prompts Google, Youtube, and many newspapers use. Consent-o-Matic actually goes through those prompts and declines the maximum possible amount of tracking, while consenting to the necessary options required to make the site work.
That is false, you only consent by your explicit action - clicking "accept". If you inspect element and remove the consent popup entirely, you have not consented.
Exactly. Consent is opt-in, not opt-out. That's the law.
If a website does not respect that, it probably won't respect your choices either, so you might as well block the cookie banner and all tracking scripts.
Yes of course without accepting the cookie. This malicious compliance BS has to end. I won't do the 20 clicks I need to deselect legitimate interest everywhere... I'm just blocking your popup.
Sure, if we're really lucky that'll be implemented before 2030 and maybe a handful of us will still be alive to see the day most of the mainstream web actually gets rid of all their obnoxious dialogs :)
It is great to see but I'm also happy if we can have even half a solution like this in the meantime.
The entire thing has been performative regulation.
Did asking honest businesses to restrict how they use cookies protect users from invasive tracking? Nope. Data brokers simply employed other methods or bent the "legitimate interest" exception.
Did all websites provide a single button to reject tracking, with equal prominence and proximity to the accept button? Years on this is still rare, despite being the rule.
Did data brokers find new ways to obtain the same data? Sure did and more.
Was the end result a disproportionate burden on users, including those not even in the EU, while not delivering the intended benefit. Sure is.
Do entire websites, particularly those in the USA, simply geo-block all EU countries. Yep.
Did European-based services and news websites switch to a "let us track you or pay now" model. Yes.
Did data brokers exploit the EU's inability to police the matter by incorporating dark patterns, artificial pauses, and obnoxiously long lists to stymie users' attempts at refusing tracking? Yep.
Did bad actors ignore the regulations. Yep. Was the EU toothless to stop that? Also yes.
So what did happen?
Instead developers of web browsers incorporated anti-fingerprinting technologies to negate the problem, a part of browser development that continues to be an on-going arms race.
I keep considering this and similar tools, but I have a concern that they will miss things and effectively opt-in when I want them to opt-out.
For instance: if the code/config for a particular site or family of sites becomes out of date for a while due to said site(s) adding a bunch of “legitimate interest”¹ checkboxes, then I may have just given consent (or passed by the opportunity to object) without knowing.
----
[1] In other words “we see your preference not to be stalked by our partner(s), but fuck you and your preferences we want to let them anyway”.
I just came to the realization how ducked up things are, that right now every website view involves solving a stupid puzzle of toggles... that the privacy-conscious think might help them protect some of it, but I have a suspicion will do duck-all for said privacy anyway.
I like this, but would like it to avoid the loading time of the consent popups.
Too often, the consent dialogue takes over a second to load, and when you finally click 'accept' there is a little spinner for what seems like ages before the dialogue goes away and you get to see the content you came to see.
Can we simply detect the "<script src=consent.js..." tag, and simply not load it for the most common and annoying types of popup?
In the case that the popup doesn't load/the user never makes a choice, what is the cookie behavior?
How about if you hit the "x" button on the cookie popup instead of either "accept all" or "reject all"?
My assumption is that, despite what the law says/is meant to do, doing anything other than going through the checklist will result in all cookies being enabled.
Since you'd probably do this for each of the big consent-popup-providers, you could simply have custom javascript for each which sends off the necessary ajax call to disable cookies in the background (although personally, I don't really care - if I wanted to disable cookies, I would do it client side. I trust the tech more than I trust their accurate following of the law)
I just installed it on Chrome, and it hasn't worked on a single site, but upvoting as I love the idea as horrible as the whole consent banner thing is :(
For example bing.com, britishairways.com all show their consent popup. It does try and do that minimize thing, as something flashes to the bottom right. But the modal still appears in the same place as always.
I've been using this on mobile for a couple of years now, I've noticed it failing in the way you mention quite often in the last 3 months or so. I'm not sure how maintained the rules are, they might need updating.
Previously it was working nicely, although probably only on 40% or so of pages.
I've also used ublock to block cookie consent popups, which catches more but occasionally has to be disabled as sometimes it will break scrolling or interaction with the page.
Asking genuinely as I never experimented myself -- Does the Internet experience in general cripple if one rejects the cookies on all websites? Or there is very little loss of functionality? I often allow 'essential cookies'. Would go to 'reject all' if that works fine.
For years my own practice on sites that impose cookie pop-ups has been:
- Zap that element (uBo element zapper or custom CSS style rule via Stylus).
- Globally deny ALL cookies for that site, via uMatrix.
Note that uMatrix (and AFAIU Firefox) already block all third party cookies. This just makes that prejudice global to the site itself.
The number of sites for which I require some level of state preservation is parlous few. Hacker News itself is most of them, my Fediverse home the other.
(I largely don't use the Internet for commerce. That's always struck me as a bad idea, getting worse. If I cared ... another very small number of exceptions would deal with that.)
Generally, no. Despite the claims that "this will not cause you to see less ads", sometimes it even does cause you to see less ads as ad slots are less likely to fill if they have less user info. (Sometimes the opposite happens and you get the shittiest weight loss ads however). That said, I assume most people likely to use this extension already run an ad blocker.
Storing login tokens and cart information falls under "legitimate interest", which does not need consent. They just aren't allowed to use that information to do anything else with it.
I've rejected all optional cookies/tracking for many years and I've never noticed any missing functionality.
I wonder how many websites declare the Google Tag Manager a technical necessity (as part of the consent layers). In my world, it is a tool to manage different tracking and ad tools, far from being technically necessary to host a website.
The tracking pop-ups used to be the scapegoat of UX but these days the experience is broken by "are you a robot" walls, subscribe to my blog walls, paywalls, your ip is from the wrong country walls, login walls and other all kind of wall.
These days when I see a link to a news outlet or a blog that I intend to consume seriously, I just use archive.is. It removes all the annoyances, it's brilliant.
Is there even a Disney defense here? Lawyers can bring all kinds of arguments, what matters is if they are upheld. Note that in this case Disney didn't even own or operate the restaurant so it's questionable why they even are a defendant here.
If that was true, then Easylist/uBO Cookies list wouldn't work, as the thing they're blocking would have been developed not to be blockable by those things.
Shouldn’t this just be called “no”? Or “I do not consent”?
Anyone who cares enough to automate this will disable all optional cookies.
Also, don’t we all think the law should have simply required websites to respect the browser setting for this instead of requiring it every goddamned time?
I've been a very happy user of this plugin for some time and it works great for me. I'm always bewildered by how many cookie consent dialogs I see on my work browser which is locked down so doesn't have this plugin.
I love the idea but giving "root access" to an extension that's "not monitored for security" is a non-starter. I wish Mozilla would step in and do something good for a change.
I don't like "ecosystems" where a gatekeeper decides what we can and can't do with our own devices, browsers, etc. That's different from a software repository guarding users against malicious updates, e.g. due to compromised extension publishing account. The blast radius on extensions with permissions like that is huge, they could steal all of our session cookies and login info, for example.
My comment was a bit harsh, and that harshness wasn't aimed at authors of this extension. I'm merely asking Mozilla to be more proactive with extensions that are extremely security sensitive, but also further their own purported mission, like this one.
With GDPR conform cookie consent popups/banners, managing one's preferences is actually very easy. First time visiting a website just click decline and all is good. Unless of course we are talking about websites, which only pretend to be conforming, but are actually intentionally not. I say intentionally, because it is way more likely, than everyone responsible at a company having lived under a rock for the last ... what? 10 years now? ... and not actually knowing better. Nope, we have widespread shameless blatant violation of the law at our hands.
On my pension provider's website I get the cookie consent warning every time I visit (whether I decline or accept). Even more annoyingly, this happens in the iOS app of the provider (which has a webview).
EU regulations like this are so poorly thought-out. They should have just banned nefarious tracking cookies outright. The EU never seems to understand the practical consequences of their technical regulation.
Sadly this is the wrong solution: proper solution is to create generic "get to the base information" solutions to get past all dark pattern bullshit.
Trusting advertisers, web developers under coercion, annoying paywall based sites has been proven to be a bad choice over and over in history repeating itself hellscape.
Firefox's "reader view" was the right idea, that doesn't quite go far enough. We need options like "i just want text, non ad pictures, and original videos".
Any higher layers where we allow these brutal dark patterns are too much work to track and fix every little thing they can do with code
> We need options like "i just want text, non ad pictures, and original videos".
That's called an ad blocker.
This is touching on the larger battle for control over user experience, that has been going on since the birth of the WWW.
Most of the sites want you to see everything other than "text, non ad pictures, and original videos" - the latter is a bait and a vector to expose you to ads, dark patterns, and other marketing shenanigans. They'd serve you their page as a PDF if they could get away with it. They almost did get away with Flash. They do get away with this with mobile apps. About the only thing stopping them from replacing websites with some ungodly mix of canvas, WebAssembly, and React-like frameworks, is accessibility[0].
Point I'm making is, it's not a PvE game, it's a PvP one. A beefed up Reader Mode is not a solution - try to build one, and half the industry will cry foul, and proceed to invent workarounds. The Web, as we know it today, is funded by the enemy.
--
[0] - specifically, the legal requirements in some scenarios and jurisdictions, which create a sort of back pressure on the industry that keeps the web from full-blown appification.
This comes up every time gdpr or ads are discussed. But it’s pretty simple I think: not enforcing privacy regulations forces site owners to break them.
The reason is that so long as some sites show tracking ads, the monetization possible by privacy-friendly ads is almost nothing.
The long term goal must be that no one cheats, so that the ad revenue from well-behaving advertising can go up.
Remember the consent dialogs aren’t ever asking permission to show ads.
I've been using the annoyingly-named superagent for a while for the same task, but it often seems to fail to detect some of these annoying boxes. I'll definitely give this alternative a try and see if it works any better.
Thank you so very, very much to the EU and whatever other government agencies are responsible for making the web more annoying to use.
They're also violating the ePrivacy directive with any consent dialogs that don't give at least equal weight to the "Reject all possible and continue" option or hide it behind extra clicks.
Sadly the ePrivacy implementations were a bit lacking in some member states and the EU directive to replace them with a direct EU-wide law doesn't seem to be fully in effect just yet but I have high hopes we'll see companies fined over these deliberate misdirections soon and that will hopefully put an end to it.
Sure, for advertiser thingies. But website features like optionally storing your preferences in localStorage, or assigning device IDs to be able to understand and optimize website performance both require consent pop-ups.
Some preferences are not required for the website to work, but do improve the experience. These are classified as "functional cookies", "preference cookies", or "user interface cookies" in ePrivacy Directive and UK GDPR literature, examples like remembering your selected language, and still require consent. See https://ico.org.uk/for-organisations/direct-marketing-and-pr....
Consent-o-Matic uses this text to describe this category of cookies (for me, it's the first item in extension's config UI):
> Preferences and Functionality: Allow sites to remember choices you make (such as your user name, language or the region you are located in) and provide enhanced, more personal features. For instance, these cookies can be used to remember your login details, changes you have made to text size, fonts and other parts of web pages that you can customize. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information in these cookies is not used to track your browsing activity on other websites.
These require consent if, for example, they involve the use of a third-party service. Setting a first-party dark mode cookie does not require opting in even if it's "non-essential". It does however require disclosure.
The jury's also still out to what degree third-party cookies need to be disclosed in detail (e.g. whether you really need to keep track of the dozens of cookies Google Maps or YouTube sets or whether you can just refer to their privacy policy for the details). But embeds for YouTube, Twitter, Facebook or Google Maps, or the use of Google Fonts or the use of third-party CDNs for non-essential functionality definitely do require consent (i.e. opt in).
I’m wondering if those embeds would work in an `<iframe sandbox="allow-scripts" />`. This prevents them from reading/writing cookies, but everything else should work fine.
I don't see how that fixes anything as your browser is transmitting PII simply by fetching the iframe content. The sandbox only limits what they can do client-side, they still get to see your IP and user agent.