Shouldn't web browsers ask us before storing cookies?

Instead of asking for each site, just allow first-party cookies and delete them by default when the last tab of that domain is closed. The user should be able to favorite cookies to keep indefinitely, with the rest being cleared on a user-defined schedule (onTabClose, 1 hour, 24 hours, 1 week, etc). There was a free Safari extension called Safari Cookies that handled the favoriting but it stopped working several years ago. https://sweetpproductions.com/safaricookies/index.htm

I'm surprised this isn't a standard feature built into browsers. Seems like it would be obvious to have a level of granularity between accept all first-party cookies and accept none.

Edit: to clarify, I don't think setting cookies is the issue (and not worth the UX hassle to ask everytime); the issue is storing the cookies for longer than the interaction persists. To me, it's analogous to someone remembering who you are during a conversation vs adding you to their rolodex and storing that info indefinitely.

As I remember it, this was an option you could enable in Netscape Navigator back in the dialup days. In practice it meant that every time you went to a new website you'd have to click ok on a dozen popup menus asking for permission to store each individual cookie before the page would load. I'm sure there are ways to make that process go a little more smoothly but in practice it's still probably something that most users would immediately turn right off.

It used to be an option in Firefox. You have to go dig around bugzilla to find the reasons they removed it -

https://bugzilla.mozilla.org/show_bug.cgi?id=1249151

https://bugzilla.mozilla.org/show_bug.cgi?id=606655

From my perspective, a lot of the problem is that there are very legitimate uses for cookies and other types of local storage, outside of advertising and other sorts of tracking. IE remembering user preferences, knowing what messages they've seen, that kind of thing. It would be a huge hindrance to not be able to persist any kind of state between visits. The real issue in most cases are third party cookies from ads and other trackers, but in almost everyone's understanding these are all lumped together into the single category of 'cookies'.

Of course, it's not quite as simple as "first party cookies fine, third party bad", since when you're on a domain like google.com for example, a whole lot of tracking goes on with first party cookies. But still, that can be dealt with. If I were coming up with a regulation (be it enforced at the browser or site level) it would make a distinction between first party cookies on domains serving up to X users per month, first party cookies on domains serving over X users per month, and third party cookies on all domains. The first of those categories could, I think, be unregulated. Save messages and/or restrictions for the other two and I think it would go a lot further toward achieving the goals of these sorts of initiatives, while being much less of a useless annoyance.

Firefox is going in this direction somewhat with their default blocking of third party cookies, but there's nothing they can really do unilaterally to treat first party cookies on google.com differently from bobsblog.com.

I agree that "this law is hurting the web" but I don't see how shifting that from the website to the application is going to solve the root issue. Prompts like these are annoying speed bumps that I have a hard time believing are in anyway effective -- paranoid people already deeply evaluate the software and services they use whereas the casual user is likely to just to "yah yah, get this out of my face" click it.

How about, if you install software such as a web browser on your computer that has a certain functionality intentionally exposed via an API, and you then visit sites that make use of that API, you have given consent for them to use it. And if you don't like it, you can reconfigure said browser to block them.

I'd like to point out that GDPR compliant sites don't need to ask permission for strictly necessary cookies.

I also recommend using Cookie AutoDelete for Chrome [0] or Firefox [1]. You can define a whitelist of websites where you actually need Cookies (because you want to stay logged in), and the rest will be forgotten when you close the tab. It even allows different rules in Firefox Containers.

0: https://chrome.google.com/webstore/detail/cookie-autodelete/...

1: https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

The GDPR consent prompts are less about technicalities (are you using cookies or local storage) and more about giving the side permission to stalk you no matter what method they use.

The real problem here is the lack of enforcement of the regulations. The majority of GDPR consent prompts are obnoxious because they aren't actually compliant - compliant ones are much more pleasant. See this comment I just posted on another GDPR thread: https://news.ycombinator.com/item?id=21429666

Finally there's this misconception (it could be a lie perpetuated by companies looking to profit from GDPR-related consulting, or those looking to push back on the regulation by making it seem more annoying than it actually is) that all cookies require consent. That is blatantly false. Cookies to store site preferences (like language, font size), shopping carts or login sessions don't require consent as they're necessary for the functionality you're trying to use.

IE had it up to version 11:

https://www.technipages.com/wp-content/uploads/2014/07/IE-Ad...

Edge is dumbed-down and removes, among other things, that option:

https://answers.microsoft.com/en-us/edge/forum/all/cookie-co...

Storing data in a cookie is not the dangerous bit, it's the intent, the what you're storing that data for which matters.

A browser popping up a prompt saying "google.com wants to store a cookie, is that okay?" isn't enough.

The design of these cookie and enhanced data protection laws is that websites need to spell out their intent. To tell people what data they're storing any why. Yes, you could code that into headers and have the browser relay that information, but that's the stalemate we're in.

How about Firefox Temporary Containers?

https://addons.mozilla.org/en-US/firefox/addon/temporary-con...

I think they compartmentalize each tap until it is closed. Dunno if it only clears cookies or all other forms of storage.

Cookies get all the bad press when there is many other ways to store data. Or does the word "cookie" encompass all forms of persistent storage?

100% agree, I've argued for this same thing in the past.

https://www.reddit.com/r/worldnews/comments/7h28hi/google_co...

Note that the GDPR isn’t just about cookies, it’s about all collection of personalized information, in any form. It also outlines plenty of scenarios that don’t require a separate permission request beyond simply doing business with a company.

We’re only in the midgame of this particular regulation— the rules changed “suddenly” and specified outcomes rather than methods. Regulators and businesses are in the messy stage of negotiating best practices as businesses change as little as possible and regulators give fines for misconduct.

The hope is twofold: that enough users will opt out to make problematic business models less profitable, and that the lower user friction of models that don’t require tracking will become relatively more successful. Neither of these goals is served by allowing a blanket permission setting.

"Shouldn't" implies some kind of higher authority capable of enforcing such a feature universally across browsers, when no such authority exists.

Browsers give you all kinds of opt-out capabilities, if that's something you're interested in. The fact is, most people aren't interested.

IIRC, in the early days, they did ask for every cookie.

Your suggestion makes a lot of good sense. Cookies aren't the real threat though. Surely cookies are used for both wanted and unwanted tracking. Passive tracking however (fingerprinting of any form) will remain the threat we can't block and we won't know is happening.

If we add a mechanism to allow the OS to handle cookies, bypassing possible untrusty browser vendors. We won't solve much and create a false expectation, while (arguably) break more than we fix.

This doesn't mean we shouldn't, but if a method is found, it should include a significantly more comprehensive form of anonymity.

--2 cents

I usually right click and select an element blocker.

There was a time wayy back when a browser would prompt user when site requests to push out a cookie [up to about mid 90's AFAIR], but that was before the web was hijacked for commercial interests.

now there are often so many cookies with the typical website that a manual dialogue would waste all your user time.

so i think thats where the decision was made to include all cookies, in one broad permission setting.

Internet Explorer (in the time of Windows 95) did that and people didn't liked and always checked the "Never ask my again" checkbox

Browse in anonymous/private mode.

There’s unfortunately little difference between cookies used to keep you logged in and to track you. Therefore no cookies = log in every time. As long as you’re ok with that, go for it!

GDPR does not require "cookie consents forms" and neither do the EU e-privacy rules. There are clear exemptions for authentication and other technical cookies.

Basically, the form is only required if you're doing something nastier, like tracking.

I've never understood why sites just run with the concept and implement the "permission form" when it really isn't required for good actors.

https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies#sect...

ps: for firefox I use "cookie autodelete" extension https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

Upcoming ePrivacy law should fix this nonsense with cookie banners. Although, having cookies permissions settings, like notifications and location in browser UI would be great.

It's just the beginning. Given the logic of the allmighty regime, each web link has to have a label describing all privacy impacts it might have if you click on it. The link will only open if you confirm.

But that would place the responsibility to enforce GDPR on browsers vendors, not publishers. GDPR is about private information, the browser isn't interested in that, the publisher is, so the responsibility falls on the publishers.

They used to. Everyone hated it. They stopped.

Do you really want 120 questions for each site you open?

It would be almost impossible to enforce. Publishers have a point of contact, an address or a hosting company, some sort of physical place where you can find whoever is in charge of the site. In other words, somewhere to send legal documents and summonses should a government wish to pursue legal action.

This is only partly true for web browsers. Google, Mozilla and Microsoft have addresses. But what all the browsers that have forked from open source projects? If someone forks Chromium and adds nasty features, how do you track them down if they did everything anonymously?

More to the point, if a law is passed that says "all browsers must do X,Y and Z". How to you enforce that in a world where open source is so prevalent? The big players may add the requirements to their flagship browsers, but if those browsers have open source underpinnings they have no control over the forked versions.

It's the publishers who are abusing browser capabilities, its much easier to force them in to compliance rather than trying to legislate how browsers work.