Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Mozilla Firefox Privacy

Firefox 44 Deletes Fine-Grained Cookie Management (mozilla.org) 471

ewhac writes: Among its other desirable features, Firefox included a feature allowing very fine-grained cookie management. When enabled, every time a Web site asked to set a cookie, Firefox would raise a dialog containing information about the cookie requested, which you could then approve or deny. An "exception" list also allowed you to mark selected domains as "Always allow" or "Always deny", so that the dialog would not appear for frequently-visited sites. It was an excellent way to maintain close, custom control over which sites could set cookies, and which specific cookies they could set. It also helped easily identify poorly-coded sites that unnecessarily requested cookies for every single asset, or which would hit the browser with a "cookie storm" — hundreds of concurrent cookie requests.

Mozilla quietly deleted this feature from Firefox 44, with no functional equivalent put in its place. Further, users who had enabled the "Ask before accept" feature have had that preference silently changed to, "Accept normally." The proffered excuse for the removal was that the feature was unmaintained, and that its users were, "probably crashing multiple times a day as a result" (although no evidence was presented to support this assertion). Mozilla's apparent position is that users wishing fine-grained cookie control should be using a third-party add-on instead, and that an "Ask before accept" option was, "not really nice to use on today's Web."

This discussion has been archived. No new comments can be posted.

Firefox 44 Deletes Fine-Grained Cookie Management

Comments Filter:
  • Deny ALL Cookies (Score:5, Insightful)

    by zenlessyank ( 748553 ) on Thursday February 04, 2016 @05:42PM (#51442125)
    Seems to be as fine grained as I need.
    • by AmiMoJo ( 196126 ) on Thursday February 04, 2016 @06:23PM (#51442449) Homepage Journal

      Says the guy logged in to Slashdot.

    • by Anonymous Coward

      Everything we need to know about the sorry state of Firefox is shown by the new Brave web browser [slashdot.org] that Brendan Eich [wikipedia.org] is creating.

      Look at what Brave's FAQ page says: [brave.com]

      5. Why aren’t you using Mozilla’s Gecko engine on laptops?

      We were, under a partially sandboxed, multi-process architecture called Graphene. But we did a careful head-to-head comparison and by every measure, Electron/chromium won. We wish Mozilla well, but as a startup, we must use all sound leverage available to us. For web compatibili

    • This post would have been a lot more believable if it had actually come from an Anonymous Coward.

  • by Anonymous Coward on Thursday February 04, 2016 @05:43PM (#51442131)
    Ah, I see they are following the Gnome school of user interface design.
  • by phoenix0783 ( 965193 ) on Thursday February 04, 2016 @05:45PM (#51442147)
    They seem to be really trying to shoot themselves in the foot lately.
    • by elrous0 ( 869638 ) on Thursday February 04, 2016 @06:08PM (#51442339)

      It all makes a lot more sense if you consider that almost all of Mozilla's income comes from Google and Yahoo.

    • by Chas ( 5144 )

      Yeah, but looks like they missed and blasted themselves in the balls.

    • by arth1 ( 260657 ) on Thursday February 04, 2016 @09:27PM (#51443533) Homepage Journal

      They seem to be really trying to shoot themselves in the foot lately.

      No worries, the feet will be removed in v45.0
      You will still have plugins for right foot, left foot, and foot extensions, someone just need to write them. And sign them for every new version.

      In 46.0, the rendering engine will be removed, but no worries, you can use a plugin.
      in 47.0, the plugin loader will be removed, but no worries, you can load an extension for loading plugins.

    • People also like to bash about bloat in FF... Moving features that aren't used often into extensions is a great solution...

      They are easier to maintain, and can be developed independently of FF... Faster iterations, and release of features to end-users, etc..
  • by kheldan ( 1460303 ) on Thursday February 04, 2016 @05:46PM (#51442151) Journal
    I have an add-on that keeps only the cookies I explicitly select, the rest get deleted whenever I close Firefox, or when I manually delete cache and cookies with shift-control-delete. Just get that and have all the 'fine-grained' control you want.
    • Most of the cookie add-ons used FF's built-in functionality; they just made it easier to interact with...

      I'm a little pissed off at this.

      • by Barny ( 103770 )

        Yeah, not sure what the fuss is. I have 'delete cookies when I close firefox' as default action, then I can allow sites to specifically keep their cookies.

        This has been a standard feature of firefox for quite a while now and despite my other misgivings about their browser (the main of which being that all the features they have removed and said 'third party addons will replace this', have indeed been replaced and the browser runs like crap with the amount of them I now need to use) it still functions better

        • by vanyel ( 28049 )

          Close firefox? Only when the system crashes or I have to reboot for some reason. Too damn many windows I have to restore.

          • by Barny ( 103770 )

            There is an option to "reopen last session" on start. You get all your tabs back :)

            • by vanyel ( 28049 )

              Yes, and that's a lifesaver, but many of them need to be logged into again, and then it flashes up bazillions of windows for a while while recreating them and it's generally a nuisance.

        • There's a bunch of things firefox has included in the core browser that probably should be replaced with an addon. There have been many examples of this already. What they are missing here is a prompt on upgrade if their change in behaviour applies to you so you aren't surprised by it.

          Most users don't read the release notes, or follow some obscure blog where this change may have been discussed.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Please identify WHICH add-on.

      • by kheldan ( 1460303 ) on Thursday February 04, 2016 @07:01PM (#51442721) Journal

        Please identify WHICH add-on.

        'selectivecookiedelete' v4.1.1 [mozilla.org]
        Just checked it, it's still doing it's job, keeping the whitelisted cookies, deleting everything else.

      • by ShaunC ( 203807 ) on Thursday February 04, 2016 @07:20PM (#51442867)

        I use Self-Destructing Cookies [mozilla.org], which accepts cookies long enough to make a session work and then deletes them automatically when you close the related tab. There's a whitelist feature.

        Of course as per usual with a Firefox update, I now have no clue whether or not that extension will continue working, or whether I need to tweak some arcane setting to keep it working, or whether said arcane setting has been removed from the browser entirely... So I'll just stick with my current version for awhile. Other people can be the guinea pigs and I'll look for their reports. The trouble with that approach is that with each release, there are fewer other users out there. Mozilla seems determined to run Firefox into the ground and it's just a sad thing to watch.

        • by tgv ( 254536 )

          I use that one too. Works well, and still seems to work. Before that, I used FF's built in mechanism, and I think it's an utter disgrace that they removed it without offering an alternative. I still trust Mozilla a bit better than Google, but at this rate, FF runs the risk of being abandoned by its last users.

          Perhaps that's what they want anyway.

    • by vux984 ( 928602 )

      Yeah Mozilla probably is making the right decision here.

      The feature *would* have been irritating as hell to use, and removing it to streamline the code and letting those users who wanted that sort of cookie control use an extension is the *right* move.

      The 3rd party example you gave would actually be a functionally better solution for most people to use then what Mozilla had built-in. (What addon is it by the way that you use?)

      The only real criticism i really have of Mozilla on this issue was the lack of cle

    • Thanks for this. I used this functionality for a long time, so I need a replacement.
    • I fully agree that functionality that can be provided by add-ons need not be provided by the core program. In fact, this level of extensibility is a great selling point for Firefox.

      The problem is what to do with those who set the preference in the past and have yet to install an add-on. I think it would have been better to take the "paranoid" default (deny all), making sure they have at least as much security as they had before. I find it hard to believe that there are many users who were regularly appro

    • by dltaylor ( 7510 ) on Thursday February 04, 2016 @06:43PM (#51442607)

      Yes, I "shouted". Obviously to OP has no clue.

      Denying the creation of a cookie in the first place has nothing to do with deleting them when Firefox is closed (whoever closes ALL of their FF windows anyway?).

      I hope Pale Moon keeps the feature, but, IMO, FF44 is now nearly useless.

    • Right, Firefox have been simplifying options that break web sites for years. If you want to mess with your browsing experience in a way that might break how websites work, install an addon.

      There's no point having what amounts to a "Make all websites work" checkbox.

      • by Ken D ( 100098 )

        it only breaks web sites that I want to break.

        If a site only works if I drop my pants and bend over then I want to know that before my pants are around my ankles.

        • How many users will hit the "block all cookies from this domain" button, and then blame firefox for being broken? There are good reasons for reducing the number of ways users can screw up their configuration.
    • Care to share the name of such add-on? Many thanks.
  • by Anonymous Coward on Thursday February 04, 2016 @05:47PM (#51442163)

    I leave a site, its cookies explode.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      ^^^ This

      Self-Destructing Cookies [mozilla.org] was a genuine break-through in cookie privacy.

      I wish the idea would be extended to other tracker-enabling downloads like fonts and HTML5 web storage. [w3schools.com]

      • For web fonts and similar 3rd party assets you want Smart Referer [mozilla.org]. Unless the primary website's address or id is encoded in the URL, this stops such tracking.

  • Was Yahoo p***d off about people who don't allow some cookies to be set?
    • "p***d? Pissed? If you're thinking it you might as well say it.

    • Was Yahoo p***d off about people who don't allow some cookies to be set?

      That's a serious accusation, did you even care to read the bug before writing that?
      FYI, while the deal isn't public, it was rather clear that it was contingent on Yahoo reinventing their search engine as they did.
      So you can be confident that it's more likely Mozilla that pressures Yahoo than the other way around.

      Besides the bugs, mailing lists, wiki, regular monday meetings, irc channels, etherpads, source code, review notes, commit comments, is all open.
      I work at Mozilla there is very little private

  • ...users wishing fine-grained cookie control should be using a third-party add-on instead...

    That's a laugh. What third-party add-ons are going to remain after another year or so of breaking them with nearly every damned release?

    Mozilla seem absolutely determined to jump the shark.

    • Re: (Score:2, Insightful)

      by narcc ( 412956 )

      after another year or so of breaking them with nearly every damned release?

      You guys just can't be satisfied. "This or that feature should be a plugin!" Mozilla removes features and suggests they are better handled by plugins "No! Not that feature!"

      Their plugins sometimes break between releases because of the way plugins are structured, so they announce that they're replacing their plugin architecture with something guaranteed to have a more stable API. "No! You're destroying everything! NoScript will never work again!" "We're working with NoScript to ensure it continues to func

      • Re:Add-ons? (Score:4, Interesting)

        by Anonymous Coward on Thursday February 04, 2016 @06:41PM (#51442595)

        You are mostly right. Although it is unclear how many other extensions won't be adaptable to the new model. They are working with NoScript because NoScript is the 3rd most popular add-on for firefox. But what about those odd-ball add-ons that only have a couple of hundred users?

        Meanwhile one thing that is legitimately and inarguably stupid is this add-on signing requirement they keep pushing back every couple of releases. They want to force you to submit your add-on source code to them for signing. At first they were doing automated code inspection and rejected add-ons that didn't pass, even for stylistic reasons. It took a couple of months of bitching before they finally backed off that level of scrutiny, doh!

        But it is still a problem for people who have internally developed extensions - forcing them to choose between running an unsupported version of firefox or exposing their source code to mozilla who can not guarantee that it won't be pilfered away via corporate espionage.

        All they need to do to fix it is make mozilla check for a list of exceptions to the signature requirements in an admin-only writable location (like /usr/lib/mozilla/ on linux or an admin-only part of the registry on windows). The code to do that is already 99% written because they already pull config data out of those locations, just need to verify it is admin-only writable.

        But they keep resisting the obvious, instead insisting that anyone who wants to run an unsigned add-on must run a completely separate installation of firefox and thus forgo all the security benefits of getting auto-updates straight from them. The end result is much reduced security for those people - no crypto signatures for any add-ons and they must do manual compiles each time there is a new firefox release - and really, only the most hard-core of users is ever going to do that in a timely fashion. Just because you have an odd-ball add-on doesn't mean you are that hard-core.

        I'm not that hard-core, but I still run the defunct "redirect cleaner" because none of the replacement add-ons quite match the original's functionality in corner cases. If I had enough time to compile every new release of firefox, I would have enough time to fix one of the replacement redirect-cleaner extensions to handle the corner-cases too.

        • by vux984 ( 928602 )

          But it is still a problem for people who have internally developed extensions

          They have release channels that don't require the signed code.

          In my opinion, their default model is correct for the general masses.

          They DO HAVE a release channel suitable for advanced users who require internally developed unsigned stuff. One is not forced to stay on an old version.

          But letting you simply turn off the signing as an option in the main release channel would be pointless, because then any malware would simply *do that* as its first action.

          Having the version that doesn't require signed extension

      • Re:Add-ons? (Score:4, Insightful)

        by sumdumass ( 711423 ) on Thursday February 04, 2016 @07:04PM (#51442753) Journal

        Sure we can be satisfied. All they have to do is give control to the user instead of making inane changes because they know better for us.

        If no one was maintaining this feature, the proper thing to do would be disable on new installs, check settings on upgrades, and put a job posting out for someone to volunteer to maintain it. While they are at it, notify the users of the problem and stop pretending their shit don't stink.

        In fewer words, show the users some respect.

      • by MacTO ( 1161105 )

        It is hard to believe a company when they have worked hard to destroy their credibility with their own user base. For example: claiming to support privacy, while removing features that can improve privacy.

        Also, Slashdot users are not a singular entity. Different people have different opinions. It is quite probable that those opinions will contradict each other.

      • by Kjella ( 173770 )

        You guys just can't be satisfied. "This or that feature should be a plugin!" Mozilla removes features and suggests they are better handled by plugins "No! Not that feature!"

        There's a huge gap between "You can have the car painted any color you want as long as it's black" and "We've stripped it down to the chassis, pick the parts that are right for you". I always thought extensions were going to cover niche functionality and act as a test bed so you could slowly pull in core shortcomings into the main browser at a leisurely and well structured pace because there's an overhead to extensions when you have many installed and your browser runs like shit because of some bad plug-ins

    • Comment removed based on user account deletion
  • No browser works the way I want it to "as is." I have to install a handful of 3rd party addons or whatnot before a fresh install is not crazy-making. I'm not sure why this is a big deal. You can still manage cookies however you want with 3rd party extensions so who cares?
    • Comment removed based on user account deletion
      • That's a great approach, in a perfect make-believe world where add-ons are all reliably maintained. In the real world, if you have 10 essential features split up as 10 different add-ons maintained by 10 different people/organizations, you have 10x the chance of one of them breaking in a future update. Being a feature of the core program entails more reliable maintenance. Of course even that can fail sometimes, as in the case of this article where they were unable to find anyone to maintain the feature... bu

      • If you want bookmark management, use an add on..

        Simple bookmark management should be built in. But perhaps even that should be an add on, just one that is installed & enabled by default.

  • Because Reasons (Score:5, Interesting)

    by ewhac ( 5844 ) on Thursday February 04, 2016 @05:59PM (#51442271) Homepage Journal
    It occurred to me after submitting the article that the per-cookie approval feature has been part of Firefox since it was called Netscape, so it's been around for a very long time.

    Moreover, the allegation that enabling the feature destabilized the browser is pharmaceutically pure bullshit. I've been using the feature since its inception, and have Firefox windows open and running for days at a time without ill effect.

    Contrariwise, I just went to check my cookie store, and found a bunch of new, unapproved, unwelcome, provably unnecessary cookies have appeared in just the week since I moved from v43 to v44. Deleting them after the fact is not a solution. Once set, tracking can take place immediately. The damage has already been done.

    The proffered reasons for the change are easily shown to be false, so I do not hold out any hope that Mozilla management will have a change of heart on this matter and reinstate the long-standing feature.

    Would anyone care to recommend a cookie management add-on?

    • by kwalker ( 1383 )

      Same here. I've been using this in Firefox FOREVER. Turning that feature on and installing AdBlock are the first two things I do on a new Firefox install. I have Firefox running for days or weeks without issue (Only issue is when having too many Javascript-heavy tabs open and the whole process bloats up to over 1GB then starts chugging).

      Crashing multiple times per day my ass! The only crashes related to this is when some site I've never been to before bombards me with so many cookie requests that the popups

    • Re:Because Reasons (Score:4, Informative)

      by Anonymous Coward on Thursday February 04, 2016 @06:23PM (#51442447)

      > Would anyone care to recommend a cookie management add-on?

      Self-Destructing Cookies [mozilla.org]

      Cookies are automatically deleted when you navigate away from the web page that placed them. You can designate some to persist, although it isn't the most convenient UI.

  • they lose their identity and userbase. It's strange how they fail to understand that.

    The Australis UI was the first step. Now this. Soon, a looming XUL deprecation which is an even worse idea -- I wonder what's the point of using Firefox will be then.

    In short we had a fantastic web browser, now we have a Chrome wanna-be. Soon, we'll have a Chrome copy with Gecko underneath, but who on earth cares what rendering engine they are running?

  • Mozilla's apparent position is that users wishing fine-grained cookie control should be using a third-party add-on instead, and that an "Ask before accept" option was, "not really nice to use on today's Web."

    The same could be said for Firefox 44, really.

  • Fuck Mozilla (Score:5, Insightful)

    by sexconker ( 1179573 ) on Thursday February 04, 2016 @06:11PM (#51442373)

    I built a new Windows image for our workstation PXE deployments, this time without Firefox.
    If you're going to be just another trash browser you're no longer getting installed on the systems I'm responsible for.

    In true Mozilla fashion, the discussion on the bug tracker has been censored, so people can't even effectively complain about it.

    • Re:Fuck Mozilla (Score:5, Insightful)

      by sexconker ( 1179573 ) on Thursday February 04, 2016 @06:27PM (#51442477)

      And in true Mozilla fashion, my post to the mailing list, where Mozilla told people to discuss the issue, was rejected by the moderator:

      To: firefox-dev@mozilla.org
      Subject: Cookies in Firefox 44

      The recent change to how cookies were handled in Firefox 44 should be reverted.
      Stifling discussion on the bug tracker is also bad form.

      Your request to the firefox-dev mailing list

      Posting of your message titled "Cookies in Firefox 44"

      has been rejected by the list moderator. The moderator gave the
      following reason for rejecting your request:

      "Bugzilla is for tracking technical work, it's not a debate forum.
      Firefox-dev is the proper place to discuss such things, but as your
      message isn't adding substantive to the discussion I'm rejecting it."

      Any questions or comments should be directed to the list administrator
      at:

      firefox-dev-owner@mozilla.org

      Bye, Mozilla.

    • What will you use then, Google Spyware that lacks key privacy-related extensions?

  • WaterFox's latest build seems to still have the granularity. For those not familiar, Waterfox is a high performance browser based on the Mozilla platform. Made specifically for 64-Bit systems. It is speedy and all your FF extensions should work. In fact, in upgrading to WF, all of my FF prefs, extensions and addons were in place and working right on first boot. https://www.waterfoxproject.or... [waterfoxproject.org]
    • WaterFox doesn't make changes aside from being a 64-bit build, as far as I know. It's basically a 64-bit build using the Intel C compiler with the optimizations flag turned up to 11.
      It will eventually get this "update".

      I'm currently evaluating http://www.palemoon.org/ [palemoon.org] as my personal Firefox replacement. The workstations I'm responsible for will get Chrome by default, and not Firefox. (Along with IE/Edge/Safari.)

      I'm 100% done with Mozilla, and I expect the organization to go under by the end of 2018.

  • Cookie storms (Score:4, Interesting)

    by Maow ( 620678 ) on Thursday February 04, 2016 @06:34PM (#51442555) Journal

    I fucking hate sites that cause cookie storms.

    I got hit by one today, at Chandra Observatory, of all places.

    Set your cookies to request always and prepare for > 30 of them: http://chandra.si.edu/photo/20... [si.edu]

    However, it doesn't seem like this solution of Mozilla's is a great one if one were to take the new default into consideration.

    But it's why I'm still on v39.0 - can't keep up to all the changes

    • by ewhac ( 5844 )

      Set your cookies to request always and prepare for > 30 of them: [ ... ]

      A mere thirty? Lucky you. That's easily manageable; just lean on the ESC key for a few seconds. I've visited sites that tried assaulting me with nearly a thousand for a single page.

  • Firefox records and submits telemetry, by default, without gaining consent. If you're going to abuse your user, why can't the user at least benefit? They have telemetry, so they at least know which users have this feature enabled ("I use this feature"). If their telemetry is thorough, they know which users enabled it, then disabled it and left it off ("I tried this feature. I then stopped using it"). Now you know how popular it is, rather than just using a supposition as one of your major reasons [mozilla.org], you have

  • It's cookie option is to delete any new cookies received when shutting down.

  • This is where I get off the bus. I've used Firefox for years, Netscape before that - gladly so. But the Firefox people have gone from great developers making a useful product, to pretty good but a little squirrelly, to UX weenies and marketing assholes, to evil sellouts actively trying to screw me over. Fuck 'em.

    On a completely unrelated note, if you use Linux, chattr +i is your friend. Works on directories as well as files too. Just sayin'.

  • I have been using Firefox since the early days. Sure there were some releases with problems but 44 for me is the worst ever in my opinion. I have completely wiped it from APPDATA and Programs, reinstalled, yet frequent crashes. Crashes immediately if loading from the taskbar in Windows 7. If I use any plugins like Ad Block Plus or Noscript I get high CPU utilization and it sucks up allot of memory. Occasionally it just disappears in the middle of doing something.

    Now with the cookie thing which I use freq

  • I hope we still have the option for chunky chocolate chips!

  • This report is about removing optional user control over which cookies get created. Firefox 44 still allows users to delete individual cookies. Open up Preferences, go to the Privacy tab, click on "remove individual cookies" (a hyperlink) and you will see a list of all your cookies [cluemail.com], grouped by domain name. Click on the ">" before a domain name to see the cookies for that domain. Select and delete as desired.

    Personally, I prefer to use NoScript but allow websites to create cookies. That way I can whitelist domains in NoScript until a website works, without having to worry about which cookies to allow. Once I've finished with a website, I can always delete all the relevant cookies until next visit. This works well for me; YMMV.

  • by TheRealHocusLocus ( 2319802 ) on Friday February 05, 2016 @07:17AM (#51445117)

    Some where back in the dim recent past, Firefox's ESCape key no longer meant abort everything and return control completely to the user. No matter if the base html is incomplete, no matter if some goofy-gumdrop JSON cloud-abortion is in progress, or a 302 redirect is in progress. No matter if you'll have to settle for a blank page because CSS cannot decide what color the text will be. Just ABORT. Now the ESC key means hardly anything.

    Now in the face of incomplete loads, packet loss, severely delayed DNS lookups, javascript tumors that are busy metastasizing to grow the page from seeds using repeated lookups to unresponsive and overworked database servers --- all of this results in pages that won't stop loading, tabs that will not close immediately, or even pages with visible readable content that will not respond to scrolling requests or link clicks... until... exactly what I never found out.

    The purported reason was to save the poor deep data content providers from aborted transactions caused by unwashed masses hitting reload and ESC. I say, if they're overloaded or vulnerable in any way to aborts or identical re-submits they are vulnerable to script kiddies too and someone has not done their job properly or provisioned their servers adequately. I never considered the ability to abort a web load as anything but an intrinsic RIGHT --- until it was taken away. It was,like, what are they thinking?

    I've had to force-close Firefox to regain control. And no we're not talking about Flash or embed delays either, I run NoScript. This is Firefox's native process refusing to abort everything under all conditions.

    If content providers bite into some apple of complexity (for example) embedding advertising and load sharing schemes that do little tricks (such as) using gobblegook DNS names with low or zero TTL, they deserve to be sandbagged for their effort by the masses until they re-think their decision and (god forbid) roll back in the general direction of 'static' content.

    Unfortunately this is something a third-party addon cannot really fix. If ever I was temped to fork a whole project and create a new subculture to fix one aggravating feature=bug this is it.

Let's organize this thing and take all the fun out of it.

Working...