Firefox 44 Deletes Fine-Grained Cookie Management

ewhac writes: Among its other desirable features, Firefox included a feature allowing very fine-grained cookie management. When enabled, every time a Web site asked to set a cookie, Firefox would raise a dialog containing information about the cookie requested, which you could then approve or deny. An "exception" list also allowed you to mark selected domains as "Always allow" or "Always deny", so that the dialog would not appear for frequently-visited sites. It was an excellent way to maintain close, custom control over which sites could set cookies, and which specific cookies they could set. It also helped easily identify poorly-coded sites that unnecessarily requested cookies for every single asset, or which would hit the browser with a "cookie storm" — hundreds of concurrent cookie requests.

Mozilla quietly deleted this feature from Firefox 44, with no functional equivalent put in its place. Further, users who had enabled the "Ask before accept" feature have had that preference silently changed to, "Accept normally." The proffered excuse for the removal was that the feature was unmaintained, and that its users were, "probably crashing multiple times a day as a result" (although no evidence was presented to support this assertion). Mozilla's apparent position is that users wishing fine-grained cookie control should be using a third-party add-on instead, and that an "Ask before accept" option was, "not really nice to use on today's Web."

Deny ALL Cookies

[zenlessyank]

Seems to be as fine grained as I need.

Re: Deny ALL Cookies

And I don't want to hear you whine when people stop visiting your site because of your fucking annoying popups.

Re:Deny ALL Cookies

[AmiMoJo]

Says the guy logged in to Slashdot.

Re:Deny ALL Cookies

[LordKronos]

Session variables. If people would use those and not just cookies. It'd be better.

And how exactly do you think session variables work? How do you link a browser to the session? Cookies!!!

Yes, I know you can put a god damn session id in the URL query string, but that's annoying, unreliable, and insecure. IF someone navigates your website for a bit, puts some stuff in the shopping cart, then just goes back to your homepage by stripping everything but the domain name off the URL...TADA!!! You've lost their session!!! Or if they jump to a different part of your website via a bookmark from a previous session...TADA!!!! You've lost their session. Or if they copy their URL and pass it to someone else/post it on a forum...TADA!!!! Someone else is now using their session (yes, you can "solve" that issue by linking the session by a secondary authentication variable like IP, but then you run the risk of having your website broken for anyone that moves between IP addresses).

In short, I've never seen a good, clean, reliable way to link a user to a session that doesn't involve cookies. If you've got the magic solution to that, please...I'm all ears.

Now if you mean websites should only use session cookies instead of persistent cookies, and the "deny all cookies" option only denied persistent cookies (does it do that already? I have no idea), then yes...that is a workable solution for most cases. Off the top of my head, I think the only thing you lose there is the ability to persist your login between browser sessions. But then again, if someone doesn't mind session cookie but dislikes persistent cookies, they could already set their browser to clear all cookies on exit or use a private browsing mode, and then all current websites would work perfectly fine.

The gun is pointing at the foot

[phoenix0783]

They seem to be really trying to shoot themselves in the foot lately.

Fuck Mozilla

[sexconker]

I built a new Windows image for our workstation PXE deployments, this time without Firefox.
If you're going to be just another trash browser you're no longer getting installed on the systems I'm responsible for.

In true Mozilla fashion, the discussion on the bug tracker has been censored, so people can't even effectively complain about it.

Re:Fuck Mozilla

[sexconker]

And in true Mozilla fashion, my post to the mailing list, where Mozilla told people to discuss the issue, was rejected by the moderator:

To: firefox-dev@mozilla.org
Subject: Cookies in Firefox 44

The recent change to how cookies were handled in Firefox 44 should be reverted.
Stifling discussion on the bug tracker is also bad form.

Your request to the firefox-dev mailing list

Posting of your message titled "Cookies in Firefox 44"

has been rejected by the list moderator. The moderator gave the
following reason for rejecting your request:

"Bugzilla is for tracking technical work, it's not a debate forum.
Firefox-dev is the proper place to discuss such things, but as your
message isn't adding substantive to the discussion I'm rejecting it."

Any questions or comments should be directed to the list administrator
at:

firefox-dev-owner@mozilla.org

Bye, Mozilla.

Re:No options for you

No, its the "FUCK YOU! we know how to use our browser better than you" philosophy.

NOT EVEN CLOSE TO THE SAME!!!

[dltaylor]

Yes, I "shouted". Obviously to OP has no clue.

Denying the creation of a cookie in the first place has nothing to do with deleting them when Firefox is closed (whoever closes ALL of their FF windows anyway?).

I hope Pale Moon keeps the feature, but, IMO, FF44 is now nearly useless.

Re:Add-ons?

[sumdumass]

Sure we can be satisfied. All they have to do is give control to the user instead of making inane changes because they know better for us.

If no one was maintaining this feature, the proper thing to do would be disable on new installs, check settings on upgrades, and put a job posting out for someone to volunteer to maintain it. While they are at it, notify the users of the problem and stop pretending their shit don't stink.

In fewer words, show the users some respect.