Firefox 44 Deletes Fine-Grained Cookie Management

ewhac writes: Among its other desirable features, Firefox included a feature allowing very fine-grained cookie management. When enabled, every time a Web site asked to set a cookie, Firefox would raise a dialog containing information about the cookie requested, which you could then approve or deny. An "exception" list also allowed you to mark selected domains as "Always allow" or "Always deny", so that the dialog would not appear for frequently-visited sites. It was an excellent way to maintain close, custom control over which sites could set cookies, and which specific cookies they could set. It also helped easily identify poorly-coded sites that unnecessarily requested cookies for every single asset, or which would hit the browser with a "cookie storm" — hundreds of concurrent cookie requests.

Mozilla quietly deleted this feature from Firefox 44, with no functional equivalent put in its place. Further, users who had enabled the "Ask before accept" feature have had that preference silently changed to, "Accept normally." The proffered excuse for the removal was that the feature was unmaintained, and that its users were, "probably crashing multiple times a day as a result" (although no evidence was presented to support this assertion). Mozilla's apparent position is that users wishing fine-grained cookie control should be using a third-party add-on instead, and that an "Ask before accept" option was, "not really nice to use on today's Web."

Deny ALL Cookies

[zenlessyank]

Seems to be as fine grained as I need.

Re: Deny ALL Cookies

And I don't want to hear you whine when people stop visiting your site because of your fucking annoying popups.

Re:Deny ALL Cookies

[AmiMoJo]

Says the guy logged in to Slashdot.

Re:Deny ALL Cookies

Friendly suggestion: Switch to uBlock Origin. Much faster engine than adblock. Per-element blocking is also built-in and just a context menu away. As an extra bonus it's not sponsored by the very businesses we are trying to block.

Re:Deny ALL Cookies

[LordKronos]

Session variables. If people would use those and not just cookies. It'd be better.

And how exactly do you think session variables work? How do you link a browser to the session? Cookies!!!

Yes, I know you can put a god damn session id in the URL query string, but that's annoying, unreliable, and insecure. IF someone navigates your website for a bit, puts some stuff in the shopping cart, then just goes back to your homepage by stripping everything but the domain name off the URL...TADA!!! You've lost their session!!! Or if they jump to a different part of your website via a bookmark from a previous session...TADA!!!! You've lost their session. Or if they copy their URL and pass it to someone else/post it on a forum...TADA!!!! Someone else is now using their session (yes, you can "solve" that issue by linking the session by a secondary authentication variable like IP, but then you run the risk of having your website broken for anyone that moves between IP addresses).

In short, I've never seen a good, clean, reliable way to link a user to a session that doesn't involve cookies. If you've got the magic solution to that, please...I'm all ears.

Now if you mean websites should only use session cookies instead of persistent cookies, and the "deny all cookies" option only denied persistent cookies (does it do that already? I have no idea), then yes...that is a workable solution for most cases. Off the top of my head, I think the only thing you lose there is the ability to persist your login between browser sessions. But then again, if someone doesn't mind session cookie but dislikes persistent cookies, they could already set their browser to clear all cookies on exit or use a private browsing mode, and then all current websites would work perfectly fine.

No options for you

Ah, I see they are following the Gnome school of user interface design.

Re:No options for you

No, its the "FUCK YOU! we know how to use our browser better than you" philosophy.

The gun is pointing at the foot

[phoenix0783]

They seem to be really trying to shoot themselves in the foot lately.

Re:The gun is pointing at the foot

[elrous0]

It all makes a lot more sense if you consider that almost all of Mozilla's income comes from Google and Yahoo.

Re:The gun is pointing at the foot

[Artem+S.+Tashkinov]

You might have missed Pale Moon - the people behind it forked Firefox just before Mozilla decided to foist universally hated Australis on its users.

Re:The gun is pointing at the foot

Browser market share stats prove you are totally wrong.

In August 2013 Firefox held over 16% of the browser market.

Australis was included in Firefox 29, which was released on April 29, 2014.

By August 2014 Firefox only held about 11% of the browser market.

By August 2015 Firefox was down to about 8% of the browser market.

As of January 2016 Firefox is down to around 7% of the browser market.

Australis has helped drive away over half of Firefox's users.

Re:The gun is pointing at the foot

[slaker]

I'm overwhelmingly a user of Palemoon rather than Firefox. I am extremely satisfied with Palemoon, particularly given the stewardship Mozilla has provided of late.

I hate what Firefox has become. At this point, It's a marketing company with a technology product, not a technology company. I don't like third party applications being inflicted on me. I don't like the state of flux in the UI that has existed since Firefox 26, the change or removal of features I've been using for years. I don't like arbitrary, zero-notice changes to features I'm using. These are all bad things.

But I'm going to stick with a Mozilla-derived browser for as long as humanly possible because all the alternatives seem worse. I like leaving tabs open. Browsers that use One Process-per-tab will annihilate my available RAM. Chrome (-ium), Opera and Safari all lack privacy and security-related addons that I won't surf without. Edge, with no addon support at all and forthcoming "We're gonna try to use Chrome's!", is a complete non-starter. I need Java in a browser for IT operations tasks. Anecdotally, I see as many issues with fake/bad addons in Chrome's Extensions as I did with BHOs in IE6's heyday.

Chrome has gone from the simple, lightweight option to a bloated mess that duplicates a lot of OS functions. I don't even want to load on a low-spec machines any more. I know it's the web's new favorite, but I'd rather take the ham-fisted marketing driven Mozilla mismanagement any day than live in an ecosystem where Noscript and RequestPolicy aren't really available.

Re:The gun is pointing at the foot

[arth1]

They seem to be really trying to shoot themselves in the foot lately.

No worries, the feet will be removed in v45.0
You will still have plugins for right foot, left foot, and foot extensions, someone just need to write them. And sign them for every new version.

In 46.0, the rendering engine will be removed, but no worries, you can use a plugin.
in 47.0, the plugin loader will be removed, but no worries, you can load an extension for loading plugins.

Re:The gun is pointing at the foot

[nmb3000]

And all 12 people that used the feature will be missed.

When your market share has shrunk to little more than the people who only continue to use your product because it has features that differentiate it from the alternatives, removing those very features is a damned stupid move.

I'm just waiting for them to finish the work currently underway to dump XUL and the current addon API, utterly destroying the current addon ecosystem and fully alienating all remaining users. That will be final stroke in Firefox's Chromification, and its death.

There's an add-on for that..

[kheldan]

I have an add-on that keeps only the cookies I explicitly select, the rest get deleted whenever I close Firefox, or when I manually delete cache and cookies with shift-control-delete. Just get that and have all the 'fine-grained' control you want.

Re:There's an add-on for that..

[kheldan]

Please identify WHICH add-on.

'selectivecookiedelete' v4.1.1
Just checked it, it's still doing it's job, keeping the whitelisted cookies, deleting everything else.

Re:There's an add-on for that..

[ShaunC]

I use Self-Destructing Cookies, which accepts cookies long enough to make a session work and then deletes them automatically when you close the related tab. There's a whitelist feature.

Of course as per usual with a Firefox update, I now have no clue whether or not that extension will continue working, or whether I need to tweak some arcane setting to keep it working, or whether said arcane setting has been removed from the browser entirely... So I'll just stick with my current version for awhile. Other people can be the guinea pigs and I'll look for their reports. The trouble with that approach is that with each release, there are fewer other users out there. Mozilla seems determined to run Firefox into the ground and it's just a sad thing to watch.

Proud to have self-destructing cookies installed

I leave a site, its cookies explode.

Because Reasons

[ewhac]

It occurred to me after submitting the article that the per-cookie approval feature has been part of Firefox since it was called Netscape, so it's been around for a very long time.

Moreover, the allegation that enabling the feature destabilized the browser is pharmaceutically pure bullshit. I've been using the feature since its inception, and have Firefox windows open and running for days at a time without ill effect.

Contrariwise, I just went to check my cookie store, and found a bunch of new, unapproved, unwelcome, provably unnecessary cookies have appeared in just the week since I moved from v43 to v44. Deleting them after the fact is not a solution. Once set, tracking can take place immediately. The damage has already been done.

The proffered reasons for the change are easily shown to be false, so I do not hold out any hope that Mozilla management will have a change of heart on this matter and reinstate the long-standing feature.

Would anyone care to recommend a cookie management add-on?

Re:Because Reasons

> Would anyone care to recommend a cookie management add-on?

Self-Destructing Cookies

Cookies are automatically deleted when you navigate away from the web page that placed them. You can designate some to persist, although it isn't the most convenient UI.

Fuck Mozilla

[sexconker]

I built a new Windows image for our workstation PXE deployments, this time without Firefox.
If you're going to be just another trash browser you're no longer getting installed on the systems I'm responsible for.

In true Mozilla fashion, the discussion on the bug tracker has been censored, so people can't even effectively complain about it.

Re:Fuck Mozilla

[sexconker]

And in true Mozilla fashion, my post to the mailing list, where Mozilla told people to discuss the issue, was rejected by the moderator:

To: firefox-dev@mozilla.org
Subject: Cookies in Firefox 44

The recent change to how cookies were handled in Firefox 44 should be reverted.
Stifling discussion on the bug tracker is also bad form.

Your request to the firefox-dev mailing list

Posting of your message titled "Cookies in Firefox 44"

has been rejected by the list moderator. The moderator gave the
following reason for rejecting your request:

"Bugzilla is for tracking technical work, it's not a debate forum.
Firefox-dev is the proper place to discuss such things, but as your
message isn't adding substantive to the discussion I'm rejecting it."

Any questions or comments should be directed to the list administrator
at:

firefox-dev-owner@mozilla.org

Bye, Mozilla.

Re:Fuck Mozilla

[sexconker]

Currently I'm evaluating PaleMoon.

Cookie storms

[Maow]

I fucking hate sites that cause cookie storms.

I got hit by one today, at Chandra Observatory, of all places.

Set your cookies to request always and prepare for > 30 of them: http://chandra.si.edu/photo/20...

However, it doesn't seem like this solution of Mozilla's is a great one if one were to take the new default into consideration.

But it's why I'm still on v39.0 - can't keep up to all the changes

Re:Add-ons?

You are mostly right. Although it is unclear how many other extensions won't be adaptable to the new model. They are working with NoScript because NoScript is the 3rd most popular add-on for firefox. But what about those odd-ball add-ons that only have a couple of hundred users?

Meanwhile one thing that is legitimately and inarguably stupid is this add-on signing requirement they keep pushing back every couple of releases. They want to force you to submit your add-on source code to them for signing. At first they were doing automated code inspection and rejected add-ons that didn't pass, even for stylistic reasons. It took a couple of months of bitching before they finally backed off that level of scrutiny, doh!

But it is still a problem for people who have internally developed extensions - forcing them to choose between running an unsupported version of firefox or exposing their source code to mozilla who can not guarantee that it won't be pilfered away via corporate espionage.

All they need to do to fix it is make mozilla check for a list of exceptions to the signature requirements in an admin-only writable location (like /usr/lib/mozilla/ on linux or an admin-only part of the registry on windows). The code to do that is already 99% written because they already pull config data out of those locations, just need to verify it is admin-only writable.

But they keep resisting the obvious, instead insisting that anyone who wants to run an unsigned add-on must run a completely separate installation of firefox and thus forgo all the security benefits of getting auto-updates straight from them. The end result is much reduced security for those people - no crypto signatures for any add-ons and they must do manual compiles each time there is a new firefox release - and really, only the most hard-core of users is ever going to do that in a timely fashion. Just because you have an odd-ball add-on doesn't mean you are that hard-core.

I'm not that hard-core, but I still run the defunct "redirect cleaner" because none of the replacement add-ons quite match the original's functionality in corner cases. If I had enough time to compile every new release of firefox, I would have enough time to fix one of the replacement redirect-cleaner extensions to handle the corner-cases too.

NOT EVEN CLOSE TO THE SAME!!!

[dltaylor]

Yes, I "shouted". Obviously to OP has no clue.

Denying the creation of a cookie in the first place has nothing to do with deleting them when Firefox is closed (whoever closes ALL of their FF windows anyway?).

I hope Pale Moon keeps the feature, but, IMO, FF44 is now nearly useless.

Re:Add-ons?

[sumdumass]

Sure we can be satisfied. All they have to do is give control to the user instead of making inane changes because they know better for us.

If no one was maintaining this feature, the proper thing to do would be disable on new installs, check settings on upgrades, and put a job posting out for someone to volunteer to maintain it. While they are at it, notify the users of the problem and stop pretending their shit don't stink.

In fewer words, show the users some respect.

ABORT on goddammed ESC key

[TheRealHocusLocus]

Some where back in the dim recent past, Firefox's ESCape key no longer meant abort everything and return control completely to the user. No matter if the base html is incomplete, no matter if some goofy-gumdrop JSON cloud-abortion is in progress, or a 302 redirect is in progress. No matter if you'll have to settle for a blank page because CSS cannot decide what color the text will be. Just ABORT. Now the ESC key means hardly anything.

Now in the face of incomplete loads, packet loss, severely delayed DNS lookups, javascript tumors that are busy metastasizing to grow the page from seeds using repeated lookups to unresponsive and overworked database servers --- all of this results in pages that won't stop loading, tabs that will not close immediately, or even pages with visible readable content that will not respond to scrolling requests or link clicks... until... exactly what I never found out.

The purported reason was to save the poor deep data content providers from aborted transactions caused by unwashed masses hitting reload and ESC. I say, if they're overloaded or vulnerable in any way to aborts or identical re-submits they are vulnerable to script kiddies too and someone has not done their job properly or provisioned their servers adequately. I never considered the ability to abort a web load as anything but an intrinsic RIGHT --- until it was taken away. It was,like, what are they thinking?

I've had to force-close Firefox to regain control. And no we're not talking about Flash or embed delays either, I run NoScript. This is Firefox's native process refusing to abort everything under all conditions.

If content providers bite into some apple of complexity (for example) embedding advertising and load sharing schemes that do little tricks (such as) using gobblegook DNS names with low or zero TTL, they deserve to be sandbagged for their effort by the masses until they re-think their decision and (god forbid) roll back in the general direction of 'static' content.

Unfortunately this is something a third-party addon cannot really fix. If ever I was temped to fork a whole project and create a new subculture to fix one aggravating feature=bug this is it.