Block cookie banners on Firefox
support.mozilla.orgFunny, I use the "I still don't care about cookies" extension (https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies) right now to automatically accept the cookie banners. They're literally one of the most annoying things that has happened in the web's history
I always get downvoted for saying this but I think the cookie banners broke taboos about intrusive and annoying pop-ups in web sites. There was a time the tech and design oriented people could fight against it for the users but once it was required or maybe “socially positive” it got much harder to fight against all the others so you find the blogs now that will interrupt you three times to give your email and such.
Cookie banners were the “broken window” that led to the whole car being demolished.
We’ve had far more annoying pop ups and banners since the 90s. One of Opera’s primary selling points at one time was its popup blocking capabilities and that was in the 90s or latest in the 2001/2002 timeframe from what I can remember.
He's not saying that cookie banners were the first pop up. He's saying that you can delineate a before time and an after time that is delineated by the cookie banners. Before: pop ups were bad and browsers would advertise about how they defeated pop ups. After: pop ups are acceptable and you're bad if you want to defeat them.
I remember the popup (e.g. new browser window) crisis circa 2000. Those were easy to stop because the behavior is easy for a browser to identify so browsers can't open popups if the action wasn't initiated by a user event handler and can open only so many in that condition.
Banners, modal dialogs and other kinds of "new popups" in general are a bit tougher. Usually there is some element you could remove from the DOM tree or display: none but the trouble is knowing which element!
The annoying thing is: it is not required by GDPR.
You can provide whatever the user wants to do. Recommendations? Sure. If you want them. The required data collection is then just.... Required. It is tied to this purpose though and can't be used e.g. for ads.
But it is not OK to collect everything about the user so you can charge more for ads or to sell ("exchange") that information. Which is in 99% of cases the reason for these banners.
How are you able to recommend content to a user without having previously asked for consent?
Either you have no data and so no information to tune your recommendations or you have data in which case you needed to request for consent
Or you can recommend content related to what's on the page. Same way TV & other traditional ads tend to work, since they can't track users.
Same way Spotify does it on startup: ask about a few things.
IANAL, but worked through implementations that can work without banner consent.
I don't want to imply that it is easy or anything. It's pretty annoying, especially as the purpose of that data needs to be tightly tracked. But it is totally doable.
Why didn't they just ask some human factors people about it and come to some solution like: "if you don't respect Do Not Track you go to jail"?
There's been an overall progression toward intrusiveness for as long as commerce has been on the internet. We had "sign up for our newsletter" and other pop-ups way before GDPR.
I think popup blockers turned back the tide for a while, but businesses eventually learned how to leverage dialogs for some of the same purposes. And, over time, that's been rolled up into WordPress plugins and other easy to implement solutions for one-off site owners, which makes them even more common.
Yeah. If there MUST be banners then, hey, why not cover half the #%^*ing screen with a “give us your email” banner.
Or give us feedback. When I'm on the site for the first time...
I can also recommend getting Consent-o-matic[0]. It automatically completes consent forms on most sites and denies all by default, although this is configurable. It is developed and maintained by the University of Aarhus in Denmark and is my opinion a better alternative to I don't care about cookies and similar extensions. It is also open source!
It's funny we (EU, CCPA?) regulate cookies and hit use cases of companies trying to better themselves via analytics or maintain user presence, but we haven't done much in the way of stopping MAGMA from owning the means of communication and commerce outright.
The Apple/Google duopoly on smartphones is insane.
- Companies face 30% tax, can't deploy, can't do native (Apple) or get scare walls (Google), can't form a customer relationship, get ads sold against their brands, forced to use Apple/Google tech and adopt their upgrade cycles, no VMs/runtimes/plugins, etc.
- Customers also have it bad: they're faced with planned obsolescence, no upgrades, encrypted parts ecosystem, green text FOMO. Apple/Google are owning all of payments, navigation, date/sex life, work calendars, emails, etc. etc. And they're not collecting data on us throughout all these activities?
Or what about Google practically owning web discoverability by paying everyone off?
Why don't we regulate smartphone vendors? This seems fair:
- Web is first class. Users can download apps off of it without scare walls.
- Apps can have native code, WASM, self-update, pack runtimes, etc.
- Apps can use their own auth rails, payments rails, etc.
- No limit on the types of apps. You can deploy non-Safari browsers and app stores of your own.
- Search engine providers can't buy access to every single pane of glass.
I'd argue that we should also regulate them on the basis of the power of their defaults, but we're in such a bind that I'd be fine with just the above.
The EU is either cracking down on or actively investigating how to crack down on all of the things you mentioned. Cookies were just their warm-up phase.
Actually, I'm sugarcoating things! The EU was cracking down on Android years before even the cookies. US techies genuinely thought EU antitrust was a shakedown to get money out of Google and have conveniently forgotten things since.
Well, the Digital Markets Act basically regulates the things you're asking for. It's specifically designed to tackle "gatekeepers", such as the Google/Apply duopoly on smartphones, Metas hold on chat (especially in Europe, where WhatsApp is very popular), Amazons hold on the online marketplace, etc.
It's a very new regulation, so we've yet to really see the effects.
SMS doesn’t work. It’s not just an issue of “green bubbles”.
Texts don’t get sent. Group messages don’t work. Images can’t be sent. Videos can’t be sent. You can’t send on WiFi.
It sucks.
I've used this extension for a long time, but there are actually websites like CNN that don't work with it now, because according to their lawyers they have to show that banner to everyone from the EU.
Do you have JavaScript enabled on that domain (CNN)? I use the NoScript extension as well as I Still Don't Care About Cookies, most JavaScripts are disabled (besides cnn.com and cnn.io), and I can read the articles just fine.
There was a period back in December that this happened to me. I use a combination of ublock origin, no script, privacy badger, and Ghostery — along with PiHole and NextDNS.
Yes, I know that’s probably a recipe for conflicting disaster, but like a lot of these temporary breakages, after about a week the problems with CNN disappeared. And I don’t think I did anything. But, I am US based too.
Or they could just not track people... ;-)
I just enable all of uBlock's cosmetic and "annoyances" lists. It seems to block them all.
> to automatically accept the cookie banners
Do you mean it agrees to all the tracking or declines it?
uBlock Origin has a few lists for cookie banners that I always keep on [0][1]
[0] https://github.com/easylist/easylist/tree/master/easylist_co...
[1] https://github.com/AdguardTeam/AdguardFilters/tree/master/An...
I upvoted but wanted to say Thank You. This is very useful for me personally, and materially improves my life.
You're very welcome! The list maintainers and uBlock Origin folks really are amazing people.
Submitted title was "Firefox private mode now automatically blocks cookie banners for German users".
Submitters: If you want to say what you think is important about an article, that's fine, but do it by adding a comment to the thread. Then your view will be on a level playing field with everyone else's: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...
This is in the site guidelines: "Please use the original title, unless it is misleading or linkbait; don't editorialize." - https://news.ycombinator.com/newsguidelines.html
Given browser headers have existed for a long time, does anyone know why there isn't some protocol of your browser saying "give me all the cookies", "give me only essential cookies" or "give me all cookies except trackibgbones" etc? Instead if tedious and manual banners on every website?
I get why companies might not want this (less cookie acceptance) but they didn't want cookies to require consent either and the EU enforced that. How come no move to require support for a protocol like this?
See https://en.wikipedia.org/wiki/Do_Not_Track, though this wasn't part of any regulations.
The successor to Do Not Track is the Global Privacy Control, which companies are required to respect in several states, including California and Colorado. Support for GPC is already built into Firefox and Brave, but must be enabled in the privacy settings. Users of other browsers can get the benefits of the GPC opt-out using third party extensions like EFF's Privacy Badger.
Furthermore, despite Do Not Track being an obvious and strong indication of user intent, website owners want to hassle you anyway on the off chance you fallaciously "consent" from fatigue/accident/coercion/etc. It's like those business bros that just keep pushing after you say no (respecting boundaries is for suckers, amirite), but since it's in the automated digital world think of it as yet another "dark pattern" if you must. Every cookie banner is essentially the site giving a giant middle finger to the user, but the surveillance industry has been adept at getting users to uncritically attribute them to the existence of privacy regulation rather than their own shitty behaviors. Part of which is this continued myopic focus on "cookies" when modern privacy regulation functions independent of the specific tracking mechanisms.
Keep in mind that these aren't really "cookie banners", they are data processing consent forms. They ask for your consent for way more than just cookies - things like browser fingerprinting, IP address tracking, etc.
Browsers auto-deleting (or rather not storing) cookies doesn't do anything to address the other stuff.
You can't keep companies from spying on you by asking them to "pretty please stop". DNT had the same problem.
The banners aren't even the real problem here, it's the surveillance of users.
We either create strong regulations with teeth and enforcement that make it prohibitively costly for companies to spy on people, or we're left with a technological game of cat and mouse where users have to protect themselves as well as they can by not trusting adversarial companies to play nice and limiting what data they make available in the first place. I'd prefer a mix of both.
Because the banners were not necessary (companies could just, you know, not set all those tracking cookies!)
They were a petulant response to EU legislation, like a little child told to clean his room who goes around stomping their feet, sighting very loudly, slamming drawers, and doing the bare minimum they think will satisfy what they were told to do (ie everything just gets shoved into closet shelves and drawers) etc.
The point of the banners are to annoy the shit out of everyone in hopes that we'll pressure elected officials to pass some legislation they write up that undoes the privacy protections.
"See? See what that legislation your silly elected officials made us do? Isn't it annoying? We told you...but we wrote up some new legislation, you should tell them to pass it."
The nice side benefit is that they're extra annoying to people who have cookies blocked entirely, or dumping cookies after each browser quit, etc.
The point of the banners are to annoy the shit out of everyone in hopes that we'll pressure elected officials to pass some legislation they write up that undoes the privacy protections.
So it's a calculated response, not a tantrum.
Now, what about our beloved leaders? They enact legislation that can't be enforced. I was able to refuse cookies or auto-delete all the cookies when closing a session, so I didn't give a fuck. Now I'm forced to deal with this nonsense. So this law is worse than useless for me, it's actively damaging.
You're not judged on your intentions, but on your results. And the worst thing is they're not going to relent.
This protocol is not needed. The browser can discard third party cookies, I configured it to do so for years (but more recently switched back to an ad-blocker instead, blacklist also works fine in practice). Most things will work just like you expect, a few website sign-in flows will break ... honestly a better outcome than obnoxious cookie banners and popups on every website though.
Cats of the the bag, unfortunately. Can websites detect that setting to avoid popping a redundant cookie banner?
It is unlikely that anyone wants to implement these if it reduces tracking overall, as you said. It needs regulation and I would like it.
You don’t need consent for cookies if the company collects only data it is allowed to. The banners are visible notification that they want to collect more than they need to.
For the most part even that isn't even required. If a server sends your browser a cookie it's under no obligation to pass it back in the next request. I suppose you could argue that's a bit all or nothing and separating out essential vs everything else is potentially useful.
Gonna arguably talk out of my ass here, but as far as I understand the law, it doesn't dictate implementation details. You have to get consent to keep any sort of persistent session state on your users that can be used to track their browsing behavior. It doesn't say you need to do this by offering a popup that itself stores a cookie saying you do or don't want other cookies, but you're largely guaranteed browsers will support displaying a popup banner. You're not guaranteed browsers will send a non-standard header. Doing this is in the scope of browser developers and the IETF, whereas GPDR is in the scope of lawmakers. One of those groups decided to act and the other did not.
There are was a standard called P3P that would allow you to specify this kind of thing. However unsurprisingly for an industry driven by surveillance economics making this kind of thing doesn’t get that much traction unless you do things like GDPR. If think I heard somewhere that there is an amendment on the way to address this kind of thing.
P3P died when Google started intentionally breaking it.
> P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&a... for more info."
https://tech.slashdot.org/story/12/02/20/2127250/microsoft-a...
https://web.archive.org/web/20120220235443/http://blogs.msdn...
Highly recommend the Consent-O-Matic extension to automatically handle cookie prompts, too: https://github.com/cavi-au/Consent-O-Matic. One of my favourite extensions.
Seconded this, and on Firefox, the extension is also available on Firefox Android now https://addons.mozilla.org/en-US/firefox/addon/consent-o-mat...
To show the setting to enable this feature outside of Germany, go to about:config and flip cookiebanners.ui.desktop.enabled. Then a "Cookie Banner Blocker" section should appear in the Firefox settings.
It seems like cookiebanners.service.mode=1 might enable it outside of private browsing.
> For example, they might make the Accept All Cookies button prominent, colorful and appealing, while burying the Customize Settings option in small text or a less noticeable location. This design choice can be misleading, effectively nudging users towards accepting all cookies without considering the consequences.
Kind of burying the lede there that this isn't just annoying, it's illegal.
I recently went to a webpage that on landing it opened the cookie modal full page with a big "We Respect Your Privacy!" and all the cookies were listed and opted out. Which was really nice, then you scroll down to reveal the buttons and the big prominent button was "Accept All Cookies" and the other smaller button was the "Save Settings" button. They were all colors that blended so if you were going too fast you just wouldn't see the words against the background.
I was really just impressed by the lengths they went to to steal consent.
The general trend of Not-A-Button Buttons in GUIs can die in a fucking fire.
We have screens capable of rendering 8K in literally billions of colors and the silicon to drive them and yet we can't spare a few pixels for some borders and shading?
It's not that they can't, it's that they don't want to specifically to be annoying.
However, the various DPAs have been completely useless at actually enforcing its regulation, as if there wasn't actually any will to enforce it due to vested interests.
It’s such a convenient outcome that the banners annoy people in to giving /explicit/ consent (every non techie user I’ve observed just click “accept”, oath of least resistance), when before it was a quite a grey area, as I understand it, that you have to wonder if it’s more than just a happy coincidence.
How do they make it work across all websites, since it seems there’s many ad hoc implementations?
They haven’t.
> “The cookie banner blocker works by using a careful selection of websites that we've put together.”
Injects fake cookies that tells websites you previously declined to accept cookies, or do a JS-auto-click on the button.
Now, how about letting plugins rewrite HTML while it downloads, so we can regex-out EVERYTHING except actual page content?
Any quick patches to apply to the source to enable this in all modes everywhere?:)
Disable JavaScript works to block most problems or reader mode.
along with most of functionality, yeah, no
Unfortunately, modern website functionality is totally inseparable from all the things which make modern websites terrible. Losing functionality is the best solution here, as it trains you not to rely on unnecessarily complicate web apps.
Well I use the necessarily complicated ones haha
I find that most useful websites work well without JS, and the exceptions can be whitelisted.
I don't know for how long this will remain true, given the number of web developers whose talks are how to optimise fifty bajillion layers of abstraction so that they can load the JS needed for a form button click before anything else… instead of just using what's built directly into the pre-JS HTML standard.
*old man shakes fist as The Cloud*
Most content websites work completely fine with JS disabled. There’s a certain sort of startup landing page that’s very commonly broken, but on general content pages it’s definitely uncommon. Though blank pages still aren’t as rare as they should be.
Source: I’ve disabled JS by default for I think three years now, and hold that it generally improves the web.
My technique is to disable JS via uMatrix, but don’t enable that extension in Private Browsing windows, and so just open briefly in Private Browsing if a page that I want to see is broken. I find this a pretty decent balance for ease of use.
It does not improve anything. The web is apps now, denying that is silly.
I don't want to reload the page with each search or action in gmail. Neither do I want to download telegram or whatsapp if they can be used as a browser tab.
I clearly spoke of content websites. I’m not suggesting disabling JS for web apps. You can easily enable or disable for specific sites with extensions like uMatrix and NoScript.
That's a cool opinion, but I disagree. It's not all going to JavaScript only. Even Amazon works without JavaScript. You asked for blocking cookies on content. It works.
honestly I browse without JS enabled most of the time and most websites not only work just fine (to the extent that they show the content I requested), but they also load faster, look cleaner, and the overall experience is a huge improvement. Considering that in the rare cases where it doesn't work it's just a couple of clicks to selectively allow JS (which can be remembered so I only need to do this one time) or to re-enable JS globally it's really not a problem.
It'll depend somewhat on what you use the internet for I guess, but it doesn't make the internet broken by any means. Because of the work I do I've got a ton of other things disabled too which can make it harder than it would be for most people and it still usually isn't an issue. I also keep a non-hardened browser around for cases where it really is a problem, but I rarely need it.
This is awesome! Maybe 2024 will be the year of Firefox
This has been working in the DDG browser for me for awhile, nice to see Firefox catch up.
The EU forcing this garbage is one of the worst things to happen to the web.
The EU didn't actually force cookie banners; they're not the only route to GDPR compliance. The other routes - like only using necessary cookies - were just unacceptable to ad/tracking companies.
"The EU didn't force cookie banners, they just made it so that companies have to choose between the banners and their revenue, conversion tracking, and business metrics."
Whoever's bright idea that forcing an annoying banner on users was going to make any company currently employing tracking think even for a microsecond about not tracking needs to have their head examined.
Because you employ tracking you're legally obligated to make someone else's life more annoying is a brilliant piece of legislation.
> "The EU didn't force cookie banners, they just made it so that companies have to choose between the banners and their revenue, conversion tracking, and business metrics."
You don't have to choose between those.
Revenue tracking is clearly necessary; `SUM(total) FROM orders` hardly violates the GDPR. Conversion tracking can be done in an anonymized fashion, or via things like coupon codes. Plenty of business metrics left to go on.
The EU correctly decided the balance of things was too far in the corporate direction versus the consumer direction.
EU is law is so bad that Wikipedia has a cookie banner. It literally bans all non functional cookies unless the users consents like preference cookies, performance monitoring cookies etc. I am sure all their government sites violate their own rules because i see preference cookies getting dropped without my consent and if I block the cookie, site still works.
What does this wikipedia cookie banner look like? I tried to get it to pop up for the last ten minutes and got nothing.
Even changed browsers, deleted all cookies, and disabled my adblocker. Might it be a regional thing? My IP address is geolocated in the EU.
I don't think it exists. The only banners I've ever gotten on wikipedia are donation related.
> preference cookies
This would count as a functional cookie.
> performance monitoring cookies
Your web server doesn't need a cookie to tell you how long it took to process my request.
To be fair, the EU does bear the fault in that its regulation is not enforced enough. The GDPR actually forbids annoying users into consent (it doesn't count if you force or trick users into consenting) but enforcement of this has been so lacking that entire businesses like TrustArc have been built on providing non-GDPR-compliant consent flows.
Cookie consent banners and GDPR are different things though - it just happens that GDPR also classifies cookies as identifiers.
> they're not the only route to GDPR compliance.
But if it was the easiest and cheapest. Their lack of basic foresight is painful and has made the web worse.
You cannot blame the EU on having many websites making poor product decision and customers being content with crappy websites. Just stop visiting websites that have those banners and write angrily about it too their support. If enough people do the same, the law will work as intended.
> You cannot blame the EU on having many websites making poor product decision and customers being content with crappy websites.
I absolutely can blame the EU, prior to these regulations these cookie banners didn't plague the web. Virtually no one's privacy has increased because these regulations but almost everyone's web experience has been made worse because of these regulations.
> If enough people do the same, the law will work as intended.
How many more years do we have to wait for this happen? This HN post exist because FireFox is having to create a brand new feature to handle this garbage on its own.
Murica not catching up with the game not regulating anything and literally letting crooked billionaires do whatever they like is one of the worst things happen to the web :(
> literally letting crooked billionaires do whatever they like
How exactly have these banners prevented that?
I honestly don't like this idea.
I hate cookie banners just like anyone else, and use addons to remove them.
But I don't think it's browsers' job to modify web content based on their discretion, even with good intentions. I especially hate it when a manually crafted list is involved (as said in the article).
I think it should be done of 3rd-party addons/rules, not the browser vendor.
I had the same thought until I remembered that i use the pop up blocker from the same browser. It's really not different. Pop ups are valid html/js that we depend on the browser disrespecting, so are third party cookies.
How can this work "for German users"? Why is this not a "for a Firefox user"? I am German - how do I know this is enabled for me? I do not live in Germany.
From the article:
> Firefox version 120 introduces the cookie banner blocker.
> Enable: By default, it's on in private windows for users in Germany.
That doesn't say how they determine "users in Germany". Dial IP into some service and look at geo location? Sort of pointless if VPN is used?
Oh, I get your point now :-)
It clearly means "up-to-date Firefox instances located in Germany", your nationality doesn't really matter.
Germany was probably chosen because Firefox's market share is fairly high there
The article itself doesn't say that.
> The cookie banner blocker is available starting from Firefox version 120, and it's automatically enabled for users in Germany browsing in Private Browsing Mode.
> ...
> Enable: By default, it's on in private windows for users in Germany.
> ...
> Why Germany and private browsing mode?
> Our initial launch in Germany and private browsing mode has specific reasons:
> - Private browsing mode displays cookie banners repeatedly, making this feature especially useful. Germany, as a part of the European Union, is a prominent market where cookie banners are noticeable due to GDPR.
> - We plan to gather insights from this launch before potentially expanding the feature to a broader audience.
Firefox periodically dials home and reconfigures itself based on the arbitrary whims of Mozilla. It's really kind of disgusting.
For those interested, the mothership is: incoming.telemetry.mozilla.org
I'm fairly certain the telemetry can be disabled, but it is enabled by default and it's among the top 10 most blocked addresses in my Pi-Hole.
Frankly, I'm weighing the benefits to cost ratio of just blacklisting all Mozilla domains if this gets worse.
Telemetry and "studies" are both checkboxes in the privacy section of firefox's preferences.
I usually turn both off right after changing the default search engine and disabling search suggestions, when I setup a new install.
Turns out this only turns off some of the telemetry. Turning it off completely is not entirely trivial.
https://github.com/K3V1991/Disable-Firefox-Telemetry-and-Dat...
Mozilla claiming to be the champions of privacy (among other virtues) makes this arguably worse than Google, Microsoft, et al. because they're at least upfront about their telemetry.
And the other browsers don't?
I've had my share of weird issues in Chrome because they enabled an "experiment" of some kind.
Yes, they are all doing it, and it's all bad. Though Firefox is especially culpable since most of their marketing is about privacy. It's apparently only bad when other people are spying on their users.
It would be interesting to know the rough amount of cumulative wasted joules on both the computer side and humans doing the extra clicks this cookie banner nonsense adds up to. Unintended consequences of laws.