What if browsers made it so when you turned off cookies, instead of not allowing anything to be written, they instead gave each page you visited its own fresh cookie jar that was cleared when you navigated away?
This is loosely what Firefox's temporary containers [0] extension does. Each tab (with options to control whether a tab spawned from a parent tab should inherit the cookie-jar context of the parent) gets its own temporary context. I don't recall whether it clears the jar on navigating away, but you can have that jar cleared when the tab is closed, and you can configure new jars when opening a new tab to a new site origin (i.e. domain).
I use and love this extension. The main complication that would prevent it from being a mainstream solution to cookie clearing is automating the decision of when to create a new container vs continue to use the existing one when links are clicked. Going by domain name (using Public Suffix List) breaks a lot of SSO implementations, and the occasional payment processor/verification flow, and other situations that redirect to another site, but pass information (or save state to have on return) via cookies.
It is designed to work with and supplement the Multi-Account Containers add-on. There a few things that are annoying and could use better integration. First, all the temporary containers show up in the list of containers you have created. Most of the time you can ignore that list, so it isn't a big deal, but if you need to configure a permanent container (and you have 100s of tabs open) the clutter makes them harder to find in the long list.
When you tell Multi-Account Containers to always open a domain in a specific container, Temporary Containers knows about this, but for some reason it prompts you for additional confirmation. And sometimes this prompt breaks sites the first time through, adding an additional iteration when trying to configure a container to work with a site that uses multiple domains. Other than that they work together fine.
I would also recommend the Cookie Quick Manager extension, which lets you manage cookies on a per-container basis. If you have been using Multi-Account Containers by it self, then any links you open from a page will open in the same container (say reading news sites from HN), and you likely have a bunch of cross-site cookies stored there. This extension will let you clear out any undesired third-party cookies that have gathered in the container. The UI is a bit unclear at first (which of these three trashcan icons scattered across the page delete the subset of cookies I want), so read the tooltips before clicking an icon.
That's effectively what Incognito does, except not at that granularity to make it simpler for users to understand.
It probably can't be every site being separate since that breaks a number of things sites do (like opening 3p windows to complete transactions), but it could probably be done in some kind of logical group manner. Maybe by using different window colors to signify the partitions.
Similar to suggestions that Android offer the option to provide fake location data to apps that require it without good reason: It's a fantastic idea and seems easy to implement, but might make it less painful for users to opt out of all the tracking that makes the internet so friendly to advertisers and other groups who would like to surveil your activity.
The solution to "software authors routinely collecting more info than they should" is not "accept the behavior as irredeemable, and just normalize it".
The answer is "make ot way more visible to users when it is done, snd make it harder for software authors to do/maintain." Anything else is just a tacit acknowledgement and grant of legitimacy to the behavior in question.
Just the opposite. What this would normalize is app developers no longer be able to depend on location data being accurate, which would destroy the location data sales market by turning it into a market for lemons.
What you propose, simply yelling at developers to stop requesting unneeded permissions, would have no useful effect. They won't change. And most customers won't care and will blindly click accept no matter what if they think they have to to access their game.
Never let the perfect be the enemy of the good. Assume that other actors in the world will respond the way they usually do, not the way you think they should. That is the way to get things done.
No it wouldn't, and it'd be nigh impossible for the handset to make that judgement call. That's not a computable problem except by the User reading the code, understanding it, and toggling the fake data switch on.
Besides which, I don't care if you feed me garbo GPS GLONASS if I've war driven and reverse indexed local wireless nodes to GIS coords. There's more than one way to get at coordinates, and enough hands in the jar in terms of being honest with location data by default that it'd be an uphill battle to fight teach users just how many ways a mobile handset can potentially leak location data.
The problem is that the data is retained at all. Until that data is considered toxic/a liability, there will be no respite from it.
Not sure what your point is or what your interpretation of my comment was. So just to clarify, I think the location data sales market is a bad thing and that is why I advocate a solution that would destroy that market and give us back location privacy. It has zero benefit to users and a lot of scary downside.
(For those who are unaware, a lot of free apps pay for themselves by secretly recording location history and then selling it. This is why companies and even government agencies can buy mass location data when they want and query it to find out who was where when. This has been going on for years and is well known and documented and in no way secret. Just for anyone who missed it somehow.)
Firefox Focus on Android basically does that by default.
If you set it as default browser then all links you click will be openend there. Hit the back button when you're done and everything is deleted.
Another use case is if you quickly want to open some website to look something up: open the website, maybe click a few links, and when you're done everything is wiped.
You can keep a regular Firefox (or Chrome or whatever) for surfing to those websites where you want to keep some state.
Yes. And instead of requiring sites to ask "accept cookies", let it be a browser option when the site attempts to store cookies, like "OK for 10 minutes".
Exactly. The great thing about cookies is that they are a tool, completely in the hand of the user. The site gives you a piece of text and says "show this to me next time if you want me to remember you". And then the browser can choose to continue to use them or not.
Such a weird choice to put the onus on the websites to ask whether to give the cookies, rather than the browser to ask whether to save them. I'm a big supporter of privacy legislation like the GDPR, but this is asinine, as it needs me to trust every website I visit to actually honor my choice.
Really, the original sin of cookies is that were designed to be transparent to user. That was a mistake that promptly needs to be rectified.
Cookies might be in the hands of the user but tracking as a whole is not. If cookies become less reliable then there are many other ways, which is why the GDPR requires consent for any tracking not just cookies.
A combination of Firefox Enhanced Tracking Protection and Cookie Autodelete works quite well here. Along with I Don't Care About Cookies to hide the inevitable slew of consent banners.
I do use Multi-Account Containers and Temporary Containers too, but typically when I want multiple simultaneous sessions, rather than wanting my current session to be cleaned up.
This is the exact use case for sessionStorage or a cookie with expires=0. But correct usage depends on the knowledge & goodwill of website authors.
For privacy purposes, Incognito mode achieves the same effect without any of the hassle. Maybe turning off cookies should not even be an option anymore?
What if legislators had targeted the ~3 browsers instead of the countless websites to enforce their policy? Things would actually work on a technical level, and we wouldn't be bombarded with dozens of useless cookie warnings. Would have been nice.
Assuming the website wants to do something on the first user's visit, it would start doing it on every page load. Letting the website know that the user has disabled cookies can help avoid it and improve user experience.
You cannot realisticly prevent the website from knowing that you are using a privacy-conscious browser, which is why e.g. TOR Browser and Firefox's enhanced tracking prevention don't attempt to do that but instead only try to make all their users look the same. Trying to emultate the growing number of cookieNG technologies whithout adding more privacy leaks is a waste of time.
