by Svip 1801 days ago
> browsers gain the ability to deny excessively intrusive requests when they occur

But Set-Cookie kind of proves what happens to that kind of feature. If at first sites get used to being able to request it and get it, then the browsers that deny anything will simply be ignored. And then those browsers will start providing everything, because they don't want to be left out in the cold.

That's what happened to User-Agent, that's what happened to Set-Cookie, and I can't see why it won't happen to Sec-CH-UA-*. Which the post hints at several times. Set-Cookie was supposed to have the browser ask the user to confirm whether they wanted to set a cookie. Not many clients do that today.

To be honest, I feel the proposal is a bit naïve if it thinks that websites and all browsers will suddenly be on their best behaviour.


> Set-Cookie was supposed to have the browser ask the user to confirm whether they wanted to set a cookie. Not many clients do that today.

No worries, that's why we have laws to make the website do in the content what the browser no longer wants to do in the viewer. ;D

Having the browser explicitly prompt for cookies is neither necessary nor sufficient to do what strong, consistently-enforced privacy laws can do, because the browser can't tell a tracking cookie (which needs a prompt) apart from a settings cookie (which does not).
And the law also only requires you to ask the user if they want to be spied on.

It's not tightly bound to cookies in any way.

And vastly misunderstood.

There was a predecessor which was somehow tied to cookies but even then you didn't need to ask for setting purely functional cookies.

But somehow everyone ended up interpreting it as such.

Maybe because most sites don't have many purely functional cookies or fingerprinting, as they always track you for other purposes, too.

I’m convinced that a lot of the really annoying cookie prompts are the result of two things:

* paranoia, from small websites that are understandably worried about massive fines that could actually put their one-man-show into the poor house

* retaliation, from large websites that intentionally want to turn public sentiment against privacy laws

We were naive if we ever thought the end result would be otherwise.
But browsers could disable third party cookies, and autodelete first party cookies on page/tab close by default.

There would be a "keep cookies for this site" button somewhere near the address bar, and at each login, the browser would also ask you if you want to save your password and/or save cookies for that domain.

99% of websites don't require persistent storage, and of those that do, 99% are sites you're logged into that already prompt the user, asking if they want to save the password.
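The defaults proposed in the comment above (no third-party cookies, first-party cookies demoted to session cookies unless the user pins the site) can be written down as a concrete policy. The block below is an added example, not code from the thread or from any browser. It assumes a hypothetical `pinnedSites` set standing in for the "keep cookies for this site" button, and it approximates a cookie's site as the last two DNS labels, where a real browser consults the Public Suffix List.

```javascript
// Added example (not from the HN thread): a toy cookie policy implementing
// "block third-party cookies, make first-party cookies session-only unless
// the user pinned the site". Assumptions, mine not the commenter's:
//  - siteOf() uses the last two DNS labels; real browsers use the Public
//    Suffix List, so e.g. "foo.co.uk" would be handled wrongly here.
//  - pinnedSites is a hypothetical stand-in for a per-site "keep cookies" toggle.

function siteOf(host) {
  const labels = host.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Parse one Set-Cookie header value into {name, value, attrs}.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq <= 0) return null; // no name, or no "=" at all
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : p.slice(i + 1).trim();
    if (key) cookie.attrs[key] = val;
  }
  return cookie;
}

// Decide what to do with a Set-Cookie received from responseHost while the
// tab's top-level document is topHost. Returns {stored, reason, cookie?} with
// the cookie as it would actually be stored (persistence attributes removed
// when the site is not pinned).
function applyPolicy(header, responseHost, topHost, pinnedSites = new Set()) {
  const cookie = parseSetCookie(header);
  if (cookie === null) return { stored: false, reason: "malformed" };

  const responseSite = siteOf(responseHost);
  if (responseSite !== siteOf(topHost)) {
    return { stored: false, reason: "third-party" };
  }
  // Standard domain-match rule: a cookie may not claim a Domain outside the
  // site that set it.
  const domainAttr = cookie.attrs.domain;
  if (typeof domainAttr === "string" && siteOf(domainAttr.replace(/^\./, "")) !== responseSite) {
    return { stored: false, reason: "domain-mismatch" };
  }

  const persistent = "expires" in cookie.attrs || "max-age" in cookie.attrs;
  if (persistent && !pinnedSites.has(responseSite)) {
    delete cookie.attrs.expires;
    delete cookie.attrs["max-age"];
    return { stored: true, reason: "demoted-to-session", cookie };
  }
  return { stored: true, reason: persistent ? "pinned-persistent" : "session", cookie };
}

// Constructed sample: a top-level page on news.ycombinator.com receiving
// cookies from itself and from an embedded third-party resource.
const TOP_HOST = "news.ycombinator.com";
const SAMPLE_RESPONSES = [
  ["sid=abc123; Max-Age=3600; Secure; HttpOnly; SameSite=Lax", TOP_HOST],
  ["pref=dark", TOP_HOST],
  ["_t=xyz; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Domain=.tracker.example", "cdn.tracker.example"],
  ["x=1; Domain=other.example", TOP_HOST],
];

for (const [header, host] of SAMPLE_RESPONSES) {
  const r = applyPolicy(header, host, TOP_HOST);
  console.log(`${host}: ${header.split(";")[0]} -> ${r.reason}`);
}
```

Note what the policy keys on: who set the cookie relative to the top-level site, and whether it asked to outlive the tab. It never looks at purpose, because nothing in a Set-Cookie header says whether `sid` is a login or a tracking identifier; that is the limitation the rest of the thread is arguing about.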

That's private browsing currently. Why not use a private window?
Because I might want cookies on this page, gmail and reddit, and nowhere else. This would mean me starting a private window, googling something, finding a link on reddit, opening it, either logging in again or copying the link to a non-private window, commenting, closing that window, and going back to the search results.
Firefox has container tabs that do exactly this from a new tab.
I often do that, but now I have to click on cookie confirmation banners all the time. It is very annoying. It might just take seconds, but it adds up; over time I have been clicking on these banners for hours.

Sometimes these banners do not even work because of my NoScript

Because software is supposed to make our lives easier, not to insist we keep making the same choices again and again, and undo everything as soon as we make a mistake.
That would be an extension or fork of Set-Cookie.
Of course a web server could report which cookies are for tracking, and which are for authentication or configuration, instead of doing it within the content.

But so what? The browser has no way to tell if it’s lying.

Yes, this looks like DNT all over again. Just another header that quickly becomes meaningless, wasting terabytes of bandwidth all over the world for no good reason.
DNT does nothing technically, but it has political power and that's where privacy happens to a great degree. When 70% of users say 'do not track me', it is hard to claim that they don't care about privacy.
Unless a big vendor (cough Microsoft cough) decides to enable it by default, then it becomes meaningless.
It was meaningless from the beginning: DNT was always nothing but an Evil Bit. You’re getting mad at Microsoft for pointing out that the emperor had no clothes.
It was an Evil Bit because it didn't have the force of law behind it. Now we have cookie laws.
We had "cookie laws" when DNT was created, too.
There were people promising to implement it. That's a lot better than nothing.
Is it? The whole point of this thread is that none of the big players stood by their "promises" for longer than a few months. Especially Google's hypocrisy of promoting DNT in Chrome while knowing full well their adtech teams would ignore it as soon as they had an excuse. (Microsoft and Mozilla enabling it by default sure was a "good" excuse, despite that obviously being in the best interest of the users.)
Yes, but it's not hard to ignore DNT on Microsoft user agents, which are a small part of the population.
which were a large part of the population at the time.