On 2/4/16 12:54 PM, Hugues de Lassus Saint-Geniès wrote:
> The option was somewhat bogus (see bug #365772) and it had a pretty bad
> UI, plus it was apparently unmaintained.

On 04/02/2016 17:54, Hugues de Lassus Saint-Geniès wrote:
> Dear Firefox developers,
>
> Since the patch for bug #606655 "Remove "Ask me everytime" cookies
> option" was merged into Firefox 44 release, many comments have been made
> on Bugzilla about the problems caused by the loss of such a functionality.
>
> I will try to summarize a bit some of what has been said on the tracker:
>
> The option was somewhat bogus (see bug #365772)

>   and it had a pretty bad
> UI, plus it was apparently unmaintained.

> Those inconveniences were outweighed by the fine-grained cookie control
> it gave the users.
>
> The functionality was useful for many, plus it was instructive as it
> would show which cookies were set by which domain.

> It was one of the few differentiating factors between Firefox and other
> browsers. Someone even said that many everyday users - not powerusers -
> liked the feature and switched to Firefox thanks to it.

> Now the bare options are very limited, and the default setting for those
> who were using the "Ask every time" option has become "Accept" instead
> of "Reject", which would have been the safest option for privacy matters.
> Many websites are broken when one selects the "Reject" option,

> Extensions such as Privacy Badger or Cookie Controller are presented as
> an alternative, but they either make use of public white-lists or have a
> rather old UI.

> Firefox communicates a lot on protecting its users privacy, but this
> update seems to head in the opposite direction, giving less control to
> its users.

On 2016-02-04 12:54 PM, Hugues de Lassus Saint-Geniès wrote:
> Dear Firefox developers,
>
> Since the patch for bug #606655 "Remove "Ask me everytime" cookies
> option" was merged into Firefox 44 release, many comments have been made
> on Bugzilla about the problems caused by the loss of such a functionality.

> It was one of the few differentiating factors between Firefox and other
> browsers. Someone even said that many everyday users - not powerusers -
> liked the feature and switched to Firefox thanks to it.

Le 04/02/2016 19:56, Gijs Kruitbosch a écrit :
> You can still see which domains set which cookies through various means
> (page info, the preferences, the network inspector in devtools, 'cookie
> list' in GCLI (shift-f2), add-ons...). That functionality has not gone
> away.

>> It was one of the few differentiating factors between Firefox and other
>> browsers. Someone even said that many everyday users - not powerusers -
>> liked the feature and switched to Firefox thanks to it.
> Is there data about this and how many people were involved? Do you also
> have data about how many people stopped using Firefox because they
> changed the setting without really understanding it, then found there
> browser unusable and gave up in despair? (see also
> http://limi.net/checkboxes-that-kill/ )

>
> "Differentiating" is really just a fancy-ification of "different", with
> an implication of "better". I disagree that there were or are "few" such
> factors - that is, I think there are quite a number! - but not everybody
> benefits from each of them. Clearly, you benefited from this one and
> presumably not from some of the other ones.

>> Many websites are broken when one selects the "Reject" option,
> ... which is presumably why people were migrated to 'accept', rather
> than 'reject', because effectively breaking their internet access and
> then leaving them to dig through the options to figure out how to fix it
> would have been a pretty bad idea.

> Note also that we still give you separate control over third-party
> cookies, and so "accept" and "reject" aren't actually the only options.

> Sorry, but the 'ask me every time' cookie dialog UI hadn't been updated
> for at least 5 years, maybe closer to a decade. "old UI" doesn't sound
> like a great reason not to use something if that was what you were using
> before.

> The underlying assumption here is that it is possible for a user to
> assess whether you should accept a cookie based on the modal dialog.
> That is fundamentally not the case because you cannot know a-priori
> whether that cookie is used "just" for tracking or for login
> functionality. Yes, cookie names give you some clues, but only if the
> programmers were kind to you and not misleading (which is an
> unreasonable assumption if you also want to use this functionality to
> stop 'malicious' use of cookies). The only way you can really know is if
> you look where it is sent/used, which you don't know at the point when
> it's set, which is when you were interrupted by a modal dialog asking
> you what to do.

> The old model also involves everyone making these decisions manually all
> the time, when those decisions could be shared out meaning people can
> spend more time doing what they want to do instead of trying to decide
> what to do about cookies. The shared keeping of lists for things like
> this as a model has proved thousands of times more successful if you
> look at add-on usage of things like Ghostery, Disconnect.me or Adblock
> Plus and its block lists. Very very very few people have the time and
> energy to spend hours or days of their time over the course of a year
> just to micromanage their cookies, especially when they are such a small
> part of what tracks you on the web today.

> In a certain sense, this boils down to a very basic principle: Firefox
> should not burden the user with extra/complex choices when we can reduce
> those choices to simpler ones. Blocking images, JS or cookies
> specifically are all really proxies for higher-level user intentions,
> whether it's avoiding tracking, reducing bandwidth consumption, or
> testing website behaviour as developers. We should make (and are
> making!) tools and options that cater to those high-level intentions and
> take care of the mechanics "as if by magic", instead of forcing users to
> learn about the machinery of the web just to get Firefox to "do what
> they mean".

Le 04/02/2016 19:38, Boris Zbarsky a écrit :
> Plus it violated Gecko invariants and thus led to lots of crashes, yes?

Le 04/02/2016 20:06, Mike Hoye a écrit :
> If you go to take a look at addons.mozilla.org and search for "cookies",
> there a couple of great addons that let you manage or manipulate cookies
> in various ways - "Self Destructing Cookies" is a personal favorite, but
> there are a couple of good choices there, and I think that a few of them
> have whitelist/blacklist/ask options built in.
>
> https://addons.mozilla.org/en-US/firefox/search/?q=cookies

> Something in there might have what you're looking for, or better!
>> It was one of the few differentiating factors between Firefox and other
>> browsers. Someone even said that many everyday users - not powerusers -
>> liked the feature and switched to Firefox thanks to it.
>
> I think we're going to have to agree to disagree about that.

On Fri, Feb 5, 2016 at 12:34 AM, Hugues de Lassus Saint-Geniès <hugues....@univ-perp.fr> wrote:

Take this silly example: imagine if we removed RSS support because many
average users do not use them, and say that those who want to have to
install the extensions they want between the 177 extensions relevant
with the keyword "RSS". I think we would make a big step back (when I
used Sage as an RSS reader ^_^) if the functionalities used by a
minority were removed just "because they can break the average user's
Internet".

On Friday 2016-02-05 21:40 +0100, Marco Bonardo wrote:
> Also, add-ons are not an enemy nor an evil thing, we should stop saying
> things like "requiring a user to install 20 add-ons is wrong...". Nothing
> wrong with that, it's customization.

AM, Hugues de Lassus Saint-Geniès

        This philosophy is cast into doubt when Firefox deprecates the existing
extension mechanism, casting hundreds or thousands of existing, working
customizations into limbo.  If the way for people to customize Firefox
is with extensions, then making sure upgrades never break extensions
becomes as important as making sure upgrades don't remove functionality
from core Firefox.

-- Brendan Barnwell
"Do not follow where the path may lead.  Go, instead, where there is no
path, and leave a trail."
    --author unknown

_______________________________________________
firefox-dev mailing list
firef...@mozilla.org
https://mail.mozilla.org/listinfo/firefox-dev

That is one of the reasons for deprecating the existing extension
mechanism, because we can never be sure that updates won't break
extensions using that mechanism.

_______________________________________________
firefox-dev mailing list
firef...@mozilla.org
https://mail.mozilla.org/listinfo/firefox-dev

On 2/4/16 6:34 PM, Hugues de Lassus Saint-Geniès wrote:
> Le 04/02/2016 19:38, Boris Zbarsky a écrit :
>> Plus it violated Gecko invariants and thus led to lots of crashes, yes?
>
> During the six or seven months I used this option I did not experience
> any noticeable crash, whether it be on Windows or Linux.

--
Brendan Barnwell
"Do not follow where the path may lead.  Go, instead, where there is no
path, and leave a trail."
    --author unknown

On Fri, Feb 5, 2016 at 12:49 PM, Brendan Barnwell <bren...@brenbarn.net> wrote:
> On 2016-02-05 12:47, Dave Townsend wrote:
>>
>> On Fri, Feb 5, 2016 at 12:45 PM, Brendan Barnwell <bren...@brenbarn.net>
>> wrote:
>>>
>>>         This philosophy is cast into doubt when Firefox deprecates the
>>> existing extension mechanism, casting hundreds or thousands of existing,
>>> working customizations into limbo.  If the way for people to customize
>>> Firefox is with extensions, then making sure upgrades never break
>>> extensions
>>> becomes as important as making sure upgrades don't remove functionality
>>> from
>>> core Firefox.
>>
>>
>> That is one of the reasons for deprecating the existing extension
>> mechanism, because we can never be sure that updates won't break
>> extensions using that mechanism.
>
>
>         That is interesting.  Are you saying that, once the new extension
> mechanism is in place, you will guarantee that upgrades will never again
> break extensions?

On 05/02/16 20:47, Boris Zbarsky wrote:
> On 2/4/16 6:34 PM, Hugues de Lassus Saint-Geniès wrote:
>> Le 04/02/2016 19:38, Boris Zbarsky a écrit :
>>> Plus it violated Gecko invariants and thus led to lots of crashes, yes?
>>
>> During the six or seven months I used this option I did not experience
>> any noticeable crash, whether it be on Windows or Linux.
>
> It's possible you got lucky.  It really depends on what scripts on the
> page end up running while the dialog is up, and hence on what pages
> you visit.  But it was pretty simple to create pages that would crash
> every time.  With a bit more work, I expect those pages could exploit
> the browser via this codepath to run arbitrary code...

I've been using this feature since netscape 4.x and I've never seen it
crash; mind you I've only run it on Linux.

Matt

_______________________________________________
firefox-dev mailing list
firef...@mozilla.org
https://mail.mozilla.org/listinfo/firefox-dev

On 2/5/16 1:53 PM, Brunoais wrote:
> I concur. I didn't have any issues yet with the popup asking what do I
> want to do with certain cookies.
>
> How do I do now to select the cookies I accept to have and the ones I
> do not accept to have? What are the real viable alternatives? I don't
> want to be tracked by ads, for example.
>

On 2016-02-06 11:46 AM, Brunoais wrote:

For most non-recurring websites, I actually, usually, visit them while denying all cookies from everywhere and denying javascript. My experience may be diminished but it is a choice I made. It may requite more work and more clicks to get things done but it is a choice I made.
Then, for websites that require cookies and are in the same "kind", I usually decide to set to deleting the related cookies when I finish my browsing session. They may recognize me when I'm back but it has to be in the same browsing session.

How do I make such decision with with so much ease using a different UI? Is there an addon capable of it, also?

On 2016-02-05 4:48 PM, Marco Bonardo wrote:
> It's not about any feature, just things we can't guarantee sufficient
> quality.

On 10/02/16 09:01 AM, Hugues de Lassus Saint-Geniès wrote:
> Is the "Keep until" preference referring to ALL cookies or just
> third-party? I find this quite unclear in the UI. Would it reduce the
> "Always accept 3rd-party cookies" to "just" a session-storage storage
> issue instead of a global-storage problem?

On 08-02-2016 14:57, Mike Hoye wrote:
> On 2016-02-05 4:48 PM, Marco Bonardo wrote:
>> It's not about any feature, just things we can't guarantee sufficient
>> quality.
> I think the admission that we can't make a feature great, either

> because it doesn't have a large enough audience or we don't have
> sufficient resources, isn't the same as saying that feature can't be
> made great by somebody.
>
> We've got a rapidly-growing design community now, and as the addons
> situation shakes out we're going to spend more time connecting addon
> creators with aspiring designers.
>
> We're going to have a lot more discussions like this as more features
> lose the great-or-dead coin toss, so I'm pretty confident the Right
> Thing for us is to do the up-front work of helping people who rely on
> some soon-dead feature find a migration path towards a decent
> replacement addon or set of addons, and help their developers ship
> something great.
>
>
> - mhoye
>
>

Le 09/03/2016 05:40, Robin Laing a écrit :
> On 12/02/16 17:19, Francois Marier wrote:
>> On 10/02/16 09:01 AM, Hugues de Lassus Saint-Geniès wrote:
>>> Is the "Keep until" preference referring to ALL cookies or just
>>> third-party? I find this quite unclear in the UI. Would it reduce the
>>> "Always accept 3rd-party cookies" to "just" a session-storage storage
>>> issue instead of a global-storage problem?
>>
>> "Keep until" is for all cookies. So it you change it to "until I close
>> Firefox" then both first-party and third-party cookies will become
>> session cookies (which are removed when the browser exits).
>>
>> There is a preference in about:config to turn only third-party cookies
>> into session cookies:
>>
>>    network.cookie.thirdparty.sessionOnly = true
>>
>> With that on, first-party cookies will stick around, but third-party
>> cookies will be cleared when you close Firefox.

>> I blogged about our cookie options recently. You might find this useful:
>>
>>
>> https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/

> I have tried to use different add-ons but none have restored the feature
> and convenience.   I have had so many broken web sites now that I don't
> allow any cookies unless I really need too.

--
Hugues de Lassus Saint-Geniès

On 2016-03-08 11:40 PM, Robin Laing wrote:
>
> I have tried to use different add-ons but none have restored the
> feature and convenience.   I have had so many broken web sites now
> that I don't allow any cookies unless I really need too.

On 09/03/16 09:59, Mike Hoye wrote:
> On 2016-03-08 11:40 PM, Robin Laing wrote:
>>
>> I have tried to use different add-ons but none have restored the
>> feature and convenience.   I have had so many broken web sites now
>> that I don't allow any cookies unless I really need too.
>
> Cookie Whitelist With Buttons, here:
>
> https://addons.mozilla.org/en-US/firefox/addon/cookie-whitelist-with-buttons/?src=search
>
>
> has the block-all-and-whitelist feature.
>
>
>
> - mhoye

On Mon, 14 Mar 2016 21:21:09 -0600
Robin Laing wrote:

> On 09/03/16 09:59, Mike Hoye wrote:
> > On 2016-03-08 11:40 PM, Robin Laing wrote:  
> >>
> >> I have tried to use different add-ons but none have restored the
> >> feature and convenience.   I have had so many broken web sites now
> >> that I don't allow any cookies unless I really need too.  
> >
> > Cookie Whitelist With Buttons, here:
> >
> > https://addons.mozilla.org/en-US/firefox/addon/cookie-whitelist-with-buttons/?src=search
> >
> >
> > has the block-all-and-whitelist feature.
>

> It is an option but still doesn't help when you have a site that
> wants to setup cookies for tracking sites under their domain.  Such as
>                 bad-tracker.good-domain.com
>
> You allow for a domain but don't want THAT cookie.  Now you don't
> know if it is there or not.

> As a side note, in the comments for some other issue, I read that the
> reason some people think options are not being used is because of no
> usage details being sent to Firefox.  I for one, due to privacy,
> refuse to send this data.

> I have no idea what is in the data and thus don't trust it, as I
> don't trust MS data gathering.