
Your user agent saves the cookies. If you don't like it, change it.


Ignoring the privacy bit - 125 cookies is quite a bit of per request overhead, especially in http/1.1 where they are not compressed. I would say it's poor website design.


Heh, so I actually do this.

An incredible amount of the web just breaks. Twitter, Reuters, Imgur. Like it's one thing if, when I attempt to log in, your log in fails (and usually, logins fail to handle the error & will just loop back to the start, that's at least a start) but a lot of the web will have a flash-of-text and then nothing, & JS has crashed.


I do think cookies get unfair treatment.

They are things that your browser happily rebroadcasts back to the server with no real UI for it outside of the shitty devtool bar made for devs, even after all this outcry about cookies.

It reminds me of the meme of the guy riding a bicycle, throwing a branch into the spokes (rebroadcasting cookies), and then roaring in pain on the ground about how evil websites/advertisers are tracking him with cookies.

That said, what a lame HN thread on a post about Haskell.


I have come to accept it and just ignore it. Many times there would be a long thread having to do absolutely nothing about the topic at hand. Not a tangent but like completely unrelated, why are we even discussing this here kind of thing.

I wish there was a good way to visually differentiate when a new top comment starts except by squinting and figuring out the whitespace from the left of the mobile screen, more painful than necessary I presume.


I couldn't help myself. Always desperate to find an opportunity to shove my 2 cents into the world. So imagine my glee when you provided me with another one!

Yeah, I think both (A) defaulting to auto-expanded threads and (B) making them annoying to collapse make HN worse than it could be.

You tend to read the top-level thread because it's already there. And then it ends up being longer than you expected, or you're trapped in a subtree that just won't end, or you just want to see what other people are saying. And there's no good way to move past it.

Would be nice to click the indentation to collapse the thread anywhere inside the tree.


I just scroll to the top and use the “next” link on the top comment (added with the prev and context links around October 27–28th last year I think).


Thanks a lot for sharing, boogies, much simpler now.


Use HackerWeb. Top-level comments are highlighted, and it automatically collapses threads to show only top-level comments when there are a lot of comments.

https://hackerweb.app/#/item/31181595


Why shift the burden on the user and the user agent? The website is the only one to blame here.


Blaming the website for your own agent doing something you don't want it to is learned helplessness.

Every marketing cookie generates revenue for the website in some way or another. The website wants revenue, so it asks the user agent to maintain those cookies. The user agent agrees. Then the operator of the user agent gets upset that the website asked their agent to store the cookies? Get upset that your agent agreed, not that a request was made.

Or better yet, don't get upset at all and just solve the darned problem yourself. Is this Hacker News or Complier News?


Blaming the user-agent for accepting an abusive amount of cookies set by the website is outright bad faith.

The only entity with any real power to decide which cookies the website uses is the website itself.

Asking the user or the user agent to comb through cookies and decide, one by one, which ones seem marketing-related and which ones are technically required, and then block, is way too much to ask from a regular internet user.

I have tried, but fail to see good faith in your reply.


The browser is the one who stores and sends cookies. It would be trivial to make that action explicit and only at the user's request. That wouldn't even be a new feature, that used to be how things worked 20 years ago. Lynx is however the only browser left that I know that still asks you before storing cookies.

You don't even have to sift through cookies for this to work, you can just reject all by default until the user explicitly requests them to be stored (or use a whitelist or wait until the user tries to log in, which would necessitate a cookie, etc.) Lots of possibilities.

> is way too much to ask from a regular internet user.

That's kind of the point. By making it all transparent and seamless browser makers played into the hand of marketing companies. If cookies had a cost and would degrade the user experience, they might be thinking twice before putting hundreds of them on a site.

Marketing companies are just making use of the tools they are given. And browser manufacturers gave them a lot of tools, while taking control away from the user.


There are many different yet legitimate uses for cookies. It's impractical to expect the user to sift through to find the ones that are necessary and the ones that aren't. Even if the browser requests them beforehand, how is the user supposed to know if the request is for a marketing cookie or functional cookie?

> That's kind of the point. By making it all transparent and seamless browser makers played into the hand of marketing companies. If cookies had a cost and would degrade the user experience, they might be thinking twice before putting hundreds of them on a site.

Cookies do have a cost, namely the bad PR from people complaining about the unnecessary tracking cookies. If you think that's not enough, then you are free to reject cookies as well to degrade your own experience. But they aren't mutually exclusive. Complaints and bad PR can also drive users away from the site and enact change.


For cookies to have a cost they would need to be visible first. Brave does that right, by not only blocking lots of them out of the box, but also by showing you how many it blocked straight in the address bar, without any extra clicks. Firefox in contrast doesn't do that. It doesn't even give an easy way to inspect the cookies, it just has a "Clear cookies and site data" button that doesn't even tell you what it has stored or what it is going to delete.

Simply put, browsers could do a lot better job at preventing this.

As for legitimate use, I don't really see much. Login handling is the obvious one, but I'd argue that login handling itself is in dire need of a rework and should be handled by a proper Web standard, not site specific hacks and "Save password" guesswork.


That's fair, I would love for browsers to give more transparency on the tracking front.

As for legitimate use cases, I think shopping carts on most online marketplaces use cookies.


> The browser is the one who stores and sends cookies.

The website is the one who decides which cookies to send in the first place. The browser never invents a cookie out of thin air.

> you can just reject all by default until the user explicitly request them to be stored

Which cookies should the user "request to be stored" and which cookies can the user safely ignore? How does the user tell them apart? Why should the user have to bother?

> If cookies had a cost and would degrade the user experience

Cookies are already degrading my user experience; you may have noticed the cookie consent popups on many sites. Those popups exist because cookies were being abused (i.e. non-consensually) for purposes that are not essential to the functioning of the website. Such uses are now banned in the EU.

> And browser manufacturers gave them [marketing companies] a lot of tools

Browser manufacturers did not build those tools for the sake of marketing companies.


> The website is the one who decides which cookies to send in the first place.

I can't fault websites for making use of functions the browser offers them.

> Which cookies should the user "request to be stored"

Have a simple toggle button for "Save state for this website" and discard everything when that button isn't pressed. Most websites I visit I don't care about and have no need to keep any state. The few that I need to log into, I can just press that button. Knit that together with the "Save Passwords" function and it might be pretty much automatic most of the time.

> Those popups exist because cookies were being abused

Those popups exist because browsers failed to do their job. If the user wants warnings for cookies, that's something the browser can do just fine by itself, yet few do (e.g. Lynx).

> Browser manufacturers did not build those tools for the sake of marketing companies.

I'd disagree on that. Google makes their money with ads, so of course they'll optimize both Chrome and Search for maximum ad friendliness. Meanwhile Firefox is also run on Google ad money, so they can't step too far out of line either. There aren't many browsers that are built for the user first. The "you are the product" quote applies to browsers just as much as it does to Facebook.
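
The "reject all by default" and "Save state for this website" toggle ideas discussed in the comments above can be sketched as a user-agent cookie policy. This is an added example, not code from any commenter or browser: it uses Python's standard `http.cookiejar`, and the `OptInCookieJar` and `FakeResponse` names, the hostnames and the cookie values are all constructed for illustration.

```python
# Added example: default-deny cookie storage with a per-site opt-in.
# Class names, hostnames and cookie values are constructed for illustration.
import email.message
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy


class FakeResponse:
    """Minimal offline stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends, it does not replace

    def info(self):
        return self._headers


class OptInCookieJar:
    """Stores and returns cookies only for hosts the user has switched on."""

    def __init__(self):
        # An empty allow-list (not None) makes the policy refuse every domain.
        self._policy = DefaultCookiePolicy(allowed_domains=[])
        self.jar = CookieJar(policy=self._policy)

    def save_state_for(self, host):
        """The 'Save state for this website' toggle: allow exactly this hostname."""
        allowed = list(self._policy.allowed_domains() or ())
        self._policy.set_allowed_domains(allowed + [host])

    def receive(self, url, set_cookie_headers):
        """Process the Set-Cookie headers of a response to `url`."""
        request = urllib.request.Request(url)
        self.jar.extract_cookies(FakeResponse(set_cookie_headers), request)

    def cookie_header_for(self, url):
        """Return the Cookie header that would be sent to `url`, or None."""
        request = urllib.request.Request(url)
        self.jar.add_cookie_header(request)
        return request.get_header("Cookie")


if __name__ == "__main__":
    ua = OptInCookieJar()
    ua.receive("https://news.example/", ["_track=xyz; Path=/", "ab_test=7; Path=/"])
    print("stored without opt-in:", len(ua.jar))
    ua.save_state_for("shop.example")
    ua.receive("https://shop.example/login", ["sid=abc123; Path=/"])
    print("sent to shop.example:", ua.cookie_header_for("https://shop.example/cart"))
```

The allow-list entry is matched against the exact hostname, so opting in to one host does not cover its subdomains unless a leading-dot entry is added.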


> The only entity with any real power to decide which cookies the website uses is the website itself.

I have JS locked down and third-party cookies disabled. This site only managed to set one cookie for me because of my power to decide. Despite that, all content was readable.


Cookies as a mechanism are useful and required for a solid modern web experience. However, tracking cookies are arguably the opposite of that. A typical modern website with marketing comes with, I don't know, 100s of cookies. Are you really arguing that the user should be required to vet each individual cookie whenever following a link with unvetted cookies?

Or how do you solve this problem? Personally, the most I can be arsed to do is install some Adblock Plugin. I did that only a few months ago and I'm not even sure that it improved my experience by a lot.


> and required for a solid modern web experience

Absence of cookies doesn't make things unstable (non-solid?), and fuck knows what 'modern' is supposed to mean, or why it's good.

> Or how do you solve this problem?

Block all cookies except for rare moments like posting on HN, which then immediately get deleted. And no JS, which means CPU is trivial (so no burn-a-core-for-every-open-tab which is so common with page-sized pointless animations). Many problems can be solved if you want them to be.


But you realize you're the oddball that considers the problem solved like that? I'm not sure that being a "hacker" means to straight out refuse things. You're missing out on a lot of fun and inspiring information (and yes, many many hours wasted to irrelevant content).


You make your choices and I make mine. Should a person make the informed choice to immerse themselves in the web as-is with all its problems & risks, ok, but most people just pick the easy path then bitch after. I'm not one of them, and straight out refusal is in fact a viable option for me.

If I do need anything more, there's VMs. BTW what 'fun and inspiring information' do you refer to? Shadertoy is a loss I grant, but what else?


If you miss Shadertoy it won't be hard to imagine other similar things, of which there are plenty. Anything that requires interactivity beyond the one provided by HTML & CSS will obviously require Javascript. Any personalized experience (not only suggestions which yes are evil, but also personal storage) will obviously require cookies to function.

Deleting Cookies on exit (and/or at regular intervals) will probably not help much in terms of avoiding tracking, especially if you log back in using your reinitialized cookies.


> it won't be hard to imagine other similar things, of which there are plenty

which again you don't give.

> Anything that requires interactivity ... obviously require Javascript

jeez, no shit, I get it.

> (some defeatist blah about cookies)

Whatever.

You just persistently don't get it. These are my choices. I made them carefully. They suit me. They may not suit you. We could even compromise if you made an effort to see what I'm after but you won't/can't. Now please try to understand I'm not you, and just back off!


That escalated quickly.


How exactly will sites remember that you are logged in? And how would we have any web apps that aren't horrendous without JS?

Also, where is this burn-a-core-for-every-open-tab stuff? Many websites are highly optimized and do not use much CPU. Not enough to be noticed without actually looking at the numbers anyway.

What sites have page size animations these days?


> How exactly will sites remember that you are logged in?

I don't want them to. I log back in if necessary (browser remembers id/pswd). For those few I need to stay logged in, I use a VM and save the state - I'm more concerned about controlling JS than cookies in such cases.

> And how would we have any web apps that aren't horrendous without JS?

I don't use web apps. My tradeoff.

> Also, where is this burn-a-core-for-every-open-tab stuff? Many websites are highly optimized and do not use much CPU.

Oddly, it seems to be corporate bullshit sites that are the worst offenders. Can't find one but you're right, it's not all by any means. I retract.


You might be right on corporate bullshit sites, there are a few that can burn CPU (usually without any actual content worth viewing....). I guess they are meant to be shown at a meeting on a high end business laptop?

But I think the vast majority of people would be upset if sites didn't keep you logged in and there were no web apps.

It's even worse if you prefer FOSS and use web apps, since Chromium no longer has password sync, Brave and FF block advanced features, and if you use BitWarden it takes a few extra clicks.


> Usually without any actual content worth viewing

Yeah. The less info the more clipart/general crap you'll get. Weird innit.

As to your other points, I can't argue. I accept a higher level of inconvenience for a higher level of security, that's just my choice. I won't inflict it on others who make different tradeoffs.


There is no problem to solve, the cookies can't hurt you and the website needs to stay afloat.


To state the obvious, some people don't love the extensive profiles that are created of them.


Those people should be able to avoid the profiling, but any solution should be aimed at protecting those people, without impacting the 95% who don't care enough to give up convenience or pay for private services too much.


Maybe my view is warped (I'm from Germany) but 95% seems a tad high...


It might be. I actually have no idea how to assess the real number.

The Cisco survey (https://iapp.org/news/a/new-cisco-study-emphasizes-consumer-...) says 79% are willing to invest time or money to protect their privacy, but a lot less seem to actually do anything about it.

Almost everyone I know is on Facebook and Gmail, most seem to use Chrome, etc.

It seems to vary a lot with subculture. Programmers always seem to be more willing to sacrifice convenience, and people who watch porn seem to be more interested in privacy than most.

I suspect there's a pretty large segment that only cares in theory, at most, and only then just on principle because of the other people who have more interesting data.

Maybe not 95% but probably 90% of certain subsets at least.


Blaming others for making legitimate complaints about pervasive bad practices is learned assholishness.

We should all complain loudly and far more than we do about the creeping tendency of many companies to do so many obviously shitty things, instead of merely shrugging our shoulders.


Word. Tired of these "I don't want this but I won't spend any time or money on fixing it so someone else should do it" posts.

Hint: it's under Tools|Preferences in firefox/palemoon


No, it's not under "Tools|Preferences."

There is no setting anywhere, in any web browser, to "retain cookies that are technically necessary and reject marketing cookies" which is the desirable behaviour.


Define marketing cookie for me - do you mean 3rd party?

(Some possible control via Tools|Preferences|Exceptions... button allows you to customise by website, although I've never used it. Or just disallow all, which is what I do)

---

Edit: answer the question please, there may be an easy solution to what you want.

Edit2: No reply because god forbid there's an actual way you could take control, that would simply ruin everything (in a parallel universe, man complains the streets are rife with face stabbing but when presented with proof they're not, stabs self in face to prove otherwise).

Biggest problem with learned helplessness is that they like it that way. Gives them something to be angrily resentful about.


Easy, enable only cookies for the things you want (maintain your session with 1st website, plus core functionality like payments). Everything else are marketing cookies.

I used umatrix for years but gave up. The guessing what to enable to get a site to work got tiresome, and IIRC there was also a problem with browser support.


Definition of cookies I don't consent to: any cookie that is not mandatory for the site to technically work.


You don't answer my question, then use a vague term of 'technically work' to ensure I can't give you useful info. tl;dr: you don't want to be helped.


I'm sorry that the correct answer to your question is vague. Such is the nature of the Internet. Not my choice, not my fault.


If you don't specify I can't help. If marketing = 3rd party then you can block these using the hosts file at the domain level, which I do. This blocks >95% of crap cookies. A clear question gets a clear answer.


Marketing cookies can be same-site or third-party.

The only entity that can specify whether a cookie is marketing-related or not is the website. No one else can.


You're right of course but 3rd party seem to be the great majority, so blocking them is a big easy win. Also, only 3rd party cookies can track between domains/sites, so that stops that, or so I believe.



