> By the way, before anyone runs off and yells "Switch to Safari" or something like that, keep in mind that Safari is actually in a worse state and doesn't have detailed cookie and site information at all.
It does, but it's split between two places. You can see a list of all sites that have stored data in Preferences > Privacy > Manage Website Data... (no option to view here, just delete).
You can also navigate to the site in the browser and then view the detailed data:
- Check "Show Develop menu in menu bar" in Preferences > Advanced
- Develop > Show Web Inspector
- Navigate to the Storage tab
On the left you'll see options for Cookies, Local Storage & Session Storage.
> You can also navigate to the site in the browser and then view the detailed data
The author addresses this point (or has now addressed it) in the addendum to point out an "observer effect" shortcoming:
This information can be seen with the web inspector in both Chrome and Safari.
Yes, but the crucial difference is that you have to navigate to an individual site in a browser window in order to see the site data in the web inspector. Whereas in the Preferences, you can get to the site data, for every website, without having to load the sites. And remember, the very act of loading a site can make the site data change, so there's an "observer effect" if you try to examine or delete it in the web inspector.
Not that I think this has actually been applied by anyone in the wild, but it'd be fun to make a site that takes advantage of this
You can detect developer tools being open in Chrome pretty reliably, so detect that dev tools have been opened, then "clean up your act" before there's a chance to view anything of note
This has absolutely been used "in the wild". One particularly nasty strain of ad-block-evasion scripts would detect the developer tools being opened, and would reload the page and disable most of its features to prevent them from being analyzed.
Way back when, we thought about this for Firebug. One thing that came out of it was browsers started adding the console object (also because devs forgot to remove the calls on it).
Even so, we added CSS and stuff to highlight elements and that was easily found.
1. That could also be triggered by browser sidebar windows opening though. All of my browsers open dev-tools in a separate window so this is far from foolproof.
Well… you can on a lot of things. We never did .toString() on a whole lot. However, I was big on .displayName (as an override on .name which is found on functions)
My memory is fuzzy, but I also had a different function I would call if frameworks added it so instead of “Object {}” it was “Backbone.Model {id=1}”.
I put these in and used them in firebug extensions I wrote for frameworks.
Later I asked chrome to add something, which is why there is a “enable custom formatters” option for the console. Really needs to work in the debugger though.
Do you not understand that it's not your code and that their code wants toString to be called?
Someone else is writing code that they want to have react to the console opening.
So they will intentionally force the call as soon as the console is open, as a result toString is called regardless of if you yourself have made a call to it.
The ad-block thing is where I first saw it, that and DRM for less-than-legal sites to prevent downloading (stops streaming if the dev console is open)
I mean more specifically taking advantage of the awkward UI to cover up your tracks on local storage, it's something that's just devious enough that if you get caught (which is not difficult) it'll be hard to explain what you were doing, and you'll be trying to explain it to technical people
When discord loads, it copies it out of localstorage into a js var and deletes the localstorage. So if you examine localstorage it will be empty. On page unload it copies it back into localstorage. So if you want to see the value, you have to make sure no discord tabs are open in your browser.
I believe one reason for this is to prevent self-xss. It's hard for a malicious person to write a snippet of js to steal the login cookie now that it's no longer in localstorage. Another reason might be to prevent bots. It's hard for someone to automate a discord account if there's no way to get the account's login cookie.
Could you see the original cookie by inspecting the headers of the network request? This would presumably be the value before the page loads and gives access to document.cookie or a change triggered by a server-side header.
Consider using something like https://mitmproxy.org/ to deal with a site so devious as to detect browser-level tools being used to inspect headers/cookies/etc.
Not trying to defend anyone here, but I wonder if there's a non-nefarious reason for this.
Specifically, there have been a lot of changes to cookies lately because malicious actors (malware/adware) figured out how to access the cookie store and infer/determine cookie information from other sites.
I suspect that maybe this cookie store is kept in a more secure part of the application and only the cookies relevant to the site you visit get pulled out of it. It may even be a risk to have the information for all domains even loaded into memory for the application.
With all that said, there should be some way to manage/introspect that cookie store from outside of the browser imho.
Let's remain serious. It is entirely within the capability of modern computers to admit a dialogue which would let the user view their cookies without magically exposing them to websites. There is no non-nefarious reason for this.
There’s usually a “good reason” — however that “good reason” is subjective to the people maintaining the application and might not align with the preferences of its users.
Reasons don’t really matter to users though. It’s pointless arguing if we should assume innocence or guilt because irrespective of the developers motives, if a particular feature is a show stopper for you then you switch to a platform that supports said feature. Anything else added to colour the discussion is irrelevant.
I agree with what you pointed out about subjectivity. I think it’s still worth discussing though to serve as a warning to others who act with their own best intentions only to have them get bitten. Without calling this out it just always leans on the malicious side which doesn’t trend with reality in my experience.
In terms of end users driving decisions ultimately, I agree. That said, this is a discussion forum so I figured it was open for discussion and assumed that folks would be deciding on their own how to react to the change.
I guess this all depends on what we think we’re having a discussion about!
The problem is any such discussion is going to be entirely speculative. Sure, you can discuss what you presume the developers motives might have been but it reveals more about the opinions and personalities of the people holding the discussion than it does about the developers since all you’re doing is projecting your own story to fill in some pretty sizeable blanks.
But what many others in this thread have done is just as speculative, assuming malice, and to be clear, I think it could very much be the case, but I’m sharing another perspective based on a lot of experiences I’ve had where external parties assumed malice when internally it was far from it. Take it or leave it. This is the internet and I’m typing into a box.
I agree, but I suspect this was also what was believed when they originally did it and adversaries found very clever ways to find that cookie store - that part at least is true, which is why I bother mentioning it, given the complexity of browsers it is likely very daunting to redesign this kind of thing around the existing features. Anyways, I'm glad I'm not working on browsers, it seems like an ever-losing cat and mouse.
Chrome already has functionality to put different sites in different processes and sandbox the processes, so that if there's a renderer bug, the attack is stuck in the sandbox of a single site and can only access that site's data. This also helps with CPU speculative execution bugs.
I recently had to develop a feature that would have been much easier to develop and debug had I been able to view the contents of Local Storage and Session Storage before loading the site.
A particular feature of a web application (shopping cart) had different behaviour depending if the page was loaded as "an initial pageview on revisit", e.g. the user coming from [search engine|other link|bookmark|url bar] or from normal site browsing. By storing data in both Local Storage and Session Storage, and comparing the two on page load, I could determine if the user, who had been to the site in the past, had just come back. This all had to be developed in the dark as the major browsers have no method of viewing Local Storage and Session Storage for websites not loaded.
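One way to implement the "initial pageview on revisit" check this comment describes, as an added example that is not the commenter's code: a marker is written to Local Storage (which persists across tabs and sessions) and to Session Storage (which is scoped to a single tab), and the two are compared on each page load. The storage objects are passed in, so the logic runs offline in Node against the constructed stand-ins below; in a browser you would pass `window.localStorage` and `window.sessionStorage`. The key name, the return labels and the `inspectMarkers` helper are assumptions made for this example.

```javascript
// Added example, not code from the thread. Classifies a page load as a
// first visit, a fresh entry on revisit, or in-site navigation by
// comparing a marker in Local Storage with one in Session Storage.

const VISIT_KEY = 'visit-marker'; // assumed key name

// Minimal stand-in for the Web Storage interface (getItem/setItem/
// removeItem), constructed so the example runs without a browser.
function makeStorage() {
  const store = new Map();
  return {
    getItem: (key) => (store.has(key) ? store.get(key) : null),
    setItem: (key, value) => { store.set(key, String(value)); },
    removeItem: (key) => { store.delete(key); },
  };
}

// Read-only view of both markers. It never writes, so it shows the state
// as it was, without the "observer effect" that a page load would have.
function inspectMarkers(local, session) {
  return {
    local: local.getItem(VISIT_KEY),
    session: session.getItem(VISIT_KEY),
  };
}

// Classify the current page load and record it for the next one.
//   'first-visit'         no marker in either store: the browser has never
//                         been to the site
//   'revisit-entry'       Local Storage carries a marker but this tab does
//                         not: the user came back via bookmark, URL bar,
//                         search engine or an external link
//   'in-site-navigation'  this tab already carries the marker, so the load
//                         was reached by browsing within the site
// Presence in Session Storage, not equality of the two values, decides the
// in-site case, so a second tab entering later does not make the first tab
// look like a new entry again. `now` is injectable to keep tests
// deterministic; it defaults to Date.now.
function classifyPageLoad(local, session, now = Date.now) {
  const seenInBrowser = local.getItem(VISIT_KEY);
  const seenInThisTab = session.getItem(VISIT_KEY);

  if (seenInThisTab !== null) {
    return 'in-site-navigation';
  }
  // New entry into the site from this tab: stamp both stores. Local
  // Storage keeps the time of the most recent entry; Session Storage keeps
  // the entry time for this tab only.
  const marker = String(now());
  local.setItem(VISIT_KEY, marker);
  session.setItem(VISIT_KEY, marker);
  return seenInBrowser === null ? 'first-visit' : 'revisit-entry';
}
```

Calling `classifyPageLoad(window.localStorage, window.sessionStorage)` once per page load is enough; `inspectMarkers` is the piece that would have made the commenter's debugging easier, since it reads both stores without changing them.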
If the browser is designed properly (this does not apply to Safari), the UI can and should have totally different permissions from the site executor/renderer.
By default it doesn't, and although I'd certainly advise going over all Brave's settings once, then you have the safest (as in not outdated like some other privacy forks) and privacy respecting Chrome based browser around.
brave's default settings are almost certainly exactly what a privacy-oriented person would choose. it does not mine crypto, and it only pays you in crypto to view notification ads if you opt-in. i even gave the ads a shot but decided it wasn't worth the $2 a month or whatever, so now i just have a maintained, de-googled chrome, which is basically a description of the optimal browser in 2021. does firefox ask you if you want to install pocket yet?
They also run the only decent, independent search engine that has _its own_, _uncensored_ index. DDG was perceptibly worse than Google, but Brave Search is about on par, and the latency seems to be better as well. I maybe have to go to Google once or twice a month now instead of several times a day DDG would require. I know a bit about Google search, and frankly I'm stunned by what Brave was able to pull off here.
I'm actually not against Firefox either, but they refuse to implement a profile switcher, and I need one to be able to fully and unambiguously isolate my work and personal accounts. What's particularly grating is that they already have profile support. Just not the UX to switch the profiles without pain.
I've just tried brave search and it does seem to be a good product actually - my only concern with all these providers is what the monetisation strategy will be (Brave has called out ads, but it's not in their product at the moment). Looking at Brave's monetisation strategy for their browser it seems pretty shady (effectively steal the revenue from site owners for referral links and replace the websites ads with their own ads). They haven't tried monetising search yet so - Brave if you are reading this - please please please choose a different monetisation strategy and use the opportunity to be different to Google!
I would love a company like DuckDuckGo or Brave to offer a paid tier where I can just subscribe to an ad-free search engine (I would love Google to offer a 'Google Premium' with this, but let's be real that's not happening!).
i.e. If you are competing with Google by releasing a free search engine with Ads, you have to provide better search results with Ads mixed in than Google which will be tough. If you found a monetisation strategy that didn't involve Ads, theoretically it should be easier to offer a better quality search result and better quality product than Google (because you are actually focussing on delivering the best quality results rather than the right mix of good-results and Ads to optimise revenue).
Why do you post false stuff like "replace the website ads with their own ads"? We never did that and would not unless websites were partnered and getting 70% of the gross.
The affiliate link autocomplete for finance.{us, com} was a bug and fixed immediately.
Browsers other than Brave have a hard time surviving without being captured by a search or other big-tech power. We're the only user-first, private browser with opt-in revenue sharing.
These seem pretty cut-and-dry, but if they are false they should definitely retract.
> We're the only user-first, private browser with opt-in revenue sharing.
I personally don't want revenue sharing - I just want the first browser that is user-first and private. The issue with me being advertised to isn't that I want a cut of the revenue, it's that I don't want to be advertised to. That's the whole point of my post - if you need revenue just charge me for it. Why can't we just have a search company that will just let me pay them money in a straightforward 1950's-style transaction.
All I'm saying is - Please don't try to beat Google Search at being Google Search with the same ads-in-search model - you have such a great opportunity, and clearly the experience, to do something different! I personally hope you choose a different path that allows you to have a better ad-free product. Maybe you will succeed going down the ad-route, but I personally want a different option to having my results stuffed with ads, rather than just a new (either better or worse) Google.
As soon as you do a paid version of search I'll be a subscriber, as long as there is a guarantee that it is privacy-preserving, will never have ads, is a sensible price and isn't linked to some weird crypto stuff.
For companies - It doesn't sound too hard to implement and seems like it would be a good source of revenue. Plus paying subscribers will be more 'loyal' in terms of moving their searches across.
For users - you get more of a guarantee that the companies statements about privacy and impartiality are true, because there is less incentive for them to break that.
The founder of Brave was canceled by the left for his religious opposition to calling gay unions "marriage". FWIW, I voted to call it that in my state, but I have no problem with someone holding a different opinion. That's sorta how democracy works. People get to have different opinions and then duke it out by voting. The authoritarian left can't have that, you must prostrate yourself before the one true dogma completely.
> The founder of Brave was canceled by the left for his religious opposition to calling gay unions “marriage”.
Insofar as he was opposed by “the Left”, it was for his political actions in opposition to equal rights. The religious basis of that action was probably important to Eich, but it was immaterial to the opposition.
> FWIW, I voted to call it that in my state, but I have no problem with someone holding a different opinion.
Good for you.
> That’s sorta how democracy works.
In a liberal (in the classical, Enlightenment-derived sense, not either of the narrower senses it is used for factional positions within the US political system) democracy, you are absolutely permitted to have a problem with, and (peaceably) take action based on such a problem, with unwelcome political actions, including actual or threatened refusal to participate in economic exchanges with the perpetrator.
This kind of thinking can go quite far if taken to its logical conclusion. The question therefore is, do _you_ want to live in a world where everyone is fighting everyone else over the most irrelevant of actions or even wrongthink? I know I don't.
I much prefer to be persuaded to vote for or against something than have to state my opinions under the barrel of a proverbial gun. After a free and fair election, I accept the results and move on, even if things do not go my way. Seems more civilized and less painful than all known alternatives.
> This kind of thinking can go quite far if taken to its logical conclusion
The logical conclusion of it being permitted is...that it will be done when the utility of the impact it is perceived as likely to have outweighs the perceived disutility of the protest action, including any beneficial exchange foregone. Which is, all in all, not very much, which matches pretty well with observed behavior.
> After a free and fair election, I accept the results and move on, even if things do not go my way
Well, when there is a free and fair election to strip you of fundamental liberties, and you lose, try to keep that attitude in mind.
Bet it looks like that if your "protest action" is confined to Twitter and TikTok. From where I sit, your "protest action" over the past year achieved NEGATIVE results. Murders and crime are UP. Segregation is UP. Racial strife is UP. I fail to see the "impact" other than several billions in damage, rising crime, and a senile octogenarian in the White House, who is the direct cause of incarceration of hundreds of thousands of African Americans due to his own misguided "legislation" from the 80s. Wonderful, wonderful "impact".
Yes. With the extension, you can launch any other profile and a new window under that profile will be opened. There is no limit to the number of profiles that can be simultaneously active. The extension menu also lets you add, remove, and edit profiles.
Not just "today". In late 00s folks at Microsoft Bing noticed that every time they'd release relevance improvements, Google within a couple of days would boost its search relevance just enough to stay a pace ahead. The running theory at MS was that they had a lot of gas in the tank relevance-wise, but artificially hobbled it, so that it's just above Bing's. Why? Because fewer people will click on the ads if the results are _too_ relevant. They'll click on the links instead.
I don't know much about Brave but thinking of moving to Brave on Mobile for ad blocking. Is Brave trustworthy for saving my Google credentials and credit card in the Browser?
imo the adblocker isn't as good as ublock, which you can install anyway, so there's no major advantage there. the good part about brave is that you get the benefits of an up-to-date chromium browser without google recording your activity. you can take or leave the rest of the stuff, but there are a couple of neat extras like tor support for incognito and auto-detecting 404s and linking to archive.org.
Sure, but a lot of features in Vivaldi run separately from Chromium (like sideloading extensions). I don't see how they would be accepting this change into their fork.
In those network analysis comparisons they didn't score well. And, they're sorta half open source, which is a bit weird. I can't say the facts bear their credentials out.
Apple doesn’t make money from ads (yet), so there is no harm and a lot of marketing benefit in pushing privacy from ad trackers. Google is an ad company, so good privacy controls in Chrome hurts them.
Safari privacy is a joke until I can install UBlock Origin on MacOS and iOS Safari. Until they support proper browser extensions outside of their App Store, Safari will remain a privacy leaking toy compared to chromium and gecko browsers.
Also the amount of bugs and missing features I face in Safari as a web developer is a nightmare.
I’d argue that Apple’s incentives are mostly aligned for privacy on Safari, but the incentives for it to spend its resources on Safari in general are not aligned. Apple has long had a native-app only outlook which has hampered its work on browsers for a long time.
Apple doesn’t make money from web ads (yet). Although even that is changing as Apple now offer personalised Ads in Apps, they might one day offer that on the web as well.
I'm into watching telemetry data using tools like Pihole, Wireshark, DNSLookupView. Firefox is the only browser which does not invoke spontaneous connections and gives the user the Freedom to inspect and clear the cookie data. Google notoriously creates VPN tunnels to hide what it is sending and receiving. Your browser preference might determine many people's privacy if the narrative is limited to not so important things to me like speed and ease of use.
No comments I can see there seem to address VPNs; one notes that if you DNS block one of their domains, they connect via IP. But there's no discussion of VPN tunnels. I made sure to view all comments. Do you think you could forward a link that makes that claim?
Unless you just mean that sending data over plain HTTP to these servers is in some sense a VPN tunnel because the resulting servers could forward it elsewhere?
Most HN comments about these topics are plain FUD, and despite mentioning a bunch of intricate networking tools, the commenter still fails to address reality.
The article is quite clear. The question is, why did they go backwards on functionality. They took a simple user interface and removed a single useful feature from it, and what remains is a much more tedious way to do the same thing. Why? What was the benefit? The author speculates that it's to make user cookie control more difficult.
The reason was probably that no one ever needs to delete just a subset of cookies from a site. I certainly never have, and I'm a pretty technically-minded user. (Other than for development, in which case I'm using dev tools anyway.)
Counterpoint: I've many times had to fix presentation of or access to a site by purging just specific cookies. Two sites that have previously had these problems are RingCentral's web interface and AutoTask. Maybe a dozen or more others, but admittedly not many…however, when I've needed it, the problem has been persistent, requiring multiple fixes per day, over a few consecutive days or even a couple weeks.
Is it? I feel like most of my atrocious cookie hand fix cases end up being broken redirects where you get redirected to some new url that errors, so loading the page doesn't help to get rid of the offending cookie.
That would be an atrocious bit of engineering from the developer. But I suspect that even in that case, holding Escape as you load the page would kill the redirect.
Not who you were responding to, but I've had that happen on Microsoft flows.
Manually interrupting most flows is practically impossible. Too fast, and can chain across a half dozen (sub)domains near instantly. The web hasn't been that slow or simple in a long time.