This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Notification when sites ask to set a cookie

  • 4 replies
  • 2 have this problem
  • 4 views
  • Last reply by rparkins

more options

I have frequently seen website privacy notices which tell me that I can ask my browser to tell me when they try to set a cookie. I have never seen any browser that actually does this, and I have never found any way to get Firefox to do it. Quite a few sites don't work correctly if I set strong cookie protection. I don't want to disable this, but I would like to allow a cookie to be set if I think that particular cookie is acceptable to me. In particular one bank that I use has it web site spread across multiple domains and as a result its "remember me" login option doesn't work with third party cookies disabled: I presume that this is because it tries to set a cookie on a domain which is also owned by that bank but is different from the domain of the login page.

Allowing third party cookies per-site would not be enough because many sites use third party scripts which try to set their own cookies to track users across different sites. IMHO this breaches the GDPR, but the regulators aren't willing to do anything about it.

I can see what cookies have been set using the Cookie Quick Manager extension, but that only tells me after the event, and then only if I look. It isn't practical to look after every interaction.

Can we please have an option (preferably per-site or per-container) which allows a user to intercept each attempt to set a cookie and decide whether to allow it.

I have frequently seen website privacy notices which tell me that I can ask my browser to tell me when they try to set a cookie. I have never seen any browser that actually does this, and I have never found any way to get Firefox to do it. Quite a few sites don't work correctly if I set strong cookie protection. I don't want to disable this, but I would like to allow a cookie to be set if I think that particular cookie is acceptable to me. In particular one bank that I use has it web site spread across multiple domains and as a result its "remember me" login option doesn't work with third party cookies disabled: I presume that this is because it tries to set a cookie on a domain which is also owned by that bank but is different from the domain of the login page. Allowing third party cookies per-site would not be enough because many sites use third party scripts which try to set their own cookies to track users across different sites. IMHO this breaches the GDPR, but the regulators aren't willing to do anything about it. I can see what cookies have been set using the Cookie Quick Manager extension, but that only tells me after the event, and then only if I look. It isn't practical to look after every interaction. Can we please have an option (preferably per-site or per-container) which allows a user to intercept each attempt to set a cookie and decide whether to allow it.

All Replies (4)

more options

You can check for issues with Total Cookie Protection.

You can create a cookie allow exception with the proper protocol (https:// or http://).

more options

This doesn't help me. I want to be able to know what cookie(s) a site is trying to set before allowing it to do so. Disabling Total Cookie protection may or may not make the site work: I don't know until I try it. However trying it lets the site set cookies which I don't want. As I said, I think quite clearly, I want an option to notify me each time the site tries to set a cookie and allow me to decide whether I want it to do so.

more options

You can't make an informed decision about what a cookie is used for just by looking at it, especially the bad ones. Cookies aren't harmful if they are separated by site (Total Cookie Protection) and regularly cleared.

more options

The problem is that separating cookies by site, which I already do using containers, makes many sites fail to work. While I may not be able to tell whether a cookie is harmful by just looking at it, I can get useful information about whether I should allow a cross-site cookie by looking at the address of the site on which it's being set. Given my bank example in the original post, if the bank is setting a cookie in another of its own sites, that is almost certainly OK. If it's setting a cookie on a social media site, that is at least a breach of my privacy if not actually harmful. Unfortunately many sites that I use do try to set cookies on social media sites, or on analytics sites which collect information about which sites set cookies on them, and thus perform some privacy-breaking tracking. The analytics sites may say that they don't combine data from different clients, but they can change that policy without notice and I don't believe them anyway.

I'm entitled to run a secure browser to protect my privacy, and it would be much more helpful if responders would try to tell me how what I want can be done, or if it can't be done, why not, rather than trying to persuade me that I don't need it. I've encountered several situations in which I do need it, and I did give an example. Another example which I've found recently is trying to pay a merchant via PayPal. With my standard maximum security settings, it doesn't work. I strongly suspect that this is because the merchant and Paypal are using cross-site cookies to communicate. However I can see that attempts to set cross-site tracking cookies are being blocked, so I'm not willing to allow all cross-site cookies. A per-cookie check would enable me to permit the communication between PayPal and the merchant without allowing tracking cookies.

Of course I can pay the merchant directly, but that increases the number of copies of my card details which exist on other people's servers which can be hacked, or even misused by the merchant. I have experienced a merchant trying to drop an extra charge on me via PayPal, which PayPal refused. If the merchant had my card details it would probably have gone through. There have also been several instances lately of third party services being hacked, and at least one of them resulted in my bank details being compromised. So far I haven't seen any bad consequences, but that doesn't mean that I won't. Privacy isn't just a WIBNI, it's important.