Readit News
Posted by u/mitch292 8 months ago
Show HN: A Chrome extension that will auto-reject non-essential cookies
blog.bymitch.com/posts/re...
A FOSS Chrome extension that attempts to remove the annoyance of cookie pop ups and banners.

There are some extensions out there that auto-accept cookies, but I didn't find one that auto rejected cookies without either chaining some extensions together or setting up custom rules in tools like uBlock Origin. So with this extension, you just need to add it for non-essential cookies to be rejected.

GitHub: https://github.com/mitch292/reject-cookies

Extension Link: https://chromewebstore.google.com/detail/bnbodofigkfjljnopfg...

It's still very early days for the extension. I want it to keep improving and working on more and more sites. Feedback welcome. Thanks!

mcoliver · 8 months ago
Love the idea. I wish Chrome extensions had a more granular permissions structure and/or reminders/security checkups on installed extensions and their permissions.

As it is, the content scripts manifest permission for https://*/* for content.js is always so jarring to see. For those that don’t know, this allows the extension to run that script on every site you visit after clicking accept ONCE when you install the extension. That means it can see financial info, health info, legal info, your diary, etc…

Now this makes sense from a usability perspective (I never have to see a cookie banner ever again!), but the author could change content.js at any time and the extension would continue to run without prompting the user.

This is not an attack on you Mitch! It sure looks like you’re trying to provide value in this world rather than take it. Rather, it’s an attack on Google’s extension security model. I’m really shocked Google has not taken a more careful and nuanced stance to protecting users from a security standpoint.

I write this as a fellow Chrome extensions dev. I wish I had better, more granular permissions structures to protect my users and give them more information about what I am requesting and why, along with regular reminders so they can make informed decisions about what they want to share.
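
An added example, not part of the thread or of the extension's code: a small Node.js check that flags the all-sites match pattern the comment above describes (`https://*/*` for `content.js`) in a manifest's `content_scripts` and host permission lists. The two manifests and the function names are constructed for illustration.

```javascript
// Added example: flag manifest entries that let a script run on every site.
// Match-pattern syntax: <scheme>://<host>/<path>, or the special "<all_urls>".
const PATTERN = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)$/;

function isAllSites(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = PATTERN.exec(pattern);
  // A bare "*" host matches any host; "*.example.com" is scoped to one domain.
  return m !== null && m[2] === '*';
}

function auditManifest(manifest) {
  const findings = [];
  for (const [i, cs] of (manifest.content_scripts || []).entries()) {
    for (const p of (cs.matches || []).filter(isAllSites)) {
      findings.push({ where: `content_scripts[${i}]`, pattern: p, js: cs.js || [] });
    }
  }
  for (const key of ['host_permissions', 'optional_host_permissions']) {
    for (const p of (manifest[key] || []).filter(isAllSites)) {
      findings.push({ where: key, pattern: p, js: [] });
    }
  }
  return findings;
}

// Constructed sample manifests (not copied from any real extension).
const broadManifest = {
  manifest_version: 3,
  name: 'sample-broad',
  content_scripts: [{ matches: ['https://*/*'], js: ['content.js'] }],
};
const scopedManifest = {
  manifest_version: 3,
  name: 'sample-scoped',
  permissions: ['activeTab'],
  content_scripts: [{ matches: ['https://*.example.com/*'], js: ['content.js'] }],
};

for (const m of [broadManifest, scopedManifest]) {
  const hits = auditManifest(m);
  console.log(m.name, hits.length ? hits : 'no all-site patterns');
}
```

Run against an unpacked extension's `manifest.json` before installing or after an update; a new finding between versions is the silent scope change the comment is worried about.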

mitch292 · 8 months ago
Definitely agree, not a fan of the permissions.

The broad permissions were required from a usability standpoint. Granting permission on every site for this extension would just be a 1 to 1 replacement of clicking reject on the banner or pop up for every site.

I would hope that before Chrome approves an extension to be added to the store that they are auditing the content of the package.

dhc02 · 8 months ago
Personally, I would still love a site-by-site "reject non-essential cookies" prompt from an extension that's in the same place, with the same UI, on every site. Still a click, but lots better than having to figure out how to accomplish it on each and every site.
shadowgovt · 8 months ago
One of the reasons Manifest v3 was started is that it is impossible for an extension that evals arbitrary code from the web (or downloads, say, a dynamic list of data and acts on it).

For something like this, it's tractable.

ocdtrekkie · 8 months ago
Fundamentally there is no reason anyone in their right mind should install an extension released by an individual with these permissions. It is a post-decryption access to every single thing you do online. It is absolutely insane to trust your web browsing to a random browser extension, even a useful one ("cloud to butt" is my favorite example of people deleting their entire security model for a joke).

Anyone can buy out or compromise this developer and slide complete takeover of your online life into an extension update.

cies · 8 months ago
It's open source.

So it can be audited. The problem is: who audits and how to know a new version is audited.

dsp_person · 8 months ago
Also frustrating that UBO Lite just changed from "permissionless" to requiring broad see everything permissions.
SoftTalker · 8 months ago
Google could change Chrome at any time to snoop on all your stuff too, yet we trust them more than extension authors?
loeg · 8 months ago
They have a strong track record and more to lose.
coldpie · 8 months ago
uBlock Origin already has this. Enable the "Cookie notices" and "Annoyances" filters in uBlock Origin's settings.

Bonus pro-tip: Firefox for Android supports uBlock Origin, which means you can get rid of these godawful banners on mobile, too. Only iOS users are stuck having to put up with them.

moebrowne · 8 months ago
Hiding the popup is not the same as clicking reject.

It should be but it's not.

coldpie · 8 months ago
You think these websites give a shit about your privacy because you clicked on a div with a "No" in it? Not a chance. It's like asking thieves to promise not to steal from you.

Protecting users is the browser's job:

https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...

https://support.mozilla.org/en-US/kb/introducing-total-cooki...

jsheard · 8 months ago
Yeah I find that list is more trouble than it's worth, because some sites will block interaction until you dismiss the cookie notice, so you get softlocked if the notice is hidden. I assume that's why uBO disables that list by default.
dongkyun · 8 months ago
This is incorrect. The GDPR requires affirmative consent before processing user information, hiding is not "affirmative." Additionally, there's been increasing litigation via wiretapping statutes (most notably in California where there's statutory minimums for damages) that pose additional legal risk for companies using analytic cookies w/o affirmative consent.
queenkjuul · 8 months ago
Legally it is the same

Doesn't mean people implement it correctly though

replax · 8 months ago
for iOS users, you can just install eg AdGuard as iOS safari extension/blocker extension and enable the uBlock filter lists :) Fully working ad blocker for mobile safari.
raverbashing · 8 months ago
My ideal solution to this would be: accept all cookies, then delete them after page unload
probably_wrong · 8 months ago
Note that "I agree to tracking" and "I agree to cookies" are two different things. If you agree to tracking then a website can fingerprint you in any way they see fit, including methods that do not depend on cookies.
jorvi · 8 months ago
This is what Brave's "Forgetful Browsing" does. There's even a slight delay, in case you accidentally closed the tab.

You can configure the "Cookie Autodelete" extension to behave in a similar way.

sneak · 8 months ago
This is what the extension Cookie Autodelete does. It even allows you to make an exclusion list of ones you wish to persist.
knowitnone · 8 months ago
this means they track you for your duration. ideal solution is accept all cookies and randomly modify the values so it becomes a jumbled mess to their analytics
gear54rus · 8 months ago
this is called incognito mode
hedora · 8 months ago
Orion for iOS supports Firefox and Chrome extensions.
godelski · 8 months ago
I've been using this and it even blocks YouTube ads. But do note that it often reduces video quality and in shorts there seems to be an off-by-one error where if it's "hide toolbar" then if you click the like it'll click the dislike and if you click dislike it'll click comments.

Worth it IMO but I really wish there was a better way to submit bug reports than creating an account on their site. Fuck that dark pattern

rkagerer · 8 months ago
Could you clarify which options you mean?

https://i.imgur.com/QnedRVZ.png

Also, how's that compare to Consent-O-Matic in terms of effectiveness, safety (i.e. that it doesn't mangle the wrong thing on the site) and performance?

coldpie · 8 months ago
I use the EasyList ones, though I don't have any particular reason for that other than it is also the default "Ads" list chosen upon installation.

> Also, how's that compare to Consent-O-Matic in terms of effectiveness, safety (i.e. that it doesn't mangle the wrong thing on the site) and performance?

Dunno. I've never had any problems with it. All it does is hide the cookie banner DOM elements.

nfriedly · 8 months ago
Not the op, but I just enable all of them.

It is very rare for me to see a site that's broken by uBlock Origin.

hammock · 8 months ago
How do I keep Chrome from uninstalling uBlock these days every time I restart?
coldpie · 8 months ago
lukasgraf · 8 months ago
Install it using an enterprise profile and enable the ExtensionManifestV2Availability flag: https://news.ycombinator.com/item?id=43340358

Still works for me to this day, but this option might get axed come June 2025.

ozcap · 8 months ago
You can still install the extension manually. This is a good video on how to do it https://www.youtube.com/watch?v=jQX2lgePAKk
dddw · 8 months ago
uBlock Lite is there, but better switch to Firefox or Brave
Mashimo · 8 months ago
Oh neat. I did not know this. Thanks for sharing.
skeeter2020 · 8 months ago
Cookie banners are a bad/wrong solution to the underlying problem, but it's the dark patterns within that really piss me off. I shouldn't have to invest deep cognitive attention to "only accept mandatory" but if you're not careful many dialogs will trick you into clicking accept all after you go to the trouble to untoggle all the optional shit. The answer is to use isolation containers, aggressively reset them and not to worry about any of this.
ta1243 · 8 months ago
The underlying problem that the cookie banner operators have is there are laws preventing them from abusing the data they collect.

Annoying banners increase pressure on people to contact their representatives to overturn those laws, allowing the operators to abuse the data

shadowgovt · 8 months ago
I just always click accept all.

Less to think about, and it basically puts the web into the state it was in before we all got bent out of shape about tracking, which was fine.

(Now that I type that... I should have made an extension ages ago that just does "identify cookie banner and click on the left-most button automatically").

nottorp · 8 months ago
> and click on the left-most button automatically

Why do you think the left-most button is always accept all?

Why do you think the accept all button will be in the same position on all reloads of the same site?

ryandrake · 8 months ago
I hate how web sites can weasel their way around consent by simply declaring their cookies as "necessary" or "mandatory." As the Dude would say: Yeah, well, that's just like, your opinion, man. How about we have an easy-to-use "Reject ALL cookies from this site (and deal with whatever breaks)" option?
ximm · 8 months ago
There was the "Do Not Track" header, but I don't think any sites actually honored it. And it is deprecated now.

On Firefox we still have webRequestBlocking, so it is quite simple to block cookies. See for example https://addons.mozilla.org/en-US/firefox/addon/ximatrix/

rapind · 8 months ago
You're assuming maliciousness. I run a site that uses cookies (encrypted session cookie) so they can add items to a cart, because not doing so would be a horrible UI. There's also a cookie created by the payment processor, but I only load their script on checkout. There's nothing else though. I don't even use tracking / analytics.

There's zero weaseling going on. No dark patterns. I'm just too busy to build a no-cookie version that passes info in the URL or w/e (which also seems less than ideal). Your two options are to use the site or don't use the site. If there was enough pressure from real customers to provide another option then I probably would, but it wouldn't change anything. It's just busy work / checking boxes.

IMO this needs to be built into the browsers rather than being yet another tax on builders due to spammers / scammers / advertisers. If we had meta referencing each cookie where you can disclaim exactly how it will be used and whether it's optional / required, then we would have a standard without dark patterns being possible.

rkagerer · 8 months ago
How it’s implemented: Vibe coding is the answer

Sorry, you want me to give browser privileges to code written by AI?

mitch292 · 8 months ago
This is 100% a fair point of view and you’re right to be skeptical. With the blog post I was just trying to convey that cursor + auto select model was not great at this task. It gave me a project structure, but besides that everything had to be refactored.
rkagerer · 8 months ago
Thanks for clarifying!
Gracana · 8 months ago
You should stick with extensions that have lots of stars, that way you know they're trustworthy and secure.
DaiPlusPlus · 8 months ago
I assume you're being facetious; because popular (and good, trustworthy) extensions written by initially passionate people often end-up being bought-out by dodgy orgs - with very-hard-to-refuse offers - and the Chrome Extension Store has no way of knowing about that.

I had a Chrome extension with about 20,000 users and I received unsolicited buyout offers a few times a year, and some offers were very hard to refuse - but it's not hard to imagine anyone else capitulating.

loloquwowndueo · 8 months ago
While I agree with you 200%, the code is there for you to review. I skimmed it and it didn’t seem difficult to grok, keep in mind I speak almost no JavaScript or typescript.

Imustaskforhelp · 8 months ago
Where is it shown that it was written by vibe coding?
rkagerer · 8 months ago
Click the Show HN link and scroll down to the second heading.

asadm · 8 months ago
AI is mere mirror of human code.
cies · 8 months ago
It's a very bad mirror then.

For example, the Linux kernel has mirrors where its source code can be downloaded from.

AI cannot even "mirror" the Linux kernel. Try it! Ask it to deliver a monolithic kernel that works on a bunch of architectures and has drivers for a bunch of hardware. It will yield nothing close to the Linux kernel.

bberenberg · 8 months ago
The common one I use in the space is https://consentomatic.au.dk/ but good on you for making an alternative. More options is great.
agos · 8 months ago
+1 for Consent-O-Matic, it's great
tenthirtyam · 8 months ago
rendaw · 8 months ago
I tried consent-o-matic. Aside from the name making it sound like it says ok to all forms of tracking, it broke a few websites for me and failed to get rid of the banners on many others, and I quickly had to turn it off. TBH I'm not sure how it could be expected to work either, unless all websites use the same consent banner solution.
jmholla · 8 months ago
It by default only accepts essential cookies. I too thought the same thing based on the name of the extension.
smartbit · 8 months ago
On FF works fine for me for many years in combination with uBlock Origin.
cj · 8 months ago
I noticed you deleted the privacy policy in Github, and link to this one instead https://privacy.reject-cookies.bymitch.com/

The one you link to doesn't really make sense:

> Data is collected on specific sites that the product is not working on. This data is sent explicitly by users and when it is collected we do not collect any information that could be tied to a specific user. Only the name of the site is collected and any additional information you include in the text of the report.

The original one that was deleted from the Github repo [0] is much simpler and to the point.

[0] https://github.com/mitch292/reject-cookies/commit/18a87b2bee...

mitch292 · 8 months ago
Agree! Unfortunately, that one was rejected by chrome.
GavCo · 8 months ago
Interesting. Did they explain why?
Xunjin · 8 months ago
Could you provide more details?
mrweasel · 8 months ago
Consent-O-Matic can easily be configured to reject cookies.

I suppose that technically you could also just remove the pop-ups, that means that you never agreed to anything and the site has no permission to place cookies on your computer.

shmoogy · 8 months ago
This is only true in Europe - it is not required by the US privacy laws and the default most companies deal with will be set to implicit allow
mrweasel · 8 months ago
I sort of assumed that companies wouldn't even show the cookie/tracking consent in areas where they are not legally required, but that's a good point.
GavCo · 8 months ago
Was an interesting experience travelling to Italy and suddenly starting to get cookie banners on sites I visit daily that normally don't have