"Legitimate interest" cookie / website blocker?

[Herby]

Just that really. Disable cookies whenever possible but legitimate interest is also a pain in the ass.  Anyone know a way to block automatically?

[Harley]

I read they aren't meant to do anything until you have responded to the cookie message.  NoScript can often block that (cookielaw, etc scripts) and sometimes I just leave it unanswered if I can still read the site.  Failing that and faced with a long list of "agreed to" legitimate companies I just close and move on.

[spunko]

On 29/05/2021 at 16:03, Herby said:

Just that really. Disable cookies whenever possible but legitimate interest is also a pain in the ass.  Anyone know a way to block automatically?

Do you mean block all cookies by default? You can do that in your browser already under Settings. 

Or do you mean the cookie warnings?

[DTMark]

Blocking all cookies just breaks any useful websites. It's better to use a browser like Firefox which has built-in privacy controls, for example it prevents Facebook tracking. I think Apple were to do the same with Safari.

[Herby]

39 minutes ago, spunko said:

Do you mean block all cookies by default? You can do that in your browser already under Settings. 

Or do you mean the cookie warnings?

It's the options on websites. Cookies are fairly quick to disable but the ones for "legitimate interest" seem to have a list of about 400 suppliers... To be honest not quite sure in what context they are used but I like to turn off everything optional I can! (Secret squirrel occupational history 😎😎)

[DTMark]

The main issue here is something that should have been tackled ages ago and that is cross-site data gathering.

If you access a site with one particular domain name, say, this one, then your browser should only load content from that domain.

However over time it has become commonplace for websites to insert commands to make the browser fetch bits of the page from other domains. Examples might be images or scripts. One common script is the Google tracking script. So each page access to the site also makes a request to Google who log that. The website owner can then retrieve data about the number of website visitors by accessing their Google account.

This should have been stopped immediately because the user is not aware of what is happening. It is this technique that Facebook and others can use to follow people around the internet. If the Facebook script is on a page that you visit, Facebook will find out that you've been there.

In such cases Firefox shows a "Facebook blocked" icon in the address bar and silently prevents that script from executing. However it doesn't do it for everything, only for sites which are known to gather user data to exploit it. It's being done on an exception basis - Facebook is one blocked site.

Ideally, every domain other than the one showing in your address bar should be blocked when you load a page in that domain, however because of the lax security implemented by browsers in the past this would break a multitude of things across many websites.

[Harley]

 

14 minutes ago, DTMark said:

The main issue here is something that should have been tackled ages ago and that is cross-site data gathering.

If you access a site with one particular domain name, say, this one, then your browser should only load content from that domain.

However over time it has become commonplace for websites to insert commands to make the browser fetch bits of the page from other domains. Examples might be images or scripts. One common script is the Google tracking script. So each page access to the site also makes a request to Google who log that. The website owner can then retrieve data about the number of website visitors by accessing their Google account.

This should have been stopped immediately because the user is not aware of what is happening. It is this technique that Facebook and others can use to follow people around the internet. If the Facebook script is on a page that you visit, Facebook will find out that you've been there.

In such cases Firefox shows a "Facebook blocked" icon in the address bar and silently prevents that script from executing. However it doesn't do it for everything, only for sites which are known to gather user data to exploit it. It's being done on an exception basis - Facebook is one blocked site.

Ideally, every domain other than the one showing in your address bar should be blocked when you load a page in that domain, however because of the lax security implemented by browsers in the past this would break a multitude of things across many websites.

Is that what NoScript means when it blocks cross site scripts?  Alas only on my PC.

[DTMark]

8 minutes ago, Harley said:

 

Is that what NoScript means when it blocks cross site scripts?  Alas only on my PC.

Yes. It's specifically cross-site scripts which are the problem. If all scripts were blocked then among other things, this text editor box into which I'm typing now wouldn't work and yet there is nothing to fear from it.

[spunko]

It's overkill IMO to block all JS or all cookies. I just use Firefox + Ghostery + uBlock Origin (with custom filters include Prebakw) + Canvas Blocker.

It stops the majority of trackers and neverdowells. There's no such thing as 100% privacy on the internet.

[Harley]

44 minutes ago, DTMark said:

One common script is the Google tracking script

Do you know the script host?  Is it buried in one of the generic ones called for common functions (cdns?).   I ask because I block virtually all Google, etc scripts on my pc but not all.

[Harley]

12 minutes ago, spunko said:

It's overkill IMO to block all JS or all cookies. I just use Firefox + Ghostery + uBlock Origin (with custom filters include Prebakw) + Canvas Blocker.

It stops the majority of trackers and neverdowells. There's no such thing as 100% privacy on the internet.

Could you know my Google account name?  I use Noscript, etc on my pc but mobile seems problematic.  But then android is essentially spyware!

[spunko]

1 minute ago, Harley said:

Could you know my Google account name?  I use Noscript, etc on my pc but mobile seems problematic.  But then android is essentially spyware!

No. The only information I can see is your IP address and email you use to login. The only way I would be able to see your Google account name is if I integrated Single Sign On (SSO) i.e. login to your Google account here.

Suffice to say I never will add SSO... it's a terrible thing.

[nirvana]

32 minutes ago, spunko said:

I just use Firefox + Ghostery + uBlock Origin

ditto I use this stuff on chromium.....plus I have an addon called 'cookie remover' that I just removed 8 cookies from dosbods......dunno what spunko is doing with these cookies lol

[DTMark]

29 minutes ago, Harley said:

Do you know the script host?  Is it buried in one of the generic ones called for common functions (cdns?).   I ask because I block virtually all Google, etc scripts on my pc but not all.

www.google-analytics.com

[Harley]

2 hours ago, spunko said:

No. The only information I can see is your IP address and email you use to login. The only way I would be able to see your Google account name is if I integrated Single Sign On (SSO) i.e. login to your Google account here.

Suffice to say I never will add SSO... it's a terrible thing.

Ta.  I was more wondering generically as a site owner/web admin, given what was said.  I was wondering if a site can look up the Google account when an Android mobile visits their site.

2 hours ago, DTMark said:

www.google-analytics.com

I defo block that one - a total give-away that one! 

Edited June 1, 2021 by Harley

[BoSon]

I keep it simple by telling Firefox to delete all cookies and data when the browser is closed, then have a whitelist of sites allowed where I want to stay logged in across sessions or I use the site often enough that I don't want to have to keep dealing with the cookie pop-up each time.

I don't log into facebook or google with this browser so all that additional tracking is bypassed. I use a different browser for stuff like that including online banking and anything I want to remain isolated from my general browsing activity. Presumably browsers can't access each others data so using different browsers keeps things isolated.