I have frequently seen website privacy notices which tell me that I can ask my browser to tell me when they try to set a cookie. I have never seen any browser that actually does this, and I have never found any way to get Firefox to do it. Quite a few sites don't work correctly if I set strong cookie protection. I don't want to disable this, but I would like to allow a cookie to be set if I think that particular cookie is acceptable to me.
In particular one bank that I use has its web site spread across multiple domains and as a result its "remember me" login option doesn't work with cross-site cookies disabled: I presume that this is because it tries to set a cookie on a domain which is also owned by that bank but is different from the domain of the login page. Allowing cookies to be set on the target domain isn't enough because I first of all have to find where it sets its cookie, and currently I can't do that without allowing it to set all cookies first. Permitting insecure activity in order to find out what a site actually does isn't a good security model.
What I would like here is an option for Firefox to tell me if a site tries to set a cookie which Firefox is currently configured to block, and allows me to decide whether to allow the site to set just that cookie on just that occasion. Of course you can't generally tell by looking at a cookie what it's doing, but that would solve the problem of the cross-site "remember me" cookie, since I can see that the cookie is being set in to a domain which I know (or can look up and check) belongs to the same organisation.
Allowing cookies to be set in the target domain isn't enough, because that would allow anyone to set any cookie in that domain. I'm not sure what test Firefox's current cookie exception list applies. Is it the domain of the site setting the cookie, or the domain into which the cookie is set?
I also don't know how a site finds out that it couldn't set its cookie. If it gets some sort of error response, I could let it set its its cookie and then immediately delete the cookie using Cookie Quick Manager, which I have installed. If it asks if the cookie has been set, I could wait until it has done that and then delete the cookie.
At least with such a facility I could experiment to find which cookies a site actually needs to set in order to work.
Getting Firefox to remember which cookies I'm willing to allow for each site (each container would do) is presumably a lot more complicated to implement since it requires a new database. It would, however, save user time permitting individual cookies each time the user visits a site.
There are similar issues relating to fingerprinting and cross-site scripting, but I don't want to dilute this request by making it too broad. However IMHO Firefox isn't very helpful in enabling users to decide why a site doesn't work with strong security settings. As far as I can see, the only option currently offered is to disable security settings one by one until the site works. This seems to be locking the stable door after the horse has bolted.
... View more