Can we have this without forcing it? Ideally browsers would be extensible enough for you to build these things. I miss the document days of yore where implementing a browser would be a reasonable endeavor. And that the limited size of the choices is now seen as a benefit to enforce change is scary. Sure, some see it as a good thing, I mean look at all these features and all the places they've steered the web (e.g. HTTPS). I see it as too much bad with the good and I'm becoming wary of the non-neutrality of my browser. I'm at the point where I want them all to stand still or work backwards fixing bugs and improving what exists. When you get what you want by browsers leveraging their user share to make sites change their practices, you just have to know you fostered the environment for them to do that in places you might not want.
> like removing JS access to cookies and/or making cookies opt-in only for sites storing login info
To this point specifically, making a simple AJAX call to have my web server set and/or send me back the cookies from the HTTP headers is trivial. A browser is not going to be able to tell the purpose of the cookie, and opt-in is user hostile to the point that never-ask-me-again will become the norm.
> Ideally browsers would be extensible enough for you to build these things.
The generality of the environments available in browsers is exactly the problem: we can't tell what they're doing because opaque programs are manipulating opaque data. Making the problem tractable means restricting the ability to communicate via well-defined channels with well-defined data, possibly with specific purposes.
> opt-in is user hostile to the point that never-ask-me-again will become the norm.
You're assuming a lot. Opt-in is not blanket user hostile; it depends on the frequency and circumstances in which the user encounters it.
My first thought is that opt-in dialogs would be triggered only for forms with password inputs, just like it works now in browsers where users can save their passwords. The cookie is tied to that form submission only so we know its origin and uses, and all other cookies are forbidden. It doesn't strike me as user-hostile at all to then ask the user if they want to permit the site to store a persistent authentication token.