You can disable these annoying prompts by going to https://myaccount.google.com/permissions and disabling "Google Account sign-in prompts". Ideally it should have been user opt in but Google followed dark pattern here.
This implies that Google already knows that it's you when it shows the sign-in prompt on some 3rd party website and they are already tracking you there even though you are not signed in. Lovely. Not that you'd expected anything else from Google.
Yes, the pop-up is for signing into the site with your already-signed-in Google account. If you're not logged in then you use the site's default login mechanism.
Of course they do. It uses an IFrame request to the Google.com domain (so that the "host" website doesn't see any details before you login). Google can however see who you are because your auth cookies and what-not will be sent along with that Iframe request on whatever host website decides to use this pattern. See: Medium
A further issue with this is that Google knows you're on that website because the referrer and request headers will have that on the IFrame request.
Just to be totally clear, this is how tracking cookies work everywhere. The site you visit includes an iframe with an ID "X" that identifies itself, the iframe loads `trackingsite.com?id=X`, the request includes your cookies for that domain (or at least the ones that are allowed for an iframe request), now `trackingsite.com` logs a visit to Site X from the user holding Cookie Y.
There's a fundamental conflict between privacy and convenience, because I have to either allow no third-party cookies, which means no one can embed any authenticated content from a third-party context (think Disqus comments on a blog), or I have to allow third-party tracking. The middle ground -- allowing some third-party cookies but not others -- is a UX nightmare. Just trying to explain the situation to an average user, at all, is nearly impossible, much less interrupting every visit to every site with "Can I use cookies from {site 2} here? How about {site 3,4,5...112}?".
I've been fiddling with ublock on how to disable this. would've never guessed about the settings in google account. this should've been disabled by default or an option on the pop-up to permanently disable it.
I mean, the simple answer is because they're trying to spread the use of Google login, make it ubiquitous, so they can own all authentication mechanisms too as if owning everything else isn't enough.
