This filter might break functionality on some sites, so it's better to use a more specific version:
`||accounts.google.com/gsi/*$xhr,3p`
Explanation of the relevant syntax:
`[no prefix]`: Blocks resources that have this text string anywhere in their URL.
`||`: Blocks resources that have a specific domain or subdomain.
`$3p`: Ensures that resources from a domain are only blocked if you're not visiting the domain itself.
`$xhr`: Prevents such resources from being downloaded through the titular JavaScript APIs.
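The syntax described in the comment above can be modelled in a few lines. This is an added example, not part of the original comment and not uBlock Origin's own matching engine; the function names, the request objects and the two-label "site" shortcut are assumptions made for illustration.

```javascript
// Simplified model of the filter semantics explained above.
// Assumption: "site" = last two hostname labels; real blockers use the Public Suffix List.
const site = (host) => host.split('.').slice(-2).join('.');

function parseFilter(line) {
  const [pattern, opts = ''] = line.split('$');
  const options = opts.split(',').filter(Boolean);
  const anchored = pattern.startsWith('||');
  const body = anchored ? pattern.slice(2) : pattern;
  // Escape regex metacharacters, then turn the filter wildcard * into .*
  const rx = body.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return {
    // "||" anchors the pattern at the hostname itself or any subdomain of it;
    // without the prefix the text may appear anywhere in the URL.
    regex: new RegExp(anchored ? '^https?://([^/]+\\.)?' + rx : rx),
    thirdPartyOnly: options.includes('3p'),
    types: options.filter((o) => o !== '3p'), // e.g. ['xhr']
  };
}

// req = { url, type, page }: the resource, how it was fetched, and the page fetching it.
function isBlocked(filterLine, req) {
  const f = parseFilter(filterLine);
  if (!f.regex.test(req.url)) return false;
  // A type option such as $xhr restricts the filter to that request type.
  if (f.types.length && !f.types.includes(req.type)) return false;
  // $3p: only block when the resource's site differs from the visited site.
  const reqSite = site(new URL(req.url).hostname);
  const pageSite = site(new URL(req.page).hostname);
  if (f.thirdPartyOnly && reqSite === pageSite) return false;
  return true;
}

const FILTER = '||accounts.google.com/gsi/*$xhr,3p';

// Constructed sample requests (paths and query strings are illustrative).
const SAMPLES = [
  { url: 'https://accounts.google.com/gsi/status?client_id=constructed', type: 'xhr', page: 'https://shop.example/gloves' },
  { url: 'https://accounts.google.com/gsi/client', type: 'script', page: 'https://shop.example/gloves' },
  { url: 'https://accounts.google.com/gsi/status', type: 'xhr', page: 'https://myaccount.google.com/' },
  { url: 'https://accounts.google.com/o/oauth2/auth', type: 'xhr', page: 'https://shop.example/login' },
];

for (const r of SAMPLES) {
  console.log(isBlocked(FILTER, r) ? 'BLOCK' : 'allow', r.type, r.url, 'on', r.page);
}
```

Only the first sample is blocked: the script load, the first-party request and the non-`/gsi/` path all pass, which is why the narrower filter is less likely to break sites.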
I wonder how anyone can think 'you know what, my website, that you don't even need to sign in to for 99% of the use cases, needs a big popup from Google!'
Aside from the security/privacy considerations, why the fuck would you do that to a website? SSO from a login page? Sure, whatever. A f'ing popup on every page for a SINGLE provider? That is just brain-rot. Do they pay you to do this?
Usually it's because users will log in or misclick on it. This will give their email address and personal information so that they can be sold or spammed. On another note, it boosts new accounts/sign-in metrics.
I don't think sites get paid (with money), but it probably improves the ranking in the search results (or at least some SEO guide claims that, so everybody does it).
I worked in some companies that had this popup, and the most common goal was to harvest email addresses for newsletters.
Setting this up has become an automatic request from marketing people, almost as common as asking us to set up Google Analytics and such.
This is almost the equivalent to them to "have a CI/CD" for us devs: not having such things for them is strange, almost wrong. Of course the end goal is totally different.
> I worked in some companies that had this popup, and the most common goal was to harvest email addresses for newsletters.
Ooh, I've never looked into it, but I would have thought that with this feature the website explicitly does NOT get my email address. Silly me, still believing some features are meant for the user.
For fairness, I just disabled my Ad Blocker to check, and the popup seems to have changed, but the previous popups were quite explicit about sharing your email with the website:
While I don't consider myself an Apple fanboy by any means, they really did do a good job with their Apple sign-in. I don't know the full process, but they seem to use an email from a pool of Apple IDs for emails that prevents the app/service ever getting your real email.
It would be easy to assume that other OAuth providers are doing the same, but absolutely not.
Yep, it uses an auto-generated @icloud.com for "Hide my Email" (useable in any website, or even if you want to give to someone in person) and @privaterelay.appleid.com when you use "Sign In With Apple".
This is quite visible in User Accounts where I work... while they do cause some issues from time to time (when the user disables the relay address for an active account), it guarantees privacy.
But I don't know if other popular single-sign-on providers do this.
It's an easy way to increase the user count and claim growth. Since the link is to StackExchange, it may be relevant that they are now dealing with a huge spike in users who do not actively participate and probably unintentionally created an account.
I think we’ll see more of this to stop bots and LLM scraping. It will likely not show up for Chrome users eventually, further cementing Google’s dominance.
Apart from Google sponsoring this in some way or the other (by boosting up SEO ranking in sites that display this) I believe that this is a consequence of the third party cookiegeddon and I guess that once your users allow this login their activity is tracked as first party in your website, which would simplify things a lot for, well, tracking user behaviour. Of course Google benefits more.
I'm pretty sure 95% of business types and developers visit their own websites with a load of cookies already set, so they never actually see the first-time-customer experience.
If someone has searched for gloves on Google, and clicked through to my glove selling website, they're clearly ready to buy some gloves. Why the hell would I put a full screen cookie consent popover in their way? Or a join-our-mailing-list popover? Or require them to complete a captcha to create an account before they can check out? This person wants to give me money, why would I put barriers up in their way?
And yet quite a few sites do precisely those sorts of things.
But if everyone dogfooding the site arrives with cookies that hide the popovers, and an account already created - I could believe they just don't realise how bad their website is.
More likely that many (most?) employees don’t care about directly harming the company they work for if they can score points for themselves or their departments in the corporate version of game of thrones.
Similar to how in a two party system, politicians will often prefer to lose elections to the other party, rather than lose control inside their own party.
It only looks self-destructive from the outside. Inside a sufficiently large bureaucracy, me/us/them all get muddled.
Just go into uBlock Origin settings -> Filter lists -> enable "Social widgets" and "Annoyances" (you can experiment with only some of them, but I enabled everything years ago and never had major problems).
It takes care of a lot of this stuff, including cookie banners and all sorts of popups. Buy a beer for list maintainers (some of them accept donations) since Raymond doesn't, and their work is equally valuable.
It's a dark pattern to trick users into handing over their email.
Accidentally clicked on one of these instead of the close button and then started immediately receiving incessant marketing spam from that website. Of course I wasn't able to unsubscribe from the mailing list without first creating an account with them and accepting their terms, so I ended up resorting to blocking their email.
The new “Hide Distracting Items” feature in iOS18 Safari has been a godsend for me. Just tap on the offending overlay/prompt and watch it disappear into the digital ether.
Even with ad blockers, these sign in prompts are becoming increasingly common and annoying.
Blocking Google and Reddit sign-in popups especially has restored some of my sanity.
My uneducated assumption based on their docs is that it drops DOM elements or something, rather than network requests. The UI seems to be that you select things you want to be rid of, and the browser makes it so. They state that frequently-changing parts of the page, including ads, don’t get filtered, presumably because whatever they filter on is statically defined structure.
It allowed me to block the initial cookie overlay, which then allowed me to read the 'article'. Scrolling down the page triggered a popup which I could then block. Works pretty well!
1990s Google would then have used "distracting item" stats to adjust website ranks downwards had they done the same thing in Chrome (and had Chrome existed). Ironically, this article describes Google as now being the source of such a distracting item.
> There are several tutorials on the Internet on how to avoid this, for example, this one on How-To Geek, which suggest disabling an option in the Google account. However, this doesn't work, since mine is not enabled and never was:
I don't have a Google account (or better yet - I'm not logged in to it in any reasonable manner), yet the prompt shows constantly :|
That suggestion for a fix never made sense because you get it on every device and browser. How would that work if you aren’t signed into Google in the first place?
> Note that the "disabling an option in the Google account" is not a possibility if you use firstparty-isolate or any other privacy features that prevent embeds like this from seeing your Google session cookie. This is another motivation to want a way to block it browser-side.
I literally can't remember all sorts of site isolation, cross-site request or whatnot privacy features and exceptions.
If we can throw away all backward compatibility, can we have something simpler? Or is this just unsolvable because of how complex the problem is?
> How is this "feature" not a privacy/security issue?
Like every third party script this feature has been a privacy issue from day-1. Same as the "like / share on whatever social networks" buttons. Same as the google analytics scripts you use, the Google Tag Manager scripts.
"Webmasters" decided that selling their users' data for free service was worth it. For more than 2 decades it's been business as usual. A whole generation and now even fewer people will bat an eye about doing it, they'll even defend it because "there is no other way to keep the lights on".
Maybe the lights should be off on most of the websites depending on these kinds of practices.
Well, guess what, there is a simple fix to this that we could've implemented when Eternal September began.
Don't use any free web services. Don't access anything for free on the Internet. Especially don't patronize an ad-supported company. Don't sign up for free email accounts. Don't visit websites that display ads. I mean, don't try to block the ads, just never go there in the first place! For God's sake, stop stealing audio and video streams, scholarly papers, and other objects of piracy. You're a net drain on the economy... literally.
Stop using free (as in beer) software, or at least make donations for it. Stop complaining that you only get a license and not ownership. Rent your software and give the developers their due.
All of you, especially those who cheat and block ads, you're all freeloaders who are responsible for the growth of ad-supported services on the Internet, and long before the Internet was a thing, you watched TV, you listened to the radio, you read newspapers and magazines, you've built expectations to get something for nothing, and ultimately you were influenced and manipulated by those ads enough to make them profitable.
We've nobody to blame but ourselves for this proliferation of Google, Facebook and the rest. We are the ones who could've stopped it, but we built this Internet the way it is.
Google, Facebook, and Twitter certainly wanted to (1) be the central source of identity and (2) hook into many/most 3rd party site logins.
But SSO/OAuth in general has far more tradeoffs. It outsources the difficult task of managing passwords (including hashing and storing), 2FA, password resets, etc. SSO allows the end-user to trust a few mega companies that have comparative advantage around security, and also benefit from having to maintain fewer credentials.
The "central source of identity" idea is not inherently bad, and for the majority of non-techie people, might actually be a net plus. I also trust Google more to not have an SQL injection vulnerability on the login page than some random little shop.
I just wish it didn't come bundled with tracking.
And then there's the risk that if Google's algorithms think you did something naughty, you get locked out of everything.
I wholeheartedly agree with your last paragraph. The consequences of being banned/blocked by your IDP and the inability to contact customer service are both severe. Also, it seems like you have to choose wisely as it’s not clear that most websites support you changing your IDP.
The fact this prompt seems to block the first click of input on the actual site usually is indefensible. Not including an easy to find and easy to understand option in Chrome to just disable it outright with a 100% success rate just adds to the evidence that giving Google any power on the internet was a mistake.
You understand that this isn't a browser feature, right?
Chrome isn't creating the login prompts and doesn't have any kind of special support for them. It's just rendering the HTML / running the JavaScript on the page.
More ad-filtering syntax explained: https://github.com/DandelionSprout/adfilt/blob/master/Wiki/S...