2016-02-18
Two models of dealing with cookies in Firefox with addons
Recently on Twitter, Dan McDonald was looking for a Firefox cookie handling addon. I had some opinions on this, but Twitter being Twitter and me being me, I wasn't entirely articulate about them at the time. So here is my attempt to do it better.
There are at least two fundamental models for dealing with cookies (in Firefox and probably elsewhere). The first model is to not allow cookies into your browser session at all. You default-deny all cookies (even first party ones) and whitelist only selected sites; some of them you may accept permanent cookies from, others you may force nominally permanent cookies to become session cookies or short duration ones instead. This is the model I use in my set of extensions, enforced partly via a filtering proxy and partly via a succession of extensions over the years (first CookieSafe, currently CS Lite Mod, and apparently I'm going to need to switch to CookieShield at some point). I believe this is the dominant model of other addons, such as Cookie Monster.
The problem with this strict and narrow approach to cookie management is that there are a steadily increasing number of websites that absolutely require you to accept their cookies in order to use them (one prominent offender is Google's Blogspot). I personally don't mind this for various and sundry reasons, but I suspect that a lot of people do eventually get tired of living this way. So the second model of dealing with cookies is to accept most of them into your browser in a casual and relaxed way, but then delete them again the moment that you don't need them. All of those places that demand the ability to place cookies into your browser before they'll let you see anything get pacified (and you get to see their content), but you get rid of those extremely temporary cookies the moment you're done looking at the site. This is the model of Self-Destructing Cookies.
So the first thing you need to do when looking at Firefox cookie handling and cookie addons is to decide which model sounds more attractive to you. Do you want the low friction model where sites get to temporarily drop cookies while you look at their content, but then those cookies get unceremoniously ejected? Or do you want the strict model where you don't take the risk of any 'bad' cookies managing to get into your browser? To be clear about this, I don't think there's any general right answer; people will have different preferences and tolerances.
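The difference between the two models can be seen in a small simulation. This is an added example, not code from any of the addons named above; the whitelist, hostnames and cookie names are constructed, and the second model is simplified to one tab per site with no keep-list.

```javascript
// Constructed sample policy and traffic; hostnames and cookie names are illustrative.
const WHITELIST = { "mail.example": "keep", "forum.example": "session" };

// Model 1 (default-deny): decided when the cookie is set. Unlisted sites are
// refused outright; "session" entries have permanent cookies downgraded.
function strictAccept(cookie) {
  const rule = WHITELIST[cookie.site];
  if (!rule) return null;
  return rule === "session" ? { ...cookie, persistent: false } : cookie;
}

// Replays events under one model and reports which cookies were ever stored
// and which remain at the end. Simplifications: one tab per site, and the
// accept-then-delete model has no keep-list.
function simulate(model, events) {
  let jar = [];
  const everStored = [];
  for (const ev of events) {
    if (ev.type === "set") {
      const c = model === "strict" ? strictAccept(ev.cookie) : ev.cookie;
      if (c) { jar.push(c); everStored.push(`${c.site}/${c.name}`); }
    } else if (ev.type === "close" && model === "self-destruct") {
      jar = jar.filter(c => c.site !== ev.site);   // purge once the tab is gone
    } else if (ev.type === "quit") {
      // Browser exit: session cookies expire; model 2 has closed every tab.
      jar = model === "strict" ? jar.filter(c => c.persistent) : [];
    }
  }
  return { everStored, remaining: jar.map(c => `${c.site}/${c.name}`) };
}

const EVENTS = [
  { type: "set", cookie: { site: "mail.example", name: "login", persistent: true } },
  { type: "set", cookie: { site: "forum.example", name: "sid", persistent: true } },
  { type: "set", cookie: { site: "blog.example", name: "consent", persistent: true } },
  { type: "close", site: "blog.example" },
  { type: "quit" },
];

for (const model of ["strict", "self-destruct"]) {
  console.log(model, simulate(model, EVENTS));
}
```

Under the strict model the unlisted site's cookie never appears in `everStored`, so a site that insists on cookies would not work; under the second model it is stored for the length of the visit and is gone once the tab closes.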
(And there are likely other models and intermediate steps between these two. These are just the ones I have direct exposure to.)
(Although I'm currently in the 'strict' camp and have been for a long time, I may someday switch, perhaps just to see what it's like. I admit that the idea of having my browser accept all those cookies makes me nervous, even if they're theoretically only very temporary. But that's an irrational feeling.)