Show HN: A Chrome extension that will auto-reject non-essential cookies
275 mitch292 162 4/29/2025, 11:49:55 AM blog.bymitch.com ↗
A FOSS Chrome extension that attempts to remove the annoyance of cookie pop-ups and banners.
There are some extensions out there that auto-accept cookies, but I didn't find one that auto-rejected cookies without either chaining some extensions together or setting up custom rules in tools like uBlock Origin. So with this extension, you just need to add it for non-essential cookies to be rejected.
GitHub: https://github.com/mitch292/reject-cookies
Extension Link: https://chromewebstore.google.com/detail/bnbodofigkfjljnopfg...
It's still very early days for the extension. I want it to keep improving and working on more and more sites. Feedback welcome. Thanks!
As it is, the content scripts manifest permission for https://*/* for content.js is always so jarring to see. For those that don’t know, this allows the extension to run that script on every site you visit after clicking accept ONCE when you install the extension. That means it can see financial info, health info, legal info, your diary, etc…
Now this makes sense from a usability perspective (I never have to see a cookie banner ever again!), but the author could change content.js at any time and the extension would continue to run without prompting the user.
This is not an attack on you, Mitch! It sure looks like you’re trying to provide value in this world rather than take it. Rather, it’s an attack on Google’s extension security model. I’m really shocked Google has not taken a more careful and nuanced stance to protecting users from a security standpoint.
I write this as a fellow Chrome extensions dev. I wish I had better, more granular permissions structures to protect my users and give them more information about what I am requesting and why, along with regular reminders so they can make informed decisions about what they want to share.
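The permission described in the comment above, as an added example that is not part of the thread or of the extension's own code: a Node.js check that flags manifest entries whose match pattern covers every host. Both sample manifests are constructed; only the `https://*/*` pattern and `content.js` come from the discussion.

```javascript
// Added example: flag extension manifest entries that apply to every host.
// Both manifests are constructed samples; only "https://*/*" and "content.js"
// are taken from the thread.

// A match pattern is <scheme>://<host>/<path>; a host of "*" means any site.
function isBroadPattern(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^([a-z*]+):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === '*';
}

// Returns one finding per broad pattern, naming where it was declared and
// which scripts it injects. exclude_matches is not evaluated here.
function auditManifest(manifest) {
  const findings = [];
  (manifest.content_scripts || []).forEach((entry, i) => {
    for (const pattern of entry.matches || []) {
      if (isBroadPattern(pattern)) {
        findings.push({ where: `content_scripts[${i}].matches`, pattern, scripts: entry.js || [] });
      }
    }
  });
  // host_permissions is the Manifest V3 key; V2 mixes host patterns into permissions.
  for (const key of ['host_permissions', 'permissions']) {
    for (const pattern of manifest[key] || []) {
      if (typeof pattern === 'string' && isBroadPattern(pattern)) {
        findings.push({ where: key, pattern, scripts: [] });
      }
    }
  }
  return findings;
}

// Constructed sample: content.js injected on every HTTPS site.
const BROAD_MANIFEST = {
  manifest_version: 3,
  name: 'constructed-sample-broad',
  permissions: ['storage'],
  content_scripts: [{ matches: ['https://*/*'], js: ['content.js'] }],
};

// Constructed sample: the same script limited to one site and its subdomains.
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: 'constructed-sample-scoped',
  host_permissions: ['https://example.com/*'],
  content_scripts: [{ matches: ['https://*.example.com/*'], js: ['content.js'] }],
};

for (const [label, manifest] of [['broad', BROAD_MANIFEST], ['scoped', SCOPED_MANIFEST]]) {
  const findings = auditManifest(manifest);
  console.log(label, findings.length === 0 ? 'no all-site access' : JSON.stringify(findings));
}
```

Running the same check against each new version of an unpacked extension shows whether an update widened its reach, though it says nothing about what the injected script does.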
The broad permissions were required from a usability standpoint. Granting permission on every site for this extension would just be a 1 to 1 replacement of clicking reject on the banner or pop up for every site.
I would hope that before Chrome approves an extension to be added to the store, they are auditing the content of the package.
Much better UX than figuring out per site which button to click.
For something like this, it's tractable.
Anyone can buy out or compromise this developer and slide complete takeover of your online life into an extension update.
So it can be audited. The problem is: who audits and how to know a new version is audited.
All your video games could be (and probably are if they include "anticheat") spying on you.
Bonus pro-tip: Firefox for Android supports uBlock Origin, which means you can get rid of these godawful banners on mobile, too. Only iOS users are stuck having to put up with them.
It should be but it's not.
Protecting users is the browser's job:
https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...
https://support.mozilla.org/en-US/kb/introducing-total-cooki...
We do not materially benefit from this in any way, nor do we market it. I am not a spokesperson for my company nor do I want to be publicly identified with it. I'm advocating here because you said "not a chance" but there is a chance.
It's not just that we are worried about some sort of regulatory enforcement, either, although existence of such regulations does help convince the less scrupulous people from pursuing a bad path.
The free internet is built on ads. I still believe in the free internet. I still think we can make it work. I welcome regulation and regulatory enforcement even though it's hard for a small outfit like us, because it reduces the chances that our ad tech has to compete with less scrupulous people. I think we've survived as a small outfit since roughly the dotcom era because we've tried to be good stewards. People wouldn't need uBlock if there was better regulation/enforcement, and companies like mine, who are trying to do the right thing (even as we operate in the loathed ad space), would benefit.
I'm worried about AI on this front because it means in the future your ads will be served up to you out of a black box instead of out in the open where we can all inspect who is trying to get what from us (and block bad parties via eg uBlock), and, to a degree, who is trying to shove what down our throats.
Check your internet bill, it might not be free after all.
I'd very much rather get back to the internet being about connectivity and nothing else. The internet would survive just fine by providing a means to contact authorities, companies and each other, without any of the "content" for which we supposedly need ads to produce
The internet I remember had free content because mostly individuals wanted to share something. Commercial offers were rare. I would be very happy to go back to that network, with 90% content gone and the remaining 10% provided without an ads driven model. In fact, if it was for me, one could widely ban most advertising also off-net. It is manipulative cancer. At least ban any sort of user tracking and analysis. Yes, this will kill a wide spectrum of offers. I am totally fine with that trade-off. We don’t need it for a well-functioning society. And yeah, look around, we do all sorts of interference with so-called free markets, because history has shown time and time again how horrible it gets when you allow capitalism to roam freely.
And ads don't require pervasive and invasive tracking. The industry made us all believe they do.
Where you used italics I think you meant finger quotes and a wink.
Yes. For a subset of "these websites". Because this is enforced and EU has fined billions already. The fines for doing what you say they do, are steep and a severe risk for many "these websites".
So for websites that are not in that subset, they will still track you regardless of what you click on, so you still need browser-level protections for those websites, and those browser-level protections will also work on the websites that are in that subset, so you still gain nothing by clicking the No.
Edit: what I'm trying to say is: this "technical" problem has a real and working "solution" that's not technical at all: law and enforcement. Now, that won't work for all and everything, it never does. There will always be malicious, scammy, malware, criminal and illegal webservices around. But it makes it very hard for malicious actors to do so and make money.
> Now, that won't work for all and everything, it never does. There will always be malicious, scammy, malware, criminal and illegal webservices around.
Yeah, exactly. So if I have to protect myself from those websites anyway, I may as well apply the same protections to all websites. Clicking the "No" does nothing for me.
And what is the protection?
(privacy law and how it relates to customer user experience is a component of my work in finance)
> if it turns out orgs are not respecting the action, it'll end up in a class action or other legal event eventually
Not a chance.
Doesn't mean people implement it correctly though
Worth it IMO but I really wish there was a better way to submit bug reports than creating an account on their site. Fuck that dark pattern
https://i.imgur.com/QnedRVZ.png
Also, how's that compare to Consent-O-Matic in terms of effectiveness, safety (i.e. that it doesn't mangle the wrong thing on the site) and performance?
> Also, how's that compare to Consent-O-Matic in terms of effectiveness, safety (i.e. that it doesn't mangle the wrong thing on the site) and performance?
Dunno. I've never had any problems with it. All it does is hide the cookie banner DOM elements.
It is very rare for me to see a site that's broken by uBlock Origin.
I've been using it on my Mac M1 and I only notice the memory footprint when I have > 30 - 40 tabs open.
Still works for me to this day, but this option might get axed come June 2025.
You can configure the "Cookie Autodelete" extension to behave in a similar way.
Annoying banners increase pressure on people to contact their representatives to overturn those laws, allowing the operators to abuse the data
On Firefox we still have webRequestBlocking, so it is quite simple to block cookies. See for example https://addons.mozilla.org/en-US/firefox/addon/ximatrix/
Sites used that header to fingerprint and track users.
I think I remember a larger article about this, but can't find it now
There's zero weaseling going on. No dark patterns. I'm just too busy to build a no-cookie version that passes info in the URL or w/e (which also seems less than ideal). Your two options are to use the site or don't use the site. If there was enough pressure from real customers to provide another option then I probably would, but it wouldn't change anything. It's just busy work / checking boxes.
IMO this needs to be built into the browsers rather than being yet another tax on builders due to spammers / scammers / advertisers. If we had meta referencing each cookie where you can disclaim exactly how it will be used and whether it's optional / required, then we would have a standard without dark patterns being possible.
I did start looking into it out of curiosity, but TBH it wasn’t obvious what I needed to do, if anything.
I doubt most Europeans know much about Canada’s data protection laws either, and it would be insane for me to expect them to.
Every website showing a consent screen is either willfully ignorant (rarer these days) or they want your data while saying hypocritical things like «We value your privacy»
Less to think about, and it basically puts the web into the state it was in before we all got bent out of shape about tracking, which was fine.
(Now that I type that... I should have made an extension ages ago that just does "identify cookie banner and click on the left-most button automatically").
Why do you think the left-most button is always accept all?
Why do you think the accept all button will be in the same position on all reloads of the same site?
Maybe it'd be better to randomize which button is selected so if the plugin becomes popular site admins can't reliably guess where to put the button.
Sorry, you want me to give browser privileges to code written by AI?
I had a Chrome extension with about 20,000 users and I received unsolicited buyout offers a few times a year, and some offers were very hard to refuse - but it's not hard to imagine anyone else capitulating.
For example, the Linux kernel has mirrors where its source code can be downloaded from.
AI cannot even "mirror" the Linux kernel. Try it! Ask it to deliver a monolithic kernel that works on a bunch of architectures and has drivers for a bunch of hardware. It will yield nothing close to the Linux kernel.
The one you link to doesn't really make sense:
> Data is collected on specific sites that the product is not working on. This data is sent explicitly by users and when it is collected we do not collect any information that could be tied to a specific user. Only the name of the site is collected and any additional information you include in the text of the report.
The original one that was deleted from the GitHub repo [0] is much simpler and to the point.
[0] https://github.com/mitch292/reject-cookies/commit/18a87b2bee...
> How to rectify: Ensure your privacy policy contains details about user data collection, handling, storage and sharing. Omission of any section is not allowed.
So I added a section for each. I could make the "Information We Collect" section less verbose for sure.
I suppose that technically you could also just remove the pop-ups; that means that you never agreed to anything and the site has no permission to place cookies on your computer.
Not because we're required, but because that's how the off-the-shelf cookie banner thing we use works, and better safe than sorry should a European access our US marketing site, I suppose.
I always figured most of the popups would reject cookies if hidden, if for no other reason than everyone is too lazy to modify the default behavior (and the default behavior is designed for EU regulations)
https://en.wikipedia.org/wiki/Global_Privacy_Control
You aren't really giving preferences related to cookies with these "cookie banners".
The laws in the EU require companies to get user permission for certain types of data processing.
Cookies may be involved in that, but they may not be.
Browser features like local storage or session storage would also be covered, and a lot of processing done server-side without the use of cookies requires permission too.
A single indicator like the DNT header or the newer GPC header can't cover all of this, so it isn't suitable for complying with the ePrivacy Directive or GDPR.
There’s clearly no way to indicate what sort of knife based assault is acceptable using a single indicator.
It relied on the goodwill of those who run these services to i) invest some effort and money to detect the DNT headers and then ii) not collect/store the data of these requests.
Back when only a tiny portion of web users would send these headers along, the industry was fine to implement it. If only for marketing purposes. But as soon as they saw that it actually worked, the industry saw a threat to their revenues and stopped.
I believe a DNT2.0 that's more granular could've been a basis for GDPR, but the GDPR refrained -rightfully so, IMO- from any implementation details. For one, the GDPR never once requires some "popup", it merely states that if you are an a*hole and collect data that you shouldn't and/or send that to other parties, you should at least ask consent to do so - the idea being that web-owners would then massively ditch these services so that they don't have to nag their users.
And because the GDPR refrained from implementation details, the ad and surveillance industry adopted a "dark pattern" that annoys people to no end (the popups) so as to paint the GDPR in a bad light. This industry could've easily said "If we see a DNT header with level:x and domainmask:*, we'll assume NO to every tracking cookie and won't collect them". And the browser makers then could add some UI to allow users per-domain or global, or wildcard or whatever settings "set-and-forget". But alas, this industry is malicious at best and will annoy users to no end for their own agenda.
¹ edit: source: https://pc-tablet.com/firefox-ditches-do-not-track-the-end-o...
I would disagree with this. If you're going to force bad actors to take actions that they don't want to, and you give them wide latitude to decide how to comply, then of course they're going to try to find ways to satisfy the letter of the law while avoiding the law's underlying goal.
> surveillance industry adopted a "dark pattern" that annoys people to no end (the popups) so as to paint the GDPR in a bad light
We should in fact blame lawmakers when they fail to anticipate the obvious consequences of their laws.
> This industry could've easily said "If we see a DNT header with level:x and domainmask:*, we'll assume NO to every tracking cookie and won't collect them".
If they were the type of people to do that, then they wouldn't have been doing the invasive tracking in the first place.
The GDPR would be far better if it simply banned individualized tracking. It would be somewhat better if it explicitly specified that sites must honor browser headers and specified the exact UI to use when requesting permissions.
It's not a dark pattern, but actually is similar to terms of conditions and privacy policies that sites show. Requiring users to go through legal agreements sucks, but companies can't just ignore the law in order to make a better user experience.
Say what?
Tracking to discover latency, errors, weird behaviour, malicious actors and so on.
Tracking to see what content does well and what not.
Tracking to see what rough demographics (mobile, desktop, country, region, time-of-day etc) visit your premises.
E.g. plausible-analytics or even Matomo do a good job at i) keeping the data rough and broad and without any PII, and ii) storing the data on-premise rather than at commercial aggregators who will either re-sell or use it for own services.
And still, we get consent banners. Wasn’t I clear when I said don’t track?
You need someone powerful like Google to say they will lower Page Rank for sites that don't comply with the Do Not Track flag.
[0] https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies
On a macro sense, I also feel like there's a virtue to making it clear to sites that no I don't want their unnecessary cookies. Exercising my right to opt out (actually I'm American I have no such rights in my state) is a clear & direct signal, one that I hope someday perhaps the majority of the world might exercise. At which point there's little value in keeping up this user-hostile practice. Just deleting my cookies does reduce their usefulness, but it's not as clear a sign; it could just as well be someone who doesn't have a secure personal device they can rely on. I'd rather make it clear that no, I'm explicitly rejecting the premise of your cookies.
Browsers mostly block third-party cookies by default or have an option to let you do so, so it's only the site's own cookies that need to be deleted.
> On a macro sense, I also feel like there's a virtue to making it clear to sites that no I don't want their unnecessary cookies.
That gives them an incentive to find ways to track you, such as fingerprinting. Limited data might convince them that tracking data is of low value.
I know that it says "should", but how commonly is that practice followed by websites? And in that case, wouldn't blocking the popups entirely, like uBlock Origin does, become a better option than installing a new plugin?
uBlock does actually have an option to enable just hiding the popups.
In theory though, there's nothing requiring websites to actually treat a hidden pop-up as a rejection in the US, so I guess it doesn't hurt to explicitly reject instead.
https://github.com/cavi-au/Consent-O-Matic
1. The Do Not Track header set by browsers was used by sites to fingerprint and track users.
2. World's largest tracking and advertising company is also making the world's most popular browser.
and
3. GDPR was adopted 9 years ago
So the answer to your question is: no, they never will.
Exhibit A: Google assumes Chrome is just another service to track you: https://x.com/dmitriid/status/1908951546869498085
Exhibit B: Chrome's "more private web" sells your browsing data and behaviour by default: https://x.com/dmitriid/status/1664682689591377923
I don't know why more people don't use Brave - you can turn all the annoying crypto/ad stuff off and it never bothers you about it again.
These days, I apply the same filter to anything written with "vibe coding". If the nominal author didn't bother to write the code, I'm certainly not going to bother running it.
I encourage my rivals and enemies (if any exist) to screech about how I will surely fall behind the zeitgeist and immediately fire all their devs in favor of six MBAs and a team of coops to be exploited ruthlessly.
I’ve been running uBlock Origin and Privacy Badger. Planning to add a cookie consent denier after I type this.
Imagine instead, if they legislated that a browser can merely be an html client, and not a spy tool for advertising companies.
Because I already use Cookie Auto-Delete and I'm just sick of the question popping up. Stop nagging and give me all the cookies so I can delete them 5s after I close your tab.
Note that most tracking is possible without cookies these days, so deleting the cookies on exit (or even always running in a private tab) doesn’t do as much as it used to.