Show HN: A Chrome extension that will auto-reject non-essential cookies
blog.bymitch.com
A FOSS chrome extension that attempts to remove the annoyance of cookie pop ups and banners.
There are some extensions out there that auto-accept cookies, but I didn't find one that auto rejected cookies without either chaining some extensions together or setting up custom rules in tools like uBlock origin. So with this extension, you just need to add it for non-essential cookies to be rejected.
Github: https://github.com/mitch292/reject-cookies
Extension Link: https://chromewebstore.google.com/detail/bnbodofigkfjljnopfg...
It's still very early days for the extension. I want it to keep improving and working on more and more sites. Feedback welcome. Thanks!
Love the idea. I wish chrome extensions had a more granular permissions structure and/or reminders/security checkups on installed extensions and their permissions.
As it is, the content scripts manifest permission for https://*/* for content.js is always so jarring to see. For those that don’t know, this allows the extension to run that script on every site you visit after clicking accept ONCE when you install the extension. That means it can see financial info, health info, legal info, your diary, etc…
Now this makes sense from a usability perspective (I never have to see a cookie banner ever again!), but the author could change content.js at any time and the extension would continue to run without prompting the user.
This is not an attack on you Mitch! It sure looks like you’re trying to provide value in this world rather than take it. Rather, it’s an attack on Google’s extension security model. I’m really shocked Google has not taken a more careful and nuanced stance to protecting users from a security standpoint.
I write this as a fellow chrome extensions dev. I wish I had better, more granular permissions structures to protect my users and give them more information about what I am requesting and why, along with regular reminders so they can make informed decisions about what they want to share.
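To make the permission concern in the comment above checkable, here is an added example (not code from the thread or from the extension) that scans a manifest for entries granting access to every site and reports whether that access is granted at install or requested later. `SAMPLE_MANIFEST` and the function names are constructed for illustration; the manifest keys are the standard Manifest V2/V3 ones.

```javascript
// Added example. SAMPLE_MANIFEST is constructed; it is not the manifest of
// reject-cookies or of any other real extension.

// True when a match pattern covers every host: "<all_urls>" or a bare "*"
// host such as "https://*/*" or "*://*/*". API names like "storage" are not
// match patterns and return false.
function isBroadPattern(pattern) {
  if (typeof pattern !== "string") return false;
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)$/.exec(pattern);
  return m !== null && m[2] === "*";
}

// Manifest keys that can carry host patterns, and when the user is asked.
const HOST_FIELDS = [
  { key: "host_permissions", granted: "install" },             // MV3
  { key: "permissions", granted: "install" },                  // MV2 mixes hosts and API names
  { key: "optional_host_permissions", granted: "on-request" }, // MV3
  { key: "optional_permissions", granted: "on-request" },      // MV2
];

function auditManifest(manifest) {
  const findings = [];
  const scripts = Array.isArray(manifest.content_scripts) ? manifest.content_scripts : [];
  scripts.forEach((entry, i) => {
    for (const pattern of entry.matches || []) {
      if (isBroadPattern(pattern)) {
        findings.push({
          field: `content_scripts[${i}].matches`,
          pattern,
          granted: "install", // declared content scripts need no later prompt
          scripts: entry.js || [],
          allFrames: entry.all_frames === true,
        });
      }
    }
  });
  for (const { key, granted } of HOST_FIELDS) {
    const values = Array.isArray(manifest[key]) ? manifest[key] : [];
    for (const pattern of values) {
      if (isBroadPattern(pattern)) {
        findings.push({ field: key, pattern, granted, scripts: [], allFrames: false });
      }
    }
  }
  return findings;
}

function formatFinding(f) {
  const when = f.granted === "install" ? "granted once at install" : "asked for at runtime";
  const what = f.scripts.length ? ` runs ${f.scripts.join(", ")}` : "";
  return `${f.field}: ${f.pattern} (${when})${what}`;
}

// Constructed sample: one all-sites content script, one site-scoped script,
// one narrow host permission and one broad optional host permission.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example banner clicker (constructed)",
  version: "0.1.0",
  permissions: ["storage"],
  host_permissions: ["https://api.example.com/*"],
  optional_host_permissions: ["*://*/*"],
  content_scripts: [
    { matches: ["https://*/*"], js: ["content.js"], run_at: "document_idle" },
    { matches: ["https://news.example.com/*"], js: ["site.js"] },
  ],
};

for (const f of auditManifest(SAMPLE_MANIFEST)) console.log(formatFinding(f));
```

Running the same audit against the `manifest.json` of each new release is one way to notice when an update widens site access.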
Definitely agree, not a fan of the permissions.
The broad permissions were required from a usability standpoint. Granting permission on every site for this extension would just be a 1 to 1 replacement of clicking reject on the banner or pop up for every site.
I would hope that before Chrome approves an extension to be added to the store that they are auditing the content of the package.
Personally, I would still love a site-by-site "reject non-essential cookies" prompt from an extension that's in the same place, with the same UI, on every site. Still a click, but lots better than having to figure out how to accomplish it on each and every site.
One of the reasons Manifest v3 was started is that it is impossible for an extension that eval's arbitrary code from the web (or downloads, say, a dynamic list of data and acts on it).
For something like this, it's tractable.
Back in the Matt's Script Archive days I would automatically reject anything written in PHP from serious consideration. Whatever it was, would inevitably be full of bugs, security issues, and either unmaintained or poorly maintained.
These days, I apply the same filter to anything written with "vibe coding". If the nominal author didn't bother to write the code, I'm certainly not going to bother running it.
I encourage my rivals and enemies (if any exist) to screech about how I will surely fall behind the zeitgeist and immediately fire all their devs in favor of six MBAs and a team of coops to be exploited ruthlessly.
Cookie banners are a bad/wrong solution to the underlying problem, but it's the dark patterns within that really piss me off. I shouldn't have to invest deep cognitive attention to "only accept mandatory" but if you're not careful many dialogs will trick you into clicking accept all after you go to the trouble to untoggle all the optional shit. The answer is to use isolation containers, aggressively reset them and not to worry about any of this.
I hate how web sites can weasel their way around consent by simply declaring their cookies as "necessary" or "mandatory." As the Dude would say: Yeah, well, that's just like, your opinion, man. How about we have an easy-to-use "Reject ALL cookies from this site (and deal with whatever breaks)" option?
The underlying problem that the cookie banner operators have is there are laws preventing them from abusing the data they collect.
Annoying banners increase pressure on people to contact their representatives to overturn those laws, allowing the operators to abuse the data.
I just always click accept all.
Less to think about, and it basically puts the web into the state it was in before we all got bent out of shape about tracking, which was fine.
(Now that I type that... I should have made an extension ages ago that just does "identify cookie banner and click on the left-most button automatically").
uBlock Origin already has this. Enable the "Cookie notices" and "Annoyances" filters in uBlock Origin's settings.
Bonus pro-tip: Firefox for Android supports uBlock Origin, which means you can get rid of these godawful banners on mobile, too. Only iOS users are stuck having to put up with them.
Hiding the popup is not the same as clicking reject.
It should be but it's not.
You think these websites give a shit about your privacy because you clicked on a div with a "No" in it? Not a chance. It's like asking thieves to promise not to steal from you.
Protecting users is the browser's job:
https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...
https://support.mozilla.org/en-US/kb/introducing-total-cooki...
> You think these websites give a shit about your privacy because you clicked on a div with a "No" in it
Yes. For a subset of "these websites". Because this is enforced and EU has fined billions already. The fines for doing what you say they do, are steep and a severe risk for many "these websites".
> For a subset of "these websites".
So for websites that are not in that subset, they will still track you regardless of what you click on, so you still need browser-level protections for those websites, and those browser-level protections will also work on the websites that are in that subset, so you still gain nothing by clicking the No.
Yes. But "these websites" will then be prosecuted, their owners cannot enter the EU ever again without the risk of severe penalties, they cannot do business in the EU and can and often will, lose access to many services that do want to stay on the good side of the EU (i.e. will see their google ads blocked, their stripe frozen, their hosting closed etc).
Edit: what I'm trying to say is: this "technical" problem has a real and working "solution" that's not technical at all: law and enforcement. Now, that won't work for all and everything, it never does. There will always be malicious, scammy, malware, criminal and illegal webservices around. But it makes it very hard for malicious actors to do so and make money.
Yeah but the question is how you, as a user, should best protect yourself. I'm saying clicking the "No" provides no advantage over using a browser that just protects you from tracking by default. Then it doesn't matter whether the website is following the law or whether the EU (where I don't live) will enforce the law or change it in the future or whatever.
> Now, that won't work for all and everything, it never does. There will always be malicious, scammy, malware, criminal and illegal webservices around.
Yeah, exactly. So if I have to protect myself from those websites anyway, I may as well apply the same protections to all websites. Clicking the "No" does nothing for me.
> So if I have to protect myself from those websites anyway, I may as well apply the same protections to all websites.
And what is the protection?
I posted links up thread: https://news.ycombinator.com/item?id=43832541
I'm currently at a small ad tech firm and while I can't speak for other outfits, we definitely are extra careful about respecting user consent indicators. Because we are small, it's not easy to do this, because there are many possible ways for users to "reject". This includes situations that merely imply non-consent due to inaction, rather than active non-consent like a reject cookie indicator, or living in a jurisdiction that makes non-consent automatic (as it should be!). Many of the "reject cookies" tools are especially useful because even if a website doesn't respect your choice (and therefore tries to send data to us) your browser can still tell us if you are non-consenting. This means it's easier for us to notice non-consent and drop the data as soon as possible, before any logging or analysis can occur.
We do not materially benefit from this in any way, nor do we market it. I am not a spokesperson for my company nor do I want to be publicly identified with it. I'm advocating here because you said "not a chance" but there is a chance.
It's not just that we are worried about some sort of regulatory enforcement, either, although existence of such regulations does help convince the less scrupulous people from pursuing a bad path.
The free internet is built on ads. I still believe in the free internet. I still think we can make it work. I welcome regulation and regulatory enforcement even though it's hard for a small outfit like us, because it reduces the chances that our ad tech has to compete with less scrupulous people. I think we've survived as a small outfit since roughly the dotcom era because we've tried to be good stewards. People wouldn't need uBlock if there was better regulation/enforcement, and companies like mine, who are trying to do the right thing (even as we operate in the loathed ad space), would benefit.
I'm worried about AI on this front because it means in the future your ads will be served up to you out of a black box instead of out in the open where we can all inspect who is trying to get what from us (and block bad parties via eg uBlock), and, to a degree, who is trying to shove what down our throats.
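The comment above describes dropping data from non-consenting users before any logging. The following is an added example of that idea, not code from the commenter or their company: a receiving endpoint checks the browser's `Sec-GPC` and `DNT` request headers, treats a missing consent record as non-consent, and keeps only a counter for what it discards. The event shape, the `consent` field and the sample requests are constructed assumptions.

```javascript
// Added example. Sec-GPC and DNT are the real request header names; the
// request shape and the body.consent field are assumptions of this sketch.

// Returns why a request must be discarded, or null when it may be stored.
function optOutReason(headers, body) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers || {})) {
    h[name.toLowerCase()] = String(value).trim();
  }
  // Browser-level signals win over anything the page recorded (policy
  // choice of this example).
  if (h["sec-gpc"] === "1") return "gpc";
  if (h["dnt"] === "1") return "dnt";
  const consent = body && body.consent;
  if (consent === "rejected") return "banner-rejected";
  // Inaction or a hidden banner leaves no record, which is not consent.
  if (consent !== "granted") return "no-consent-recorded";
  return null;
}

// Runs the check before anything is written; dropped requests leave only
// a per-reason counter behind, never their payload.
function ingest(requests) {
  const stored = [];
  const dropped = {};
  for (const req of requests) {
    const reason = optOutReason(req.headers, req.body);
    if (reason !== null) {
      dropped[reason] = (dropped[reason] || 0) + 1;
      continue;
    }
    stored.push({ page: req.body.page, campaign: req.body.campaign });
  }
  return { stored, dropped };
}

// Constructed sample requests.
const SAMPLE_REQUESTS = [
  { headers: { "Sec-GPC": "1" }, body: { consent: "granted", page: "/a", campaign: "c1" } },
  { headers: { DNT: "1" }, body: { consent: "granted", page: "/b", campaign: "c1" } },
  { headers: {}, body: { consent: "rejected", page: "/c", campaign: "c2" } },
  { headers: {}, body: { page: "/d", campaign: "c2" } },
  { headers: { dnt: "0" }, body: { consent: "granted", page: "/e", campaign: "c3" } },
];

console.log(JSON.stringify(ingest(SAMPLE_REQUESTS)));
```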
>> we definitely are extra careful about respecting user consent indicators.
Where you used italics I think you meant finger quotes and a wink.
The act of indicating no is frictionless if automated through an extension, and if it turns out orgs are not respecting the action, it'll end up in a class action or other legal event eventually (assuming statute or other regulatory mechanisms exist on the topic). "Porque no los dos?" Strongly agree the browser should still aggressively act in the user's interest and protect them.
(privacy law and how it relates to customer user experience is a component of my work in finance)
I think that's a distinction without a difference in general, but certainly under the GDPR where any form of consent must be explicit.
I mean sure I guess, do whatever you want. I will always have uBo installed and I prefer to have less software on my machine (fewer things to go wrong), so uBo's list plus Firefox's protections is good enough for me.
> if it turns out orgs are not respecting the action, it'll end up in a class action or other legal event eventually
Not a chance.
Yeah I find that list is more trouble than it's worth, because some sites will block interaction until you dismiss the cookie notice, so you get softlocked if the notice is hidden. I assume that's why uBO disables that list by default.
Agreed. YouTube is a notable example of this, at least in the EU.
Legally it is the same
Doesn't mean people implement it correctly though
This is incorrect. The GDPR requires affirmative consent before processing user information, hiding is not "affirmative." Additionally, there's been increasing litigation via wiretapping statutes (most notably in California where there's statutory minimums for damages) that pose additional legal risk for companies using analytic cookies w/o affirmative consent.
for iOS users, you can just install eg AdGuard as iOS safari extension/blocker extension and enable the uBlock filter lists :) Fully working ad blocker for mobile safari.
Could you clarify which options you mean?
https://i.imgur.com/QnedRVZ.png
Also, how's that compare to Consent-O-Matic in terms of effectiveness, safety (i.e. that it doesn't mangle the wrong thing on the site) and performance?
I use the EasyList ones, though I don't have any particular reason for that other than it is also the default "Ads" list chosen upon installation.
> Also, how's that compare to Consent-O-Matic in terms of effectiveness, safety (i.e. that it doesn't mangle the wrong thing on the site) and performance?
Dunno. I've never had any problems with it. All it does is hide the cookie banner DOM elements.
Not the op, but I just enable all of them.
It is very rare for me to see a site that's broken by ublock origin.
Orion for iOS supports Firefox and Chrome extensions.
I've been using this and it even blocks YouTube ads. But do note that it often reduces video quality and in shorts there seems to be an off-by-one error where if it's "hide toolbar" then if you click the like it'll click the dislike and if you click dislike it'll click comments.
Worth it IMO but I really wish there was a better way to submit bug reports than creating an account on their site. Fuck that dark pattern
How do I keep chrome from uninstalling ublock these days every time I restart?
Use a better browser: https://www.mozilla.org/en-US/firefox/
I was back on Firefox for a few months, and it's noticeably slower and drains battery (on M2 Air).
Take a look at Zen browser - it's a fork of firefox ESR, with some dramatic UI changes made to look similar to the Arc browsers.
I've been using it on my Mac M1 and I only notice the memory footprint when I have > 30 - 40 tabs open.
If Safari is OK you could move to Orion: https://kagi.com/orion/
I would love to but I can't use the MacOS default password manager :(
Safari supports 3rd-party password managers like 1password no problem.
I tried it briefly but I think it's semi-abandoned? Maybe I should give it another shot. Only non-negotiables for me are Stylish and Violentmonkey.
Orion is not abandoned, the last beta, version 0.99.133 was released on April 21, 2025. See https://kagi.com/orion/updates/orion-release-notes.html.
Install it using an enterprise profile and enable the ExtensionManifestV2Availability flag: https://news.ycombinator.com/item?id=43340358
Still works for me to this day, but this option might get axed come June 2025.
You can still install the extension manually. This is a good video on how to do it https://www.youtube.com/watch?v=jQX2lgePAKk
Ublock-lite is there, but better switch to firefox or brave
My ideal solution to this would be: accept all cookies, then delete them after page unload
This is what Brave's "Forgetful Browsing" does. There's even a slight delay, in case you accidentally closed the tab.
You can configure the "Cookie Autodelete" extension to behave in a similar way.
Note that "I agree to tracking" and "I agree to cookies" are two different things. If you agree to tracking then a website can fingerprint you in any way they see fit, including methods that do not depend on cookies.
this means they track you for your duration. ideal solution is accept all cookies and randomly modify the values so it becomes a jumbled mess to their analytics
This is what the extension Cookie Autodelete does. It even allows you to make an exclusion list of ones you wish to persist.
this is called incognito mode
Oh neat. I did not know this. Thanks for sharing.
Have you seen consent-o-matic? https://github.com/cavi-au/Consent-O-Matic https://addons.mozilla.org/en-GB/firefox/addon/consent-o-mat...
I tried consent-o-matic. Aside from the name making it sound like it says ok to all forms of tracking, it broke a few websites for me and failed to get rid of the banners on many others, and I quickly had to turn it off. TBH I'm not sure how it could be expected to work either, unless all websites use the same consent banner solution.
It by default only accepts essential cookies. I too thought the same thing based on the name of the extension.
How it’s implemented: Vibe coding is the answer
Sorry, you want me to give browser privileges to code written by AI?
You should stick with extensions that have lots of stars, that way you know they're trustworthy and secure.
I assume you're being facetious; because popular (and good, trustworthy) extensions written by initially passionate people often end-up being bought-out by dodgy orgs - with very-hard-to-refuse offers - and the Chrome Extension Store has no way of knowing about that.
I had a Chrome extension with about 20,000 users and I received unsolicited buyout offers a few times a year, and some offers were very hard to refuse - but it's not hard to imagine anyone else capitulating.
What were the larger offers you received?
They were all below $10,000 USD, but some were very close to that.
This is 100% a fair point of view and you’re right to be skeptical. With the blog post I was just trying to convey that cursor + auto select model was not great at this task. It gave me a project structure, but besides that everything had to be refactored.
While I agree with you 200%, the code is there for you to review. I skimmed it and it didn’t seem difficult to grok, keep in mind I speak almost no JavaScript or typescript.
Where is it shown that it was written by vibe coding?
Click the Show HN link and scroll down to the second heading.
AI is mere mirror of human code.
The common one I use in the space is https://consentomatic.au.dk/ but good on you for making an alternative. More options is great.
+1 for Consent-O-Matic, it's great
I noticed you deleted the privacy policy in Github, and link to this one instead https://privacy.reject-cookies.bymitch.com/
The one you link to doesn't really make sense:
> Data is collected on specific sites that the product is not working on. This data is sent explicitly by users and when it is collected we do not collect any information that could be tied to a specific user. Only the name of the site is collected and any additional information you include in the text of the report.
The original one that was deleted from the Github repo [0] is much simpler and to the point.
[0] https://github.com/mitch292/reject-cookies/commit/18a87b2bee...
Agree! Unfortunately, that one was rejected by chrome.
Interesting. Did they explain why?
They had this in the reply
> How to rectify: Ensure your privacy policy contains details about user data collection, handling, storage and sharing. Omission of any section is not allowed.
So I added a section for each. I could make the "Information We Collect" section less verbose for sure.
Does this kind of privacy policy they demand follow any law, or it's just their "you should do this way"?
I'm honestly not sure.
Could you provide more details?
Added some additional details under another reply in the same thread!
I don’t get it. All browsers have a “do not track” toggle implemented.
And still, we get consent banners. Wasn’t I clear when i said don’t track?
Wilfully ignored because i guess it's not mandated by law.
You need someone powerful like Google to say they will lower Page Rank for sites that don't comply with the Do Not Track flag.
when you say 'dont track', it seems like you could really mean 'dont not track', which would make more sense. since thats the safer option, maybe i should assume that. or maybe bring up a dialog that asks 'do you fail to consent to the lack of not tracking'
yes, that’s what i thought. but then, what would be the point of rejecting anything, except to actively consent to something else?
Consent-O-Matic can easily be configured to reject cookies.
I suppose that technically you could also just remove the pop-ups, that means that you never agreed to anything and the site has no permission to place cookies on your computer.
This is only true in Europe - it is not required by the US privacy laws and the default most companies deal with will be set to implicit allow
Was an interesting experience travelling to Italy and suddenly starting to get cookie banners on sites I visit daily that normally don't have
I sort of assumed that companies wouldn't even show the cookie/tracking consent in areas where they are not legally required, but that's a good point.
My company puts the cookie banner everywhere and follows the "hiding the banner is not consent" pattern.
Not because we're required, but because that's how the off the shelf cookie banner thing we use works, and better safe than sorry should a European access our US marketing site, i suppose.
I always figured most of the popups would reject cookies if hidden, if for no other reason that everyone is too lazy to modify the default behavior (and the default behavior is designed for EU regulations)
I never understood why the HTTP Do Not Track header wasn’t used to signal cookie preferences. It seemed like the perfect solution.
You assume the problem was to determine the user’s preference in the most efficient way possible. The problem, instead, was to fool as many users into consenting as possible; and from that point of view, it is indeed rational to ignore any advisory signals and annoy the user so they want to just make the message go away.
Maybe GPC will do a better job
https://en.wikipedia.org/wiki/Global_Privacy_Control
>I never understood why the HTTP Do Not Track header wasn’t used to signal cookie preferences.
You aren't really giving preferences related to cookies with these "cookie banners".
The laws in the EU require companies to get user permission for certain types of data processing.
Cookies may be involved in that, but they may not be.
Browser features like local storage or session storage would also be covered, and a lot of processing done server-side without the use of cookies requires permission too.
A single indicator like the DNT header or the newer GPC header can't cover all of this, so it isn't suitable for complying with the ePrivacy Directive or GDPR.
It’s broken in the same way as do-not-stab. We tried that in my town, but people started slashing each other. One person got a big knife and kept it sheathed, then clubbed people with the handle.
There’s clearly no way to indicate what sort of knife based assault is acceptable using a single indicator.
The issue is with how browsers implemented it. Instead of implementing it with a per domain granularity it was implemented as a global option. People may enable the option to block tracking from malicious parties, but may unknowingly block tracking from good companies. So now good companies would need to ask the user if they actually want tracking since they may accidentally be blocking it.
No, the real problem was that it worked too well from the perspective of ad-tech and data-gatherers.¹
It relied on the goodwill of those who run these services to i) invest some effort and money to detect the DNT headers and then ii) not collect/store the data of these requests.
Back, when only a tiny portion of web-users would send these headers along, the industry was fine to implement it. If only for marketing purpose. But, as soon as they saw that it actually worked, the industry saw a threat to their revenues and stopped.
I believe a DNT2.0 that's more granular could've been a basis for GDPR, but the GDPR refrained -rightfully so, IMO- from any implementation details. For one, the GDPR never once requires some "popup", it merely states that if you are an a*hole and collect data that you shouldn't and/or send that to other parties, you should at least ask consent to do so - the idea being that web-owners would then massively ditch these services so that they don't have to nag their users.
And because the GDPR refrained from implementation details, the Ad- and surveillance industry adopted a "dark pattern" that annoys people to no end (the popups) so as to paint the GDPR in a bad light. This industry could've easily said "If we see a DNT header with level:x and domainmask:*, we'll assume NO to every tracking cookie and won't collect them". And the browser makers then could add some UI to allow users per-domain or global, or wildcard or whatever settings "set-and-forget". But alas, this industry is malicious at best and will annoy users to no end for their own agenda.
¹ edit: source: https://pc-tablet.com/firefox-ditches-do-not-track-the-end-o...
> the GDPR refrained -rightfully so, IMO- from any implementation details
I would disagree with this. If you're going to force bad actors to take actions that they don't want to, and you give them wide latitude to decide how to comply, then of course they're going to try to find ways to satisfy the letter of the law while avoiding the law's underlying goal.
> surveillance industry adopted a "dark pattern" that annoys people to no end (the popups) so as to paint the GDPR in a bad light
We should in fact blame lawmakers when they fail to anticipate the obvious consequences of their laws.
> This industry could've easily said "If we see a DNT header with level:x and domainmask:*, we'll assume NO to every tracking cookie and won't collect them".
If they were the type of people to do that, then they wouldn't have been doing the invasive tracking in the first place.
The GDPR would be far better if it simply banned individualized tracking. It would be somewhat better if it explicitly specified that sites must honor browser headers and specified the exact UI to use when requesting permissions.
>adopted a "dark pattern" that annoys people
It's not a dark pattern, but actually is similar to terms of conditions and privacy policies that sites show. Requiring users to go through legal agreements sucks, but companies can't just ignore the law in order to make a better user experience.
> tracking from good companies
Say what?
There's proper and good tracking possible just fine.
Tracking to discover latency, errors, weird behaviour, malicious actors and so on.
Tracking to see what content does well and what not.
Tracking to see what rough demographics (mobile, desktop, country, region, time-of-day etc) visit your premises.
E.g. plausible-analytics or even Matomo do a good job at i) keeping the data rough and broad and without any PII, and ii) storing the data on-premise rather than at commercial aggregators who will either re-sell or use it for own services.
If it's not tracking the user then I don't understand what the problem is with DNT here
I --still-- don't care about cookies so I use https://chromewebstore.google.com/detail/i-still-dont-care-a....
The whole cookies law in EU is a prime example of government overreach and complete misunderstanding of how technology works.
Imagine instead, if they legislated that a browser can merely be an html client, and not a spy tool for advertising companies.
Brave does this by default and it works flawlessly apart from on fairly obscure websites (a lot of obscure websites don't have cookie notices anyway).
I don't know why more people don't use Brave - you can turn all the annoying crypto/ad stuff off and it never bothers you about it again.
I guess because Firefox doesn't make me turn off annoying crypto and ad stuff in the first place (plus I've been using it for like ten years now)
What's the difference between this and "I still don't care about cookies"[0]?
[0] https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies
It rejects cookies & reduces how much you are tracked, rather than accepting all tracking & cookies.
I don't care about cookies plus an extension that deletes frequently plus firefox container tabs will make tracking quite misleading.
My gut feeling is that this would be somewhat useful yes at shielding privacy. But even if you delete cookies every day, at least for me, that's a day of various advertisers tracking my motions across the web. And it also involves the inconvenience of losing the sign in cookies that are greatly convenient for me to have. For my own sake, I'd prefer not accepting unnecessary cookies.
On a macro sense, I also feel like there's a virtue to making it clear to sites that no I don't want their unnecessary cookies. Exercising my right to opt out (actually I'm American I have no such rights in my state) is a clear & direct signal, one that I hope someday perhaps the majority of the world might exercise. At which point there's little value in keeping up this user-hostile practice. Just deleting my cookies does reduce their usefulness, but it's not as clear a sign; it could just as well be someone who doesn't have a secure personal device they can rely on. I'd rather make it clear that no, I'm explicitly rejecting the premise of your cookies.
> So the omission of an acceptance should be on par with an explicit rejection
I know that it says "should" but how commonly is that practice followed by the websites? And in that case, wouldn't blocking the entire popups like ublock origin does become a better option than installing a new plugin?
My understanding (as was explained by my compliance department at work) is that per EU law, omission of acceptance is on par with rejection. Many off the shelf cookie consent plugins used by websites will default to this behavior (including the one my work uses, despite being a US company).
Ublock does actually have an option to enable just hiding the popups.
In theory though, there's nothing requiring websites to actually treat a hidden pop-up as a rejection in the US, so i guess it doesn't hurt to explicitly reject instead.
Can you release it for firefox too please?
Are you aware of https://addons.mozilla.org/fr/firefox/addon/consent-o-matic/?
Consent-O-Matic is an extension that works fairly well and is cross browser.
https://github.com/cavi-au/Consent-O-Matic
In today's world, having a performant and robust (that can support extension) browser on widely used Platforms (iOS, Android) seems like a dream. Is it too much to ask for?
Firefox is that browser. It's not on iOS but neither is any other browser that matters.
Kagi browser for iOS supports Firefox and Chrome extensions.
I’ve been running UBlock Origin and Privacy Badger. Planning to add a cookie consent denier after I type this.
What works on iOS mobile? That’s the ultimate limitation on customization.
I want a Firefox extension that will auto-accept all cookies.
Because I already use Cookie Auto-Delete and I'm just sick of the question popping up. Stop nagging and give me all the cookies so I can delete them 5s after I close your tab.
that is covered off in the article, for what it's worth
Thank you! I just installed "I still don't care about cookies" in FF and this has improved my browser experience a lot!
You could use ublock origin’s annoyance list for the same effect. Even better, you could use one of the ones that send “deny” listed elsewhere in this thread.
Note that most tracking is possible without cookies these days, so deleting the cookies on exit (or even always running in a private tab) doesn’t do as much as it used to.
nice how do you know where to reject is that a closed list?
A rule based approach alone is insufficient and lacks maturity. The solution must be capable of understanding the context of a given webpage and taking actions based on that understanding.