Does nobody find this intrusive when it appears on sites like pornhub? Of all places where I'd sign in with a Google account... holy heck, I was very surprised they chose to let Google do that nearly-fullscreen popup on their site upon every visit (since you visit in private tab, it's a fresh session every time)
Even on reddit it annoys the heck out of me and I was very surprised they let this third party ruin the experience (when they don't even do it as first party). What if they all start doing it, facebook and github and the lot, you need to click away four banners? But maybe not enough people have privacy extensions installed and reddit can just track them forever and thus store a one-time dismissal. Anyone here in the know whether this doesn't show a measurable drop in returning users?
> Does nobody find this intrusive when it appears on sites like pornhub?
It's extremely intrusive, regardless of which site it shows up. It's a reminder that the likes of Google are collecting all the personal information they can get from you, and building up a personal profile that covers all aspects of your life, not only your online presence.
There's a big upside to Google One Tap. It makes users sign up for your product like crazy.
I recently added it to a SaaS web app I'm working on, and the number of new sign ups went up 8x overnight. You don't necessarily have to create an account to use the minimal functionality of our app, but after signing up you do get some perks, and we get a way to communicate with the user through email. So I think it can be beneficial for both parties.
You're assuming that the user actually wants to sign up. In reality, it's likely that they're just clicking "Continue" in order to get rid of the dialog and couldn't care less about a signup.
Users want to use the site and don't care whether or not they are signed up. They do care about going through tedious registration forms and email verification codes. That's why sign-ups go up so much - users know they won't have to deal with the registration tedium.
They trade that for the tedium of dealing with being automatically added to email lists for sites they don’t even remember signing up for and only used one time.
All the spam email is why I’m very picky where I choose to register.
They have yet to block the Apple email relay. Granted, I haven't used it or tested it on every site. That said, Apple has one advantage other filters don't have, which is people who own Apple devices tend to be desirable to very desirable customers, which means adding friction to this would drive away higher average spenders.
I also use the fastmail.com masked email address for things, and that has not yet been an issue either.
And if you have an app in the AppStore and you allow third party sign ups through Google, Facebook, etc. You must allow “sign in with Apple”.
There is absolutely no app or service that I would use that forces me to sign in with Google and doesn’t give me a choice to Sign in with Apple and let me Hide My Email.
Big upside to the provider, not necessarily the consumer.
Perplexity has a "sign in with Google" pop up that loads late, often when I've already started typing in my query, and thus blocks the rest of my typing, negatively affecting the UX of the service. So I looked up how to get the fuck rid of it and added that method to uBlock Origin, and now I'm a happy (freeloading) chappy.
The delayed focus capture is the most annoying part. I'll be in the middle of typing or scrolling with the keyboard when it steals focus. I type pretty fast, so sometimes I've punched in a bunch of text before realising it all vanished into the popup's frame.
Since shifting to firefox it's not a big deal as I have more control, vimium can stop focus being stolen and ublock can block the in web versions of the popups. Which if Googlers are reading, I made the swap after a decade of Chrome use because of your continued anti-user, anti-privacy stewardship of the product. Your trajectory is obvious. I hope the product's leadership gets the message some day, but I suspect it's financially working out just fine.
Last month I subscribed to DAZN TV through Google in order to watch a FIFA world football semifinal match. I deleted the third party allowance a week later. The final was free globally.
Do they pay for anything? I'm all for reducing login friction. But that popup is like people that accost you in the street trying to enlist you into their cult.
> So I think it can be beneficial for both parties.
No. Because those who don't want to sign up do get bothered by that popup which also reminds them of the fact that Google just tracked that visit and wants you to use Google to sign up on that page.
The chutzpah it takes to do that, from part of the website owner and Google...
Also true if I use my gmail address. I'll confess that for many websites I don't care that much. Depending on a password manager would be better, though.
Semi-related anecdote: I lost my Reddit account to a cryptocurrency spammer due to a weak password and had to create another, so I lost my preferred username. Annoying but not a huge deal. (Reddit did freeze the old account but wouldn't give it back.)
The email is ultimately the second factor that lets you make important changes to the account in many cases. For example, changing your password. It's more important than the password in nearly every security critical account I have.
This is not always the case. Reddit sometimes locks the account until you verify it or reset the password by email. Happened with my email pointed at a .tk domain and I had to call freenom a bunch to get the domain back.
Since the last few years Reddit has basically just become Facebook 2.0 and it's not even worth using at all. They probably got acquired by private equity or something.
And still couldn't sign-in-with-google. On an email linked that way, so no password recovery. Would likely be a new account - with bonus "that address is already in use" problem.
I agree, there may be an additional step necessary if the page doesn't handle this case already, but this way you can still prove (more easily) ownership to the support.
You're both right. If an account on your service is completely meaningless, I'd rather press one button than type my email, choose a password and go through a stupid email confirmation workflow. Also, it's very annoying that you need an account at all.
I would never visit a site like pornhub in a profile that I was logged in to anything other than similar sites.
note: I'm not excusing the feature but come on! Have some common sense before visiting a site like that?
The place I hate the popup the most is mobile. It comes up moments (0.5 to 2 seconds) after the site loads (say tripadvisor) which means it's possible to accept it by accident as it appears under your finger. Your info is immediately shared so there is no way to recover. You're effed.
I mean sure, I hate it on desktop too, but on mobile it's directly on top of the content and so more likely to be accepted by accident. IIRC you can turn this off in your Google account (or maybe only Google Workspace?)
Note that I hate it for other reasons too. There's no reason Apple/Firefox/Microsoft/Meta and any other major id providers couldn't offer this too. But if they did, then you'd see 5 of these show up [Sign in with Google], [Sign in with Apple], [Sign in with Facebook], [Sign in with Microsoft], [Sign in with Firefox]. So in other words, this seems like a tragedy of the commons in progress.
To steelman the feature though, easy sign up and easy login would be super convenient if that's what I wanted. It might be nice for a Web API that made this more privacy focused (or maybe that already exists). But yes, I'd like to see Google's specific popup disappear - be banned.
> I would never visit a site like pornhub in a profile that I was logged in to anything other than similar sites.
But that's not relevant. The popup appears whether you're logged into a google account or not. It's just an extremely annoying popup that appears all over the web.
As I said above, the feature is super useful to people who want to "login with Google" so plenty of people with common sense would "use the feature".
The common sense part is it's common sense, at least to the HN crowd, to not visit a site like pornhub using your main profile, or so I would have expected.
I did too, until uBO got blocked. So I had to reevaluate.
Chrome now has a site setting that blocks this crap. For the browser-based popup at least. That's the one that pops up in the top-right and is not part of the DOM of the page.
You can go directly to chrome://settings/content/federatedIdentityApi to set "Block sign-in prompts from identity services" as the default behaviour for sites. You can also set exceptions for some sites if you want that.
If you need to go there manually, it is:
1. Settings
2. Privacy and security (in the menu on the left)
3. Site settings (at the bottom)
4. Expand Additional content settings (under Content)
5. Third-party sign-in
> How do you get ublock to work in chrome after the update?
Why does anyone keep using Chrome if they care the slightest about privacy? You're using a browser owned by a company that sells online ads. What do you expect?
Works fine for me. It has a lot less options, truly "Lite", but most people will be fine. Whatever Google might do that will make this extension worthless, we will see, for now, it seems to be working. (It's funny that the Chrome Web Store lists this extension as "Featured".)
By the way, on Android, I replaced Firefox with Microsoft's Edge. It supports uBlock Origin (no "Lite" in the name, not sure what that means, I did not check the details of how much it supports since it just works as it is). It is significantly faster than Firefox (again, Android). It plays all videos, while Firefox just showed an "unsupported" placeholder for videos on some niche sex video site I happened to accidentally visit.
Supposedly, filter lists only get updated when the extension is updated with uBO-lite. Google could just start delaying approval for these adblockers and their filter lists would become out of date fairly quick.
Or just use Firefox because even using chromium is empowering Google to keep playing these games. Maybe you have a problem with Firefox (most people won't notice the difference) but is that problem worse than the problem you have with Google?
> Or just use Firefox because even using chromium is empowering Google to keep playing these games.
This. People like to complain about problems, but I wonder why they don't invest half that energy in actually fixing the problems.
> Maybe you have a problem with Firefox (...)
I've started to notice there is a very vocal opposition of Firefox whose common trait is that they actually do not or cannot present any tangible argument against Firefox. They just shit talk about Firefox, and hand-wave their criticism with inane comments like "they lost the boat".
Sometimes I wonder where that absurdity comes from.
I have plenty of arguments against Firefox, but engaging in browser holy wars is so tiresome. I used Firefox since before it was called Firefox up until v89 (I think) when I finally had enough. That's when they for the millionth time messed up the UI in new fanciful ways, and removed more features I relied upon daily. It's a pattern going back decades, and the usual tired old argument is, just install this addon to restore the functionality, or add/remove this to userchrome.css, or install whatever from some random Github link. The problem is I first have to spend time and energy finding these things, and then the authors have to keep supporting them in perpetuity. And often it's tiny stupid things like removing "show image" from the context menu, I now have to install an addon for, but it's a feature I use all the time, but their precious telemetry says only 10% (or whatever) of people use it, so it gets axed in the name of minimalism. Inevitably those 10% of users will whine about it on Bugzilla, and inevitably it will be WONTFIXed and comments disabled. I've seen this scenario play out SO MANY TIMES.
I like the idea of Firefox. Not the execution.
After ditching Firefox, I installed Vivaldi, and while it certainly isn't flawless, I can set up every aspect of it how I want, and in the four or so years I've used it - with a few minor exceptions I could revert with in-browser settings - it looks and works exactly how I set it up in 2021.
So in summary, for me it was very much a paper-cuts thing, rather than any single major Mozilla catastrophe.
> they actually do not or cannot present any tangible argument against Firefox. They just shit talk about Firefox, and hand-wave their criticism with inane comments like "they lost the boat".
Have you seen that Mozilla has basically become an ad agency?
> Have you seen that Mozilla has basically become an ad agency?
Even taking these comments at face value, this blend of arguments is pretty stupid given that you're making this sort of claims about Firefox when discussing not using Chrome.
What if my problem is that it's funded by Google to the tune of a billion a year and spent a large part of the last two years trying to reposition itself as an ad company?
their "private" is not private. about a month ago, i searched for some health-related stuff in a chrome incognito window and then immediately afterwards got related sponsored product ads on amazon in a logged in normal window.
"Private" and "incognito" mode are fundamentally misnamed. They provide almost no real privacy wrt counterparties over the network, just to other people using the same computer after you.
Try Mullvad’s browser. It does a lot more to avoid user fingerprinting, even locking the resolution of the rendered content to various sizes. There are some things that make it less practical as a daily driver, but it seems good as a secondary browser for private mode.
This is not true of any web browser because of fingerprinting. That’s the point of fingerprinting for ad networks.
You can try using a different device but even then, I occasionally get recommended things that are definitely influenced by my roommates (i.e. on the same WiFi)
Using something that prevents fingerprinting helps, but only if you don’t use that browser all the time — otherwise it’s just another fingerprint — and still on the same network.
Anti fingerprinting is nice but if you get served ads based on your IP address you're going to need more than just a browser to escape tracking based advertising. Adblockers aren't good enough when websites you visit use first-party servers to forward data back to ad networks.
Serving ads based on IP seems foolish when very, very few people have a static IP. I'm sure that a healthy minority of folks on HN do, but we're hardly representative of the general population.
Your IP is a lot more static than you give it credit for. It's not like the dialup era where you get a new IP each time. For example I have a dynamic IP on my cable modem, but it might as well be static as it only changes after there is a long term power outage. Also, it's likely if you're on a home connection most often, then you only have a limited pool of 32k or so IPs, which dramatically lowers the bits of information needed to identify you.
Untrue, you can modify it enough to avoid giving it more entropy. Possible approaches include:
- Spoofing browsers down to the TCP stack
- Plausibly random values
- Every possible bit scrambled on each request
You can see a similar thought-process behind Tor bridges so it is tried-and-tested. Noted that it is a much more difficult feat to accomplish in a full blown browser rather than network layer.
"Incognito", on ANY browser, is not meant for that. It is meant to not leave traces on your PC, so your son/daughter/wife/husband can't see you've been watching porn (for instance). You're still tracked by the sites you visit, unless you use some kind of blocker (and, even then, you may still be tracked server-side).
One of my fav party tricks when I get on someone's Wi-Fi is to search for an obscure disease with an expensive treatment. Everyone in the geographical area seems to start getting ads for it for a while afterwards!
The firefox private window seems to work better than the chrome incognito mode. Maybe brave would be even better because I tested brave against fingerprinting libraries once and it was the best at avoiding any detection.
Brave confuses me. On one hand it seems to have quite good privacy tech, but then on the other hand there are instances of what seem to be quite shady actions. Both impressions come from comments and anecdotes, I have not looked into it myself.
Deeply paranoid people can have occasional good arguments mixed in with their sociopathic traits. The fact that Brave didn't fork Firefox, or build their own like Ladybird implies to me that they are not really trying to improve the system. It's like Windows users extolling the virtues of the LTSC version.
Yes, also in hindsight of my comment, there is nothing inherently conflicting about those two sides of brave. I think my impression was that because they valued privacy, it follows they should be more 'on the level', or something. Which is clearly absurd.
I was trying Chrome on a work computer (because why not, I'm only doing work stuff on it). That incognito (but not really) mode made me download Firefox in a hurry.
> nearly-fullscreen popup on their site upon every visit
I did a bunch of trial and error awhile back instead of reading the docs but you can add a rule to ublock that will look something like this. Hopefully someone comments a better filter than this mess lol
> Seriously, how the fuck do people raw dog the web? It's unbearable.
I agree, I got it to “work for me” by only using the sites I like, but there are times where I stray from my beaten path because I’m searching for something and it’s awful. I don’t think I would have fallen in love with computers if I was raised with the web being what it currently is.
I wonder if this is a driver of ChatGPT as a search engine, everything else is so bafflingly bad and all people really want is information.
I find it intrusive on every single site it’s on. Every time I look at how to get rid of it, I’m pointed to a setting in my Google account to stop it, and it does absolutely nothing.
As far as I can tell, I’m more sensitive to this stuff than normal people, but I’m less likely to return to a site that annoys me like this. I’m also less likely to use Google as a result of them being behind this. While it’s not the only reason I use Kagi, it’s certainly an item in the pro/con list.
The same goes for all of Google’s pop-ups and nudges to switch to Chrome. It’s infuriating. Everyone not using Chrome knows Chrome exists and are choosing not to use it. They really need to stop with the heavy handed push and respect user defaults.
It does disrupt the user experience and clobber a site's own home page, but associating a persistent identity to a user is VERY valuable to sites, and normal sign up flows have a lot of friction. They probably figured it's worth the cost if it gets more users to login/create accounts. Its presence despite the drawbacks indicates a lot of people use this feature.
They also recently must have changed the container, I noticed my adblock wasn't catching it anymore. What I find annoying though is it's often slow to load and conveniently the sign in button is right where you'd click
I lived alone for years and don't even bother with incognito.
But if I cared, I on Firefox can make a separate container for that stuff and login that way. I get a burner account and Google (at least from PH) can't see anything other than other adult sites I put in that container.
But yes, I chuckled the first two times but it quickly got boring.
And BTW this clearly indicates that the people who are responsible for this behaviour not only don't bother with this 'use case' but also never use the 'porn mode' themselves.
I’m super happy Google’s login with my name, appears on PornHub, especially since I’m using a separate browser, Firefox mobile, for this only, never used it for anything else, never logged in. Luckily Firefox mobile gives websites access to something on my phone about my identity. But I’m happy it does this.
Because it exposes how much websites know about us. It’s like Facebook showing face recognition in 2015. It’s creepy but it reminds you constantly how creepy it is.
Just imagine how many sites collect all this info and DONT personalize what’s shown to you…
Of course, one day AI will probably automatically do realtime editing of porn videos so they will be customized for your name/location/job/background/interests.
The Chrome experience is actually part of a new standard, Federated Credential Management (or FedCM for short).
The idea is to create a browser mediated login experience that gives the identity provider and web app what they need without being able to correlate requests across the Internet.
I am working on an article on this topic. If you are interested in learning more, here's a video from a recent auth focused conference (full disclosure: my company put it on and I emceed): https://m.youtube.com/watch?v=FBAD4x7MWdI
They are actively working on the standard and Firefox has committed to it. Edge already supports it. They are looking for identity provider feedback.
I don't speak for Mozilla, but I did see a bug in bugzilla which showed the blocking bugs for FedCM. I don't have the link now, but can share it later. That's what I thought of when I stated Firefox has committed to it. But I could be wrong.
If it's a new standard, it must have… some kind of cross-industry support right? I ask because it looks like https://github.com/w3c-fedid/FedCM/graphs/contributors is mostly people who work at Google (I gave up once I hit people with ten or fewer commits)…
Isn't that the case for half of modern browsers APIs? Google develops whatever it needs for its own products into Chrome and then pushes it to W3C. Other browsers perpetually behind. They've gotten quite good at this strategy.
While most of the contributions I have seen are from Google on the browser side, they are trying to work through the standards process. Here's the first draft of the w3c standard: https://www.w3.org/TR/fedcm/
I know there's a later draft but can't find it right now. Will share when I do.
As mentioned in sibling comments I have seen at least one Firefox contributor and they are actively seeking input from identity providers.
As usual, the feature is being railroaded by google and other implementers are given the choice between following Chrome's de-facto choices or not implementing it, and breaking websites that will use it anyway.
My gmail is quite old and well used, and it gets relatively little spam. I go through and aggressively unsubscribe link everything I don't want to see, and it surprisingly works. I get more spam on my @myname.tld address than my gmail even and I keep that one quieter.
Almost every site actually does unsubscribe, and those that don't get marked as junk.
And we should also do something about websites that consider you a "customer" when you've only started an order and entered your email but you've never pressed submit to complete the order.
I don't generally want any site to have anything they can use that associates me with other sites. If 2 sites get the same email for me or the same GAIA id, or the same anything then I won't use the id system. (with obvious exceptions - see below)
This includes "privacy first" companies like Apple and their Apple Pay system where I went to a restaurant in SF. The bill was a QR code that took me to Toast with the option to pay via Apple Pay. The apple prompts told me my email address would be shared and there was no option to say "no" so I bailed out and paid the waiter directly.
Sometimes I need my real name and address for shipping. In those cases that can't be helped. I also have to give my CC card for a purchase. But there are sites I want to sign up for for which I don't need to give that info. A "one click to sign up" option would be useful if I knew it was giving random data. An example might be medium.com or substack.com. They don't need my real name nor do they need my "real" email. If I was sure this "one click sign up" didn't share a common one I'd consider using it.
Maybe even better, if it was managed similar to subscriptions in iOS where I could trivially revoke any membership at will from a central location, with the understanding that there'd be no recovery since signing up again would get random new data and so no way to associate the new with the old.
I'm curious - how does the standard make "to continue, google.com will share your name, e-mail address and profile picture" compatible with "a modern, privacy-preserving standard for federated identity on the web" ??
I mean, that doesn't sound privacy-preserving at all?
I don't think they are trying to preserve privacy between you and the identity provider you are logging in with and the website you are logging into. (At least not now. There's talk about some of this with IDP delegation, I think. Here's more on that: https://github.com/w3c-fedid/delegation )
The first goal is to prevent data brokers from correlating data about users across the Internet using cookies and redirects. You can read more about the privacy focus here:
Why would you share your real name with Google when making a gmail account, or use your real picture?
It's fine to be pseudonymous on the Internet if you are in control of your pseudonyms, which Google accounts actually does allow with some extra work (don't mix your chrome profiles and Google accounts, etc.)
Or, like me, you can roll the dice on real names on the Internet (for professional things mostly)
> Why would you share your real name with Google when making a gmail account, or use your real picture?
Google made a big push in that direction starting in the Google+ era. IIRC at some point my fake names were rejected by Google and I had to change to more plausible fake names.
You can't fault regular people for falling into Big Tech's traps.
This popup should be criminal. I've misclicked the signin button multiple times, causing PII to be sent to a third party I don't trust without my authorization.
Good information, but you can already turn this off via the (quite hidden, I admit) setting that is mentioned in the article. That's a better way to turn this off completely, rather than patch it via a visual rule.
Brave browser does not have an option to turn it off but uBlock Origin custom filter works.
In the Brave community the only solution offered was an adblock filter:
brave://adblock (custom filter) ||accounts.google.com/gsi/client$script,third-party
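How the Brave custom filter quoted above is evaluated, as an added example that is not part of the thread: a minimal JavaScript matcher for that one filter syntax, run over constructed sample requests. The `siteOf` two-label comparison is a simplifying assumption (real blockers decide first-party versus third-party with the Public Suffix List), and all function names are hypothetical.

```javascript
// Added example: evaluates one Adblock-Plus-style network filter.
// Handles only what the filter on this page uses: the "||" hostname anchor,
// a literal path prefix, a resource-type option and "third-party".

const FILTER = "||accounts.google.com/gsi/client$script,third-party";

function parseFilter(line) {
  const [pattern, optionText = ""] = line.split("$");
  if (!pattern.startsWith("||")) {
    throw new Error("only ||-anchored filters are handled in this sketch");
  }
  const rest = pattern.slice(2);
  const slash = rest.indexOf("/");
  const options = optionText.split(",").filter(Boolean);
  return {
    host: slash === -1 ? rest : rest.slice(0, slash),
    path: slash === -1 ? "" : rest.slice(slash),
    // Every option other than "third-party" is treated as a resource type.
    types: options.filter((o) => o !== "third-party"),
    thirdPartyOnly: options.includes("third-party"),
  };
}

// Assumption: the last two labels approximate the registrable domain.
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function isBlocked(filter, request) {
  const url = new URL(request.url);
  const page = new URL(request.pageUrl);

  // "||" matches the host itself or a subdomain, only at a label boundary.
  const hostMatches =
    url.hostname === filter.host || url.hostname.endsWith("." + filter.host);
  // No end anchor in the pattern, so the path is a prefix match.
  const pathMatches = (url.pathname + url.search).startsWith(filter.path);
  const typeMatches =
    filter.types.length === 0 || filter.types.includes(request.type);
  const partyMatches =
    !filter.thirdPartyOnly || siteOf(url.hostname) !== siteOf(page.hostname);

  return hostMatches && pathMatches && typeMatches && partyMatches;
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  // One Tap library loaded by an unrelated site: blocked.
  { url: "https://accounts.google.com/gsi/client", type: "script",
    pageUrl: "https://www.reddit.com/" },
  // Same script on a Google property: first-party, so not blocked.
  { url: "https://accounts.google.com/gsi/client", type: "script",
    pageUrl: "https://mail.google.com/mail/" },
  // Different path and resource type: not matched.
  { url: "https://accounts.google.com/gsi/status", type: "xmlhttprequest",
    pageUrl: "https://www.reddit.com/" },
  // Top-level navigation to the OAuth endpoint after a deliberate click
  // on a sign-in button: not matched by this filter.
  { url: "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE",
    type: "main_frame", pageUrl: "https://www.reddit.com/" },
  // Look-alike host without a label boundary: not matched.
  { url: "https://notaccounts.google.com/gsi/client", type: "script",
    pageUrl: "https://www.reddit.com/" },
];

function evaluateSamples() {
  const filter = parseFilter(FILTER);
  return SAMPLES.map((request) => isBlocked(filter, request));
}

console.log(evaluateSamples());
```

The filter stops the script from loading on third-party pages; it does not change the Chrome site setting discussed elsewhere in the thread.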
Either way it's something you'd need to go out of your way to configure any time you interact with a new web browser. And both ways can be disabled randomly (Chrome settings changes during browser updates, or uBlock extension being deprecated).
Yes, both are PII, which is highly regulated in EU and CA (among others I'm sure). If these knowingly "leaked" in a data breach, the company which leaked them would be legally obligated to notify me. Sounds pretty serious to me.
But it's a similar concept. If someone accidentally gives some website their name + email, they could be part of a leak for some service they don't even use. People probably care less about Tea in particular because they've never heard about it before the data leaks.
"So-and-so used Tea" is clearly not the focus of the coverage of the Tea app leak. Again, let's be explicit about impacts here. You can deploy hyperbole and hypothesis to make anyone a horrifying villain. But if you do that at least be honest about it.
Edit to note: the Tea story has now fallen off the front page while this one is still going strong.
> You can deploy hyperbole and hypothesis to make anyone a horrifying villain.
Alternatively you can deploy a dismissive attitude and subtle ridicule to make any concern sound silly, no matter how important the issue is to people for a variety of different reasons which you don't seem to be receptive to understanding.
And that sort of infighting is certainly many orders of magnitude more fashionable, both on social media and in real life, than people being observant and critical of companies and governments when they find new ways of eroding our rights and freedoms a little bit more than they already have.
I sympathize with ~everyone affected by any type of data leak, but I'm only human with limited time and attention. That means I can't actively engage with every single issue that plagues our world, both out of practical, as well as sanity-maintaining reasons.
Implying that we're hypocrites if we don't engage with completely unrelated issues before we engage with issues that directly affect us is probably the clearest example of a bad faith argument I've read on this site in a very long time.
The only one arguing in bad faith here is clearly you.
First, you say that a full name or email is somehow not a big deal, even though these are some of the most critical pieces of PII, either one would obviously be enough to unmask exactly who the person is.
And now, because there is some random HN post about a hack that affects a significantly smaller user base than Google's and Chrome's invasive practices and it doesn't have as many upvotes that somehow means this topic isn't serious and that everyone is arguing in bad faith.
You either have absolutely no understanding of PII or privacy, and I seriously hope you never work on anything related to it. Or you're just arguing in bad faith, I’m not sure which is worse, to be honest.
You can create multiple profiles in Chrome. You shouldn't sign into Google in your main profile. That should be reserved for just one profile reserved for Gmail.
You can also just not use chrome. It's still a problem that shouldn't exist and the blame for that falls entirely on Google and the websites that push google's crap on users
Edge has its own shenanigans. Solution: When signing into Gmail use Edge. When signing into Outlook use Chrome. That way Google/Microsoft can't use your credentials to sign into the browser itself.
The crazy part is that the popup is not part of the DOM, it's injected by the browser *over the page content*. If it were in a browser toolbar I wouldn't mind, but obscuring page content is just asking for an antitrust suit.
I left chrome and switched to Brave 6mo ago because I couldn't get these "Sign in with Google" popups to stop. I tried both the chrome://settings/content/federatedIdentityApi option and the option under https://myaccount.google.com/ and neither one worked, I just kept getting them.
Still an unforgivable violation of trust to have a floating popup over the content that's not part of the DOM and not part of the browser's normal native UI. I never want my browser to inject unblockable overlays over sites I'm trying to browse.
It works with providers other than Google, just no one else has implemented it yet. Google's One Tap library tries to use the new api, and falls back to the classic One Tap popup when using a browser that doesn't yet implement FedCM (notice how the chrome built-in one says "sign in with google.com" rather than "sign in with Google" like One Tap normally shows)
Mozilla are working on implementing it, but it's a pretty complex system so it'll take time. I presume Safari will as well if it gets popular enough
Yeah, I attend the FedCM meetings. Firefox has one dev working on it who attends regularly. I have found some posts where the safari team has said "seems like a good idea, we'll consider implementing" but have not seen further action.
Edge supports it, and it should be relatively easy for the other Chromium based browsers.
What is there to fallback to I wonder - 3rd party cookies should be deprecated/blocked by now, so how can the gsi script retrieve google session information?
While I agree with the 50+ comments I’ve read here, I think the point is being missed (or I just haven’t gotten to this comment yet) - these super annoying pop-ups should only be a thing AFTER you’ve clicked on login or register. In fact they shouldn’t appear and should instead just be a button the user can click if they wish to use their Google account as the login device for XYZ site.
In other words there’s no reason for these to appear when you first visit a webpage, they should only be relevant when the user has taken action specifically to login, or is looking to register an account at xyz.com
It’s as if someone at Google saw the whole cookie banner -> accept cookies fiasco and said wow this seems like a good idea let’s add our own
Only if you set UBO to block scripts as well. Though I prefer noscript’s UI personally.
Edit: To elaborate, you need to turn on “hard mode”[0] for UBO to replace noscript. Then you need to manage it through UBO interface which I don’t like[1]
Kinda related to this: I _really_ wish that SSO providers would be better about telling me when my account was already used to log into a service. When I hit "sign in with Google", see my 4 accounts, and have to guess which one I used to sign into the service...
This is my big issue too. There are some times where I think I have SSO for something, but don’t remember with who, so I spend 5 minutes logging into various providers and hunting down where they say what sites I’m using SSO with, so I can see what to use.
I started adding them to my password manager as a quick reference, but the irony is that this makes the SSO slower than a typical standard login. I almost never use these SSO options anymore as a result.
The problem is that at that point in the flow, it's owned by the SSO provider. The SSO provider can't know with certainty what account has an active account with the website.
I don't think that's true though? The OAuth provider knows which third parties you have authorized to have access to your account(s) as well as what information or privileges you've approved for each. And when you land on that screen, they know which third party referred you to them.
In other words, they could definitely highlight or otherwise hint to you which of the Google accounts you've already approved/used via one or more of your authenticated Google accounts.
The provider knows you have given those privileges _at some point_ but it doesn't know if that account still exists or anything about the state of the account.
So, yes, they could do more to highlight _potential_ accounts but it's not the case that they have any visibility into the actual state of accounts.
They could though, right? Because if you login to a website (that's passed along an ID) then you would have that bit set.
I don't need to know for certain the account on the receiving side exists, just that I have signed in before with it. Facebook does this at least!
Like "has an account" isn't possible without leakage, but "has logged in through this flow before" (hell, stick timestamps in there too!) does.
One thought though: your SSO provider has that account list, but often prompts a re-login. So it could be that your SSO provider account picker _doesn't have access to your account information fully either_.
And I don't think it makes sense for the SSO provider to leak a list of all your accounts to the website either. That being said, I think the SSO provider could maybe track that information maybe?
As others mentioned, this is backed by the "open" standard FedCM. While this seems like an open play on the surface (and the standard is open), in practice this is highly anti-competitive and will just lead to Google being in even more control of the web.
The vast majority of users will choose the default for identity. On Chrome this is Google. On Android this is Google. Even on iOS this may be Google because identity is often tied to email and Apple does not have a strong email story. Identity is huge. It gives you a moat that outlives platforms.
And all the while, Google gets to claim this standard is open, while in practice this is clearly intended as a monopolistic move to increase their share of identity on the web.
If they were forced to show a randomized list of identity providers a user needs to choose from (similar to search engines on iOS), I bet you they would reconsider this whole approach. But by the time regulators figure out what's going on, they will have already cemented their lead.
This "standard" also seems interestingly timed with respect to Passkey adoption, too. If one were feeling pessimistic enough, it almost seems too easy to suggest some interests exist here that want to muddy the sign-in waters to capture users considering switching to Passkeys before they actually switch to Passkeys.
Having implemented Passkey-only account creation (and management) I would absolutely disagree. I think that Passkeys can greatly streamline the process. The iOS Passkey flow especially feels as simple by default as the "Sign in with Apple" flow (with the ability to customize it with smart password managers in a way you'd never be able to with "Sign in with Apple").
That's partly because Apple sees it their job to migrate people away from OIDC-style signups, for privacy reasons if nothing else, and towards Passkeys, so their UX team is doing a remarkable job trying to reduce friction.
What are Google's interests here? Are there intentional reasons the Android and Chrome Passkey flows don't "simplify" the account creation process enough? It's easy to be cynical here, and seeing them as orthogonal concerns also feels like muddying waters that shouldn't be muddied right now.
That Google popups are so annoying, they often cover the content, I wonder does Google pay websites for this or they annoy users for free?
Also I don't understand who registers Google Accounts these days because every time I try to do this, they show a QR code and require to scan it with a mobile device, and I don't have time now to set up a virtual machine and research what it does to a mobile device and how one can bypass the check.
Also if you buy a Google Account it eventually requires linking a phone number, and doesn't accept most of the Russian numbers I buy.
So I don't understand how do other people sign up when there are so many obstacles. It is easier just to register email account elsewhere.
They either already have a gmail, or sign up for one by scanning the QR code you mention. I don't recall if a phone number is mandatory, but the average user probably has one, doesn't mind giving it to Google (to not lose access to their account if they forget their password is a perfectly valid reason for most people). And they'll probably not provide one from a sanctioned terrorist state with a reputation of nefarious cyber activities. Like buying Google Accounts, but much worse too.
I absolutely hate the ‘Sign in with Google’ prompt and I am very concerned that I will either accidentally or absent-mindedly tap on it and share my email address and identity with some random untrustworthy website.
The idea of identity managed by one’s browser is a pretty decent one, but the implementation which ties it to other information such as email address and which makes it so easy to accidentally use is user-hostile.
This option never worked for me, I also tried the options under myaccount.google.com with no luck, I kept getting the popups and ended up having to switch to Brave and Safari to get rid of them.
You could block account.google.com (or google.com) if you don’t use any google services or expect anyone on your network to use any google services*.
* I think search still works without an account, but I don’t think anything else works that way these days. The last I know was YouTube and I get a “sign in to confirm your age” on YouTube on most videos I try to watch without being logged in.
That does not completely turn off the federated sign-in popup you see on the top right in various websites. The solution is actually already mentioned in the article.
> What you may not realize if you use Safari or Firefox is that the banners are never displayed in Google Chrome!
Ah, so that's why so many websites are OK with it - they probably just don't realise that it's there.
> If the courts and antitrust regulators are reading—they probably won’t read my blog, but one can dream—this is yet another example of Google advantaging its own browser Chrome over other web browsers.
And vice versa: how Google is advantaging its own SSO/data collection platform over others, through Chrome.
> the banners are never displayed in Google Chrome!
this is demonstrably false, I can share dozens of screenshots of this popup appearing in Chrome despite all the options checked that are supposed to disable it.
I always thought drawing over the content area is a no-no, because then anybody can fake that dialog via html/css and make it do something completely different.
> This is what Google calls the One Tap user experience. Fortunately, my web browser extension StopTheMadness Pro hides “Sign in with Google” banners.
This sounds awesome. I like the author's classification of this and other anti-user website behaviors as "madness". Are there any similar add-ons for Firefox?
StopTheMadness provides browser extensions for Safari, Firefox and Chrome. But it’s a paid product AFAIK. I don’t know of similar Firefox extensions that do everything that this one does or allows one to do.
uBlock Origin is still fully functional in Firefox as well so I guess I could find a way to block the "Sign in with Google" prompts somehow with a custom rule.
What's crazy is that it trains users to trust a component that can be faked by the website.
You can mimic the component and then redirect the button anywhere, and the user is primed to comply with whatever they see.
Like a fake "Actually it seems like your Google account is compromised. Please verify that it's you by doing X."
This kind of shit-tier feature should at the very least appear inside the browser chrome, not inset in/over the website. I'm so tired of amateur slop from megacorps that should know better.
This stupid pop-up (being a "window" of its own and not a DOM popup) also steals focus back to the Chrome window. For example: open reddit.com in Chrome (without being logged in to reddit) and before the page loads switch to another app window; when the popup is ready the Chrome window will get focused again.
> Indeed, while Chrome is displaying the dialog, it blocks all Chrome extension popup windows from appearing.
We discovered this one the hard way at work. I keep learning this the hard way myself because I've been working on browser extension dev lately. I don't understand how this could possibly be an intended feature.
I actually needed that button the other day. I have an account on Etsy, but wasn't sure if it was sign in with google or an etsy account using my gmail. Signing in to the website's own "login with google" button was a redirect loop. Requesting password reset sent me no email. At some point Chrome offered to sign-in for me, and that worked.
I'm never confused about what I've used to sign in because I only use randomly generated passwords using my password manager (Bitwarden), and it offers to use them automatically when I go to a website.
Another advantage is that Google cannot cut my access to all of my accounts on the internet.
HN userbase is not representative of the large majority of the users of a service.
Most of us are fully capable of using a password manager, some even self-hosted that we expose via Tailscale, but for a lot of users, they are using a service to get things done and authentication is a necessary hurdle.
Counterpoint: my parents managed to lock each other out of their shared Amazon account after being coerced into "upgrading" their login method. Thankfully they managed to reset it somehow and go back to saved passwords, which Just Work™.
Aside: annoying when a site, specifically a govt website URL changes... I get REALLY skeptical if I land on a page my password manager (also Bitwarden) doesn't recognize with my credentials.
My local city utilities switched to some kind of google based auth from their previous separate user/password account login. Had to create a new login/account tied to my billing account.
It's odd how these browser popups—especially ones like the notification permission dialog—essentially hijack the Mac interface. I can't swipe to go back using the trackpad until I manually close the popup.
It's not just a Google annoyance, these types of things are all over the web. I have uBlock Origin settings to limit these types of things, like others in this thread have explained.
But there's a bigger issue with the modern web. Here's my message to any web developer, company, organization, anyone who has control over content on the public web: if I visit your page and I have to click away something in order to do what I came to do, you have failed miserably.
I get why Google finds this advantageous, but I don’t understand why so many brands want to willingly diminish the impression and reputation of their web properties by adding “Sign in with Google.”
>want to willingly diminish the impression and reputation of their web properties
because that's not what's happening. The average Chrome user finds that feature useful, and personally I have to agree because having a sign-in option through the browser chrome (the non-content portion of the application, bad name in this case) is significantly more sane from a security standpoint than trusting the webpage operator.
why are these threads always full of performative indignation by people who know perfectly well that 99% of people aren't going to be upset
> The average Chrome user finds that feature useful
I don't know about that. It displays on so many sites where I was not intending to login at all. If I want to login, I would have clicked on the website's login button. This popup really blatantly shows that Google is everywhere, even if that was already the case. It's possible that this actually reflects badly on Google as a whole.
Poor Google, they have to screw over the entire online population for their own sake. The masses love being screwed over, which is why Google uses dark patterns instead of having people make informed decisions. That this helps make Google even richer is just a happy accident. Shame on technologists who question Google's morality!
Every other sign in solution seems to involve multiple clicks and loads of redirects and loading time. It seems to even beat a password manager because there is no need to wait for a login form to load and be prefilled.
Google's solution frequently has you signed in within 1 second and 1 click.
On today's episode of "Addicted to the AdTech browser":
Our protagonist faces yet another case of being fucked over by their favorite advertisement and surveillance vehicle disguised as a web browser. How will they gaslight themselves into keeping their toxic relationship with Chrome alive rather than switching to a browser that respects their privacy and sanity this time?!
> Just one more extension, just one more chrome://flags tweak... He loves me, he respects me, he just has a ... unique way of showing it... I'll just tell my friends I fell and that's why my eye is black... Chrome, I'm sorry I'm not good enough, I probably deserve this...
1) The annoying Sign in with Google banners appear in Firefox and Safari with no toggle to disable them, even if you aren't logged in with Google, even if you don't have a Google account.
2) Those banners do not appear at all in Chrome.
3) There is a Chrome-specific sign-in UI, but it appears only if you're already signed in to your Google account in Chrome.
4) You can disable the Chrome-specific sign-in UI in Chrome settings.
So Chrome users have control, whereas Firefox and Safari users are inundated with annoyance.
Does nobody find this intrusive when it appears on sites like pornhub? Of all places where I'd sign in with a Google account... holy heck, I was very surprised they chose to let Google do that nearly-fullscreen popup on their site upon every visit (since you visit in private tab, it's a fresh session every time)
Even on reddit it annoys the heck out of me and I was very surprised they let this third party ruin the experience (when they don't even do it as first party). What if they all start doing it, facebook and github and the lot, you need to click away four banners? But maybe not enough people have privacy extensions installed and reddit can just track them forever and thus store a one-time dismissal. Anyone here in the know whether this doesn't show a measurable drop in returning users?
> Does nobody find this intrusive when it appears on sites like pornhub?
It's extremely intrusive, regardless of which site it shows up. It's a reminder that the likes of Google are collecting all the personal information they can get from you, and building up a personal profile that covers all aspects of your life, not only your online presence.
There's a big upside to Google One Tap. It makes users sign up for your product like crazy.
I recently added it to a SaaS web app I'm working on, and the number of new sign ups went up 8x overnight. You don't necessarily have to create an account to use the minimal functionality of our app, but after signing up you do get some perks, and we get a way to communicate with the user through email. So I think it can be beneficial for both parties.
You're assuming that the user actually wants to sign up. In reality, it's likely that they're just clicking "Continue" in order to get rid of the dialog and couldn't care less about a signup.
Users want to use the site and don't care whether or not they are signed up. They do care about going through tedious registration forms and email verification codes. That's why sign-ups go up so much - users know they won't have to deal with the registration tedium.
They trade that for the tedium of dealing with being automatically added to email lists for sites they don’t even remember signing up for and only used one time.
All the spam email is why I’m very picky where I choose to register.
That’s why I register to sites with Apple using Hide my Email and I can just disable forwarding for the one burner email that spam is coming from.
I've encountered more than a few places that block temp emails like 10minutemail etc. It's so infuriating.
They have yet to block the Apple email relay. Granted, I haven't used it or tested it on every site. That said, Apple has one advantage other filters don't have, which is people who own Apple devices tend to be desirable to very desirable customers, which means adding friction to this would drive away higher average spenders.
I also use the fastmail.com masked email address for things, and that has not yet been an issue either.
And if you have an app in the AppStore and you allow third party sign ups through Google, Facebook, etc., you must allow “sign in with Apple”.
There is absolutely no app or service that I would use that forces me to sign in with Google and doesn’t give me a choice to Sign in with Apple and let me Hide My Email.
Same. Pretty sure Meta was the first to get mad at me for it.
In fairness, they never said they thought the user signups were intentional..
Behind it, add one-click Stripe “free trial” and you boosted your revenues at zero cost.
Maybe even call this button “Accept all”, like these cookie banners
it still adds up in metric yooo, who tf didn't like when the metric numbers go up????
also you must understand, most people are dumb as shit if you not showing it to the face, then prolly would not notice
that's why big tech not listening to HN user base because they know that it's hard to fool nerd
But the number goes up, the line goes up. VCs like that, it's growth!!!
P.S.: This is obvious irony, I don't support this DataGrab(TM), fyi.
Big upside to the provider, not necessarily the consumer.
Perplexity has a "sign in with Google" pop up that loads late, often when I've already started typing in my query, and thus blocks the rest of my typing, negatively affecting the UX of the service. So I looked up how to get the fuck rid of it and added that method to uBlock Origin, and now I'm a happy (freeloading) chappy.
The delayed focus capture is the most annoying part. I'll be in the middle of typing or scrolling with the keyboard when it steals focus. I type pretty fast, so sometimes I've punched in a bunch of text before realising it all vanished into the popup's frame.
Since shifting to Firefox it's not a big deal as I have more control, vimium can stop focus being stolen and ublock can block the in web versions of the popups. Which if Googlers are reading, I made the swap after a decade of Chrome use because of your continued anti-user, anti-privacy stewardship of the product. Your trajectory is obvious. I hope the product's leadership gets the message some day, but I suspect it's financially working out just fine.
Last month I subscribed to DAZN TV through Google in order to watch a FIFA world football semifinal match. I deleted the third party allowance a week later. The final was free globally.
Do they pay for anything? I'm all for reducing login friction. But that popup is like people that accost you in the street trying to enlist you into their cult.
>and we get a way to communicate with the user through email.
Don't call your spam "communication".
> the number of new sign ups went up 8x overnight.
What's the number if you adjust for quality of signups? E.g. how many people convert and how many people stay on and convert later.
> So I think it can be beneficial for both parties.
No. Because those who don't want to sign up do get bothered by that popup which also reminds them of the fact that Google just tracked that visit and wants you to use Google to sign up on that page.
The chutzpah it takes to do that, from part of the website owner and Google...
…until the user loses access to their Google account with no recourse and you have no secondary way to authenticate them.
Also true if I use my gmail address. I'll confess that for many websites I don't care that much. Depending on a password manager would be better, though.
Semi-related anecdote: I lost my Reddit account to a cryptocurrency spammer due to a weak password and had to create another, so I lost my preferred username. Annoying but not a huge deal. (Reddit did freeze the old account but wouldn't give it back.)
That’s why you shouldn’t be using a Gmail address, and instead have your own domain for email.
No. You just can't password reset if you lose access to email. You can still log in.
The email is ultimately the second factor that lets you make important changes to the account in many cases. For example, changing your password. It's more important than the password in nearly every security critical account I have.
This is not always the case. Reddit sometimes locks the account until you verify it or reset the password by email. Happened with my email pointed at a .tk domain and I had to call freenom a bunch to get the domain back.
>Reddit sometimes locks the account until you verify it or reset the password by email.
I still remember when you could create Reddit accounts without an email...
Brace yourself: https://www.biometricupdate.com/202506/reddit-considers-worl...
Since the last few years Reddit has basically just become Facebook 2.0 and it's not even worth using at all. They probably got acquired by private equity or something.
I personally have my personal email as Google account email, so even when I lose my access to google I am still in control of my domain (and email).
And still couldn't sign-in-with-google. On an email linked that way, so no password recovery. Would likely be a new account - with bonus "that address is already in use" problem.
I agree, there may be an additional step necessary if the page doesn't handle this case already, but this way you can still prove (more easily) ownership to the support.
You're both right. If an account on your service is completely meaningless, I'd rather press one button than type my email, choose a password and go through a stupid email confirmation workflow. Also, it's very annoying that you need an account at all.
> Beneficial to both parties
Ah yes, because who doesn’t want more emails from sites they’ve visited one time
I would never visit a site like pornhub in a profile that I was logged in to anything other than similar sites.
note: I'm not excusing the feature but come on! Have some common sense before visiting a site like that?
The place I hate the popup the most is mobile. It comes up moments (0.5 to 2 seconds) after the site loads (say tripadvisor) which means it's possible to accept it by accident as it appears under your finger. Your info is immediately shared so there is no way to recover. You're effed.
I mean, sure, I hate it on desktop too, but on mobile it's directly on top of the content and so more likely to be accepted by accident. IIRC you can turn this off in your Google account (or maybe only Google Workspace?)
Note that I hate it for other reasons too. There's no reason Apple/Firefox/Microsoft/Meta and any other major id providers couldn't offer this too. But if they did, then you'd see 5 of these show up [Sign in with Google], [Sign in with Apple], [Sign in with Facebook], [Sign in with Microsoft], [Sign in with Firefox]. So in other words, this seems like a tragedy of the commons in progress.
To steelman the feature though, easy sign up and easy login would be super convenient if that's what I wanted. It might be nice for a Web API that made this more privacy focused (or maybe that already exists). But yes, I'd like to see Google's specific popup disappear - be banned.
> I would never visit a site like pornhub in a profile that I was logged in to anything other than similar sites.
But that's not relevant. The popup appears whether you're logged into a google account or not. It's just an extremely annoying popup that appears all over the web.
It does not for me and I only use chrome. ¯\_(ツ)_/¯
I would be shocked if that timing was not intentional and thoroughly tested for maximizing sign ups.
Completely agree. It’s like a game from their point of view— watching how many inadvertent logins they can capture.
I wouldn't visit it without tails at this point. But I go for the better option than tails. Just don't visit it!
> I'm not excusing the feature but come on! Have some common sense before visiting a site like that?
For sure… but there’s a self-fulfilling element there. If no one with common sense would ever use the feature… why add the feature?
As I said above, the feature is super useful to people who want to "login with Google" so plenty of people with common sense would "use the feature".
The common sense part is it's common sense, at least to the HN crowd, to not visit a site like pornhub using your main profile, or so I would have expected.
>Does nobody find this intrusive when it appears on sites like pornhub?
Porn sites are a testament that no amount of popups, ads, clickjacking, etc. can deter users from your site if your product is compelling enough.
Of course! That's why I even added this to my uBlock filter list on mobile:
accounts.google.com/gsi/client
I did too, until uBO got blocked. So I had to reevaluate.
Chrome now has a site setting that blocks this crap. For the browser-based popup at least. That's the one that pops up in the top-right and is not part of the DOM of the page.
You can go directly to chrome://settings/content/federatedIdentityApi to set "Block sign-in prompts from identity services" as the default behaviour for sites. You can also set exceptions for some sites if you want that.
If you need to go there manually, it is:
1. Settings
2. Privacy and security (in the menu on the left)
3. Site settings (at the bottom)
4. Expand Additional content settings (under Content)
5. Third-party sign-in
> until uBO got blocked
If you're on Android, give Firefox a try. It works well and it has full support for uBlock Origin.
I tried for a few months, but sync kept failing.
And with uBO Lite I got nearly everything I used uBO for.
Also Reader Mode is awesome. And translating pages locally is great.
I've never added a custom filter. Do they sync to all my Firefox browsers that have uBO installed?
https://github.com/gorhill/uBlock/wiki/Cloud-storage
How do you get ublock to work in chrome after the update? I tried a fix I found here but it resets every time I restart the browser
> How do you get ublock to work in chrome after the update?
Why does anyone keep using Chrome if they care the slightest about privacy? You're using a browser owned by a company that sells online ads. What do you expect?
The last thing I remember about Firefox was that it was a memory hog. Maybe this has changed in recent years
Firefox is still terrible, but it's now the least worst browser.
There is the "Lite" version by the same author written for the current Chrome.
https://chromewebstore.google.com/detail/ublock-origin-lite/...
Works fine for me. It has a lot less options, truly "Lite", but most people will be fine. Whatever Google might do that will make this extension worthless, we will see, for now, it seems to be working. (It's funny that the Chrome Web Store lists this extension as "Featured".)
By the way, on Android, I replaced Firefox with Microsoft's Edge. It supports uBlock Origin (no "Lite" in the name, not sure what that means, I did not check the details of how much it supports since it just works as it is). It is significantly faster than Firefox (again, Android). It plays all videos, while Firefox just showed an "unsupported" placeholder for videos on some niche sex video site I happened to accidentally visit.
Supposedly, filter lists only get updated when the extension is updated with uBO-lite. Google could just start delaying approval for these adblockers and their filter lists would become out of date fairly quick.
I don't. I use Firefox, on desktop and mobile. (Sorry, I should have mentioned this since OP is Chrome related.)
Firefox exists, and it’s pretty awesome. I’m typing this in Firefox now. I use Firefox on my phone.
Mozilla is from all appearances a pretty terrible organisation, but their browser is good.
Use ungoogled-chromium (or Firefox).
> Or just use Firefox because even using chromium is empowering Google to keep playing these games.
This. People like to complain about problems, but I wonder why they don't invest half that energy in actually fixing the problems.
> Maybe you have a problem with Firefox (...)
I've started to notice there is a very vocal opposition of Firefox whose common trait is that they actually do not or cannot present any tangible argument against Firefox. They just shit talk about Firefox, and hand-wave their criticism with inane comments like "they lost the boat".
Sometimes I wonder where that absurdity comes from.
I have plenty of arguments against Firefox, but engaging in browser holy wars is so tiresome. I used Firefox since before it was called Firefox up until v89 (I think) when I finally had enough. That's when they for the millionth time messed up the UI in new fanciful ways, and removed more features I relied upon daily. It's a pattern going back decades, and the usual tired old argument is, just install this addon to restore the functionality, or add/remove this to userchrome.css, or install whatever from some random Github link. The problem is I first have to spend time and energy finding these things, and then the authors have to keep supporting them in perpetuity. And often it's tiny stupid things like removing "show image" from the context menu, I now have to install an addon for, but it's a feature I use all the time, but their precious telemetry says only 10% (or whatever) of people use it, so it gets axed in the name of minimalism. Inevitably those 10% of users will whine about it on Bugzilla, and inevitably it will be WONTFIXed and comments disabled. I've seen this scenario play out SO MANY TIMES.
I like the idea of Firefox. Not the execution.
After ditching Firefox, I installed Vivaldi, and while it certainly isn't flawless, I can set up every aspect of it how I want, and in the four or so years I've used it - with a few minor exceptions I could revert with in-browser settings - it looks and works exactly how I set it up in 2021.
So in summary, for me it was very much a paper-cuts thing, rather than any single major Mozilla catastrophe.
> they actually do not or cannot present any tangible argument against Firefox. They just shit talk about Firefox, and hand-wave their criticism with inane comments like "they lost the boat".
Have you seen that Mozilla has basically become an ad agency?
> Have you seen that Mozilla has basically become an ad agency?
Even taking these comments at face value, this blend of arguments is pretty stupid given that you're making these sorts of claims about Firefox when discussing not using Chrome.
So, like Google, the makers of Chrome?
Google _is_ an ad agency
What if my problem is that it's funded by Google to the tune of a billion a year and spent a large part of the last two years trying to reposition itself as an ad company?
So when options are
Your choice is #1, because #2 is funded by #1? I'm honestly having a difficult time following this logic
Sure, but let's keep things in perspective... "it's funded by Google" is still a lesser evil than "it is Google".
I use Brave and never seen those popups. Only read about them. I didn't configure anything special, as far as I remember.
Have you tried https://github.com/r58Playz/uBlock-mv3
go to chrome://flags,
follow these instructions https://youtu.be/q7dnkGdndNo?t=220
then load extension in developer mode
Chrome 139 removes all Manifest v2 code so this will no longer work with it starting... tomorrow https://developer.chrome.com/docs/extensions/develop/migrate... https://chromestatus.com/roadmap
> https://chromestatus.com/roadmap
I clicked the link and got the Sign in with Google prompt... on Firefox.
Why would I ever need to sign in to that website?!
their "private" is not private. about a month ago, i searched for some health-related stuff in a chrome incognito window and then immediately afterwards got related sponsored product ads on amazon in a logged in normal window.
"Private" and "incognito" mode are fundamentally misnamed. They provide almost no real privacy wrt counterparties over the network, just to other people using the same computer after you.
Amnesiac mode, if you will.
Try Mullvad’s browser. It does a lot more to avoid user fingerprinting, even locking the resolution of the rendered content to various sizes. There are some things that make it less practical as a daily driver, but it seems good as a secondary browser for private mode.
This is not true of any web browser because of fingerprinting. That’s the point of fingerprinting for ad networks.
You can try using a different device but even then, I occasionally get recommended things that are definitely influenced by my roommates (i.e. on the same WiFi)
Using something that prevents fingerprinting helps, but only if you don’t use that browser all the time — otherwise it’s just another fingerprint — and still on the same network.
> This is not true of any web browser because of fingerprinting.
Some browsers, like the one you should be using, have anti-fingerprinting tech in them.
Anti fingerprinting is nice but if you get served ads based on your IP address you're going to need more than just a browser to escape tracking based advertising. Adblockers aren't good enough when websites you visit use first-party servers to forward data back to ad networks.
Serving ads based on IP seems foolish when very, very few people have a static IP. I'm sure that a healthy minority of folks on HN do, but we're hardly representative of the general population.
Your IP is a lot more static than you give it credit for. It's not like the dialup era where you get a new IP each time. For example I have a dynamic IP on my cable modem, but it might as well be static as it only changes after there is a long term power outage. Also, it's likely if you're on a home connection most often, then you only have a limited pool of 32k or so IPs, which dramatically lowers the bits of information needed to identify you.
European ISPs (at least some) change your IP every day, including IPv6, unless you opt out from the router's configuration page, as a privacy feature.
Apparently tracking data of Europeans has a much higher market price.
Mullvad Browser comes with the fingerprint protection of the Tor browser and a VPN addon but you do need to pay for their VPN.
You didn’t finish my comment. Read the last sentence.
Anti-fingerprinting tech just produces a different fingerprint. Google knows e.g. when things are scrambled but certain other things stay the same.
Untrue, you can modify it enough to avoid giving it more entropy. Possible approaches include:
- Spoofing browsers down to the TCP stack
- Plausibly random values
- Every possible bit scrambled on each request
You can see a similar thought-process behind Tor bridges so it is tried-and-tested. Noted that it is a much more difficult feat to accomplish in a full blown browser rather than network layer.
"Incognito", on ANY browser, is not meant for that. Is meant to not leave traces on your PC, so your son/daughter/wife/husband can't see you've been watching porn (for instance). You're still tracked by the sites you visit, unless you use some kind of blocker (and, even then, you may still be tracked server-side).
One of my fav party tricks when I get on someone's Wi-Fi is to search for an obscure disease with an expensive treatment. Everyone in the geographical area seems to start getting ads for it for a while afterwards!
Please tell us you have a list to share.
The firefox private window seems to work better than the chrome incognito mode. Maybe brave would be even better because I tested brave against fingerprinting libraries once and it was the best at avoiding any detection.
Brave confuses me. On one hand it seems to have quite good privacy tech, but then on the other hand there are instances of what seem to be quite shady actions. Both impressions come from comments and anecdotes, I have not looked into it myself.
Brave is the preppers/tea party/Jan 6th browser.
Deeply paranoid people can have occasional good arguments mixed in with their sociopathic traits. The fact that Brave didn't fork Firefox, or build their own like Ladybird implies to me that they are not really trying to improve the system. It's like Windows users extolling the virtues of the LTSC version.
Yes, also in hindsight of my comment, there is nothing inherently conflicting about those two sides of brave. I think my impression was that because they valued privacy, it follows they should be more 'on the level', or something. Which is clearly absurd.
The only one reading tea leaves here to criticize a browser is you. This website is not reddit but about technical discussions.
I was trying Chrome on a work computer (because why not, I'm only doing work stuff on it). That incognito (but not really) mode made me download Firefox in a hurry.
How does Firefox improve on incognito?
I haven't used chrome in a long time but as far as I was aware they do the same thing: wipe session data on close.
If you add your Google account into chrome, it will bring it into Incognito mode.
I don't experience this at all; in what way are you saying?
That is not true.
That's why I blocked it everywhere. Pornhub was the last straw for me as well: https://andinfinity.eu/post/2025-07-14-blocking-google-sso-p... works quite well. Using Orion and ublock origin.
Fuck all these cookie popups...
I just want to browse
Seriously, how the fuck do people raw dog the web? It's unbearable. When are people going to move away from Chrome(ium)?
> Seriously, how the fuck do people raw dog the web? It's unbearable.
I agree, I got it to “work for me” by only using the sites I like, but there are times where I stray from my beaten path because I’m searching for something and it’s awful. I don’t think I would have fallen in love with computers if I was raised with the web being what it currently is.
I wonder if this is a driver of ChatGPT as a search engine, everything else is so bafflingly bad and all people really want is information.
And google’s “do as I say, not as I do”. Doesn’t their search engine penalise websites with popups/overlays as it is meant to be user hostile?
I do and that is why I remain neutral/buy on their stock, Meta and Google are bad bad bad actors with too much power in the web.
I find it intrusive on every single site it’s on. Every time I look at how to get rid of it, I’m pointed to a setting in my Google account to stop it, and it does absolutely nothing.
As far as I can tell, I’m more sensitive to this stuff than normal people, but I’m less likely to return to a site that annoys me like this. I’m also less likely to use Google as a result of them being behind this. While it’s not the only reason I use Kagi, it’s certainly an item in the pro/con list.
The same goes for all of Google’s pop-ups and nudges to switch to Chrome. It’s infuriating. Everyone not using Chrome knows Chrome exists and are choosing not to use it. They really need to stop with the heavy handed push and respect user defaults.
It does disrupt the user experience and clobber a site's own home page, but associating a persistent identity to a user is VERY valuable to sites, and normal sign up flows have a lot of friction. They probably figured it's worth the cost if it gets more users to login/create accounts. Its presence despite the drawbacks indicates a lot of people use this feature.
> associating a persistent identity to a user is VERY valuable
My fear is that this is the real "AI" endgame. Flood the world with bots then become the de facto authority of "real" users.
Wasn't this literally Reddit's game plan?
Do I find it intrusive? Yes, it doesn't matter what site it is on.
They also recently must have changed the container, I noticed my adblock wasn't catching it anymore. What I find annoying though is it's often slow to load and conveniently the sign in button is right where you'd click
Sometimes reddit will automatically log-in for you :(
I lived alone for years and don't even bother with incognito.
But if I cared, I on Firefox can make a separate container for that stuff and login that way. I get a burner account and Google (at least from PH) can't see anything other than other adult sites I put in that container.
I find it likes to pop up in an incognito Google search. Not all the time. Just when one searches the more questionable things
Try visiting pornhub from Texas :)
that's the 300-million dollar button and it's not going anywhere
It sells.
But yes, I chuckled the first two times but it quickly got boring.
And BTW this clearly indicates that the people who are responsible for this behaviour not only don't bother with this 'use case' but also never use the 'porn mode' themselves.
I’m super happy Google’s login with my name, appears on PornHub, especially since I’m using a separate browser, Firefox mobile, for this only, never used it for anything else, never logged in. Luckily Firefox mobile gives websites access to something on my phone about my identity. But I’m happy it does this.
Because it exposes how much websites know about us. It’s like Facebook showing face recognition in 2015. It’s creepy but it reminds you constantly how creepy it is.
Just imagine how many sites collect all this info and DONT personalize what’s shown to you…
Of course, one day AI will probably automatically do realtime editing of porn videos so they will be customized for your name/location/job/background/interests.
Are you telling me there are single ladies in my area who want to play backpack battles!?
"I have no idea what you're talking about and I have never experienced this myself and I don't even know this website you speak of."
(obligatory comment just in case the wife is watching ...)
The Chrome experience is actually part of a new standard, Federated Credential Management (or FedCM for short).
The idea is to create a browser mediated login experience that gives the identity provider and web app what they need without being able to correlate requests across the Internet.
I am working on an article on this topic. If you are interested in learning more, here's a video from a recent auth focused conference (full disclosure: my company put it on and I emceed): https://m.youtube.com/watch?v=FBAD4x7MWdI
They are actively working on the standard and Firefox has committed to it. Edge already supports it. They are looking for identity provider feedback.
More here: https://github.com/w3c-fedid/FedCM (we meet weekly on Tuesdays).
> They are actively working on the standard and Firefox has committed to it.
Mozilla standards position says neutral:
https://mozilla.github.io/standards-positions/#fedcm
Their issue tracker on the subject shows they are interested but have a lot of reservations about the details:
> However, some of our reservations on the initial positive position have not been addressed and some new issues have arisen.
— https://github.com/mozilla/standards-positions/issues/618
Apple had a vague “interested” position over three years ago, with no further detail:
https://github.com/WebKit/standards-positions/issues/309
Have these positions changed?
I don't speak for Mozilla, but I did see a bug in bugzilla which showed the blocking bugs for FedCM. I don't have the link now, but can share it later. That's what I thought of when I stated Firefox has committed to it. But I could be wrong.
I do see a Mozilla employee engaging regularly. You can see some of the issues he has filed here: https://github.com/w3c-fedid/FedCM/issues?q=is%3Aissue%20sta...
If it's a new standard, it must have… some kind of cross-industry support right? I ask because it looks like https://github.com/w3c-fedid/FedCM/graphs/contributors is mostly people who work at Google (I gave up once I hit people with ten or fewer commits)…
Isn't that the case for half of modern browser APIs? Google develops whatever it needs for its own products into Chrome and then pushes it to W3C. Other browsers perpetually behind. They've gotten quite good at this strategy.
While most of the contributions I have seen are from Google on the browser side, they are trying to work through the standards process. Here's the first draft of the w3c standard: https://www.w3.org/TR/fedcm/
I know there's a later draft but can't find it right now. Will share when I do.
As mentioned in sibling comments I have seen at least one Firefox contributor and they are actively seeking input from identity providers.
As usual, the feature is being railroaded by google and other implementers are given the choice between following Chrome's de-facto choices or not implementing it, and breaking websites that will use it anyway.
Can we block sharing email addresses by default? It seems every time I sign in with Google the site / app starts SPAMming me without my consent.
It's pretty much why I don't use it: The SPAM.
My gmail is quite old and well used, and it gets relatively little spam. I go through and aggressively unsubscribe link everything I don't want to see, and it surprisingly works. I get more spam on my @myname.tld address than my gmail even and I keep that one quieter.
Almost every site actually does unsubscribe, and those that don't get marked as junk.
I've maintained one vanity email for about 15 years. I use it for literally everything. I unsubscribe from everything.
It gets some typical low effort spam that the spam filters easily screen out, other than that it's pretty quiet.
And we should also do something about websites that consider you a "customer" when you've only started an order and entered your email but you've never pressed submit to complete the order.
Does that happen to you often?
Not often, but recently.
And after giving it some thought, I guess that I'm also in the wrong to believe that I have to press submit somewhere to agree to their policies.
This is a "nice" reminder that just entering my email in a text input is enough to send it to any website.
I love how the word submit takes on a second meaning in this context.
That's you/OAuth giving the provider your google account id, which is your @gmail.com email.
I don't generally want any site to have anything they can use that associates me with other sites. If 2 sites get the same email for me or the same GAIA id, or the same anything then I won't use the id system. (with obvious exceptions - see below)
This includes "privacy first" companies like Apple and their Apple Pay system where I went to a restaurant in SF. The bill was a QR code that took me to Toast with the option to pay via Apple Pay. The apple prompts told me my email address would be shared and there was no option to say "no" so I bailed out and paid the waiter directly.
Sometimes I need my real name and address for shipping. In those cases that can't be helped. I also have to give my CC card for a purchase. But there are sites I want to sign up for for which I don't need to give that info. A "one click to sign up" option would be useful if I knew it was giving random data. An example might be medium.com or substack.com. They don't need my real name nor do they need my "real" email. If I was sure this "one click sign up" didn't share a common one I'd consider using it.
Maybe even better, if it was managed similar to subscriptions in iOS where I could trivially revoke any membership at will from a central location, with the understanding that there'd be no recovery since signing up again would get random new data and so no way to associate the new with the old.
Google uses GAIA for ID though, which is not the same as gmail address
I'm curious - how does the standard make "to continue, google.com will share your name, e-mail address and profile picture" compatible with "a modern, privacy-preserving standard for federated identity on the web" ??
I mean, that doesn't sound privacy-preserving at all?
I don't think they are trying to preserve privacy between you and the identity provider you are logging in with and the website you are logging into. (At least not now. There's talk about some of this with IDP delegation, I think. Here's more on that: https://github.com/w3c-fedid/delegation )
The first goal is to prevent data brokers from correlating data about users across the Internet using cookies and redirects. You can read more about the privacy focus here:
https://www.w3.org/TR/fedcm/#privacy
Why would you share your real name with Google when making a gmail account, or use your real picture?
It's fine to be pseudonymous on the Internet if you are in control of your pseudonyms, which Google accounts actually does allow with some extra work (don't mix your chrome profiles and Google accounts, etc.)
Or, like me, you can roll the dice on real names on the Internet (for professional things mostly)
> Why would you share your real name with Google when making a gmail account, or use your real picture?
Google made a big push in that direction starting in the Google+ era. IIRC at some point my fake names were rejected by Google and I had to change to more plausible fake names.
You can't fault regular people for falling into Big Tech's traps.
Is this a successor to Mozilla's old Persona project, or similar in any way?
Sounds great in theory, but how does this square with Google/Facebook tracking pixels and such.
Seems like either way, they’re in control of a massive amount of tracking data…
Vaguely reminds me of the now defunct OpenID. But with browser-native integration.
That sounds really interesting, but is there any hope chrome would allow use of an identity provider other than google?
Yeah, websites can choose any other identity provider, and in fact, do.
> The Chrome experience is actually part of a new Google non-standard
Fixed it for you.
This popup should be criminal. I've misclicked the signin button multiple times, causing PII to be sent to a third party I don't trust without my authorization.
Don't worry about misclicks, Google already tracked your visit when the webpage was loaded.
Google One Tap works via a script tag from Google servers: https://developers.google.com/identity/gsi/web/guides/displa...
The bad thing is not sharing the info with Google (you are right, just by siing it, Google has your info), but the random third party website.
FWIW, these uBlock Origin rules solve the problem:
source: https://stackoverflow.com/a/78429389. Last rule is from me since popup was invisible but still blocked the content underneath.
Good information, but you can already turn this off via the (quite hidden, I admit) setting that is mentioned in the article. That's a better way to turn this off completely, rather than patch it via a visual rule.
Brave browser does not have an option to turn it off but uBlock Origin custom filter works.
In the Brave community the only solution offered was an adblock filter: brave://adblock (custom filter) ||accounts.google.com/gsi/client$script,third-party
https://community.brave.com/t/annoying-login-with-google-pop...
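How the Brave filter quoted above decides what to block, as an added example that is not part of the thread: a JavaScript matcher for that single filter shape, run over constructed requests. The helper names and the sample page and request URLs are assumptions, and the registrable-domain check is a simplification of the Public Suffix List lookup that real blockers use.

```javascript
// Added example, not from the thread: matcher for ONE filter shape,
//   ||host/path$type,third-party
// It is not a general Adblock Plus / uBlock Origin filter engine.

const KNOWN_TYPES = new Set(['script', 'image', 'stylesheet', 'xmlhttprequest', 'subdocument']);

// Assumption: the last two labels stand in for the registrable domain.
// Real blockers consult the Public Suffix List (this is wrong for e.g. co.uk).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Split "||host/path$opt1,opt2" into host, path prefix and options.
function parseFilter(filter) {
  if (!filter.startsWith('||')) throw new Error('only ||-anchored filters are handled');
  const dollar = filter.lastIndexOf('$');
  const body = dollar === -1 ? filter.slice(2) : filter.slice(2, dollar);
  const options = dollar === -1 ? [] : filter.slice(dollar + 1).split(',');
  const parsed = { host: body, pathPrefix: '', types: [], thirdPartyOnly: false };
  const slash = body.indexOf('/');
  if (slash !== -1) {
    parsed.host = body.slice(0, slash);
    parsed.pathPrefix = body.slice(slash);
  }
  for (const opt of options) {
    if (opt === 'third-party') parsed.thirdPartyOnly = true;
    else if (KNOWN_TYPES.has(opt)) parsed.types.push(opt);
    else throw new Error('unsupported option: ' + opt);
  }
  return parsed;
}

// request = { url, pageUrl, type }: the resource, the page loading it, its type.
function shouldBlock(filter, request) {
  const f = parseFilter(filter);
  const url = new URL(request.url);
  const page = new URL(request.pageUrl);
  // "||" anchors at a label boundary: the host itself or any subdomain of it.
  const hostOk = url.hostname === f.host || url.hostname.endsWith('.' + f.host);
  if (!hostOk) return false;
  // No end anchor in the filter, so the path part is a prefix match.
  if (!(url.pathname + url.search).startsWith(f.pathPrefix)) return false;
  // A type option restricts the filter to that kind of resource.
  if (f.types.length > 0 && !f.types.includes(request.type)) return false;
  // third-party: only when the page and the resource differ in registrable domain.
  if (f.thirdPartyOnly &&
      registrableDomain(url.hostname) === registrableDomain(page.hostname)) return false;
  return true;
}

const BRAVE_FILTER = '||accounts.google.com/gsi/client$script,third-party';
const GSI = 'https://accounts.google.com/gsi/client';

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { label: 'unrelated site loads the GSI script',
    pageUrl: 'https://news.example.com/', url: GSI, type: 'script' },
  { label: 'page on google.com loads it (first-party)',
    pageUrl: 'https://myaccount.google.com/', url: GSI, type: 'script' },
  { label: 'different registrable domain, same company',
    pageUrl: 'https://www.youtube.com/', url: GSI, type: 'script' },
  { label: 'same URL fetched as XHR, not as a script',
    pageUrl: 'https://news.example.com/', url: GSI, type: 'xmlhttprequest' },
  { label: 'other path on the same host',
    pageUrl: 'https://news.example.com/',
    url: 'https://accounts.google.com/o/oauth2/v2/auth', type: 'subdocument' },
  { label: 'look-alike host that only starts with the name',
    pageUrl: 'https://news.example.com/',
    url: 'https://accounts.google.com.example.net/gsi/client', type: 'script' },
  { label: 'GSI script with a query string',
    pageUrl: 'https://news.example.com/', url: GSI + '?hl=en', type: 'script' },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map(r => ({ label: r.label, blocked: shouldBlock(BRAVE_FILTER, r) }));
}

for (const r of evaluateSamples()) {
  console.log((r.blocked ? 'BLOCK ' : 'allow ') + r.label);
}
```

The filter stops the script from loading at all, so nothing is rendered and no request reaches the provider from that page; a cosmetic rule only hides the element after the script has already been fetched.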
Either way it's something you'd need to go out of your way to configure any time you interact with a new web browser. And both ways can be disabled randomly (Chrome settings changes during browser updates, or uBlock extension being deprecated).
The article mentions a setting in Chrome only. Someone using uBlock Origin is not using Chrome.
Blocked this using uBlock since years ago.
I hope the PMs are reading this thread. They misjudged the tradeoffs
If teaching ethics to big tech worked, this would've ceased to be a problem more than a decade ago.
Delete your Google account and this won’t happen.
It happens a lot regardless of browser and accounts and incognito. It just pops up everywhere.
I haven't signed in to my Google account since browser install but I still see it in Stack Overflow.
[flagged]
Just throw in only a date of birth and you have only all you need for identity theft.
Besides, email is usually enough to cross reference with other benign data troves. But there is no way any reseller could possibly profit from that.
Really no reason to be overly paranoid about.
> Name and Email
Yes, both are PII, which is highly regulated in EU and CA (among others I'm sure). If these knowingly "leaked" in a data breach, the company which leaked them would be legally obligated to notify me. Sounds pretty serious to me.
[flagged]
But it's a similar concept. If someone accidentally gives some website their name + email, they could be part of a leak for some service they don't even use. People probably care less about Tea in particular because they've never heard about it before the data leaks.
"So-and-so used Tea" is clearly not the focus of the coverage of the Tea app leak. Again, let's be explicit about impacts here. You can deploy hyperbole and hypothesis to make anyone a horrifying villain. But if you do that at least be honest about it.
Edit to note: the Tea story has now fallen off the front page while this one is still going strong.
> You can deploy hyperbole and hypothesis to make anyone a horrifying villain.
Alternatively you can deploy a dismissive attitude and subtle ridicule to make any concern sound silly, no matter how important the issue is to people for a variety of different reasons which you don't seem to be receptive to understanding.
And that sort of infighting is certainly many orders of magnitude more fashionable, both on social media and in real life, than people being observant and critical of companies and governments when they find new ways of eroding our rights and freedoms a little bit more than they already have.
I sympathize with ~everyone affected by any type of data leak, but I'm only human with limited time and attention. That means I can't actively engage with every single issue that plagues our world, both out of practical, as well as sanity-maintaining reasons.
Implying that we're hypocrites if we don't engage with completely unrelated issues before we engage with issues that directly affect us is probably the clearest example of a bad faith argument I've read on this site in a very long time.
I guess it's more about the chats there, but swap Tea with Ashley Madison or something. Having your name+email on that leak could be quite bad.
The only one arguing in bad faith here is clearly you.
First, you say that a full name or email is somehow not a big deal, even though these are some of the most critical pieces of PII, either one would obviously be enough to unmask exactly who the person is.
And now, because there is some random HN post about a hack that affects a significantly smaller user base than Google's and Chrome's invasive practices and it doesn't have as many upvotes that somehow means this topic isn't serious and that everyone is arguing in bad faith.
You either have absolutely no understanding of PII or privacy, and I seriously hope you never work on anything related to it. Or you're just arguing in bad faith, I’m not sure which is worse, to be honest.
> inarguably much more impactful a privacy issue
Except, you know, the volume of users impacted.
Tea had a few tens of thousands of users. Google has billions.
Yea, the use case is not wanting to be signed up for another stupid “newsletter” I never asked for that’s full of crap I don’t want.
> most of them are at least slightly criminal
Huh ? Not wanting reddit to know my government name makes me a suspect ?
Having a 'government name' and calling it that makes you suspicious alone.
I agree that it is problematic. You can mostly block it with the uBlock extension.
You can create multiple profiles in Chrome. You shouldn't sign into Google in your main profile. That should be reserved for just one profile reserved for Gmail.
You can also just not use chrome. It's still a problem that shouldn't exist and the blame for that falls entirely on Google and the websites that push google's crap on users
Edge has its own shenanigans. Solution: When signing into Gmail use Edge. When signing into Outlook use Chrome. That way Google/Microsoft can't use your credentials to sign into the browser itself.
Better: Use browsers not owned by search companies
Safari seems to have this too, now — especially with the latest iOS 18.
Any workarounds would be massively appreciated.
This is the #1 reason I don't use apple OS. Even if you install another browser it's just a wrapper around safari restrictions...gross.
There is one! Mac only though.
Scroll down to "#credential_picker_container" here: https://pxlnv.com/blog/user-stylesheets-are-still-pretty-gre...
Firefox?
Yes blame the victim
The crazy part is that the popup is not part of the DOM, it's injected by the browser *over the page content*. If it were in a browser toolbar I wouldn't mind, but obscuring page content is just asking for an antitrust suit.
I left chrome and switched to Brave 6mo ago because I couldn't get these "Sign in with Google" popups to stop. I tried both the chrome://settings/content/federatedIdentityApi option and the option under https://myaccount.google.com/ and neither one worked, I just kept getting them.
> just asking for an antitrust suit
According to other commenters in here [0], it's an open standard and other identity providers are allowed, not just google
[0]: https://news.ycombinator.com/item?id=44715875
Still an unforgivable violation of trust to have a floating popup over the content that's not part of the DOM and not part of the browser's normal native UI. I never want my browser to inject unblockable overlays over sites I'm trying to browse.
I think this is referring to the FedCM api [1]
It works with providers other than Google, just no one else has implemented it yet. Google's One Tap library tries to use the new api, and falls back to the classic One Tap popup when using a browser that doesn't yet implement FedCM (notice how the chrome built-in one says "sign in with google.com" rather than "sign in with Google" like One Tap normally shows)
Mozilla are working on implementing it, but it's a pretty complex system so it'll take time. I presume Safari will as well if it gets popular enough
[1]: https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API
Yeah, I attend the FedCM meetings. Firefox has one dev working on it who attends regularly. I have found some posts where the safari team has said "seems like a good idea, we'll consider implementing" but have not seen further action.
Edge supports it, and it should be relatively easy for the other Chromium based browsers.
- https://github.com/WebKit/standards-positions/issues/309
- https://github.com/mozilla/standards-positions/issues/618
What is there to fallback to I wonder - 3rd party cookies should be deprecated/blocked by now, so how can the gsi script retrieve google session information?
While I agree with the 50+ comments I’ve read here, I think the point is being missed (or I just haven’t gotten to this comment yet) - these super annoying pop-ups should only be a thing AFTER you’ve clicked on login or register. In fact they shouldn’t appear and should instead just be a button the user can click if they wish to use their Google account as the login device for XYZ site. In other words there’s no reason for these to appear when you first visit a webpage, they should only be relevant when the user has taken action specifically to login, or is looking to register an account at xyz.com
It’s as if someone at Google saw the whole cookie banner -> accept cookies fiasco and said wow this seems like a good idea let’s add our own
> Add noscript too
The Noscript extension becomes redundant with the uBlock Origin extension
https://github.com/arkenfox/user.js/wiki/4.1-Extensions#-don...
Only if you set UBO to block scripts as well. Though I prefer noscript’s UI personally.
Edit: To elaborate, you need to turn on “hard mode”[0] for UBO to replace noscript. Then you need to manage it through UBO interface which I don’t like[1]
[0] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-m...
[1] https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu...
Kinda related to this: I _really_ wish that SSO providers would be better about telling me when my account was already used to log into a service. When I hit "sign in with Google", see my 4 accounts, and have to guess which one I used to sign into the service...
Maybe I'm missing some security detail here
This is my big issue too. There are some times where I think I have SSO for something, but don’t remember with who, so I spend 5 minutes logging into various providers and hunting down where they say what sites I’m using SSO with, so I can see what to use.
I started adding them to my password manager as a quick reference, but the irony is that this makes the SSO slower than a typical standard login. I almost never use these SSO options anymore as a result.
The problem is that at that point in the flow, it's owned by the SSO provider. The SSO provider can't know with certainty what account has an active account with the website.
I don't think that's true though? The OAuth provider knows which third parties you have authorized to have access to your account(s) as well as what information or privileges you've approved for each. And when you land on that screen, they know which third party referred you to them.
In other words, they could definitely highlight or otherwise hint to you which of the Google accounts you've already approved/used via one or more of your authenticated Google accounts.
The provider knows you have given those privileges _at some point_ but it doesn't know if that account still exists or anything about the state of the account.
So, yes, they could do more to highlight _potential_ accounts but it's not the case that they have any visibility into the actual state of accounts.
They could though, right? Because if you log in to a website (that's passed along an ID) then you would have that bit set.
I don't need to know for certain the account on the receiving side exists, just that I have signed in before with it. Facebook does this at least!
Like "has an account" isn't possible without leakage, but "has logged in through this flow before" (hell, stick timestamps in there too!) is.
One thought though: your SSO provider has that account list, but often prompts a re-login. So it could be that your SSO provider account picker _doesn't have access to your account information fully either_.
And I don't think it makes sense for the SSO provider to leak a list of all your accounts to the website either. That being said, I think the SSO provider could maybe track that information maybe?
I don't get why so many sites allow a Google pop-up to cover half their content.
As others mentioned, this is backed by the "open" standard FedCM. While this seems like an open play on the surface (and the standard is open), in practice this is highly anti-competitive and will just lead to Google being in even more control of the web.
The vast majority of users will choose the default for identity. On Chrome this is Google. On Android this is Google. Even on iOS this may be Google because identity is often tied to email and Apple does not have a strong email story. Identity is huge. It gives you a moat that outlives platforms.
And all the while, Google gets to claim this standard is open, while in practice this is clearly intended as a monopolistic move to increase their share of identity on the web.
If they were forced to show a randomized list of identity providers a user needs to choose from (similar to search engines on iOS), I bet you they would reconsider this whole approach. But by the time regulators figure out what's going on, they will have already cemented their lead.
This "standard" also seems interestingly timed with respect to Passkey adoption, too. If one were feeling pessimistic enough, it almost seems too easy to suggest some interests exist here that want to muddy the sign-in waters to capture users considering switching to Passkeys before they actually switch to Passkeys.
These are orthogonal concerns. Passkeys don't meaningfully simplify the account creation process.
Having implemented Passkey-only account creation (and management) I would absolutely disagree. I think that Passkeys can greatly streamline the process. The iOS Passkey flow especially feels as simple by default as the "Sign in with Apple" flow (with the ability to customize it with smart password managers in a way you'd never be able to with "Sign in with Apple").
That's partly because Apple sees it their job to migrate people away from OIDC-style signups, for privacy reasons if nothing else, and towards Passkeys, so their UX team is doing a remarkable job trying to reduce friction.
What's Google's interests here? Are there intentional reasons the Android and Chrome Passkey flows don't "simplify" the account creation process enough? It's easy to be cynical here, and seeing them as orthogonal concerns also feels like muddying waters that shouldn't be muddied right now.
Those Google popups are so annoying, they often cover the content. I wonder, does Google pay websites for this, or do they annoy users for free?
Also I don't understand who registers Google Accounts these days because every time I try to do this, they show a QR code and require to scan it with a mobile device, and I don't have time now to set up a virtual machine and research what it does to a mobile device and how one can bypass the check.
Also if you buy a Google Account it eventually requires linking a phone number, and doesn't accept most of the Russian numbers I buy.
So I don't understand how other people sign up when there are so many obstacles. It is easier just to register an email account elsewhere.
Well, Android is the largest phone ecosystem in the world. Most of those phones ask you to sign in with your Google account when it first starts.
You don't sound like the average user.
They either already have a gmail, or sign up for one by scanning the QR code you mention. I don't recall if a phone number is mandatory, but the average user probably has one, doesn't mind giving it to Google (to not lose access to their account if they forget their password is a perfectly valid reason for most people). And they'll probably not provide one from a sanctioned terrorist state with a reputation of nefarious cyber activities. Like buying Google Accounts, but much worse too.
I absolutely hate the ‘Sign in with Google’ prompt and I am very concerned that I will either accidentally or absent-mindedly tap on it and share my email address and identity with some random untrustworthy website.
The idea of identity managed by one’s browser is a pretty decent one, but the implementation which ties it to other information such as email address and which makes it so easy to accidentally use is user-hostile.
“Sign in with Google” is annoying, but at least you can turn it off with chrome://settings/content/federatedIdentityApi
Does anyone know how to switch this off on Safari please, especially Mobile Safari. I’ve noticed these sign-in popups on iOS 18.
This option never worked for me, I also tried the options under myaccount.google.com with no luck, I kept getting the popups and ended up having to switch to Brave and Safari to get rid of them.
There is no switch in Safari. As the blog post mentions, you'd have to use a Safari extension such as StopTheMadness Pro.
A generic way to stop this across all devices would be great. I don't suppose something can be done with DNS via Pi-hole?
You could block account.google.com (or google.com) if you don’t use any google services or expect anyone on your network to use any google services*.
* I think search still works without an account, but I don’t think anything else works that way these days. The last I know was YouTube and I get a “sign in to confirm your age” on YouTube on most videos I try to watch without being logged in.
As much as I'd love to do that, it might be a bridge too far...
You can turn this off
1. https://myaccount.google.com/connections/settings for mobile
2. same link, sidebar help, for Chrome on Desktop settings.
That does not completely turn off the federated sign-in popup you see on the top right in various websites. The solution is actually already mentioned in the article.
this requires being signed in (obviously), which doesn't help with the limit tracking part of hating these things
First, “Accept all cookies”, and now this. The competition for the worst web UX is heating up.
Firefox + uBlock Origin is the only sane way to browse the web in 2025.
> What you may not realize if you use Safari or Firefox is that the banners are never displayed in Google Chrome!
Ah, so that's why so many websites are OK with it - they probably just don't realise that it's there.
> If the courts and antitrust regulators are reading—they probably won’t read my blog, but one can dream—this is yet another example of Google advantaging its own browser Chrome over other web browsers.
And vice versa: how Google is advantaging its own SSO/data collection platform over others, through Chrome.
> the banners are never displayed in Google Chrome!
this is demonstrably false, I can share dozens of screenshots of this popup appearing in Chrome despite all the options checked that are supposed to disable it.
I always thought drawing over the content area is a no-no, because then anybody can fake that dialog via html/css and make it do something completely different.
> This is what Google calls the One Tap user experience. Fortunately, my web browser extension StopTheMadness Pro hides “Sign in with Google” banners.
This sounds awesome. I like the author's classification of this and other anti-user website behaviors as "madness". Are there any similar add-ons for Firefox?
StopTheMadness provides browser extensions for Safari, Firefox and Chrome. But it’s a paid product AFAIK. I don’t know of similar Firefox extensions that do everything that this one does or allows one to do.
I have used the Don't Fuck With Paste extension https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi... in Firefox for a few years. Seems to work well when I need it (and when I remember to try it, as it needs enabling on a per-site basis).
For removing tracking query parameters from the URL I've used ClearURLs https://addons.mozilla.org/en-US/firefox/addon/clearurls/ for a few years.
uBlock Origin is still fully functional in Firefox as well so I guess I could find a way to block the "Sign in with Google" prompts somehow with a custom rule.
I use uMatrix to block all third-party requests by default.
What's crazy is that it trains users to trust a component that can be faked by the website.
You can mimic the component and then redirect the button anywhere, and the user is primed to comply with whatever they see.
Like a fake "Actually it seems like your Google account is compromised. Please verify that it's you by doing X."
This kind of shit-tier feature should at the very least appear inside the browser chrome, not inset in/over the website. I'm so tired of amateur slop from megacorps that should know better.
100% the implementation is setting a terrible precedent to trust non-browser-native-looking UI for what's supposed to be a browser-level feature.
Thank you. I have been wanting to disable that popup forever
This stupid pop-up (being a "window" of its own and not a DOM popup) also steals focus back to the chrome window. For example: open reddit.com in chrome (without being logged in to reddit) and before the page loads switch to another app window; when the popup is ready the chrome window will get focused again.
> Indeed, while Chrome is displaying the dialog, it blocks all Chrome extension popup windows from appearing.
We discovered this one the hard way at work. I keep learning this the hard way myself because I've been working on browser extension dev lately. I don't understand how this could possibly be an intended feature.
I actually needed that button the other day. I have an account on Etsy, but wasn't sure if it was sign in with google or an etsy account using my gmail. Signing in to the website's own "login with google" button was a redirect loop. Requesting password reset sent me no email. At some point Chrome offered to sign-in for me, and that worked.
I'm never confused about what I've used to sign in because I only use randomly generated passwords using my password manager (Bitwarden), and it offers to use them automatically when I go to a website.
Another advantage is that Google cannot cut my access to all of my accounts on the internet.
HN userbase is not representative of the large majority of the users of a service.
Most of us are fully capable of using a password manager, some even self-hosted that we expose via Tailscale, but for a lot of users, they are using a service to get things done and authentication is a necessary hurdle.
Sign in with Google/Apple/Github solves that.
Counterpoint: my parents managed to lock each other out of their shared Amazon account after being coerced into "upgrading" their login method. Thankfully they managed to reset it somehow and go back to saved passwords, which Just Work™.
Aside: annoying when a site, specifically a govt website URL changes... I get REALLY skeptical if I land on a page my password manager (also Bitwarden) doesn't recognize with my credentials.
My local city utilities switched to some kind of google based auth from their previous separate user/password account login. Had to create a new login/account tied to my billing account.
If Bitwarden can come up with something similar, I'd gladly welcome it, even though it's awesome already.
You didn't need that button, but rather Etsy needed to test their own website.
It's odd how these browser popups—especially ones like the notification permission dialog—essentially hijack the Mac interface. I can't swipe to go back using the trackpad until I manually close the popup.
It's not just a Google annoyance, these types of things are all over the web. I have uBlock Origin settings to limit these types of things, like others in this thread have explained.
But there's a bigger issue with the modern web. Here's my message to any web developer, company, organization, anyone who has control over content on the public web: if I visit your page and I have to click away something in order to do what I came to do, you have failed miserably.
https://issuetracker.google.com/issues/343584523
Nobody cares.
"Sign in with Google" has become the new un-blockable popup for me. I fucking hate it.
I get why Google finds this advantageous, but I don’t understand why so many brands want to willingly diminish the impression and reputation of their web properties by adding “Sign in with Google.”
>want to willingly diminish the impression and reputation of their web properties
because that's not what's happening. The average Chrome user finds that feature useful, and personally I have to agree because having a sign-in option through the browser chrome (the non-content portion of the application, bad name in this case) is significantly more sane from a security standpoint than trusting the webpage operator.
why are these threads always full of performative indignation by people who know perfectly well that 99% of people aren't going to be upset
> The average Chrome user finds that feature useful
I don't know about that. It displays on so many sites where I was not intending to log in at all. If I wanted to log in, I would have clicked on the website's login button. This popup really blatantly shows that Google is everywhere, even if that was already the case. It's possible that this actually reflects badly on Google as a whole.
Poor Google, they have to screw over the entire online population for their own sake. The masses love being screwed over, which is why Google uses dark patterns instead of having people make informed decisions. That this helps make Google even richer is just a happy accident. Shame on technologists who question Google's morality!
Yep, that logic makes total sense. /s
uBlock is great for this. Settings > Filter lists and Enable Annoyances.
Am I the only one who likes this?
Every other sign in solution seems to involve multiple clicks and loads of redirects and loading time. It seems to even beat a password manager because there is no need to wait for a login form to load and be prefilled.
Google's solution frequently has you signed in within 1 second and 1 click.
Not sure if it's a result of multiple privacy extensions or whatever but it's about a coin-flip on whether Google login actually works for me.
On today's episode of "Addicted to the AdTech browser": Our protagonist faces yet another case of being fucked over by their favorite advertisement and surveillance vehicle disguised as a web browser. How will they gaslight themselves into keeping their toxic relationship with Chrome alive rather than switching to a browser that respects their privacy and sanity this time?!
> Just one more extension, just one more chrome://flags tweak... He loves me, he respects me, he just has a ... unique way of showing it... I'll just tell my friends I fell and that's why my eye is black... Chrome, I'm sorry I'm not good enough, I probably deserve this...
Another annoying, possibly less known thing about this popup is that you as a user can disable it.
But only if you log in to Google and set a preference for your Google account.
No more nagging popups! Sounds great, right?
Except Google can now track you, with a confirmed ID and session cookie across all these sites.
It’s blackmail, plain and simple.
I never see this popup in my main browser thanks to proper content blockers, but it should not exist in the first place, indeed.
I save this rule in my pastebox (bitwarden) to add to all my Ublock Origin configs:
||accounts.google.com/gsi/*$xhr,script,3p
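What the filter in the comment above actually matches, shown as an added example (not part of the thread and not uBlock Origin's code). It models the rule's three parts: the `||` hostname anchor with the `/gsi/*` path, the `xhr,script` type list, and the `3p` third-party condition. The sample requests are constructed, and the "same site" check is an assumption that compares the last two hostname labels, where a real blocker uses the Public Suffix List.

```javascript
const RULE = '||accounts.google.com/gsi/*$xhr,script,3p';

// uBO option aliases mapped to webRequest resource type names.
const TYPE_ALIASES = { xhr: 'xmlhttprequest', xmlhttprequest: 'xmlhttprequest', script: 'script' };

function parseRule(rule) {
  const [pattern, optionText = ''] = rule.split('$');
  const options = optionText.split(',').filter(Boolean);
  const body = pattern.replace(/^\|\|/, ''); // "||" anchors at a hostname boundary
  const slash = body.indexOf('/');
  const host = slash === -1 ? body : body.slice(0, slash);
  const path = slash === -1 ? '/' : body.slice(slash);
  // Escape regex metacharacters, then turn the filter wildcard "*" into ".*".
  const pathRegex = new RegExp('^' + path.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*'));
  return {
    host,
    pathRegex,
    types: options.filter((o) => o in TYPE_ALIASES).map((o) => TYPE_ALIASES[o]),
    thirdPartyOnly: options.includes('3p') || options.includes('third-party'),
  };
}

// Assumption: registrable domain approximated by the last two labels.
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isBlocked(parsed, request) {
  const url = new URL(request.url);
  const pageHost = new URL(request.pageUrl).hostname;
  const hostOk = url.hostname === parsed.host || url.hostname.endsWith('.' + parsed.host);
  const pathOk = parsed.pathRegex.test(url.pathname + url.search);
  const typeOk = parsed.types.length === 0 || parsed.types.includes(request.type);
  const partyOk = !parsed.thirdPartyOnly || site(url.hostname) !== site(pageHost);
  return hostOk && pathOk && typeOk && partyOk;
}

// Constructed sample requests: { url, type, pageUrl }.
const SAMPLES = [
  // Third-party script under /gsi/: blocked.
  { url: 'https://accounts.google.com/gsi/client', type: 'script', pageUrl: 'https://news.example.org/' },
  // Third-party XHR under /gsi/: blocked.
  { url: 'https://accounts.google.com/gsi/status?x=1', type: 'xmlhttprequest', pageUrl: 'https://news.example.org/' },
  // Frame request: type is not in the rule's list, so not blocked by this rule.
  { url: 'https://accounts.google.com/gsi/frame', type: 'sub_frame', pageUrl: 'https://news.example.org/' },
  // Same site as the page (google.com): the 3p condition fails.
  { url: 'https://accounts.google.com/gsi/client', type: 'script', pageUrl: 'https://myaccount.google.com/' },
  // Lookalike host: "||" does not match a name that merely starts with the host.
  { url: 'https://accounts.google.com.example.net/gsi/client', type: 'script', pageUrl: 'https://news.example.org/' },
];

function evaluateSamples() {
  const parsed = parseRule(RULE);
  return SAMPLES.map((r) => isBlocked(parsed, r));
}

console.log(evaluateSamples());
```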
> ... example of Google advantaging ...
Way to bury the lead.
Anyway, what's the advantage? Please elaborate.
The blog post elaborates. But to summarize:
1) The annoying Sign in with Google banners appear in Firefox and Safari with no toggle to disable them, even if you aren't logged in with Google, even if you don't have a Google account.
2) Those banners do not appear at all in Chrome.
3) There is a Chrome-specific sign-in UI, but it appears only if you're already signed in to your Google account in Chrome.
4) You can disable the Chrome-specific sign-in UI in Chrome settings.
So Chrome users have control, whereas Firefox and Safari users are inundated with annoyance.
https://www.merriam-webster.com/wordplay/bury-the-lede-versu...
Being able to shut the damn thing off.
Adding
img { max-width: 100%;}
To this site’s css will fix the layout on mobile.
Unpopular opinion (apparently): I like this a lot. Sign up flows are annoying, and rarely well designed. Getting around them is nice.
that federated id api setting was crucial. danke shoen OP
Not only that, on Chrome this popup shows up on TOP of the search dialog and there is no way to push it behind it (screenshot and write up at https://ivanca.tumblr.com/post/790352779945410560/on-chrome-... )
I hate this popup so much. This is on the same level as adblockers displaying "premium" ads.
Those obnoxious Sign In With Google overlays on so many sites like Reddit, or any other "Sign In With ETC" should be outlawed honestly.
I hate this banner. It made my Vimium addon unable to work unless I pressed Esc first.
[flagged]
Is this scam still available?