evil alert

What do you call a site which, to display a page, requires so many hundreds of cookies to be set – or at least brings up so many hundreds of cookie alerts, possibly all doing the same thing – that you simply lose count and the will to ... live with the page, and so go away?

How about one which, once you've struggled on and got to the login page, brings up six cookie alerts every time you try to click in a form field?  How about one which requires three alerts to be cleared?  How about one which requires six the first time you try to activate the field, then once you've done these, another three, and still doesn't activate the field, but just returns you to the first set of six alerts in an infinite loop?

The answer to the above seems to be “Facebook”.

What do you call a site which requires you to deal with an endless loop of cookie alerts in order to set/retrieve login information?  (Still Facebook.)

What do you call someone whoʼs going to have to sort this out for the client?  (Not well enough paid.)

There is a workaround ... new browser, adjust cookie exceptions, fix password, logout, revert cookie exceptions.  Some browsers have multiple session options which would allow all this to be handled in one browser, but there may still be better security from using two entirely different applications.  And if you still have to kill the application in order to get out of an infinite loop, you aren't losing anything else.

But this isnʼt good enough.  I propose a simple principle – any site which:

  • can set off infinite loops of any kind in a browser,
  • requires more than half a dozen cookies per page,
  • requires even one cookie to activate a form field, or
  • in any other way makes usage impossible without lowering normal security settings,

– is evil and should never be used even by/for a paying client.  Itʼs your job to tell them not to use it.  They may not listen.  Then you are allowed to charge them danger money.
