This is pretty awesome. I work with editors and monaco-like things a ton, and I review (look at) very large PRs very often. Having this speedy optimized interface is a delight. Check out their trees lib as well.
Did they even ask their customer base before approving the design? I don't care about Ferrari, but people who do care about Ferrari will not like this.
Influencer with access is always going to say the thing that will keep them that access. We moved away from writers and magazines, right back to the same stupid shit.
It’s a silly car; and their UI on the screen and app are terrible.
Bold of you to assume that lawmakers have any common sense when it comes to technology legislation. It could have taken 3 interns 3 hours at each browser company to implement a cookie consent standard 15 years ago, yet here we are in cookie banner hell.
Agree. It's like in some countries you put a sticker on the mail box "no advertisement, please" and it's illegal for the postman to deliver you ad brochures. Same could have been possible with browsers, but oh no, now you have to go out to each postman and tell him explicitly that you do not want ads, and postman has no memory, if you tell him that you don't want ads. He can come back ten minutes later and you have to tell him again.
Fun fact: in the US, the Supreme Court ruled that postal workers cannot filter out mail by the owner’s request.
It makes a bit of sense, since the mailer had already paid, but the main justification (iirc; it was years ago that I read the opinion) was that a postal service should be neutral and trusted to deliver.
Sure, the ISP _should_ deliver the packets. No worries.
The user agent should... be an agent for the user, and be able to perform actions on their behalf.
(The legality of those actions is of course assumed by the user here... if I add an automated flamethrower to my mailbox and burn my bills, well the debt collectors may come regardless if I read them or not - we cannot shift blame to the USPS here).
Not terribly persuasive because the first argument could just as well be seen as the postal service selling a service it can't deliver.
The second argument has the problem that for the whole thing to work the recipient must also have reason to trust the post office, but here their interests are not considered at all.
Fair enough. Most advertising isn't individually posted to each address because that's expensive - they hire their own guy, who isn't a postal worker, to go around and put it in everyone's mailbox. It's like paying one cent per email to prove it isn't spam.
At least in the states, the postman is almost assuredly doing the end delivery of the mail, and is often given a stack of advert materials to mix into the delivery for a certain delivery area. The use of a mailbox by anyone who isn't a USPS employee delivering paid mail is prohibited by law. https://about.usps.com/news/state-releases/tx/2010/tx_2010_0...
No, 99.9% of the mail I get is trash and is delivered by USPS. You can't even recycle most of it because of the paper they are printed on. It's a huge, disgusting waste of resources on multiple levels.
> It's a huge, disgusting waste of resources on multiple levels.
The companies on the ads wouldn't do it that way if they were not getting a positive ROI from it. They probably only need to get 2 maybe 3 new customers to offset the cost of mass mailings.
This isn't true. Procter and Gamble cancelled $200m of advertising and saw no change in sales. And companies using AI are costing more money to produce worse quality stuff more slowly. Facts don't matter, only how well you can convince a CEO.
I don't care if they are local or national. I don't want it, I'm not interested. Most of what I get is not local, it's credit card offers. There's also the fake missed package notices that are actually home warranty companies trying to trick you into calling them.
I don't care. It's still garbage I didn't ask for that is now in my mailbox so I have to deal with it. They have plenty of other ways to advertise. Everywhere I turn in public there's more ads.
Because the site (or marketing agency in charge of the ads) has plausible deniability for the user opting into marketing and tracking when they show a banner, whereas if it's a browser setting automatically applied then there's no such chance.
Same sort of thing when you log into Wizzair and the check box below the password field is not "remember me" but "subscribe to our marketing emails".
Yes, the data protection people are always blamed for the banners when, in fact, the marketing people are responsible.
If you build a website without all that tracking stuff and without 'free' services from the data collection companies Google and Facebook, then you have a pretty good chance of not requiring a banner at all, because for logins, etc., you are allowed to use cookies et al. without requiring an opt-in.
But I never saw anybody at the OMR being proud about the state of cookie banners they created...
The law does mandate that opting out should be as easy as opting in. The choices are meant to be equal. It is simply that no one is actually compliant.
Tech companies could have headed off this legislation 15 years ago by just solving the problem as Bender suggested. But they wanted to pretend they had no social responsibility to not deliver filth to children, and so now the legislators are involved and they get to deal with that. I have no sympathy.
Here's one thing Apple did well on. Their screentime settings also work in the browser. It could be better, but at least it's something if you set up your kid's device properly.
I had a teen whose main device was an iPad 4ish years ago and now a tween whose main device is a Windows laptop. I like Windows' implementation better--it's more granular when it comes to site access on Edge, and allows time limits in specific programs rather than categories of apps. I remember some apps that were clearly games had themselves listed as education apps.
In the US all the age verification legislation is written by data broker companies that want to mine this data. The government also wants to be able to have access to this information by proxy.
It’s not written the way it’s written because they’re oblivious; it’s written the way it’s written because it’s plain lobbying writing the bill.
For example, there’s little in the way of protections in how the age verification would be protected or prevent the analytics from being sold.
Take the volume and mass of lobbying by all of data broker companies, data collection companies, and executive agencies.
Combine that with the character of practically every law written involving data privacy, use, IP, and associated regulation of activity around these since the 1990s. It becomes painfully clear that the interests of private citizens have not had a seat at the table, and the Constitution has been taken as an inconvenience to bypass, not a guiding document.
I was referring to the intern being able to add the header. Politicians need financial incentive. I don't have the resources to lobby them. I think that might require a philanthropist should there happen to be one that lurks on HN. There are some interesting people that lurk here that we sometimes learn about.
They can't do anything today as it is a federal holiday but they could do something tomorrow.
Also should have been easy to design an OAuth-like flow where the government that seems to care so damn much about age verification attests someone's age in a privacy-respecting way - only yes/no if the person is of the desired age.
But then again if it was to protect children, better support for voluntary age control would be so much more useful as most minors use devices managed/owned by their parents.
But then, similar to cookie banners, it is just about enabling surveillance.
Most laws make a distinction between cookies stored for "technical purposes" and those stored for marketing / tracking.
The former are things like "does the user want dark mode", the language you chose to use the website in, the contents of your cart, your login info etc. The latter are for tracking. Typically, the former don't need consent, the latter do. Browsers have no way of telling the two apart.
Can browsers know which cookies are necessary for a site functioning, logins, etc and which are for tracking, ads etc? There are many ways one can eg block third party cookies and that helps and rarely causes issues, but tracking can also be done with first party cookies, let alone fingerprinting.
For example, firefox's "strict tracking protection" setting also breaks a bunch of websites.
There are some browsers that implement it like it was originally intended and ask the user for each cookie individually: Do you want to store "PHPSESSIONID=12345"? -> Yes. Do you want "AdTRackingID..." -> No. Do you want "AWStelemtry..." -> No, and reject all further.
Midori is an example for a graphical one, while there is Lynx for the terminal.
There actually is/was a "Do not Track" header in browsers, but due to failing or toothless legislation, websites and ad-tech companies never honored it.
It's our duty as informed persons to educate the general population to exert pressure on policy makers to act in the common good - otherwise indeed nothing will change but increasing corruption.
As always, downvoting me doesn't change the legality of those banners. The law clearly states the "deny all" button must be as prominent as the accept button, and the banners employ all sort of dark patterns.
I don't think 'the law' does clearly state that, although I'd be happy to be proved wrong, and honestly it's a point of pedantry, the enforcement indicates that you're right about the actual expectation, and definitely you're right about the actual usage.
> 8. When authorities were asked whether they would consider that a banner which does not provide for accept and refuse/reject/not consent options on any layer with a consent button is an infringement of the ePrivacy Directive, a vast majority of authorities considered that the absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent and thus constitutes an infringement. Few authorities considered that they cannot retain an infringement in this case as article 5(3) of the ePrivacy Directive does not explicitly mentioned a “reject option” to the deposit of cookies.
Also the law doesn't require anything to be done by the user to reject cookies, to begin with, as that is the default state. I often just delete the cookie dialog from the DOM.
I agree with all the points here, but the task force report is not law, and this is not “clearly stated” (this specific phrase is fine, but the rest of the document is full of disclaimers).
It’s a useful guide on how the law is likely to be interpreted, and likely influences the interpretation itself, but my inner pedant is not satisfied.
Yeah, it was the closest I could find, but I don't really care that much to search the actual laws. I would expect it to be true, it's basically what you hear in the news and all the advice says that you should do that, when you create a GDPR-compliant website.
This is misinformation stemming from disinformation propagated by organized industry retaliation to the law. Cookie banners are not and never have been required by law, they are intentional harassment designed to make users oppose laws that actually just say “you may not track users without their consent”. A good faith implementation would be simply nothing, because no explicit consent is required when you’re actually using cookies for honest purposes.
All of the cookie banners have separate categories for strictly necessary, functional, performance and marketing, because those come from the law.
The problem is that people generally want functional and often performance cookies, and then you end up with the stupid cookie banner regardless of marketing cookies.
Strictly necessary cookies don’t require explicit consent, and generally can’t be rejected. Functional cookies don’t require additional explicit consent if you actually use that function. “Performance” actually refers to analytics, probably rebranded because users did not want it. Making you think they had to ask for the reasonable cookies, too, is the whole trick being pulled here.
> Functional cookies don’t require additional explicit consent if you actually use that function.
To not be indistinguishable from "strictly necessary" there would have to be a case where the "functional cookie" actually required consent, right? What case is that and how would you solicit that consent other than some kind of cookie banner?
> “Performance” actually refers to analytics, probably rebranded because users did not want it.
It refers to statistics, but sometimes you do want that, e.g. so the site can tell you how long it took you to do something compared to the average user, or provide those analytics to you. And the fact that this is ambiguous is an obvious problem -- if you get access to the data they collect is that "analytics" or "functional"?
In the face of an ambiguity, most corporate bureaucrats are going to take the risk-averse option, which is to ask for consent in case it turns out to be adjudicated as required ex post facto. The result is quite predictable. If you pass a poorly drafted law, businesses have a general preference for doing something stupid/wasteful/annoying over something that could get them sued or fined.
> To not be indistinguishable from "strictly necessary" there would have to be a case where the "functional cookie" actually required consent, right?
The case is when you don’t use that feature.
> how would you solicit that consent other than some kind of cookie banner?
Using the feature that requires the cookie is considered consent, same as using the website is considered consent to set cookies actually necessary for the entire website to function. For example, if you click “save settings”, that’s consent to save those settings, there’s no need for a “but am I allowed to save settings?” popup.
You might be tempted to dive into the potential grey area here, and sure, one exists, but (a) that’s why the laws go into 1,000 times more detail than this HN comment, (b) most of it’s not in the grey area, and (c) even in the worst case, making 100% sure is as easy as a checkbox before the button that activates the feature, there’s never a requirement for a blanket “can we do whatever we want” before even displaying the homepage.
> It refers to statistics, but sometimes you do want that, e.g. so the site can tell you how long it took you to do something compared to the average user, or provide those analytics to you. And the fact that this is ambiguous is an obvious problem -- if you get access to the data they collect is that "analytics" or "functional"?
The GDPR calls it “statistics”, but in this context defines the word to mean analytics, not statistics shown to users. If it’s shown to users then it’s either strictly necessary or functional.
> In the face of an ambiguity, most corporate bureaucrats are going to take the risk-averse option, which is to ask for consent in case it turns out to be adjudicated as required ex post facto. The result is quite predictable. If you pass a poorly drafted law, businesses have a general preference for doing something stupid/wasteful/annoying over something that could get them sued or fined.
Businesses are generally risk averse, yes, but don’t mistake knowing a force at play for knowing them all. The “cookie consent banner” was invented and evangelized not by the laws they’re commonly believed to have sprung from but by the IAB, an ad industry consortium counting Google, Facebook, and many others as members. The same organization that organized efforts to prevent third party cookie blocking, and that tried to block the GDPR entirely. The banner norms they created did not even comply with the law until changes a few years ago, the EU just took its sweet time on enforcement.
The average small business, of course, is not in on some grand scheme, but this is where your risk aversion comes in: if all the big players are doing something, and everybody around you is doing it, and you Google it and the first 20 results all say to do it, then the risk averse move is of course to just do it and move on. After all, trusting your own judgement is scary, what if you get sued or fined?
They were crazy overzealous about not allowing these technologies for a long time. I'm pretty sure I had many posts about this complaining over the years.
I'm delighted about this and also really hated the debate that had surrounded it.
Bring up WebSerial and WebUSB and oh no, all of a sudden, my 'document browser should not be accessing hardware' - yes we get it, you think the web is a collection of documents and are technically - in the strictest sense possible - correct. Hyper TEXT Transfer Protocol and all that.
Of course I've been watching Netflix and YouTube on my Firefox 'document browser' for years, because if I couldn't then there would literally be no hope of anyone using Firefox in the real world, but WebUSB and WebSerial people are nerds who we can argue the toss about document browsers with and prove wrong.
What I don't quite understand is why would one of the most advanced AI labs use rudimentary broken text match heuristics to track and detect abuse. Why not run simple inference on actual turns out of band, and if abuse is detected, adjust the quotas semi-retroactively.
They’re idiots who hacked together a shockingly useful tool by leveraging the billions of dollars they received from shamelessly hyping up chatbots. The Claude Code leak makes this very clear.
You seem to be implying that the company that employs the best chemists should therefore also make the best cakes. I don't see an obvious reason why this should hold true. I think it's fair to ridicule a bunch of chemists acting as master patissiers.
They're completely vibe-coding one of their flagship products. It's not unreasonable to consider that the people who took that decision are, indeed, idiots.
> most advanced AI labs use rudimentary broken text match
> It's vibe-coded
I called this out when I saw Claude Code CLI source code reach for regex on a certain task a while back and got told it was very unlikely that nobody reviewed the diff. Looks like the bar was lower than imagined.
Maybe running additional inference on all sessions to detect OpenClaw usage would require spending more money than they would save with that detection in the first place (which is the original goal). I also suspect the Claude Code team is just a regular software team without immediate access to ML pipelines (or competence to run them) to quickly develop proper abuse detection systems with extensive testing (to avoid false positives, which people would also complain about), and they're under pressure by the management to do something right now, so a regex is all they can do within those constraints.
Y'all remember https://en.wikipedia.org/wiki/Mystery_meat_navigation? Back in 2004-ish era, there was an explosion of very creative interaction methods due to Flash and browser performance improvements, and general hardware improvements which led to "mystery meat navigation" and the community's pushback.
Since then, the "idiomatic design" seems to have been completely lost.
> I know that there's a deceptively high amount of engineering required for these kinds of things
I think there's a deceptively low amount of engineering required for most medical and medical-adjacent tech. The high costs are rooted in pervasive industry-wide centuries-long FUD campaigns.