No idea if this is useful to anyone but it was an interesting exercise.
By default I have disabled storing cookies in my main web browser. I have a custom list of specific web sites that I allow to set cookies. (Whether that makes any sense regarding all the other data your browser sends which might create a unique fingerprint anyway is a different question up to your personal judgement/opinion on “privacy” and not the topic here.)
Ideally that whitelist would only include web sites that use my data in a way that I can agree with. In reality, services exist that could either be considered convenient (like Facebook; if you want to use their services you could use a private browser session every time and reenter your password, or use a separate browser to isolate Facebook’s cross-site cookie pollution) or services that your employer or customers use or expect for whatever reasons.
Google Hangouts video calls and Google Hangout text chats (which are proprietary after dropping XMPP) are used by some of my co-workers.
I have been wondering for a while which specific Google sites to allow setting cookies in order to be able to use these services but could not find information on the web. Google lists a bunch of domains but that list seems neither specific nor complete.
Going for trial and error, I removed any Google cookies (which might require more than a simple string search due to sites such as accounts.youtube.com), removed any potential rules allowing Google cookies, set my browser to not allow any cookies, and see how far I can make it working around random error messages and getting logged out immediately after having logged in.
I ended up allowing the sites accounts.google.com, client-channel.google.com, clients[1-6].google.com, hangouts.google.com, people-pa.clients[1-6].google.com, plus.google.com, talkgadget.google.com to set cookies. Some of these were trickier to find but your web browser’s developer tools allow you to check which sites want to set cookies.
And now back to actual work.
Keep in mind the sites can still use IndexedDB, HTML localstorage, or WebSQL. It’s really pointless for browsers to restrict cookies while allowing sites to maintain local databases on your computer, but such is the world we live in.
I’ve been using this for certain websites like Facebook. It’s not perfect but gets the job done: https://www.npmjs.com/package/nativefier
Thank you for this! I’ll probably use this to customize my Privacy Badger settings.
I am using a Firefox Plugin called ‘self destructing cookies’ [1] that deletes cookies (for non-whitelisted domains) after some seconds only. Maybe that is more convenient than blocking cookies from the beginning.
[1] https://addons.mozilla.org/de/firefox/addon/self-destructing-cookies/