The Unnecessary Evil of RSS Cookies

There is absolutely positively no reason whatsoever for cookies to be triggered by an RSS (or ATOM) syndication feed. They have no practical benefit to the user. Thus, they are a bad practice and should be stopped. Content providers should avoid advertising bureaus that use them.

The primary promulgators of this evil are advertising bureaus such as Pheedo and Google AdSense for Feeds. The cookie problem isn't caused by the syndication feed itself. Instead, the feed includes advertisements from a third-party bureau, and the included ads serve up the cookies.

The purpose of HTTP cookies is to "add state" to a stateless protocol. HTTP, the protocol used on the web, simply fetches web pages. Cookies extend the protocol to let the server note important information such as your username, your session identifier, and your pornographic preferences.

There are benefits you get from adding state to web interactions. You can establish a session. Your option settings can be remembered.

There is, however, no good reason for state to exist in an RSS feed. You can't interact with an RSS feed, thus state is meaningless. The only use I've seen is so advertisers can track users. I'm not arguing against ads in RSS feeds. I understand a content provider may choose to do this to support their feed. But they can do that without the intrusion of cookies.

These cookies are bad because they are intrusive a couple of ways. First, they are collecting personal information that provides no benefit to you. Second, if you manage your cookie permissions, you get inundated with popups. This is a significant problem with Pheedo, which forces a popup with each ad due to its host naming scheme. This is less a problem for normal web pages, where you commonly see a single ad from a given ad bureau, not a whole stream of them like you might in a syndication feed.

So here is my lazyweb proposal: I want a Firefox extension that disables third-party cookies for an included image or script when the referring page matches a given pattern (such as That way I can read my syndication feeds with cookies disabled (while still allowing cookie interactions with the web-hosted feed reader application).

There is a workaround that can mitigate part of the trouble. You can tell Firefox to block cookies for an entire domain, including its subdomains. That is, if I tell Firefox to block it will also block cookies for hostnames such as (Yes, Pheedo does that.)

You can do this by going into Firefox and selecting: Edit → Preferences → Privacy → Cookies → Exceptions ...

Then, type the domain you want to block (such as into the "Address of web site" field. Then click "disable." That will block cookies from the specified domain (and all its subdomains). It's not an ideal solution, but it's sufficient to handle the most annoying of the bunch. Like Pheedo.


Comments have been closed for this entry.

I disagree

If a web site wants to serve up a feed only to registered users cookies are the ONLY available method of validation.
As you say they can be misused. The ability for a user to control the use of cookies is well understood and already
implemented by all modern browsers. A good feed reader should be able to do the same.


For some reason I thought Firefox required wildcards (i.e., * to accomplish this. Thanks for setting me straight.

And that other guy? He clearly is in advertising.