66 comments

[ 0.29 ms ] story [ 111 ms ] thread
I actually needed that button the other day. I have an account on Etsy, but wasn't sure if it was sign in with google or an etsy account using my gmail. Signing in to the website's own "login with google" button was a redirect loop. Requesting password reset sent me no email. At some point Chrome offered to sign-in for me, and that worked.
You didn't need that button, but rather Etsy needed to test their own website.
This popup should be criminal. Ive misclicked the signin button multiple times, causing PII to be sent to a third party I dont trust without my authorization.
I hope the PMs are reading this thread. They misjudged the tradeoffs
FWIW, these uBlock Origin rules solve the ploblem:

    ||accounts.google.com/gsi/iframe
    ##iframe[src^="http://accounts.google.com/gsi/iframe"]
    ##iframe[src^="https://accounts.google.com/gsi/iframe"]
    ##iframe[src^="//accounts.google.com/gsi/iframe"]
    ###credential_picker_container
source: https://stackoverflow.com/a/78429389. Last rule is from me since popup was invisible but still blocked the content underneath.
The irony of getting that popup on Stack Overflow when I clicked that link
Another annoying, possibly less known thing about this popup is that you as a user can disable it.

But only if you log in to Google and set a preference for your Google account.

No more nagging popups! Sounds great, right?

Except Google can now track you, with a confirmed ID and session cookie across all these sites.

It’s blackmail, plain and simple.

I never see this popup in my main browser thanks to proper content blockers, but it should not exist in the first place, indeed.
Does nobody find this intrusive when it appears on sites like pornhub? Of all places where I'd sign in with a Google account... holy heck, I was very surprised they chose to let Google do that nearly-fullscreen popup on their site upon every visit (since you visit in private tab, it's a fresh session every time)

Even on reddit it annoys the heck out of me and I was very surprised they let this third party ruin the experience (when they don't even do it as first party). What if they all start doing it, facebook and github and the lot, you need to click away four banners? But maybe not enough people have privacy extensions installed and reddit can just track them forever and thus store a one-time dismissal. Anyone here in the know whether this doesn't show a measurable drop in returning users?

And google’s “do as I say, not as I do”. Doesn’t their search engine penalise websites with popups/overlays as it is meant to be user hostile?
I might consider switching back to Google Search if there were a "put any good results without tracking wall up top" setting
"I have no idea what you're talking about and I have never experienced this myself and I don't even know this website you speak of."

(obligatory comment just in case the wife is watching ...)

I find it intrusive on every single site it’s on. Every time I look at how to get rid of it, I’m pointed to a setting in my Google account to stop it, and it does absolutely nothing.

As far as I can tell, I’m more sensitive to this stuff than normal people, but I’m less likely to return to a site that annoys me like this. I’m also less likely to use Google as a result of them being behind this. While it’s not the only reason I use Kagi, it’s certainly an item in the pro/con list.

The same goes for all of Google’s pop-ups and nudges to switch to Chrome. It’s infuriating. Everyone not using Chrome knows Chrome exists and are choosing not to use it. They really need to stop with the heavy handed push and respect user defaults.

I do and that is why I remain neutral/buy on their stock, Meta and Google are bad bad bad actors with to much power in the web.
Sometimes reddit will automatically log-in for you :(
Reminds me of a tweet I saw a long time ago that went something like

"PornHub lets you share videos on Google+. That's disgusting! I don't want people to know I use Google+!"

That said, it is quite invasive.

(I laughed out loud.) Hey! I liked Google+ >:( Met some cool people on that site and I guess my thought was that anything is better than a facebook monopoly on social media and this has an actual chance
I actually did like Google+ as well. I used Google Buzz (I believe it was the precursor to Google+) because Twitter seemed weird, and then it just made sense for me to use Google+ because I was already invested in the ecosystem. And it just seemed so much cozier than FB.
That Google popups are so annoying, they often cover the content, I wonder does Google pay websites for this or they annoy users for free?

Also I don't understand who registers Google Accounts these days because every time I try to do this, they show a QR code and require to scan it with a mobile device, and I don't have time now to set up a virtual machine and research what it does to a mobile device and how one can bypass the check.

Also if you buy a Google Account it eventually requires linking a phone number, and doesn't accept most of the Russian numbers I buy.

So I don't understand how do other people sign up when there are so many obstacles. It is easier just to register email account elsewhere.

     ||accounts.google.com/gsi/*$xhr,script,3p
UBO rule to block that. Or enable the “annoyances” list. It hides annoying cookie bs too. Add noscript too.
“Sign in with Google” is annoying, but at least you can turn it off with chrome://settings/content/federatedIdentityApi

Does anyone know how to switch this off on Safari please, especially Mobile Safari. I’ve noticed these sign-in popups on iOS 18.

This option never worked for me, I also tried the options under myaccount.google.com with no luck, I kept getting the popups and ended up having to switch to Brave and Safari to get rid of them.
I think this is referring to the FedCM api [1]

It works with providers other than Google, just no one else has implemented it yet. Google's One Tap library tries to use the new api, and falls back to the classic One Tap popup when using a browser that doesn't yet implement FedCM (notice how the chrome built-in one says "sign in with google.com" rather than "sign in with Google" like One Tap normally shows)

Mozilla are working on implementing it, but it's a pretty complex system so it'll take time. I presume Safari will as well if it gets popular enough

[1]: https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API

(comment deleted)
The Chrome experience is actually part of a new standard, Federated Credential Management (or FedCM for short).

The idea is to create a browser mediated login experience that gives the identity provider and web app what they need without being able to correlate requests across the Internet.

I am working on an article on this topic. If you are interested in learning more, here's a video from a recent auth focused conference (full disclosure: my company put it on and I emceed): https://m.youtube.com/watch?v=FBAD4x7MWdI

They are actively working on the standard and Firefox has committed to it. Edge already supports it. They are looking for identity provider feedback.

More here: https://github.com/w3c-fedid/FedCM (we meet weekly on Tuesdays).

Vaguely reminds me of the now defunct OpenID. But with browser-native integration.
I save this rule in my pastebox (bitwarden) to add to all my Ublock Origin configs:

||accounts.google.com/gsi/*$xhr,script,3p

You can turn this off

1. https://myaccount.google.com/connections/settings for mobile

2. same link, sidebar help, for Chrome on Desktop settings.

That does not completely turn off the federated sign-in popup you see on the top right in various websites. The solution is actually already mentioned in the article.
First, “Accept all cookies”, and now this. The competition for the worst web UX is heating up.
Firefox + uBlock Origin is the only sane way to browse the web in 2025.
> ... example of Google advantaging ...

Way to bury the lead.

Anyway, what's the advantage? Please elaborate.

As others mentioned, this is backed by the "open" standard FedCM. While this seems like an open play on the surface (and the standard is open), in practice this is a highly anti-competitive and will just lead to Google being in even more control of the web.

The vast majority of users will chose the default for identity. On Chrome this is Google. On Android this is Google. Even on iOS this may be Google because identity is often tied to email and Apple does not have a strong email story. Identity is huge. It gives you moat that outlives platforms.

And all the while, Google gets to claim this standard is open, while in practice this is clearly intended as a monopolistic move to increase their share of identity on the web.

If they were forced to show a randomized list of identity providers a user needs to choose from (similar to search engines on iOS), I bet you they would reconsider this whole approach. But by the time regulators figure out what's going on, they will have already cemented their lead.

Adding

img { max-width: 100%;}

To this site’s css will fix the layout on mobile.

uBlock is great for this. Settings > Filter lists and Enable Annoyances.
It's not just a Google annoyance, these types of things are all over the web. I have uBlock Origin settings to limit these types of things, like others in this thread have explained.

But there's a bigger issue with the modern web. Here's my message to any web developer, company, organization, anyone who has control over content on the public web: if I visit your page and I have to click away something in order to do what I came to do, you have failed miserably.

Kinda related to this: I _really_ wish that SSO providers would be better about telling me when my account was already used to log into a service. When I hit "sign in with Google", see my 4 accounts, and have to guess which one I used to sign into the service...

Maybe I'm missing some security detail here

This is my big issue too. There are some times where I think I have SSO for something, but don’t remember with who, so I spend 5 minutes logging into various providers and hunting down where they say what sites I’m using SSO with, so I can see what to use.

I started adding them to my password manager as a quick reference, but the irony is that this makes the SSO slower than a typical standard login. I almost never use these SSO options anymore as a result.

There's a website I use irregularly (I sign in maybe every other month) that doesn't use passwords, doesn't use sign in with X, etc. Instead, they have a form to enter an email address, and they send you a magic link to log in. Since it's a generic email field with no password prompt, my password manager doesn't offer to fill it in for me, and my browser helpfully offers every email address I've ever put into a form. I now have 7 accounts with this website; half of them were created to get a new API key, the other half were to submit feedback that I'll never get notified of responses to because I can't be signed into multiple accounts at once and they don't email me about comments.

I expect that by sometime next year I'll hit 10 accounts with them.

I get why Google finds this advantageous, but I don’t understand why so many brands want to willingly diminish the impression and reputation of their web properties by adding “Sign in with Google.”
The crazy part is that the popup is not part of the DOM, it's injected by the browser *over the page content*. If it were in a browser toolbar I woudln't mind, but obscuring page content is just asking for an antitrust suit.

I left chrome and switched to Brave 6mo ago because I couldn't get these "Sign in with Google" popups to stop. I tried both the chrome://settings/content/federatedIdentityApi option and the option under https://myaccount.google.com/ and neither one worked, I just kept getting them.

I hate this banner. It made my Vimium addon unable to work unless I pressed Esc first.
This stupid pop-up (being a "window" of its own and not a DOM popup) also steal focus back to the chrome window. For example: open reddit.com in chrome (without logged in to reddit) and before the page loads switch to another app window, when the popup is ready the chrome window will get focused again.
that federated id api setting was crucial. danke shoen OP