Skip to content
This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

Site can read cookies even though they are blocked #987

Closed
ghost opened this issue Apr 2, 2018 · 8 comments
Closed

Site can read cookies even though they are blocked #987

ghost opened this issue Apr 2, 2018 · 8 comments
Labels

Comments

@ghost
Copy link

ghost commented Apr 2, 2018

solved - umatrix does currently (April 2018) not block JS from reading cookies, therefore the cookie block can be easily circumvented

@guakamole
Copy link

guakamole commented Apr 4, 2018

+1

I'll add that sites can write cookies even though they are blocked in the matrix. Note that it seems to be related to first party cookies only (third party are blocked by firefox anyway so I can't tell).

Firefox 61.0a1 and uMatrix 1.3.4.

@ArchangeGabriel
Copy link

@guakamole Writing cookies is allowed by uMatrix. Read the doc.

@theWalkingDuck
Copy link

theWalkingDuck commented Apr 4, 2018

uMatrix is working properly. Cookies are not leaving your browser at all.
The value of the Drop Down menu is not set by the DDG server, it's set by a local script
that reads the cookie and changes the value of the Drop Down menu after the page is loaded.

@guakamole
Copy link

Thank you for your answers.

I didn't know that cookies are actually allowed to be written. This is quite counter-intuitive. When I block something in the matrix, I would expect for it to be... blocked. And if people want to inspect what is going on (as stated in the doc), free for them to temporarily unblock the domain in the matrix.

There is still a problem somewhere anyway, even with the "Delete blocked cookies" option checked, cookies never get deleted. Here are my settings:

screenshot from 2018-04-05 02-58-17

By the way, what is up with the 15min limit ? Why can't I set it to 5 or 10min ?

@ArchangeGabriel
Copy link

They are currently issues with cookie deletion in some cases, see #878. The minimum interval is set by the browser AFAIK.

@Atavic
Copy link

Atavic commented Apr 7, 2018

That requirement is most of the times a workaround to bypass adblockers or grab as much data as possible from the visitor's browsers. That's why we should block scripts when not needed.

@gorhill
Copy link
Owner

gorhill commented Apr 8, 2018

The idea is if someone is unhappy with the 0-120 seconds gap before cookies are deleted by uMatrix, whitelist cookies in uMatrix and use a specialized extension which does what you want if you can find one.

@GeographicCone
Copy link

I've tried finding more ways to block cookies

Cookie-AutoDelete works great for me with uMatrix and uBlock Origin:
https://github.com/Cookie-AutoDelete/Cookie-AutoDelete

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

6 participants