Lusito / forget-me-not

Make the browser forget website data, except for the data you want to keep.
zlib License

Periodically purge expired cookies #27

Closed Lusito closed 6 years ago

Lusito commented 6 years ago

Firefox seems to keep expired cookies until some cookie limit is reached before it purges them: https://bugzilla.mozilla.org/show_bug.cgi?id=576347

It would be nice to have an option to purge expired cookies at set intervals and/or browser start (both of course optional).

Joel889 commented 6 years ago

That would be a great addition!

I was wondering why CC Cleaner is showing those cookies when Firefox doesn't. Seems like FF has only marked them deleted, but waits a while for the job to run as you point out.

Lusito commented 6 years ago

The implemented solution does no periodical purging, but rather removes them whenever another cleanup happens. I think this should be enough. It's marked as experimental for now, as it's unclear whether there are side effects.

Joel889 commented 6 years ago

I turned on the feature, and let the addon clean cookies (manually and automatically), but CCleaner is still showing tons of cookies from sites visited in the past, all belonging to Firefox.

Lusito commented 6 years ago

Well, some websites make cookies expire in 2020 or later (reddit for example), so these cookies might not have expired yet. Can you confirm that they are actually expired?

Joel889 commented 6 years ago

I assumed that FF would automatically expire cookies that are deleted, but only purge them from its database every once in a while. I guess not, although I don't see the point of keeping deleted cookies until their expiration date since websites cannot read from them anymore once deleted.

Lusito commented 6 years ago

There is no flag "deleted" for a cookie. It's either expired (i.e. its expiration date is set to anything before 'now'), or it's still active. So if you see cookies, that you think are deleted, then check what expiration date they have and get back to me with some more information and I will try to fix it.

Joel889 commented 6 years ago

How do I find the expiration date? They are no longer showing in Firefox, but CCleaner is showing them. I'm assuming they are somewhere in FF's internal cookie database, but haven't been purged yet.

Lusito commented 6 years ago

You could use a cookie manager extension like this one: https://addons.mozilla.org/firefox/addon/cookie-quick-manager/

Joel889 commented 6 years ago

Would it be technically possible for the addon to flush all cookies (manually or automatically), except the ones that are on the whitelist, regardless of expiration date?

Lusito commented 6 years ago

That would be what the "perform manual cleanup" does. If that doesn't work and the cookies show up in a cookie manager extension, then they are either protected by some rule or there is a bug in either FMN or Firefox. In that case, I'd need some more information about the cookies.

Once a cookie list is implemented, I will show a flag for each cookie, that would tell you which rule is chosen for a specific cookie.
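As an added illustration of the two decisions discussed in this thread (is a cookie expired, and does a whitelist rule protect it), here is a small cleanup planner. It is example code written for this page, not forget-me-not's own implementation. Cookie objects follow the shape of the WebExtension `cookies.Cookie` type (`domain` with a leading dot for domain cookies, `expirationDate` in seconds since the UNIX epoch, `session` set for cookies without an expiry); the rule format (`{ domain, type }`) and the choice to drop expired cookies even when whitelisted are assumptions for this example, and the sample cookies are constructed, not taken from a real profile.

```javascript
// Added example, not forget-me-not's code. Rule format is an assumption:
// { domain: "example.com", type: "whitelist" }. A rule matches the host and
// all of its subdomains.
const RULES = [
  { domain: "github.com", type: "whitelist" },
];

function hostMatchesRule(host, ruleDomain) {
  const h = host.toLowerCase();
  const r = ruleDomain.toLowerCase();
  return h === r || h.endsWith("." + r);
}

// A cookie domain of ".example.com" covers example.com and its subdomains;
// strip the leading dot to get the host the rules are matched against.
function cookieHost(cookie) {
  return cookie.domain.startsWith(".") ? cookie.domain.slice(1) : cookie.domain;
}

// A cookie has no "deleted" flag: it is expired when its expirationDate is
// not after 'now'. Session cookies carry no expirationDate and are never
// counted as expired here.
function isExpired(cookie, nowSeconds) {
  if (cookie.session || cookie.expirationDate === undefined) return false;
  return cookie.expirationDate <= nowSeconds;
}

// Returns { remove, reason, rule } so a cookie list could show which rule
// decided the outcome for each cookie.
function classifyCookie(cookie, rules, nowSeconds) {
  const host = cookieHost(cookie);
  const rule = rules.find((r) => hostMatchesRule(host, r.domain)) || null;
  if (isExpired(cookie, nowSeconds)) {
    // Assumption for this example: expired cookies are purged even when a
    // whitelist rule matches, since no site can read them any more.
    return { remove: true, reason: "expired", rule };
  }
  if (rule && rule.type === "whitelist") {
    return { remove: false, reason: "whitelisted", rule };
  }
  return { remove: true, reason: "no whitelist rule", rule };
}

function planCleanup(cookies, rules, nowSeconds) {
  return cookies.map((c) => ({
    name: c.name,
    domain: c.domain,
    ...classifyCookie(c, rules, nowSeconds),
  }));
}

// Constructed sample data (not captured from a real browser profile).
const NOW = 1546300800; // 2019-01-01T00:00:00Z
const SAMPLE_COOKIES = [
  { name: "session_id", domain: "github.com", session: true },
  { name: "pref", domain: ".reddit.com", expirationDate: 1600000000 },     // expires in 2020, still valid
  { name: "analytics", domain: ".ads.example", expirationDate: 1500000000 }, // already expired
  { name: "login", domain: ".github.com", expirationDate: 1400000000 },    // whitelisted but expired
];

const plan = planCleanup(SAMPLE_COOKIES, RULES, NOW);
for (const entry of plan) {
  console.log(`${entry.domain} ${entry.name}: ${entry.remove ? "remove" : "keep"} (${entry.reason})`);
}
```

Inside an extension the same planner would be fed the result of `browser.cookies.getAll({})`, and each entry with `remove: true` would be passed to `browser.cookies.remove` (which needs the cookie's URL, name and store id). The `reason` and `rule` fields are what a per-cookie flag in a cookie list, as mentioned above, would display.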

Joel889 commented 6 years ago

Only cookies.sqlite shows the cookies when opened with a file editor, but no extension or Firefox itself is showing the cookie. CCleaner does show the cookies and can delete them, but I'm assuming it is reading the cookies directly from the cookies.sqlite file.

Lusito commented 6 years ago

I'm afraid what you're seeing in ccleaner are HSTS supercookies. They are not stored in cookies.sqlite, but in SiteSecurityServiceState.txt

There is currently no way to clear them from a web-extension, and as stated in the article above, it might be bad for security to clear them.

crssi commented 6 years ago

^^ delete the SiteSecurityServiceState.txt file and create a folder with the same name ;)

Lusito commented 6 years ago

As said, that's a potential security risk you're taking there. Imho, the best compromise is to enable First Party Isolation, so that tracking beyond the domain in your url-bar is prevented.

crssi commented 6 years ago

Can you elaborate why this would be a "potential security risk"?

Lusito commented 6 years ago

See this article: https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/

If you want to block HSTS cookies from ever being set, I probably could accomplish that with a filter (as long as Firefox doesn't accept the header before it passes the extension), but I'm not sure I want to give users that option without making them press "yes, I know what I'm doing" at least 3 times.

Lusito commented 6 years ago

okay, I did some more digging and found another possible solution that might be worth looking into: Use something like https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/ in combination with blocking hsts supercookies.

crssi commented 6 years ago

^^ this one or this https://addons.mozilla.org/en-US/firefox/addon/https-by-default/, both are good. The HTTPS protocol should be the default and not HTTP. Blocking HSTS impacts security only theoretically, but not blocking it impacts privacy in reality. I do not have a scientific background for what I say, it is just my humble opinion. Who would actually abuse a non-HSTS browser when the majority of browsers in use are HSTS, and who would not abuse HSTS for tracking for the same reason.

Joel889 commented 5 years ago

Tracking through HSTS is overblown, and not currently used in the wild. From Wikipedia:

if twenty browser requests to twenty different domains are used, theoretically over one million visitors can be distinguished (2^20) due to the resulting requests arriving via HTTP vs. HTTPS

It's easier and more reliable to use browser fingerprinting instead.

The real privacy issue is that the HSTS file records HSTS compatible websites that the user has visited. Using any of the addons in this post makes this even worse, because they are tracking every non-https website you've ever visited in order to avoid the performance hit of the failed https attempt in the future.

https everywhere would be the better solution.