Open cy7yz2rj opened 6 years ago
Because FP isolation will break CSP (and other cookie controlling addons, and cache and storage access)
https://github.com/pyllyukko/user.js/issues/245#issuecomment-286997868
wait 15 minutes and
failed to delete cookie: https://github.com/...
will be reported in logger
Nothing I can do. The message is merely uMatrix reporting the result of the webext API call.
Is there no way to fix this in uMatrix? Recent update to Cookie Autodelete addon fixed the deletion of cookies even with privacy.firstparty.isolate=true so maybe it is possible
https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/issues/75#issuecomment-355788774
Thanks for the link.
It says the issue was fixed for FF59, and @cy7yz2rj reports the issue for FF58.
So is there really an issue with uMatrix when using FF59+?
I don’t know, I don’t use this feature currently because I haven’t had the time to read enough about the implications.
That being said, I have a lot of things like:
22:06:33 failed to delete cookie: http://darkpatterns.org/{persistent-cookie:laravel-session}
in the log.
OK, I can now see that cookies that should be deleted by Delete blocked cookies
don’t get deleted.
For which version of Firefox?
60
Cookies are not deleted in current Firefox 59 (aurora) and 60 (nightly), repro steps same as OP except for browser and uMatrix (1.2.1rc3) versions.
Cookie extensions dealing with first party isolation have to add explicit support for it.
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/cookies
In the cookies API, the first party domain is represented using the firstPartyDomain attribute. All cookies set while first-party isolation is on will have this attribute set to the domain of the original page. In the example above, this would be "bbc.com" for one cookie and "cnn.com" for the other. All cookies set while first-party isolation is off will have this property set to an empty string.
The cookies.get(), cookies.getAll(), cookies.set() and cookies.remove() APIs all accept a firstPartyDomain option. When first-party isolation is on, you must provide this option or the API calls will fail.
For get(), set(), and remove() you must pass a non-null value for firstPartyDomain. For getAll(), you may also pass null here, and this will get all cookies, whether or not they have a non-empty value for firstPartyDomain.
you can use browser.privacy.websites.firstPartyIsolate.get({})
to detect if isolation is enabled.
see https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/privacy/websites
Activating Firefox's first party isolation feature imported from Tor Browser breaks cookie deletion in uMatrix.
Steps for reproducing:
Delete non-blocked session cookies 15 minutes after the last time they have been used.
privacy.firstparty.isolate
to truefailed to delete cookie: https://github.com/...
will be reported in loggerFirefox 58.0b10 (64-bit) / uMatrix 1.1.18