Clear blocked cookies immediately

[grenzor]

With the delete blocked cookies option enabled in dashboard it looks like blocked cookies will get deleted within a few minutes of them being set. Is there any reason for this delay?

In my opinion if this option is ticked they should get deleted immediately after being set. Even if the possibility for any kind of attacks or leaking/hijacking/etc of cookies within these few minutes is low I think it's still theoretically safer to delete them right after they are set.

[gorhill]

Declined. There is no API to synchronously delete cookies, all APIs are asynchronous in WebExtensions.

If you are afflicted by such worries, just prevent all cookies from being set in your browser, or block all javascript by default.

[grenzor]

I allow cookies/javascript for regularly visited sites so I can't prevent them in the browser.

I do believe APIs to reject cookies immediately instead of storing of them is being implemented. https://bugzilla.mozilla.org/show_bug.cgi?id=1363860 https://bugzilla.mozilla.org/show_bug.cgi?id=1291841

[gorhill]

These issues have nothing to do with synchronous cookie deletion. If so, point me exactly where it's explicitly said. First link is merely about controlling the global Firefox setting regarding cookie behavior. The second issue is the implementation of browser.contentSettings, which already exists in Chromium. That API is not suitable for uMatrix, it's a declarative API, while in uMatrix decisions are handled on the fly according to matrix ruleset. As said, you will have to look elsewhere if you are not happy with how uMatrix deals with cookies -- simply whitelist all cookies in uMatrix and install whatever extension works for you with regard to cookies.

[grenzor]

Sorry, I wasn't implying them for cookie deletion. I was thinking storing cookies and deleting wouldn't be ideal for an option such as "delete blocked cookies" and rather functionality would change to "reject blocked cookies" or "reject cookies from blacklisted domains".

[gorhill]

"reject cookies from blacklisted domains"

Ok, I will consider the proposal.

A side-effect of rejecting cookies is that uBO won't be able to report specific cookies in the logger, but given that they come from blacklisted sites, that shouldn't be seen as an issue.

[ghost]

Is it possible to make uMatrix work in sync with browser settings?

Example: if all cookies are blocked by default and the user enables them for a particular site (through uMatrix) uMatrix to propagate this setting to the browser settings too (add an exception for current session or permanently, depending on if the the rule is "commited"). And if the rule is removed from uMatrix - to remove the exception.

[gorhill]

After more thoughs, back to declined. This has been already discussed in the past. So again, if you do not like the way uMatrix deals with cookies, whitelist them all and use another extension that meet your expectations to deal with them.

[gorhill]

@t33rex No browser settings match the matrix ruleset.

Frankly, there is no real actual issue, aside people spending too much time to worry. So far is what has never happened with this cookie story: come up with an actual, working proof of concept which shows real, actual harm. And as said, if one obsessively worries about these cookies, just block javascript. It does not make much sense to worry about cookies being deleted immediately before a fraction of second elapse while having no issue to execute javascript from the same site.

[grenzor]

And as said, if one obsessively worries about these cookies, just block javascript. It does not make much sense to worry about cookies being deleted immediately before a fraction of second elapse while having no issue to execute javascript from the same site.

Not sure what you mean. I can block all scripts on Github and it will still set cookies.

I agree that the chance of harm is low with the current way uMatrix does things as blocked cookies aren't sent as headers and they are locally deleted relatively quickly. But IMO if there is a way to reject them immediately that would be better (just as a guarantee nothing can be leaked/hijacked/etc).

[gorhill]

Not sure what you mean. I can block all scripts on Github and it will still set cookies.

Yes, and none of those cookies will ever leave your browser if uMatrix is told to block them. Why do you leave that out in your response above as if not relevant?

If you want your point to move further, provide a working proof of concept of harm -- there is no way around this -- anything else is just repeating what has already been said and to keep spending time on this is a burden at this point.

[grenzor]

I didn't leave it out, I mentioned how uMatrix doesn't send any blocked cookies in headers in the next sentence. I just didn't understand what you meant by suggesting to block JS if someone is worried about cookies since uMatrix won't send blocked cookies even if JS is on or off.

Anyways, I'm ok with what you say about not going forward without a POC so I'll leave it here.