gorhill / uMatrix

uMatrix: Point and click matrix to filter net requests according to source, destination and type
GNU General Public License v3.0

Site can read cookies even though they are blocked #987

Closed ghost closed 6 years ago

ghost commented 6 years ago

Solved: uMatrix does not currently (April 2018) block JS from reading cookies, therefore the cookie block can be easily circumvented.

guakamole commented 6 years ago

+1

I'll add that sites can write cookies even though they are blocked in the matrix. Note that it seems to be related to first-party cookies only (third-party ones are blocked by Firefox anyway, so I can't tell).

Firefox 61.0a1 and uMatrix 1.3.4.

ArchangeGabriel commented 6 years ago

@guakamole Writing cookies is allowed by uMatrix. Read the doc.

theWalkingDuck commented 6 years ago

uMatrix is working properly. Cookies are not leaving your browser at all. The value of the Drop Down menu is not set by the DDG server, it's set by a local script that reads the cookie and changes the value of the Drop Down menu after the page is loaded.

guakamole commented 6 years ago

Thank you for your answers.

I didn't know that cookies are actually allowed to be written. This is quite counter-intuitive. When I block something in the matrix, I would expect it to be... blocked. And if people want to inspect what is going on (as stated in the doc), they are free to temporarily unblock the domain in the matrix.

There is still a problem somewhere anyway: even with the "Delete blocked cookies" option checked, cookies never get deleted. Here are my settings:

[Image: screenshot from 2018-04-05 02-58-17]

By the way, what is up with the 15 min limit? Why can't I set it to 5 or 10 min?

ArchangeGabriel commented 6 years ago

There are currently issues with cookie deletion in some cases, see #878. The minimum interval is set by the browser AFAIK.

Atavic commented 6 years ago

That requirement is most of the time a workaround to bypass adblockers or grab as much data as possible from the visitor's browser. That's why we should block scripts when not needed.

gorhill commented 6 years ago

The idea is if someone is unhappy with the 0-120 seconds gap before cookies are deleted by uMatrix, whitelist cookies in uMatrix and use a specialized extension which does what you want if you can find one.
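The behaviour described in theWalkingDuck's and gorhill's comments, as an added example that is not part of the original thread and not uMatrix source code: a simplified model in which a blocked cookie is withheld from the outgoing request, stays readable by a page script, and is only removed by a later sweep. All names (`CookieJar`, `buildRequestHeaders`, `sweepBlockedCookies`, the host `search.example`) are hypothetical.

```javascript
// Simplified, constructed model of header-level cookie blocking.
// Not uMatrix code; every name below is hypothetical.
class CookieJar {
  constructor() { this.store = new Map(); } // host -> Map(name -> value)
  set(host, name, value) {
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(name, value);
  }
  // What a script on `host` would get back from document.cookie.
  read(host) {
    const cookies = this.store.get(host) || new Map();
    return [...cookies].map(([k, v]) => `${k}=${v}`).join('; ');
  }
  clear(host) { this.store.delete(host); }
}

// Outgoing request: the Cookie header is attached only when the matrix
// cell for this host is not blocked. The jar itself is left untouched.
function buildRequestHeaders(jar, host, isCookieBlocked) {
  const headers = { Host: host };
  const cookie = jar.read(host);
  if (cookie && !isCookieBlocked(host)) headers.Cookie = cookie;
  return headers;
}

// Stand-in for the "Delete blocked cookies" option: runs some time after
// the cookie was written, so scripts can read it during the gap.
function sweepBlockedCookies(jar, isCookieBlocked) {
  const removed = [];
  for (const host of [...jar.store.keys()]) {
    if (isCookieBlocked(host)) { jar.clear(host); removed.push(host); }
  }
  return removed;
}

function demo() {
  const jar = new CookieJar();
  const isCookieBlocked = (host) => host === 'search.example'; // constructed rule
  // A first-party script stores a preference; writing is not prevented.
  jar.set('search.example', 'region', 'fr-fr');
  const headers = buildRequestHeaders(jar, 'search.example', isCookieBlocked);
  const seenByScript = jar.read('search.example'); // local read still works
  const removed = sweepBlockedCookies(jar, isCookieBlocked);
  return {
    sentToServer: headers.Cookie, // undefined: never left the browser
    seenByScript,                 // value a local script could act on
    removed,
    afterSweep: jar.read('search.example'),
  };
}
```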

GeographicCone commented 6 years ago

I've tried finding more ways to block cookies

Cookie-AutoDelete works great for me with uMatrix and uBlock Origin: https://github.com/Cookie-AutoDelete/Cookie-AutoDelete