semenko / chrome-limit-cookie-lifetime

Persistent cookies are annoying. This Chrome extension limits cookie lifetime to a user-adjustable value.
https://chrome.google.com/webstore/detail/limit-cookie-lifetime/pplilgolafepgkdmocfpgblngcpdlopm
MIT License

Request: add whitelist option for trusted websites #2

Open opwvhk opened 7 years ago

opwvhk commented 7 years ago

Limiting the lifetime of most cookies is a great boon, especially for laptops: a sleeping browser essentially has an unlimited session cookie lifetime. This extension makes short work of that 😄

However, there are a few cases where this is actually a hindrance: I have accounts for several work applications, where it's a hassle to start the day by logging in to every. single. one. of. them.

Proposed solution: a whitelist where I can apply a different (or no) limit.

mikkorantalainen commented 3 months ago

Maybe just have a single multiline textbox on the options page and never delete cookies of the whitelisted hosts, one host per line?

As an alternative, allow one regex per line which is matched against the cookie host and if matched, the cookie is kept regardless of lifetime. Or support both: whitelisted value "google.com" on a single line would keep your Google sessions alive but if you start the line with a slash (/) it would be considered a regex and the line must end with another slash + maybe flags. That way I could have config such as

/[a-z]+\d+[.]nordea[.]fi/i

for my bank using multiple domain names for online banking. And implementing this in the extension would only need to detect if the line starts with a slash or not and then match against plain string or feed the regex to new RegExp(...). (You need to remove the slashes and feed the flags as second argument to the constructor but that should be doable with a single regex match.)

I think doing matching this way would be easier than trying to support syntax such as "*.google.com".

This would allow me to have maybe 10 regexes and set cookie lifetime to a couple of hours or 24h max.

Yet another option would be to have just a single line regex input and another field for regex flags and simply pass those to new RegExp() and match it against the host of a cookie before deleting the cookie. Since you can write a very complex regexp to match all the domains you want with a single regex, this would be enough to handle all the whitelisting you'd ever need. You wouldn't even need any kind of syntax checking for those two fields because self-XSS is the only possible vulnerability here. You could try matching the user-inputted fields against string "google.com" to see if the syntax is correct enough to not raise an exception before saving the fields.
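
The line format proposed in the comment above (a plain host, or /pattern/flags), as an added example that is not part of the thread or of the extension's code. All function names are hypothetical; letting a plain host also cover its subdomains and stripping the leading dot from the cookie domain are assumptions.

```javascript
// Added example; every name below is hypothetical, not from the extension.
// Constructed sample of the options-page textbox, one entry per line.
const SAMPLE = String.raw`google.com
/[a-z]+\d+[.]nordea[.]fi/i

/(unclosed/i`;

// Build a host matcher from one line; null for a blank line.
// Throws SyntaxError on a malformed regex line so saving can be refused.
function parseWhitelistLine(line) {
  const text = line.trim();
  if (text === "") return null;
  if (text.startsWith("/")) {
    const m = /^\/(.+)\/([a-z]*)$/.exec(text);
    if (!m) throw new SyntaxError("expected /pattern/flags: " + text);
    // Drop g and y: they make test() stateful through lastIndex.
    const re = new RegExp(m[1], m[2].replace(/[gy]/g, ""));
    return (host) => re.test(host);
  }
  // Assumption: a plain entry covers the host and its subdomains,
  // compared at a label boundary so "notgoogle.com" does not match.
  const wanted = text.toLowerCase().replace(/^\./, "");
  return (host) => host === wanted || host.endsWith("." + wanted);
}

// Parse the whole textbox, collecting bad lines instead of failing on the first.
function parseWhitelist(text) {
  const matchers = [];
  const errors = [];
  text.split(/\r?\n/).forEach((line, i) => {
    try {
      const matcher = parseWhitelistLine(line);
      if (matcher) matchers.push(matcher);
    } catch (e) {
      errors.push({ line: i + 1, message: e.message });
    }
  });
  return { matchers, errors };
}

// Cookie domains may carry a leading dot (".google.com"); strip it first.
function isWhitelisted(cookieDomain, matchers) {
  const host = cookieDomain.toLowerCase().replace(/^\./, "");
  return matchers.some((m) => m(host));
}
```

The regex from the thread is unanchored, so it also matches a host such as netbank1.nordea.fi.example.test; writing it as /^[a-z]+\d+[.]nordea[.]fi$/i restricts it to the intended names.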