Open bendover22 opened 6 years ago
Hi, first of all here are some reminders about what Firefox does, what the API allows and what this addon does (hoping to be clear). I will take this opportunity to leave this issue visible or to add the content to the documentation.
For the moment here is what Firefox allows from its preferences:
What Firefox allows from its Webextensions API:
PS: A session cookie identifies a user on a site without storing any personal information on it.
They allow you to be recognized when you move from page to page within one site, and any information you have entered to be remembered. Session cookies are supposed to be used to manage logins, shopping cart, game score, or anything else the server needs to remember.
But like all cookies, they can also be used to analyze user behavior; it is impossible to predict the true role of a cookie. Nevertheless, we can assume that advertising tracking seeks to identify users over the long term and therefore that third-party cookies are used, and that they are not session cookies that are too ephemeral.
Session cookies are supposed to be deleted when the browser is restarted since they don't have an expiration date.
In practice, if you configured Firefox to restore the active tabs during its restart, then the session cookies are retained. They become permanent.
First of all, the purpose of this addon is not to provide a firewall to manage cookies authorizations depending on the sites visited. Doing these things right is a complex subject that goes beyond editing and viewing cookies which is the already complex purpose of this addon, and what I strive to do the best I can. The danger of addons which want to do everything (editing AND blocking) is to do things not as well as an addon dedicated to one of these tasks.
For blocking cookies and other navigation elements (scripts, ajax requests, media, iframe, etc.), I use uMatrix in addition to uBlockOrigin (ad blocking oriented). These 2 addons by the same author work on the principle of matrix firewall. The project is very dynamic (GitHub, AMO) and the community is large enough to guarantee good software quality. I will try to explain how uMatrix seems to meet your needs.
PS: I do not participate in this project, so I have no reason to try to sell it, other than its effectiveness :p
Deny all, then allow according to the sites visited?
Yes uMatrix does this very well with a very fine tuning possibility that Cookie Monster did not have, at the time of Firefox pre-WebExtensions:
- global context management: You authorize a third-party domain systematically on all the sites you visit.
- local context management: You authorize a third-party domain specifically on the current site. The same third-party domain on another site will not be able to create or access any cookies.
Thus, this addon allows you to see which third party cookies have which permissions and to change them.
Cookies protection according to CQM is a functionality which allows to recreate on the fly a cookie that has been deleted by a site or by the user of the addon.
Example: You delete all cookies from the browser: only the protected cookies will still be there afterwards.
PS: In the CQM options you can program this type of selective removal at Firefox startup.
In fact, what really matters is to prevent cookies from leaving the browser instead of preventing them from entering.
This is explained on the GitHub of the uMatrix project and I agree with that (furthermore, uMatrix allows you to remove them from your browser): uMatrix: cookies.
In fact it is better/easier to allow all cookies in Firefox and delegate the responsibility for fine filtering to addons. So if you go in the parameters of uMatrix, just put the following rule, if it is not there:
* * cookie block
That is to block cookies by default on all sites (first party cookies) to all sites (third party cookies). After that, you can start creating a whitelist.
Example:
Cookies on 20minutes.fr by 20minutes.fr are allowed:
20minutes.fr 20minutes.fr cookie allow
Cookies from 20minutes.fr on any site are allowed:
* 20minutes.fr cookie allow
Cookies of third party sites are allowed on 20minutes.fr:
20minutes.fr * cookie allow
Obviously the interface of the addon allows you not to write these rules by hand and to work on a global scale or by domain (which I do).
There is a feature, still hidden to users under Firefox 61: First-Party Isolation.
The firstPartyIsolate preference makes the browser associate all data (including cookies, HSTS data, cached images, and more) for any third party domains with the domain in the address bar. This prevents third party trackers from using directly stored information to identify the user across different websites
I think once this option is enabled in combination with aggressive filtering on uMatrix, you'll be pretty well protected.
Note: The cookies we are talking about here are not the only data that the sites are storing on the computer. LocalStorage and IndexedDB technologies are also problematic because there is no API to manage them in the same way as classic cookies. The advertising agencies and sites quickly understood their usefulness. So they can allow you to refuse cookies but immediately after, they place data in the LocalStorage.
This goes so far as to recreate cookies on the fly that you could delete by conventional ways: Zombie cookies and Evercookies.
First-Party Isolation technology is a good way to stop this. I am also working on a way to view this new data in CQM.
I add that I designed a program to translate the global rules created by the user via the old CookieMonster addon, or via the permissions configuration of the visited sites. These rules are stored in the file 'permissions.sqlite' in the Firefox profile, and my project translates them into uMatrix rules: demo, GitHub.
ysard , Thank you for a detailed reply. I received a full copy in email & I responded, but realized you may / may not see that reply. A good bit you discussed I knew (or thought I did); some of your helpful info either contradicts what some others say, or I'm just confused. The devil's in the details.
I don't know if I want to deal w/ NoScript (NS), uBlockOrigin (uBo) and Matrix - all at once. it's enough dealing w/ just the 1st 2, when visiting tons of new sites each week. If you visit some sites regularly, you can create settings just for them.
Otherwise, it's a pain figuring out which scripts / data sites need to function. Even big sites constantly change their CDNs & other 3rd parties that make certain features or data available. It seems these change constantly.
Question on your comment:
> What Firefox allows from its Webextensions API: Modify exactly the same preferences as above,
And the "as above" preferences that Fx 57+ cookie API allows, was:
> For the moment here is what Firefox allows from its preferences: Accept or reject cookies and site data,
I asked about CQM's ability to deny cookies globally, then allow them - as desired - after a site is loaded. Your helpful discussion has a lot about Matrix, but I didn't understand if you said CQM could block cookies by default.
Maybe the cookie API allowing blocking cookies globally is a very recent change? Otherwise, I don't understand why addons aren't offering what I'm asking about (lots of users want the same features).
Hopefully, BOTH "Temporary" exceptions - deleted when Fx closes, and "Session" exceptions, saved after Fx closes - but session COOKIES are deleted. Some cookie addons call Session cookies "gray cookies," which seems less descriptive to me, but hey.
Hi, Indeed the exchanges of messages can be done only via the interface of GitHub.
> I don't know if I want to deal w/ NoScript (NS), uBlockOrigin (uBo) and Matrix - all at once.
Today NoScript may be less useful than before uMatrix and uBlockOrigin but it remains an excellent addon. In general, all these addons use automatically updated lists that handle the blocking of most elements very well without hindering navigation.
Confidentiality has a price that anyway will increase in the future. However an appreciable unexpected reward is the speed of loading of the pages without the useless contents. This is obvious on the news sites.
> I did not understand if you said CQM could block cookies by default.
CQM is neither a cookie blocker, nor a firewall blocking multiple requests and tracking attempts based on the use of cookies.
> Why I'm confused: OTHERS have said - many times since Fx 57, that Fx's Cookie API (copied from Google) does not allow web-ext addons to block all cookies by default.
When I say that the API allows to allow or block cookies, it is because it allows to encode a button in an addon that will have exactly the same role as if you configured Firefox preferences: doc: change cookie settings. This type of blocking (feasible via CookieMonster before WebExtensions): allow or block websites from storing information is not accessible today via the WebExtensions APIs.
Fine adjustments are therefore excluded from the API and fall under matrix firewall addons like uMatrix, which in my opinion meets this type of needs.
About a convenient, fast way to allow creating cookie exceptions for the currently loaded site w/ a mouse click.
Yes, matrix firewalls operate in 2 contexts: global or local, with 2 types of duration: temporary or permanent. On uMatrix you can persist your temporary settings via a small padlock. The changes will be there at restart.
> session COOKIES are deleted. Some cookies addons call Session cookies "gray cookies,"
Yes session cookies are temporary but you can just edit them by setting an expiration date, so that they become normal cookies. Maybe I should allow this type of automatic conversion in my addon....
I hope I answered your questions.
Regards.
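The edit described above (giving a session cookie an expiration date so that it becomes a normal cookie) and its reverse, written against the WebExtensions `cookies` API. This is an added example, not code from Cookie Quick Manager; the sample cookie and the helper names `cookieUrl`, `rewriteDetails`, `makePersistent` and `makeSession` are assumptions. On the WebExtensions `Cookie` object the session flag is the `session` property.

```javascript
// Added example: rewrite an existing cookie as persistent or as a session
// cookie with browser.cookies.set(). Helper names are hypothetical.

// Constructed sample, shaped like a cookies.Cookie object.
const SAMPLE_COOKIE = {
  name: "sid", value: "abc123", domain: "example.org", hostOnly: true,
  path: "/", secure: true, httpOnly: true, sameSite: "lax",
  session: true, storeId: "firefox-default", firstPartyDomain: "",
};

// cookies.set() requires a URL; rebuild it from the stored fields.
function cookieUrl(cookie) {
  const host = cookie.domain.replace(/^\./, "");
  return (cookie.secure ? "https://" : "http://") + host + cookie.path;
}

// expirationDate: seconds since the epoch, or null for a session cookie.
function rewriteDetails(cookie, expirationDate) {
  const details = {
    url: cookieUrl(cookie),
    name: cookie.name,
    value: cookie.value,
    path: cookie.path,
    secure: cookie.secure,
    httpOnly: cookie.httpOnly,
    sameSite: cookie.sameSite,
    storeId: cookie.storeId,
  };
  // A host-only cookie must be set without "domain"; passing it would
  // widen the cookie to every subdomain.
  if (!cookie.hostOnly) details.domain = cookie.domain;
  // Required when First-Party Isolation is enabled.
  if (cookie.firstPartyDomain !== undefined) {
    details.firstPartyDomain = cookie.firstPartyDomain;
  }
  // Omitting expirationDate is what makes the result a session cookie.
  if (expirationDate !== null) details.expirationDate = expirationDate;
  return details;
}

// Same name, domain and path: set() overwrites the stored cookie.
async function makePersistent(cookie, days) {
  const expires = Math.floor(Date.now() / 1000) + days * 86400;
  return browser.cookies.set(rewriteDetails(cookie, expires));
}

async function makeSession(cookie) {
  return browser.cookies.set(rewriteDetails(cookie, null));
}
```

The extension needs the `cookies` permission plus host permissions for the cookie's site before `browser.cookies.set()` succeeds.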
Here's one of the best examples I can think of for Mozilla allowing "temporary" cookies, only for that session and doesn't store a "session exception." If I want to play something on youtube, I have to allow some google related scripts (unless stream vids in a local player). If I want to read youtube comments, I have to allow "google.com" cookies, AFAIK.
I don't want that exception saved as a session exception, because Google is on most sites, except countries that ban them. I don't want Google setting cookies on every site I visit (even session). It's NOT just Google - they're one example. There are dozens if not hundreds of trackers like Google, just not as big & their numbers are growing constantly.
The Fx pref, firstPartyIsolate, supposedly stops trackers from correlating 3rd PARTY cookies between sites, but I've never allowed 3rd party cookies & lots of others don't either.
I appreciate the detailed info about uMatrix. I'll have to install uMatrix in a clean profile, look at options & play w/ settings. At least uMatrix, uBlocko, NoScript have wikis & help pages. As with most software, their Guides or wikis don't tell you lots of things.
uMatrix isn't as simple as it sounds. It does say, "For Advanced Users." Typical users won't get it or NoScript or even quite a bit of uBlocko. I don't have enough experience with uMatrix to be certain, but I'd probably use either uMatrix or NoScript with uBlocko, but not all 3.
I get it that for CQM, you don't want to add functions to block or allow cookies.
> When I say that the API allows to allow or block cookies, it is because it allows to encode a button in an addon that will have exactly the same role as if you configured Firefox preferences
I thought that's what I asked, in general - not just about CQM. Maybe not.
But I'm confused by your comment (disregarding CQM's current or future abilities) about the Firefox web ext. cookie API. Maybe I misread your comment:
> For the moment here is what Firefox allows from its preferences:
> - **Accept or reject cookies and** site data
> - Keep accepted cookies until they expire or until Firefox closes
> - If cookies are globally accepted: Accept/Reject third-party cookies or accept them only if at least one cookie exists on the domain visited voluntarily by the user.
>
> What Firefox allows from its Webextensions API:
> - **Modify exactly the same preferences as above**,
> - The conversion of ALL cookies into session cookies.
I understand (now) that you don't want to add these functions to CQM. What I'm asking is, doesn't your statement say that the Fx WEB EXT cookie API will allow Web Ext devs to incorporate Accept or Reject cookies into their addon, IF they chose to do so (not whether YOU want to do so in CQM)?
Firefox 57+ cookie preferences also still allow users to set & save permanent & session cookies, on a PER SITE basis.
Does the current Fx web ext cookie API also allow a dev of a web ext cookie addon to control setting session or permanent cookie exceptions, the same as the web ext cookie API allows Accepting or Rejecting cookies?
Is there any Fx web ext addon or a reasonably quick way to create temporary cookies or "turn other cookie types" into temporary ones?
Temporary cookies, that enable certain sites to function, but I don't expect to visit the site again, or if I DO visit again, I don't necessarily want to allow session cookies, is a very useful tool. Storing even session cookie exceptions for sites I'll never visit again, -OR- having to search the session cookies or the exceptions - to delete certain ones, is a waste of time.
Hi, firstly I am sorry for the response time because I have had little time for the past 2 months.
> At least uMatrix, uBlocko, NoScript have wikis & help pages. As with most software, their Guides or wikis don't tell you lots of things.
Writing usage documentation is always a tedious thing because we focus more on the features than on how to use them (which seems innate given the many hours of development). With CQM I try to document all the features via tooltips. This may not be enough, and I'll be happy to know which points are unclear in order to detail them in a wiki or something like that.
> uMatrix isn't as simple as it sounds. It does say, "For Advanced Users." Typical users won't get it or NoScript or even quite a bit of uBlocko.
I agree and that's a problem. Only users sensitive to privacy issues will try to use these tools and among them a fraction will make the effort to understand what it is when the tool offers the detailed blocking (so effective) of cookies, CSS, images, media, scripts, XHR, iframes, etc.
Each of these categories can introduce a tracking technique, which is why, most of the time it is good to block at least everything that comes from other sites than the one consulted.
I have been on Linux for many years; the parallel is easy because it is quickly realized that the (apparent) complexity is the only way to really master a tool (the Web in this case, which is not the least common tool of our daily life). Black boxes that are easy to access do not allow this.
> > When I say that the API allows to allow or block cookies, it is because it allows to encode a button in an addon that will have exactly the same role as if you configured Firefox preferences
>
> I thought that's what I asked, in general - not just about CQM. Maybe not.
I can add this button but it's out of the subject of this addon and redundant with the button accessible from the browser preferences.
> What I'm asking is, doesn't your statement say that the Fx WEB EXT cookie API will allow Web Ext devs to incorporate Accept or Reject cookies into their addon, IF they chose to do so (not whether YOU want to do so in CQM)?
For the moment there is no API for this, dedicated to the cookies which is able to decide on a case by case basis, as it was the case before FF Quantum where we could programmatically modify these parameters which remain accessible from the menu "Information on the page" (Ctrl + I):
However, all addon ad blockers use the webRequest API: https://developer.mozilla.org/fr/docs/Mozilla/Add-ons/WebExtensions/API/webRequest
This is more powerful and allows to manage more precisely what comes in and out of the browser (including cookies).
> Does the current Fx web ext cookie API also allow a dev of a web ext cookie addon to control setting session or permanent cookie exceptions
>
> Is there any Fx web ext addon or a reasonably quick way to create temporary cookies or "turn other cookie types" into temporary ones?
By using the cookie API, my addon allows you to modify the status of a cookie on a case by case basis. By modifying the "isSession" flag you can specify an expiration date or delete it. I agree that the interface is not only designed for this, and does not try to minimize the time it takes to make this change frequently and massively.
Should I think about this type of feature? In this case it is necessary to redo an interface more oriented towards that. Why not. The problem is time. Not the laziness as one can sometimes read it from people who are not tactful, since like many other developers I do not count anymore weeks spent for almost a year on this project :D
> Storing even session cookie exceptions for sites I'll never visit again, -OR- having to search the session cookies or the exceptions - to delete certain ones, is a waste of time.
In the following release CQM could protect session cookies in one click in the whole store or just those of a domain.
Ps: yes uMatrix allows you to work at the domain level and not at the level of cookies in each domain.
I can think of an option to systematically convert my protected cookies into session cookies. Is it done elsewhere? I'm afraid it's beyond the scope of this addon.
Once more, sorry for the big block of text...
Regards.
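The two ideas from this thread combined: a default-deny cookie rule list in the `source destination cookie action` form quoted earlier, enforced with the webRequest API by removing the outgoing `Cookie` header. This is an added example, not uMatrix's or Cookie Quick Manager's code; the function names and the precedence used (most specific destination, then most specific source) are assumptions of this example.

```javascript
// Added example: simplified rule matcher plus a webRequest listener.
// Rules reuse the "source destination cookie action" lines from the thread.
const RULES = `
* * cookie block
20minutes.fr 20minutes.fr cookie allow
`;

function parseRules(text) {
  return text.split("\n").map((line) => line.trim().split(/\s+/))
    .filter((f) => f.length === 4 && f[2] === "cookie")
    .map(([src, dst, , action]) => ({ src, dst, allow: action === "allow" }));
}

// A pattern covers a hostname when it is "*", the hostname itself,
// or one of its parent domains.
function covers(pattern, host) {
  return pattern === "*" || host === pattern || host.endsWith("." + pattern);
}

// Assumed precedence: most specific destination first, then most specific
// source. With no matching rule at all, cookies are blocked.
function cookieAllowed(rules, srcHost, dstHost) {
  const rank = (p) => (p === "*" ? 0 : p.length);
  const hits = rules.filter((r) => covers(r.src, srcHost) && covers(r.dst, dstHost));
  hits.sort((a, b) => rank(b.dst) - rank(a.dst) || rank(b.src) - rank(a.src));
  return hits.length > 0 && hits[0].allow;
}

// Remove the Cookie request header unless (page, destination) is allowed.
function filterRequestHeaders(rules, details) {
  const dst = new URL(details.url).hostname;
  // documentUrl is absent on top-level navigations: the page is the destination.
  const src = new URL(details.documentUrl || details.url).hostname;
  if (cookieAllowed(rules, src, dst)) return {};
  return {
    requestHeaders: details.requestHeaders.filter(
      (h) => h.name.toLowerCase() !== "cookie"
    ),
  };
}

// Inside an extension (permissions: webRequest, webRequestBlocking, <all_urls>).
if (typeof browser !== "undefined" && browser.webRequest) {
  const rules = parseRules(RULES);
  browser.webRequest.onBeforeSendHeaders.addListener(
    (details) => filterRequestHeaders(rules, details),
    { urls: ["<all_urls>"] },
    ["blocking", "requestHeaders"]
  );
}
```

Only the outgoing header is removed, so cookies already in the jar stay there; this is the "prevent cookies from leaving the browser" approach from the first reply, and deleting stored cookies remains a separate step.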
Hello ysard,
first of all let me say, do you know user bendover22? If not, wow, you spend so much time to help your anonymous fellow/peer? That's really cool of you!
Regarding the issue, I think what would solve bendover22's request would be the option to delete the cookies for the current site (except the protected ones of course) upon leaving or revisiting the page. Because if you delete them before they can be read again cookies serve no purpose, right? And since protected cookies cannot be overwritten either it shouldn't matter at all that Firefox doesn't actually allow not saving cookies for a page (while still being able to read the ones you have saved as protected cookies).
So if that's correct the only question is whether someone wants to do it and you'd accept a merge request. That person could possibly copy code from other extensions that already do that (if licenses are compatible) or look up how it's done.
If not, people can always use an extension that deletes cookies like https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/ , an extension that does that and is recommended by Mozilla.
Anyway, I'm already using your extension happily, that protected cookies feature is so useful to me! Thank you for being so helpful and for your contribution to software freedom!
Hello, Does cookie-quick-manager now have (or could have) the ability to deny all cookies by default, if user chooses? Then whitelist or graylist sites as they choose?
The cookie API & cookie-quick-manager have the ability to block all 3rd party cookies, yes? Then I don't see why 1st party shouldn't be allowed to block globally - other than an incomplete API.
I've read some discussion about the possibility of deleting cookies immediately after they're set, unless the user chooses not to. Is that a possibility?
Firefox57+ allows denying cookies globally. Why (other than Mozilla is....) can users deny cookies globally from the Fx UI, but webext cookie mgrs don't seem able to deny cookies globally and only allow sites that users want to set cookies?
Webext addons wouldn't be "changing Firefox internal function," when the function is already allowed for users. Is their cookie or other APIs so incomplete, they don't allow the same basic functions as the Fx UI?
I don't want to allow cookies on every site and have to wait until the tab is closed to delete the cookies. Sometimes I forget to close tabs when I'm finished with a site. On some sites, I really don't want to allow cookies at all.
Thanks.