craigmiskell / cookiemaster
Cookie-managing web-extension for firefox
License: Other
any website that has a Content-Security-Policy header not whitelisting unsafe-eval would block the execution of the eval code
Since around December possibly longer, opening videos on youtube.com in a new/background tab would render only the video player, but not other elements (comments, recommendations). Force reloading the tab would make it render complete page.
Opening the main/index page of youtube was worse, since there is no video player, nothing would load.
Opening links in the current tab however would make them load instantly and in their entirety.
Firefox: 85.0.2
Cookiemaster: 1.2.0
Screenshot shows how it looks like, and a cookiemaster debug log generated when opening one such new/background tab. I couldn't attach it to this issue for some reason, had to use imgur: https://i.imgur.com/Cw4gtOB.jpg
Some websites are asking to re-login/sign-in again upon returning, after having already set the websites to ticked/green, & cookie settings were already previously set.
e.g.'s:
https://7plus.com.au/live-tv
https://www.9now.com.au/live/channel-9
[Waterfox G4.1.5 (64-bit)]
Here is a quick suggestion for how the Cookiemaster button's visual status should look.
Want something changed? Otherwise I can post all the .png files (or GIMP .xcf if you prefer).
Image that illustrate my suggestion has been uploaded to ImgBB =
https://i.ibb.co/tbfC2H2/Show-ready.png
I used GIMP 2.10.12 for this =
Icon Size = 96x96px
Dot (selection) = 41x41px
Dot Bottom-Left (FROM BORDER) = B1px,L0px
Dot Bottom-Right (FROM BORDER) = B1px,R1px
Dot Border = paintbrush size 5, hardness 70, color black
Red (HTML) = a00505
Green (HTML) = 0a7e05
Blue (HTML) = 0521bd
Black (HTML) = 000000
White (HTML) = d8d8d8
Visiting https://duckduckgo.com/settings and attempting to change the language while cookies are blocked for that domain causes the page to reload and no language preferences to be saved.
Nice work, except for one detail -- it doesn't support the "allow for session" setting and that's the whole reason I want this: have the default Firefox setting at "allow for session" and change to "allow" or "block" for some specific domains.
Any chance you could implement that?
@craigmiskell
I haven't been home for a while, so I just notice it today.
When I do this with cookiemaster 1.1.4, the permission indicator disappears for the site =
When this happens, I tried these steps and it didn't fix it =
See screenshot for how it is with one of these sites=
https://i.ibb.co/kKwThPz/cookie-Error01.jpg
Hi,
It would be a good idea to allow user to backup its "Sites allowed to set cookies" list, especially since you can't copy/paste the list !
Or allow copying/pasting the said list.
Thank you very much for CookieMaster !
I got this idea when I read your comment = #9 (comment)
I think that some users will get confused and also think it's a bug, so I suggest that when a site has no cookies, the icon should turn gray with a tooltip that says (for Cookiemaster button when there is no color dot) =
"No cookies (Either the site has none OR blocked by a addon e.g. NoScript)"
Or at least add the tooltip
Now with FF 86.0, you might need to update cookiemaster =
https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
The eval that cookie-master uses to insert code to capture cookies set by javascript (since 1.1.0) is blocked by quite reasonable CSP, e.g. twitter.com
There are other ways to inject code from a content script, but it's not clear that they will be any more successful, and they may come with other limitations around ordering/risk of code running on the page before the capture is in place.
This could be hard to detect, and it might be necessary to re-add noticing cookies being set via events as a backstop, and just not present that in the UI (because the code that used to do that was awful and unreliable, and I'm glad it's gone).
Here is parts of log :
25/09/2023 11:34:59 | INFO | 1545: Blocking first party cookie in header for .fnac.com
25/09/2023 11:34:59 | INFO | 1545: Setting allOK to false because https://secure.fnac.com/ was not allowed (x 3)
25/09/2023 11:34:59 | INFO | Allowing cookie-change cookie for .fnac.com in catch-all event
25/09/2023 11:34:59 | INFO | Javascript cookie allowed on https://secure.fnac.com/identity/server/gateway/signin-signup
25/09/2023 11:33:48 | INFO | 1497: Blocking first party cookie in header for .fnac.com
25/09/2023 11:33:48 | INFO | 1497: Setting allOK to false because https://secure.fnac.com/ was not allowed (x 3)
25/09/2023 11:33:48 | INFO | Allowing cookie-change cookie for .fnac.com in catch-all event
25/09/2023 11:33:48 | INFO | Javascript cookie allowed on https://secure.fnac.com/identity/server/gateway/signin-signup
All this is in the list, even if the first one should be enough :
*.fnac.com
.fnac.com
fnac.com
secure.fnac.com
I had to disable the extension in order to log in, then re-enable it.
The addon complains about the "block all cookies" setting of Firefox.
Does the FF addon api not allow you to manage the cookie whitelist of firefox directly so you can block all and whitelist only the websites that need cookies to work?
From #15 (comment)
"There is also a bug if cookies are enabled with your addon on DuckDuckGo: once we enable the language change, we cannot disable it."
Hi,
I'm pretty satisfied with cookiemaster as it is the most useful and reliable cookie manager I have found.
However, I think it would be great if it could also manage local storage, which is used by some websites as an alternative to cookies.
Regards,
Miocastoor
First of all, love the extension. It seems to work great.
Other addons that block or add things present a number over the icon to show how many things blocked, for instance. Could we get this for cookiemaster?
Just tested the latest update!
I discovered a bug. If NoScript blocks a individual website JavaScripts,
then Cookiemaster can't show visual status on that site.
When I enable the individual website JavaScripts, then the visual status works.
If I disable JavaScripts again, visual status stop working.
Seems to apply to all sites where NoScript blocks JavaScripts.
08/08/2023, 4:53:30 pm | INFO | 2461: Blocking first party cookie in header for login.my.gov.au
08/08/2023, 4:53:30 pm | INFO | 2461: Setting allOK to false because .my.gov.au. was not allowed
08/08/2023, 4:53:30 pm | INFO | 2461: Blocking first party cookie in header for login.my.gov.au
08/08/2023, 4:53:30 pm | INFO | 2461: Setting allOK to false because .my.gov.au. was not allowed
The following relevant entries are in the whitelist:
.my.gov.au
my.gov.au
login.my.gov.au
https://login.my.gov.au
CookieMaster Version 1.2.1
Firefox 115.0.3 (64-bit)
Hi
Since FF68.4.1 Linux Debian, I am not able to set/unset a cookie with Javascript when the extension is activated. When I disable it, it works well, even in strict mode.
Steps to reproduce : Use the code :
<script>
console.log ("Before", document.cookie);
document.cookie = "AdminCookie=on;expires=Sat, 08 Feb 2020 09:33:57 GMT;path=/"
console.log ("In", document.cookie);
document.cookie = "AdminCookie=;expires=Thu, 21 Aug 2014 20:00:00 UTC;path=/"
console.log ("After", document.cookie);
</script>
In console, without extension :
Before
In AdminCookie=on
After
in console, with extension, even if the site is allowed in list :
Before
In
After
Do you have an idea how to set the cookie ?
Thanks
While blocking cookies with this addon, the navigator.cookieEnabled property will still return true so a website will think cookies are enabled.
Switching language on a search engine like DuckDuckGo should work with cookies disabled since they have a fallback solution but it fails because the website tries to use cookies if they are enabled.
Example: https://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_nav_cookieenabled
To avoid this problem, we have to disable a website's cookies through the web browser settings directly but it is less convenient than using a browser addon since it needs more clicks.
I heard it is not possible to solve this problem through an addon unless contentSettings web extension API is supported by Firefox but maybe there is a workaround like you did to block read / write access to cookies through JavaScript? Overriding the JavaScript variable for example.
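What overriding that property could look like, as an added example that is not Cookiemaster's code: the `cookieEnabled` getter is replaced so it reports `false` while a block decision applies. `maskCookieEnabled`, `FakeNavigator` and `demo` are hypothetical names, and in a browser the function is assumed to run in the page's own JavaScript context.

```javascript
// Added example: make navigator.cookieEnabled agree with a block decision.
// All names here are hypothetical; this is not Cookiemaster's code.

function maskCookieEnabled(nav, isBlocked) {
  // cookieEnabled is an accessor that lives on a prototype, so walk the
  // chain to the object that actually owns it.
  let owner = nav;
  while (owner && !Object.getOwnPropertyDescriptor(owner, "cookieEnabled")) {
    owner = Object.getPrototypeOf(owner);
  }
  if (!owner) throw new TypeError("cookieEnabled not found");
  const original = Object.getOwnPropertyDescriptor(owner, "cookieEnabled");
  if (!original.configurable) {
    throw new TypeError("cookieEnabled is not configurable");
  }
  const readOriginal = original.get
    ? function () { return original.get.call(this); }
    : () => original.value;
  Object.defineProperty(owner, "cookieEnabled", {
    configurable: true,
    enumerable: original.enumerable,
    // Report false only while blocked; otherwise defer to the browser.
    get() { return isBlocked() ? false : readOriginal.call(this); },
  });
  // Undo hook that puts the original descriptor back.
  return () => Object.defineProperty(owner, "cookieEnabled", original);
}

// Constructed stand-in for the browser's Navigator so this runs in Node.
class FakeNavigator {
  get cookieEnabled() { return true; }
}

function demo() {
  const nav = new FakeNavigator();
  let blocked = true;
  const restore = maskCookieEnabled(nav, () => blocked);
  const whileBlocked = nav.cookieEnabled;
  blocked = false; // e.g. the user allows the site
  const whileAllowed = nav.cookieEnabled;
  restore();
  return { whileBlocked, whileAllowed, afterRestore: nav.cookieEnabled };
}
```

A site can still probe for cookies by writing one and reading it back, so this only helps sites that consult the property before choosing a fallback.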
Remember that "Ask" cookie option that was long time ago in Firefox, until approx version 50'ish? And which Mozilla, along with other Firefox forks like Pale Moon, has blatantly decided that "it didn't make sense anymore" and hence has removed it?
I enjoyed that option A LOT. It fitted my way of working and visiting web sites perfectly.
It worked like this: the very first time when you visited a domain, it would show a little pop-up dialog with 3 (three) options: (1) Allow, (2) Allow for session, or (3) Deny. And a checkbox would also control whether or not you want your choice/decision to apply for any sub-domain as well. Plus a button to see domain/cookie details.
Here's a screen shot of that little pop-up dialog, taken from a version of Pale Moon which is slightly older but I am purposely keeping because it's the last version still having this neat feature:
Obviously not all users may like this approach, so it should be made a configurable option.
Also, having such dialog popping up is not as intrusive as many might think. Because it shows up only for the first visit of any unique domain, and it's also a good way to remind me that I am visiting such site for the very first time.
I have been using this extension for about a month and find that it works well. I have also followed your excellent explanation of how it operates. However I am confused over the handling of some sub-domains that seem to be regarded as "third-party", but NOT identified as being in an iframe.
This happens on several sites, but my examples are for American Express. Note, I log in using the UK site - https://www.americanexpress.com/en-gb/account/login - the cookies may be different for other countries.
The first 2 images show the situation for the default "Block All by Policy", before and after the main cookie is set as approved.
I then set the third-party rule to "Allow only if explicitly permitted" and the 2 "Blocked" images show the situation before and after the main cookie is set as approved.
So, my query is why are these sub-domains being regarded as third-party?
Additionally I am confused regarding the .americanexpress.com cookie. I have seen similar occurrences for other sites - cookies showing both with and without the leading period ( . ). What does this mean? Is this just another sub-domain?
As text says, nothing goes here
Hi,
Thanks for your project.
I wonder what you think about the many other ways to store user unique information on his browser like : local storage, indexdb, etc...
Is this also a problem as Javascript allows to get back and share information across domains?
On clicking on the i menu beside the URL I see below 'Cookie' -> 'Cookie and site Data' a few more cookies and for ebay I had to enable some of them. I could not do this with cookiemaster as those had not been shown there
Given that I previously enabled cookies for domain and/or subdomain, and later on I wish to disable cookies for that domain and/or subdomain (let's say because I wanted cookies enabled only for a while), all the existing cookies should be automatically removed when I switch from on to OFF.
Currently this feature does not exist. And whenever I changed my mind and wish to deny cookie access to a given domain / subdomain, by flipping the switch(es) from on to OFF, any cookie that got persisted, will still remain after switching to OFF, and that forces me to go thru Firefox => Options => Security and Privacy => Cookies => Manage Data, type in the domain, and the click "Delete". Doing such sequence of actions is too tedious.
Is this functionality possible on Chrome? There is nothing like this for Chrome. It likely is not but I had to ask.
Make easier to find blocked cookies into logs, either by a font/background color or using 'BLOCKED' instead of 'INFO' level keyword.
Thanks :)
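Until the log marks blocked entries itself, an exported debug log can be triaged outside the extension. The following is an added example, not Cookiemaster's code: it parses the log line format quoted in the issues on this page and reports blocked cookie domains and the exact strings logged as not allowed. The function names are hypothetical, the sample lines are constructed from those quoted here, and the meaning of the numeric prefix is not stated on the page.

```javascript
// Added example: triage of an exported Cookiemaster debug log.
// Only the message forms quoted in the issues on this page are recognised.

// Constructed sample, in the two timestamp styles that appear on this page.
const SAMPLE_LOG = [
  "25/09/2023 11:34:59 | INFO | 1545: Blocking first party cookie in header for .fnac.com |",
  "25/09/2023 11:34:59 | INFO | 1545: Setting allOK to false because https://secure.fnac.com/ was not allowed (x 3) |",
  "25/09/2023 11:34:59 | INFO | Allowing cookie-change cookie for .fnac.com in catch-all event |",
  "08/08/2023, 4:53:30 pm | INFO | 2461: Blocking first party cookie in header for login.my.gov.au",
  "08/08/2023, 4:53:30 pm | INFO | 2461: Blocking first party cookie in header for login.my.gov.au",
  "08/08/2023, 4:53:30 pm | INFO | 2461: Setting allOK to false because .my.gov.au. was not allowed",
].join("\n");

// Split "time | level | [id: ]message[ (x N)][ |]" into fields, or null.
function parseLine(line) {
  const cols = line.split("|").map((c) => c.trim());
  if (cols.length < 3 || cols[2] === "") return null;
  const m = /^(?:(\d+): )?(.*?)(?: \(x (\d+)\))?$/.exec(cols[2]);
  return {
    time: cols[0],
    level: cols[1],
    id: m[1] ?? null,            // numeric prefix; meaning not stated on the page
    message: m[2],
    repeat: Number(m[3] ?? 1),   // "(x N)" suffix, 1 when absent
  };
}

function summarizeBlocked(logText) {
  const blocked = {};            // cookie domain -> number of blocked cookies
  const notAllowed = new Set();  // exact strings logged as "not allowed"
  for (const line of logText.split(/\r?\n/)) {
    const entry = parseLine(line);
    if (!entry) continue;
    const b = /^Blocking .*cookie in header for (\S+)$/.exec(entry.message);
    if (b) blocked[b[1]] = (blocked[b[1]] ?? 0) + entry.repeat;
    const n = /because (\S+) was not allowed$/.exec(entry.message);
    if (n) notAllowed.add(n[1]);
  }
  return { blocked, notAllowed: [...notAllowed] };
}
```

The `notAllowed` strings are the values to compare character by character against the entries in the allow list when a listed site is still being blocked.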