craigmiskell / cookiemaster Goto Github PK

any website that has a Content-Security-Policy header not whitelisting unsafe-eval would block the execution of the eval code

Since around December possibly longer, opening videos on youtube.com in a new/background tab would render only the video player, but not other elements (comments, recommendations). Force reloading the tab would make it render complete page.

Opening the main/index page of youtube was worse, since there is no video player, nothing would load.

Opening links in the current tab however would make them load instantly and in their entirety.

Firefox: 85.0.2
Cookiemaster: 1.2.0

Screenshot shows how it looks like, and a cookiemaster debug log generated when opening one such new/background tab. I couldn't attach it to this issue for some reason, had to use imgur: https://i.imgur.com/Cw4gtOB.jpg

Some websites are asking to re-login/sign-in again upon returning, after having already set the websites to ticked/green, & cookie settings were already previously set.

e.g.'s:

https://7plus.com.au/live-tv
https://www.9now.com.au/live/channel-9

[Waterfox G4.1.5 (64-bit)]

Here is a quick suggestion for how the Cookiemaster button's visual status should look.

Want something changed? Otherwise I can post all the .png files (or GIMP .xcf if you prefer).

Image that illustrate my suggestion has been uploaded to ImgBB =
https://i.ibb.co/tbfC2H2/Show-ready.png

I used GIMP 2.10.12 for this =

Icon Size = 96x96px
Dot (selection) = 41x41px
Dot Bottom-Left (FROM BORDER) = B1px,L0px
Dot Bottom-Right (FROM BORDER) = B1px,R1px
Dot Border = paintbrush size 5, hardness 70, color black
Red (HTML) = a00505
Green (HTML) = 0a7e05
Blue (HTML) = 0521bd
Black (HTML) = 000000
White (HTML) = d8d8d8

VIsiting https://duckduckgo.com/settings and attempting to change the language while cookies are blocked for that domain causes the page to reload and no language preferences to be saved.

Nice work, except for one detail -- it doesn't support the "allow for session" setting and that's the whole reason I want this: have the default Firefox setting at "allow for session" and change to "allow" or "block" for some specific domains.
Any chance you could implement that?

@craigmiskell
I haven't been home for a while, so I just notice it today.

When I do this with cookiemaster 1.1.4, the permission indicator disappears for the site =

1. Allow first party cookies a site.
2. Disable first party cookies a site.

When this happens, I tried these steps and it didn't fix it =

1. Refresh
2. Close tab->Open new tab->Go to site again->Refresh
3. Restart Firefox->Refresh the site

See screenshot for how it is with one of these sites=
https://i.ibb.co/kKwThPz/cookie-Error01.jpg

Hi,

It would be a good idea to allow user to backup its "Sites allowed to set cookies" list, especially since you can't copy/paste the list !
Or allow copying/pasting the said list.

Thank you very much for CookieMaster !

I got this idea when I read your comment = #9 (comment)

I think that some users will get confused and also think it's a bug, so I suggest that when a site has no cookies, the icon should turn gray with a tooltip that says (for Cookiemaster button when there is no color dot) =

"No cookies (Either the site has none OR blocked by a addon e.g. NoScript)"

Or atleast add the tooltip 😄

Now with FF 86.0, you might need to update cookiemaster =
https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/

The eval that cookie-master uses to insert code to capture cookies set by javascript (since 1.1.0) is blocked by quite reasonable CSP, e.g. twitter.com

There are other ways to inject code from a content script, but it's not clear that they will be any more successful, and they may come with other limitations around ordering/risk of code running on the page before the capture is in place.
This could be hard to detect, and it might be necessary to re-add noticing cookies being set via events as a backstop, and just not present that in the UI (because the code that used to do that was awful and unreliable, and I'm glad it's gone).

Here is parts of log :

`

All this is in the list, even if the first one should be enough :
*.fnac.com
.fnac.com
fnac.com
secure.fnac.com

I had to disable the extension in order to log in, then re-enable it.

The addon complains about the "block all cookies" setting of Firefox.
Does the FF addon api not allow you to manage the cookie whitelist of firefox directly so you can block all and whitelist only the websites that need cookies to work?

From #15 (comment)
"There is also a bug if cookies are enabled with your addon on DuckDuckGo: once we enable the language change, we cannot disable it."

Hi,

I'm pretty satisfied with cookiemaster as it is the most useful and reliable cookie manager I have found.
However, I think it would be great if it could also manage local storage, which is used by some websites as an alternative to cookies.

Regards,
Miocastoor

First of all, love the extension. It seems to work great.
Other addons that block or add things present a number over the icon to show how many things blocked, for instance. Could we get this for cookiemaster?

Just tested the latest update! 👍 😄 🎉

I discovered a bug. If NoScript blocks a individual website JavaScripts,
then Cookiemaster can't show visual status on that site.

When I enable the individual website JavaScripts, then the visual status works.

If I disable JavaScripts again, visual status stop working.

Seems to apply to all sites where NoScript blocks JavaScripts.

08/08/2023, 4:53:30 pm | INFO | 2461: Blocking first party cookie in header for login.my.gov.au
08/08/2023, 4:53:30 pm | INFO | 2461: Setting allOK to false because .my.gov.au. was not allowed
08/08/2023, 4:53:30 pm | INFO | 2461: Blocking first party cookie in header for login.my.gov.au
08/08/2023, 4:53:30 pm | INFO | 2461: Setting allOK to false because .my.gov.au. was not allowed

The following relevant entries are in the whitelist:

.my.gov.au
my.gov.au
login.my.gov.au
https://login.my.gov.au

CookieMaster Version 1.2.1
Firefox 115.0.3 (64-bit)

first of all, thanks for this awesome extension, very much what I was desperately looking for since the tragic events of the Great Firefox Extensions Purge! :D

it looks like the extension fails to parse an IP addresses used in place of a domain name:

Hi
Since FF68.4.1 Linux Debian, I am not able to set/unset a cookie with Javascript when the extension is activated. When I disable it, it works well, even in strict mode.
Steps to reproduce : Use the code :

<script>
console.log ("Before", document.cookie);
document.cookie = "AdminCookie=on;expires=Sat, 08 Feb 2020 09:33:57 GMT;path=/"
console.log ("In", document.cookie);
document.cookie = "AdminCookie=;expires=Thu, 21 Aug 2014 20:00:00 UTC;path=/"
console.log ("After", document.cookie);
</script>

In console, without extension :

Before
In AdminCookie=on
After

in console, with extension, even if the site is allowed in list :

Before
In
After 

Do you have an idea how to set the cookie ?
Thanks

While blocking cookies with this addon, the navigator.cookieEnabled property will still return true so a website will think cookies are enabled.
Switching language on a search engine like DuckDuckGo should work with cookies disabled since they have a fallback solution but it fails because the website tries to use cookies if they are enabled.
Example: https://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_nav_cookieenabled

To avoid this problem, we have to disable a website's cookies through the web browser settings directly but it is less convenient than using a browser addon since it needs more clicks.

I heard it is not possible to solve this problem through an addon unless contentSettings web extension API is supported by Firefox but maybe there is a workaround like you did to block read / write access to cookies through JavaScript? Overriding the JavaScript variable for example.

Remeber that "Ask" cookie option that was long time ago in Firefox, until approx version 50'ish? And which Mozilla, along with other Firefox forks like Pale Moon, has blatantly decided that "it didn't make sense anymore" and hence has removed it?

I enjoyed that option A LOT. It fitted my way of working and visiting web sites perfectly.
It worked like this: the very first time when you visited a domain, it would show a little pop-up dialog with 3 (three) options: (1) Allow, (2) Allow for session, or (3) Deny. And a checkbox would also control whether or not you want your choice/decision to apply for any sub-domain as well. Plus a button to see domain/cookie details.

Here's a screen shot of that little pop-up dialog, taken from a version of Pale Moon which is slightly older but I am purposely keeping because it's the last version still having this neat feature:

Obviously not all users may like this approach, so it should be made a configurable option.
Also, having such dialog popping up is no as intrusive as many might think. Because it shows up only for the first visit of any unique domain, and it's also a good way to remind me that I am visiting such site for the very first time.

I have been using this extension for about a month and find that it works well. I have also followed your excellent explanation of how it operates. However I am confused over the handling of some sub-domains that seem to be regarded as "third-party", but NOT identified as being in an iframe.
This happens on several sites, but my examples are for American Express. Note, I log in using the UK site - https://www.americanexpress.com/en-gb/account/login - the cookies may be different for other countries.
The first 2 images show the situation for the default "Block All by Policy", before and after the main cookie is set as approved.
I then set the third-party rule to "Allow only if explicitly permitted" and the 2 "Blocked" images show the situation before and after the main cookie is set as approved.
So, my query is why are these sub-domains being regarded as third-party?
Additionally I am confused regarding the .americanexpress.com cookie. I have seen similar occurrences for other sites – cookies showing both with and without the leading period ( . ). What does this mean? Is this just another sub-domain?

As text says, nothing goes here

Hi,

Thanks for your project.

I wonder what you think about the many other ways to store user unique information on his browser like : local storage, indexdb, etc...

Is this also a problem as Javascript allows to get back and share information across domains?

On clicking on of the i menue beside the URL I see below Cookie' -> Cookie and site Data' a few more cookies and for ebay I had to enable some of them. I could not do this with cookiemaster as those had not been shown there

Given that I previously enabled cookies for domain and/or subdomain, and later on I wish to disable cookies for that domain and/or subdomain (let's say because I wanted cookies enabled only for a while), all the existing cookies should be automatically removed when I switch from on to OFF.

Currently this feature does not exist. And whenever I changed my mind and wish to deny cookie access to a given domain / subdomain, by flipping the switch(es) from on to OFF, any cookie that got persisted, will still remain after switching to OFF, and that forces me to go thru Firefox => Options => Security and Privacy => Cookies => Manage Data, type in the domain, and the click "Delete". Doing such sequence of actions is too tedious.

Is this functionality possible on Chrome? There is nothing like this for Chrome. It likely is not but I had to ask.

Make easier to find blocked cookies into logs, either by a font/background color or using 'BLOCKED' instead of 'INFO' level keyword.

Thanks :)