Opened on 06/25/2018 at 11:51:43 AM
Closed on 10/09/2019 at 08:27:51 PM
#6762 closed defect (rejected)
Implement support for cookie-related filters
Reported by: | fanboy | Assignee: | |
---|---|---|---|
Priority: | Unknown | Milestone: | |
Module: | Core | Keywords: | circumvention, closed-in-favor-of-gitlab |
Cc: | mjethani, greiner | Blocked By: | |
Blocking: | Platform: | Unknown / Cross platform | |
Ready: | no | Confidential: | no |
Tester: | Unknown | Verified working: | no |
Review URL(s): |
Description
Have noticed that some sites will use cookies to set cookies if adblock is used, a website will either show different ads, or show anti-adblock by using Cookies.
Not sure how it'll check on either on-load or checks site realtime.
Possible allow regex also?
||website.com^$cookie-set="Name, variable"
Could set a filter Name and variable on load of website
||website.com^$cookie-remove="Name"
Remove a cookie.
||website.com^$cookie-hide="Name"
Hide a specific cookie from a site, but dont remove it? (not sure if this would be possible)
||website.com^$cookie,third-party
Block all third-party setting cookies to the site.
||website.com^$cookie
Stop cookies on a site.
Thoughts?
Attachments (0)
Change History (13)
comment:1 Changed on 06/25/2018 at 12:41:13 PM by mjethani
- Cc mjethani added
comment:2 Changed on 06/25/2018 at 12:43:17 PM by mjethani
- Keywords circumvention added
comment:3 Changed on 06/27/2018 at 05:51:26 AM by hfiguiere
- Summary changed from Implent support for cookie-related filters to Implement support for cookie-related filters
comment:4 Changed on 06/27/2018 at 06:09:29 PM by greiner
- Cc greiner added
comment:5 Changed on 07/17/2018 at 11:13:23 AM by fanboy
comment:6 Changed on 07/17/2018 at 01:44:10 PM by mjethani
There is of course a security risk with letting filter list authors set cookies.
comment:7 Changed on 10/16/2018 at 07:57:09 AM by fanboy
seems Adguard has a similar feature; see: https://github.com/AdguardTeam/AdguardFilters/blob/master/AnnoyancesFilter/sections/cookies_specific.txt#L1621
neckermann-reisen.de#%#document.cookie = "useOfCookiesAccepted_live = true"; dm.hu#%#document.cookie = "dmDrogeriemarkt_euLaw_userDidNotOptIn = true";
comment:8 Changed on 10/16/2018 at 08:24:51 AM by fanboy
Here is a testable use case (for cookies)
If you're from the EU, theverge.com will set 2 document.cookie's; to determine whether it show a cookie warning message. If you try and hide the element (##.m-privacy-consent & ###privacy-consent) it'll remove the message but also prevent content like videos from playing.
The 2 theverge.com document.cookie's set:
_chorus_geoip_continent:EU _chorus_privacy_consent:1539677377873-a9326516419003202124200154273271
Which in theory I could by pass the cookie message with something like; (using similar adguard syntax as a example)
theverge.com#%#document.cookie = "_chorus_geoip_continent=EU"; document.cookie = "_chorus_privacy_consent=111111111111-a9999999999999999999999999999999";
comment:9 Changed on 10/16/2018 at 08:29:51 AM by greiner
That appears to be more of a workaround on their end by using their JavaScript filters that allow filter authors to inject arbitrary JavaScript into a web page.
While we could technically offer a similar functionality using snippets - thereby avoid injecting arbitrary scripts - the more ideal approach would be to use the browser.cookies extension API.
That doesn't mean that such a functionality should be offered though since mjethani's argument remains valid. Presumably it'd require limiting the capabilities of such a feature to only a predefined set of values that a cookie can be set to.
comment:10 Changed on 10/16/2018 at 08:49:17 AM by fanboy
I do understand the privacy concerns, given ad companys (and cookie-message checks) rely on cookies being set, i thought it would be an easy way easily bypass. How would using snippets would fix the issue?
comment:11 Changed on 10/16/2018 at 09:16:21 AM by greiner
It wouldn't. JavaScript filters, snippets and the extension API are merely ways to implement such functionality. Privacy and security are overarching topics that affect how such functionality is exposed to filter authors and restrict which of the aforementioned techniques can be used.
For instance, as you pointed out, it is technically possible to implement such a feature using JavaScript filters but they aren't suitable concerning privacy and security since they allow/require filter authors to inject their own JavaScript code into web pages.
While snippets and the extension API reduce that risk (e.g. by not allowing arbitrary script injection), they'd still require sound design choices to limit the functionality as much as possible. That's necessary to allow only the use cases we need to support while preventing any potential misuses.
comment:12 Changed on 10/09/2019 at 12:10:35 PM by greiner
- Component changed from Unknown to Core
comment:13 Changed on 10/09/2019 at 08:27:51 PM by sebastian
- Keywords closed-in-favor-of-gitlab added
- Resolution set to rejected
- Status changed from new to closed
Sorry, but we switched to GitLab. If this issue is still relevant, please file it again in the new issue tracker.
Example of how it'd work, Blocking the cookie-consent dialog message from showing:
On www.mymuesli.com, the site will set a range of cookie names. But the one that is used is cookies_consent_set, if this set to true. It won't show the consent/gdpr warning.
Since I can't reliably block the message via css or standard filters. Having a cookie set/delete option would be pretty handy. Tested with the "Cookiebro" firefox extension.