Opened on 06/25/2018 at 11:51:43 AM

Closed on 10/09/2019 at 08:27:51 PM

#6762 closed defect (rejected)

Implement support for cookie-related filters

Reported by: fanboy Assignee:
Priority: Unknown Milestone:
Module: Core Keywords: circumvention, closed-in-favor-of-gitlab
Cc: mjethani, greiner Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: no Confidential: no
Tester: Unknown Verified working: no
Review URL(s):


Have noticed that some sites will use cookies to set cookies if adblock is used, a website will either show different ads, or show anti-adblock by using Cookies.

Not sure how it'll check on either on-load or checks site realtime.

Possible allow regex also?

||^$cookie-set="Name, variable"

Could set a filter Name and variable on load of website


Remove a cookie.


Hide a specific cookie from a site, but dont remove it? (not sure if this would be possible)


Block all third-party setting cookies to the site.


Stop cookies on a site.


Attachments (0)

Change History (13)

comment:1 Changed on 06/25/2018 at 12:41:13 PM by mjethani

  • Cc mjethani added

comment:2 Changed on 06/25/2018 at 12:43:17 PM by mjethani

  • Keywords circumvention added

comment:3 Changed on 06/27/2018 at 05:51:26 AM by hfiguiere

  • Summary changed from Implent support for cookie-related filters to Implement support for cookie-related filters

comment:4 Changed on 06/27/2018 at 06:09:29 PM by greiner

  • Cc greiner added

comment:5 Changed on 07/17/2018 at 11:13:23 AM by fanboy

Example of how it'd work, Blocking the cookie-consent dialog message from showing:

On, the site will set a range of cookie names. But the one that is used is cookies_consent_set, if this set to true. It won't show the consent/gdpr warning.


Since I can't reliably block the message via css or standard filters. Having a cookie set/delete option would be pretty handy. Tested with the "Cookiebro" firefox extension.

comment:6 Changed on 07/17/2018 at 01:44:10 PM by mjethani

There is of course a security risk with letting filter list authors set cookies.

comment:7 Changed on 10/16/2018 at 07:57:09 AM by fanboy

seems Adguard has a similar feature; see: = "useOfCookiesAccepted_live = true"; = "dmDrogeriemarkt_euLaw_userDidNotOptIn = true";

comment:8 Changed on 10/16/2018 at 08:24:51 AM by fanboy

Here is a testable use case (for cookies)

If you're from the EU, will set 2 document.cookie's; to determine whether it show a cookie warning message. If you try and hide the element (##.m-privacy-consent & ###privacy-consent) it'll remove the message but also prevent content like videos from playing.

The 2 document.cookie's set:


Which in theory I could by pass the cookie message with something like; (using similar adguard syntax as a example) = "_chorus_geoip_continent=EU"; document.cookie = "_chorus_privacy_consent=111111111111-a9999999999999999999999999999999";

comment:9 Changed on 10/16/2018 at 08:29:51 AM by greiner

That appears to be more of a workaround on their end by using their JavaScript filters that allow filter authors to inject arbitrary JavaScript into a web page.

While we could technically offer a similar functionality using snippets - thereby avoid injecting arbitrary scripts - the more ideal approach would be to use the browser.cookies extension API.

That doesn't mean that such a functionality should be offered though since mjethani's argument remains valid. Presumably it'd require limiting the capabilities of such a feature to only a predefined set of values that a cookie can be set to.

comment:10 Changed on 10/16/2018 at 08:49:17 AM by fanboy

I do understand the privacy concerns, given ad companys (and cookie-message checks) rely on cookies being set, i thought it would be an easy way easily bypass. How would using snippets would fix the issue?

comment:11 Changed on 10/16/2018 at 09:16:21 AM by greiner

It wouldn't. JavaScript filters, snippets and the extension API are merely ways to implement such functionality. Privacy and security are overarching topics that affect how such functionality is exposed to filter authors and restrict which of the aforementioned techniques can be used.

For instance, as you pointed out, it is technically possible to implement such a feature using JavaScript filters but they aren't suitable concerning privacy and security since they allow/require filter authors to inject their own JavaScript code into web pages.

While snippets and the extension API reduce that risk (e.g. by not allowing arbitrary script injection), they'd still require sound design choices to limit the functionality as much as possible. That's necessary to allow only the use cases we need to support while preventing any potential misuses.

comment:12 Changed on 10/09/2019 at 12:10:35 PM by greiner

  • Component changed from Unknown to Core

comment:13 Changed on 10/09/2019 at 08:27:51 PM by sebastian

  • Keywords closed-in-favor-of-gitlab added
  • Resolution set to rejected
  • Status changed from new to closed

Sorry, but we switched to GitLab. If this issue is still relevant, please file it again in the new issue tracker.

Add Comment

Modify Ticket

Change Properties
as closed .
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from (none).
Note: See TracTickets for help on using tickets.