set-cookie not converting [] Cookie Names #2777

Closed
8 tasks done
ryanbr opened this issue Aug 14, 2023 · 10 comments
Labels
enhancement New feature or request

Comments

@ryanbr

ryanbr commented Aug 14, 2023

Prerequisites

  • I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
  • This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
  • The issue is not present after disabling uBO in the browser.
  • I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

  • uBO is the only extension.
  • uBO uses default lists and settings.
  • using a new, unmodified browser profile.

Description

Using set-cookie, [] isn't translated or with \[ \]

A specific URL where the issue occurs.

https://www.dlalakierni.pl/

Steps to Reproduce

Add the following; to counter the cookie message: (or with \[ \])

dlalakierni.pl##+js(set-cookie, AtomStore[COOKIES_ACCEPTED], 1, , reload, 1)
dlalakierni.pl##+js(set-cookie, AtomStore[FUNCTIONAL_COOKIES_ACCEPTED], 1)
dlalakierni.pl##+js(set-cookie, AtomStore[MARKETING_COOKIES_ACCEPTED], 1)

or,

dlalakierni.pl##+js(set-cookie, AtomStore\[COOKIES_ACCEPTED\], 1, , reload, 1)
dlalakierni.pl##+js(set-cookie, AtomStore\[FUNCTIONAL_COOKIES_ACCEPTED\], 1)
dlalakierni.pl##+js(set-cookie, AtomStore\[MARKETING_COOKIES_ACCEPTED\], 1)

Expected behavior

Doesn't counter cookie message

Actual behavior

translate to AtomStore%5BCOOKIES_ACCEPTED%5D, AtomStore%5BFUNCTIONAL_COOKIES_ACCEPTED%5D, AtomStore%5BMARKETING_COOKIES_ACCEPTED%5D

Instead of

AtomStore[MARKETING_COOKIES_ACCEPTED], AtomStore[FUNCTIONAL_COOKIES_ACCEPTED], AtomStore[COOKIES_ACCEPTED]

uBO version

1.51.1b

Browser name and version

All Bravey baby

Operating System and version

Windows

@gothic-bum

Per the documentation for set-cookie.js :

The scriptlet encodes cookie names and values, e.g value "{ test: 'value'}" becomes %7B%20test%3A%20'value'%7D.

Per the documentation for trusted-set-cookie.js :

The scriptlet does not encode cookie names and values.

The following filters therefore work - but only if they are from a "trusted source" which is currently the uBO created filter lists (i.e. those prefixed with "uBlock filters – ...") and the user's own filters from "My filters":

dlalakierni.pl##+js(trusted-set-cookie, AtomStore[COOKIES_ACCEPTED], 1, 1year, , reload, 1)
dlalakierni.pl##+js(trusted-set-cookie, AtomStore[FUNCTIONAL_COOKIES_ACCEPTED], 1, 1year)
dlalakierni.pl##+js(trusted-set-cookie, AtomStore[MARKETING_COOKIES_ACCEPTED], 1, 1year)

@ryanbr
Author

ryanbr commented Aug 14, 2023

If only setting a simple value of 1 or 0, isn't this fine in set-cookie? Correct me if I'm wrong that trusted support applies to non-boolean values

@gorhill
Member

gorhill commented Aug 14, 2023

I followed AdGuard's reference documentation to implement set-cookie, and this is what it says:

scriptlet encodes cookie names and values

I think the idea is to prevent using set-cookie to set arbitrary values:

...##+js(set-cookie, cookiename=anystring;, allowedvalue)

Encoding the name prevents this.


When I enter this at the console of https://example.com/:

document.cookie="cookiename=anystring;=allowedvalue"

Which is what the set-cookie scriptlet would do without encoding, a new cookie cookiename set to anystring is created, which means without encoding set-cookie would end up having the same functionality as trusted-set-cookie.

@ryanbr
Copy link
Author

ryanbr commented Aug 14, 2023

Okay.

@ryanbr ryanbr closed this as completed Aug 14, 2023
@MasterKia MasterKia added the wontfix won't be addressed label Aug 14, 2023
@gorhill
Member

gorhill commented Aug 14, 2023

Maybe we could discuss with @ameshkov a different safety approach: if a cookie name has any character outside the ones considered safe, the scriptlet won't do anything. The unsafe set of characters would be /[^\w%\[\]]/.

@stephenhawk8054
Member

stephenhawk8054 commented Aug 14, 2023

The unsafe set of characters would be /[^\w%\[\]]/

You mean safe set?

Ah nope, you're correct

@ameshkov

@gorhill sounds like a good solution. The easiest way would be to follow the RFC, but the problem is that it actually forbids separators including [ ] while Chrome allows any character in a cookie name, even control characters.

Actually, what if we only forbid = and allow any other ASCII character? Do you see any potential problem with that approach?

@iam-py-test
Contributor

iam-py-test commented Aug 14, 2023

What about ;? It isn't valid in a cookie name, and can be used to set cookie attributes. Maybe not dangerous as I think most/all of those attributes can already be set and also useless if equal signs are blocked.
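
The three policies discussed in this thread (no encoding, encoding the name, and refusing names outside a safe character set), compared on the two cookie names from the issue. This is an added example, not uBO's or AdGuard's code; the function names and the simplified cookie-string parser are assumptions made for illustration.

```javascript
// Added example: helper names are hypothetical, not uBO's code.
// Simplified model of cookie-string parsing (RFC 6265 section 5.2): the text
// before the first ';' is the name-value pair, split on its first '='.
function parseCookieString(str) {
    const pair = str.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq === -1) { return null; } // RFC 6265: a pair without '=' is ignored
    return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Policy 1: no encoding, the name is concatenated as-is.
function rawCookie(name, value) {
    return parseCookieString(`${name}=${value}`);
}

// Policy 2: encode name and value, as the set-cookie documentation describes.
function encodedCookie(name, value) {
    return parseCookieString(
        `${encodeURIComponent(name)}=${encodeURIComponent(value)}`
    );
}

// Policy 3: the character check proposed in the thread; refuse, don't encode.
const UNSAFE_NAME = /[^\w%\[\]]/;
function allowlistedCookie(name, value) {
    if (UNSAFE_NAME.test(name)) { return null; } // scriptlet would do nothing
    return parseCookieString(`${name}=${value}`);
}

// Constructed sample inputs: the two cookie names discussed in the thread.
const samples = [
    ['cookiename=anystring;', 'allowedvalue'],
    ['AtomStore[COOKIES_ACCEPTED]', '1'],
];

function compare() {
    return samples.map(([name, value]) => ({
        requested: name,
        raw: rawCookie(name, value),
        encoded: encodedCookie(name, value),
        allowlisted: allowlistedCookie(name, value),
    }));
}

console.log(JSON.stringify(compare(), null, 2));
```

Only the allowlist policy both rejects the smuggled name and leaves the bracketed name unchanged; encoding neutralizes the first but rewrites the second to `%5B...%5D`.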

stephenhawk8054 added a commit to uBlockOrigin/uAssets that referenced this issue Aug 16, 2023
@krystian3w

krystian3w commented Aug 18, 2023

IMO fine is:

dlalakierni.pl###RodoCookiesInfo:remove()

If nobody can document breakages. The webshop plug-in uses bootstrap, so it can be done in a way that doesn't even meet EU requirements and Google policy.

On older uBo without remove possible too:

dlalakierni.pl###RodoCookiesInfo, .modal-backdrop
dlalakierni.pl##.modal-open:style(overflow: visible !important;)

I guess uBo 1.7.x is unpopular to address by legacy scriptlets (##script:inject() from 2014-2016 (https://www.wikidata.org/wiki/Q19881587#Q19881587$85FF91CD-4D06-4D10-964E-C7A6FAC2F5C8) (or legacy inline script filtering in Firefox PreQuantum (4-56)).

krystian3w added a commit to FiltersHeroes/PolishSocialCookiesFiltersDev that referenced this issue Aug 21, 2023
fix uBlockOrigin/uBlock-issues#2777
partial undo uBlockOrigin/uAssets@4043800 (I guess only trusted sources can disable by "#@#")
@gwarser gwarser added enhancement New feature or request and removed wontfix won't be addressed labels Oct 29, 2023
@gwarser gwarser reopened this Oct 29, 2023
gorhill added a commit to gorhill/uBlock that referenced this issue Mar 23, 2024
gorhill added a commit to gorhill/uBlock that referenced this issue Mar 26, 2024
@gorhill
Member

gorhill commented Apr 14, 2024

Fixed with gorhill/uBlock@11a4856

@gorhill gorhill closed this as completed Apr 14, 2024