This repository has been archived by the owner on Sep 19, 2020. It is now read-only.

Cookies can be leaked when JavaScript is enabled #7

Closed
ghost opened this issue May 9, 2018 · 11 comments
Labels
fixed issue has been addressed wiki related to wiki

Comments


ghost commented May 9, 2018

In your wiki you describe that uMatrix prevents cookies from LEAVING the browser. This is not correct in all situations. If JavaScript is enabled for a website, "special" scripts can read the related domain cookies and send the content to the server. If the cookie data are transmitted in custom data structures in the HTTP body or maybe custom HTTP headers, uMatrix can't do anything about it.

From my perspective there are 2 possible options:

  1. This behavior is intended and the wiki text should be updated to cover this fact. In this case it would also be interesting why this is intended, because it looks like a potential weak point.
  2. uMatrix should be changed to prevent cookies from ENTERING the browser. That means the cookie should not be persisted.

What do you think?
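The gap described in this post, as an added example that is not part of the original thread: a header-level filter removes the `Cookie` header, and a check then reports where the same cookie values still appear in the request. The request shape, the `X-Session` header name, the function names and the sample values are all constructed for illustration.

```javascript
'use strict';

// Header-level blocking: drop the Cookie header from an outgoing request.
function stripCookieHeader(request) {
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    if (name.toLowerCase() !== 'cookie') headers[name] = value;
  }
  return { ...request, headers };
}

// Extract the values from a "name=value; name2=value2" cookie string.
function cookieValues(cookieString) {
  return cookieString.split(';')
    .map(pair => pair.slice(pair.indexOf('=') + 1).trim())
    .filter(value => value.length >= 8); // skip short values that would match by chance
}

// Report every place a cookie value appears in the request (headers or body).
function findCookieValues(request, cookieString) {
  const findings = [];
  for (const value of cookieValues(cookieString)) {
    for (const [name, headerValue] of Object.entries(request.headers)) {
      if (String(headerValue).includes(value)) findings.push(`header:${name}`);
    }
    if ((request.body || '').includes(value)) findings.push('body');
  }
  return findings;
}

// Constructed sample: a site's cookie string and one request issued by a page script.
const jar = 'sid=4f9c2a71d0e8b355; theme=dark';
const scripted = {
  url: 'https://site.example/collect',
  headers: { 'Cookie': jar, 'Content-Type': 'application/json', 'X-Session': '4f9c2a71d0e8b355' },
  body: JSON.stringify({ event: 'view', s: '4f9c2a71d0e8b355' }),
};

const filtered = stripCookieHeader(scripted);
console.log(Object.keys(filtered.headers));   // the Cookie header is gone
console.log(findCookieValues(filtered, jar)); // the value is still in the request
```
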

@gwarser gwarser added the question query or an enquiry label May 9, 2018
Member

gorhill commented May 9, 2018

Declined.

Disable javascript, and/or enable cookie deletion.

In case you want to argue this, this won't change -- uMatrix has been existing for well over 4 years and this has been discussed well enough (I won't keep repeating everything that has been said). If you do not like the way uMatrix deals with cookies, use an extension that does what you want.

@gorhill gorhill closed this as completed May 9, 2018
@gorhill gorhill added invalid Not a valid issue declined declined by the developer and removed question query or an enquiry labels May 9, 2018
Contributor

uBlock-user commented May 10, 2018

> "special" scripts can read the related domain cookies and send the content to the server.

That's not cookies getting leaked per se, but rather an alternative to fetch cookie information via JS, that has been possible since the beginning and the solution is to block the said javascript.

Author

ghost commented May 10, 2018

I'm not questioning the software. It's a nice and useful tool and I am thankful that you're doing this. I'm questioning your information management. I've read some of the issues. At least I found this:

> cookies can be set through javascript: there is no way to block the creation of cookies, the APIs to deal with cookies are asynchronous.

It looks like the beginning to explain that uMatrix can't deal with cookies that are set or read by JavaScript. That would be totally comprehensible to me. So what's the matter with just adding that useful information to your wiki, instead of being annoyed by all issues that have something to do with cookies and closing them without any explanation (in some cases)?! If I'd found that information in your wiki, this ticket wouldn't exist by now. Just sayin...


gwarser commented May 10, 2018

> "special" scripts can read the related domain cookies and send the content to the server

To be sure - you don't have any real world examples?

Contributor

uBlock-user commented May 10, 2018

> there is no way to block the creation of cookies

FYI, that's an invalid statement. Browsers themselves can block ALL cookies from being inserted simply by editing the cookie settings. As for the wiki, you should be able to edit it and add more information, if that's the case.


gwarser commented May 10, 2018

Fixed (wiki)

@uBlock-user uBlock-user added wiki related to wiki fixed issue has been addressed and removed invalid Not a valid issue declined declined by the developer labels May 10, 2018


crssi commented May 13, 2018

Once again... Firefox 60 (not Nightly), does not have any cookie settings over GUI. Search does not help at all.


gwarser commented May 13, 2018

61:
screenshot_20180513_224043
60:
screenshot_20180513_224204

Unblock for page:
screenshot_20180513_232216
screenshot_20180513_232301
screenshot_20180513_232338


crssi commented May 14, 2018

@gwarser thank you for your kindness and willingness to help.
I must apologize, the problem was on my side when I was experimenting in the near past and forgot about on preferences:

user_pref("browser.storageManager.enabled", false);

And it should be true, otherwise the cookies section is hidden.

Sorry for all the troubles
Cheers


baptx commented Mar 20, 2020

@gorhill @uBlock-user Would it be possible to have a switch like the Spoof <noscript> tags feature but for cookies, to completely disable read / write access for cookies through JavaScript and make navigator.cookieEnabled return false when cookies are blocked (gorhill/uMatrix#855)? I guess it is technically possible and the switch will make the feature optional if some people don't want it by default in uMatrix.

It looks like the addon CookieMaster (https://addons.mozilla.org/en-US/firefox/addon/cookiemaster/) can block reading and writing cookies through JavaScript but being able to allow / block domains in one place with uMatrix would be more convenient.

Update: I noticed there is a similar option to block localStorage and sessionStorage when cookies are disabled for a domain, by checking "Delete local storage content set by blocked hostnames" in uMatrix settings. If we check this option, cookies should not be stored on the browser as well.
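A sketch of the kind of switch requested in this comment, as an added example that is not code from uMatrix, CookieMaster or anyone in the thread: script reads of `document.cookie` return an empty string, script writes are dropped, and `navigator.cookieEnabled` reports `false`. `installCookieShim` and the `Fake*` classes are hypothetical; the fakes stand in for `Document.prototype` and `Navigator.prototype` so the code runs outside a browser.

```javascript
'use strict';

// Hypothetical helper. docProto / navProto stand for Document.prototype and
// Navigator.prototype in a page; they are parameters so the shim can be tested.
function installCookieShim(docProto, navProto, log = []) {
  // Redefine the accessor on the prototype so every `.cookie` lookup hits the shim.
  Object.defineProperty(docProto, 'cookie', {
    configurable: false,
    enumerable: true,
    get() { return ''; },            // script reads see an empty jar
    set(value) {                     // script writes are dropped; keep the name only
      log.push(String(value).split('=')[0].trim());
    },
  });
  Object.defineProperty(navProto, 'cookieEnabled', {
    configurable: false,
    enumerable: true,
    get() { return false; },
  });
  return log;
}

// Constructed stand-ins for the browser objects, created fresh on each call.
function makeFakes() {
  class FakeDocument {
    constructor() { this.jar = 'sid=4f9c2a71d0e8b355'; } // constructed sample value
    get cookie() { return this.jar; }
    set cookie(v) { this.jar += '; ' + String(v).split(';')[0]; }
  }
  class FakeNavigator {
    get cookieEnabled() { return true; }
  }
  return { FakeDocument, FakeNavigator };
}

function demo() {
  const { FakeDocument, FakeNavigator } = makeFakes();
  const doc = new FakeDocument();
  const nav = new FakeNavigator();
  const before = { cookie: doc.cookie, enabled: nav.cookieEnabled };
  const log = installCookieShim(FakeDocument.prototype, FakeNavigator.prototype);
  doc.cookie = 'track=abc123; path=/'; // a script write after the shim is installed
  const after = { cookie: doc.cookie, enabled: nav.cookieEnabled };
  return { before, after, jar: doc.jar, log };
}

console.log(demo());
```

The shim only changes what page scripts can see and set; cookies carried in HTTP request and response headers are untouched by it and still need header-level handling.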
