This repository has been archived by the owner on Sep 19, 2020. It is now read-only.

blocked cookies can be accessed through JavaScript and sent to a server #238

Closed
8 of 9 tasks
baptx opened this issue Mar 19, 2020 · 1 comment
Labels: duplicate (This issue or pull request already exists)

Comments


baptx commented Mar 19, 2020

Prerequisites

  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue
  • This is not a support issue or a question
    • Support issues and questions are handled at /r/uMatrix
  • I tried to reproduce the issue when...
    • uMatrix is the only extension
    • uMatrix with default lists/settings
    • using a new, unmodified browser profile
  • I am running the latest version of uMatrix
  • I checked the documentation to understand that the issue I report is not a normal behavior
  • I used the logger to rule out that the issue is caused by my ruleset

Description

Blocked cookies can be accessed through JavaScript. If cookies are blocked, they should not be accessible by websites. The ability to block cookies sent to a server can be bypassed if the website is sending cookies through AJAX.
I noticed this problem when visiting the website https://www.jeanlouisdavid.com/ which only displayed a coronavirus popup notifier the first time you visit the website. After reloading the website, the popup was not displayed anymore because the website was able to read the cookie through JavaScript.

Related: gorhill/uMatrix#855

Steps to Reproduce

  1. Allow JavaScript and block cookies on https://www.w3schools.com/js/js_cookies.asp
  2. Click a button to set a cookie
  3. Click a button to display cookies

Ruleset

https-strict: behind-the-scene false
matrix-off: about-scheme true
matrix-off: behind-the-scene true
matrix-off: chrome-extension-scheme true
matrix-off: chrome-scheme true
matrix-off: moz-extension-scheme true
matrix-off: opera-scheme true
matrix-off: vivaldi-scheme true
matrix-off: wyciwyg-scheme true
noscript-spoof: * true
referrer-spoof: * true
referrer-spoof: behind-the-scene false
* * * block
* * css allow
* * frame block
* * image allow
* 1st-party * allow
* 1st-party frame allow
w3schools.com * cookie block
w3schools.com * css inherit
w3schools.com * frame inherit
w3schools.com * image inherit
w3schools.com 1st-party frame inherit

Supporting evidence

https://www.w3schools.com/js/js_cookies.asp

Your environment

  • uMatrix version: 1.4.0
  • Browser Name and version: Firefox 74.0
  • Operating System and version: Linux / Lubuntu 19.10
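
The distinction this report turns on, as an added example that is not part of the original issue and is not uMatrix code: removing the `Cookie` request header does nothing about a value that page script has already read and copied into a request URL or body, which a check on outbound requests can detect. It assumes the blocker only drops the `Cookie` header (the issue does not state the mechanism); `site.example`, the cookie names and all function names are constructed for illustration.

```javascript
// Model of the behaviour reported above; runs in Node, not uMatrix code.
// Assumption: the blocker only drops the Cookie request header.

// Parse a document.cookie-style string ("a=1; b=2") into a Map.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar.set(name, part.slice(idx + 1).trim());
  }
  return jar;
}

// Hypothetical header-level blocker: copy of the request without Cookie.
function stripCookieHeader(request) {
  const headers = {};
  for (const [key, value] of Object.entries(request.headers)) {
    if (key.toLowerCase() !== 'cookie') headers[key] = value;
  }
  return { ...request, headers };
}

// Detection check: names of cookies whose value still appears in URL or body.
function findCookieLeaks(request, jar, minLength = 4) {
  const haystacks = [request.url, request.body || ''];
  const leaks = [];
  for (const [name, value] of jar) {
    if (value.length < minLength) continue; // short values match by accident
    const needles = [value, encodeURIComponent(value)];
    if (haystacks.some(h => needles.some(n => h.includes(n)))) leaks.push(name);
  }
  return leaks;
}

// Constructed sample data: the cookie string a script could read, a plain
// navigation request, and an AJAX request carrying a cookie value in its body.
const COOKIES = 'popup_seen=2020-03-19T10:00; lang=fr';
const jar = parseCookieString(COOKIES);
const navigation = { url: 'https://site.example/', headers: { Cookie: COOKIES }, body: '' };
const ajax = {
  url: 'https://site.example/api/state',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: 'seen=' + encodeURIComponent(jar.get('popup_seen')),
};
console.log(findCookieLeaks(stripCookieHeader(navigation), jar)); // []
console.log(findCookieLeaks(stripCookieHeader(ajax), jar)); // ['popup_seen']
```
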
baptx changed the title from "blocked cookies can be accessed through JavaScript" to "blocked cookies can be accessed through JavaScript and sent to a server" on Mar 19, 2020
@uBlock-user
Contributor

Duplicate of #7

uBlock-user marked this as a duplicate of #7 on Mar 19, 2020
uBlock-user added the duplicate label on Mar 19, 2020