Feature request: prevent cookie modification #55

Open
znrt22 opened this issue Jan 25, 2019 · 2 comments


znrt22 commented Jan 25, 2019

Hi,
It would be nice to be able to set cookies to read-only to prevent sites from changing their content.
Right now, protecting cookies from deletion doesn't seem to stop the site from resetting a cookie by changing its value, which kind of defeats the purpose.

Owner

ysard commented Jun 20, 2019

Hello, I apologize for the delay in responding, thank you for participating in the project; here are some of the answers that made me leave this question open during this time.

Restoring cookies after deletion is easier than restoring after modification. Indeed, the latter requires keeping in memory the entirety of the cookie to be protected (not only its name, but its flags and especially its value).
I do not think CQM is intended to be a copy of the Firefox cookie store. In addition, storing information in several places (the cookie store and the CQM parameters) increases the risk of personal data leakage on the system in case of compromise. The values of cookies are even more sensitive than their names and the URL of the parent site.

If Firefox gives me a way to get on the fly the previous state of the cookie that is about to be modified by the site, then I will come back to this idea that I consider admissible :)

Note: From my knowledge of APIs, I note that if an addon offers to preserve a cookie from subsequent changes, it is only a quick rewrite of an older version of the cookie just after the site has been able to make changes (and access them during this short period of time).
It is not a protection stricto sensu but a bypass of changes made by a website on the data that belong to it.
This is already how the protection against deletion works and this may reduce the interest of the option in some cases.

Author

znrt22 commented Jun 27, 2019

Hello, thanks for the insight on the matter. That quick rewrite was indeed what I had in mind, rather than strictly denying modification to the website which would probably be a proper read-only definition, now that I think of it.
Actually, I am already doing that rewrite with CQM, albeit manually, by saving specific cookies in a .json and restoring them once I know the website made some undesired changes.

On a side note, is the protection against deletion supposed to prevent a cookie from being deleted even if the "isSession" flag has been set by the site? That is actually what is bothering me and made me think about this idea.
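
The quick rewrite discussed in this thread, as an added example that is not CQM's code and not part of any comment: a listener on the WebExtension `cookies.onChanged` event that writes a stored snapshot back when a protected cookie's value or session flag changes. `createCookieGuard`, `protect`, `forget`, `keyOf`, `toSetDetails` and the injected `cookiesApi` parameter are names assumed for the example.

```javascript
// Added example, not CQM's code. `cookiesApi` must look like the WebExtension
// `browser.cookies` object: onChanged.addListener(fn) and set(details).
function keyOf(c) {
  return [c.storeId, c.domain, c.path, c.name].join("|");
}

// cookies.set() needs a URL, so rebuild one from the stored cookie.
// sameSite and firstPartyDomain are left out to keep the example short.
function toSetDetails(c) {
  const host = c.domain.replace(/^\./, "");
  const details = {
    url: (c.secure ? "https://" : "http://") + host + c.path,
    name: c.name, value: c.value, path: c.path,
    secure: c.secure, httpOnly: c.httpOnly, storeId: c.storeId,
  };
  if (!c.hostOnly) details.domain = c.domain; // keep host-only cookies host-only
  if (!c.session) details.expirationDate = c.expirationDate; // session cookies have none
  return details;
}

function createCookieGuard(cookiesApi) {
  // Full copies of protected cookies, values included. Memory only: writing
  // them to extension storage would create the second copy discussed above.
  const snapshots = new Map();
  const log = []; // names and causes only, never values

  function onChanged({ removed, cookie, cause }) {
    const wanted = snapshots.get(keyOf(cookie));
    // A removal with cause "overwrite" is followed by the new write; other
    // removals are deletions, which this example does not handle.
    if (!wanted || removed) return undefined;
    // Equal to the snapshot: our own rewrite or a no-op, so no loop.
    if (cookie.value === wanted.value && cookie.session === wanted.session) return undefined;
    log.push({ name: cookie.name, cause });
    // The site's value was already stored and readable until this completes.
    return cookiesApi.set(toSetDetails(wanted));
  }

  cookiesApi.onChanged.addListener(onChanged);
  return {
    protect(cookie) { snapshots.set(keyOf(cookie), { ...cookie }); },
    forget(cookie) { snapshots.delete(keyOf(cookie)); },
    log,
  };
}

// Background script of an extension with the "cookies" permission.
if (typeof browser !== "undefined" && browser.cookies) {
  globalThis.cookieGuard = createCookieGuard(browser.cookies);
}
```

The guard only reacts after the browser has stored the site's new value, so it undoes a change and does not block it.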
