Cookies leaking temporarily

[GittyHubish]

Prerequisites

• I performed a cursory search of the issue tracker to avoid opening a duplicate issue
  • Your issue may already be reported.
  • I also searched the existing issues at https://github.com/gorhill/uMatrix/issues
• This is not a support issue or a question
  • Support issues and questions are handled at /r/uMatrix
• I tried to reproduce the issue when...
  • uMatrix is the only extension
  • uMatrix with default lists/settings
  • using a new, unmodified browser profile
• I am running the latest version of uMatrix
• I checked the documentation to understand that the issue I report is not a normal behavior
• I used the logger to rule out that the issue is caused by my ruleset

Description

It used to be the case until a week (a few weeks ago?) that if you tried to log into any website with cookies blocked globally, you wouldn't be able to until you manually allowed them for the site (true for both normal and incognito windows). Now it is possible to log into most, if not all, websites for a couple of minutes until you get the notice that you're not logged in. Furthermore, you are able to stay logged in for what seems indefinitely using an Incognito window (which didn't use to be the case).

My understanding was that uMatrix allowed the cookies into the browser but not out of it. So, now somehow websites are allowed to read this cookies.

A specific URL where the issue occurs

Any page that requires a login, e.g. github.com.

Steps to Reproduce

On a regular tab:

1. Visit github.com and enter your details.
2. Login succesfully and do some stuff.
3. Wait a few minutes and voila you're disconnected.

On Incognito Mode:

1. Visit github.com and enter your details.
2. Login successfully and do some stuff.
3. Keep using the site until you manually logoff or close the window.

Supporting evidence

I don't really know which supporting evidence to post in this particular case, so the next screenshot is the best that I could think of:

This is specially weird since the logger shows the cookies as blocked.

Your environment

• uMatrix version: 1.3.14
• Browser Name and version: Google Beta 70.0.3538.67 (Official Build) beta (64-bit)
• Operating System and version: Microsoft Windows 8.1

[uBlock-user]

Cannot reproduce. As soon as I block github cookies and refresh the page, github logs me out and serves a version of the page for guests. Same for incognito mode.

[gorhill]

It used to be the case until a week (a few weeks ago?)

Version 1.3.14 was released in August, so nothing changed since then. Try with a stable release of Chrome, and also be aware that Chrome may not enable by default extensions such as uMatrix, see https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html:

Beginning in Chrome 70, users will have the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.

Also, you must allow extensions explicitly for incognito mode.

[GittyHubish]

Are you using Chrome Beta? Because I'm actually answering from an Incognito tab.

Edit: Just tried the stable release and everything is working as expected. Then this is just a heads up since changes in the Beta channel tend to be final changes in the Stable channel.

[uBlock-user]

I tested on Chromium 70 and Chromium 72, both work as expected.

[GittyHubish]

I don't wanna reopen this is if people are not being able to reproduce. But I tried again after resetting both Chrome and uMatrix to the default options (and disabling cookies globally) and I can log into Facebook without problems (plus I'm commenting again with this setup).

[uBlock-user]

Disable any other extension that deals with cookies.

[gorhill]

As usual, it always comes down to: what does the logger say?

[GittyHubish]

Disable any other extension that deals with cookies.

Why would I ever use something else to deal with cookies in my browser? :P
In all seriousness tho, for this test there were no other extensions.

As usual, it always comes down to: what does the logger say?

Two screenshots. The first one is me logging into GitHub using an Incognito window and the second one me going into another page using the same tab:

[gorhill]

I am unable to reproduce such behavior with either Chromium 69 or Firefox Nightly: as soon as I block cookies, I am being logged out, and can't login. I don't have Chrome beta. Your screenshots do not show the most important part, which is the removal of the Cookie header -- identified by a red COOKIE entry in the logger:

[uBlock-user]

Why would I ever use something else to deal with cookies in my browser? :P

You haven't exactly mentioned which extensions you're current using aside from uMatrix and the issue you're experiencing can happen if there is another extension with cookie management capabilities undoing uMatrix's cookie block, hence my suggestion

[gorhill]

https://bugs.chromium.org/p/chromium/issues/detail?id=892637

Maybe related?

[GittyHubish]

Your screenshots do not show the most important part, which is the removal of the Cookie header -- identified by a red COOKIE entry in the logger:

Yeah. The entry is nowhere in the logger.

I was hoping a new release would fix the problem but today I got the new 71.0.3578.20 and the problem is still present.

---

Ok. Tried with Chrome Beta Portable (same version) from PortableApps.com and the issue is not present there. Absolutely weird...

[GittyHubish]

And now also happening on the stable channel: 70.0.3538.77.

[GittyHubish]

This is what happens when I open the GitHub login page and let it hang for about a minute or so, until the blue part appears in the logger:

[GittyHubish]

Now happening on Chrome Beta 72.0.3626.28, Chrome Beta Portable 72.0.3626.17, Opera 59.0.3173.0 Developer (based on Chromium 72.0.3626.14) and Chromium 73.0.3647.0 (downloaded from https://chromium.woolyss.com).

When doing the next (from https://bugs.chromium.org/p/chromium/issues/detail?id=892637); the test with the Cookie header fails, while the tests involving the User-agent go as expected:

1. Install Tampermonkey (https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo)
2. Install the script from here (by entering this URL) http://test.tampermonkey.net/chrome.webRequest.onBeforeSendHeaders_issues.user.js
3. Go to http://test.tampermonkey.net/empty.html

[uBlock-user]

I'm able to reproduce this today on Chromium 73 on github, how unusual.

Added github.com * cookie block and yet I'm able to login and browse pages logged in.

Blocked cookies on google and I'm able to login yet, seems cookies are not getting blocked at all.

[gorhill]

As usual: does the logger shows COOKIE (uppercase important) header being removed?

[uBlock-user]

logger shows COOKIE (uppercase important) header being removed?

no uppercase, only lowercase appears in red.

[uBlock-user]

What does that mean ?

[uBlock-user]

@gorhill Can you reproduce on dev build of Chromium ?

[gorhill]

I can reproduce with Google Chrome 73.0.3642.0.

Found this: https://bugs.chromium.org/p/chromium/issues/detail?id=827582#c25

So reportedly the Chromium devs are removing abilities from the webRequest API, as per AdGuard's @ameshkov:

1. Some headers can be neither inspected nor modified. I've been able to identify the following cases:
2. onBeforeSendHeaders: referer, cookie, accept-*

[gorhill]

As per this comment later in the thread, extensions interested in the above headers should use extraHeaders flag.

[uBlock-user]

What's the reason behind this sudden removal ?

[uBlock-user]

https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/vYIaeezZwfQ

Removal includes Referer too, but that works

Referrer is no longer spoofed either...

[uBlock-user]

@gorhill Adding extraHeaders at https://github.com/gorhill/uMatrix/blob/master/src/js/traffic.js#L513 and https://github.com/gorhill/uMatrix/blob/master/src/js/traffic.js#L520 fixes this. I downloaded the github build and added it myself and tested. Working as expected.

PR opened anyway - gorhill/uMatrix#1008 please review

Referrer --

Cookie --

[NuclearMachine]

This has not been fixed.

Cookies are still not blocked (am using ungoogled-chromium 72.0 compiled from here, I also do not have any other extensions installed).

Please remove the cookies column from the Umatrix interface until this has been fixed, its misleading to your users not to mention the false sense of security.

[uBlock-user]

Cookies are still not blocked (am using ungoogled-chromium 72.0 compiled from here, I also do not have any other extensions installed).

Upgrade to Chromium 74 or above and it will work.

[gorhill]

This has not been fixed.

You have to make the case this has not been fixed -- provide all details for people to reproduce.

[NuclearMachine]

You have to make the case this has not been fixed -- provide all details for people to reproduce.

Steps to Reproduce

1. Download the ungoogled chromium 72.0 binary packages from here:
   https://ungoogled-software.github.io/ungoogled-chromium-binaries/releases/debian/stretch_amd64/72.0.3626.122-3.stretch1

2. Install the following .deb packages in order: ungoogled-chromium-common, ungoogled-chromium, ungoogled-chromium-l10n, ungoogled-chromium-shell, ungoogled-chromium-driver, ungoogled-chromium.changes

3. Now that you have ungoogled chromium installed, enable developer mode in chrome://extensions (Google has blocked ungoogled-chromium from the webstore for obvious reasons). Drag and drop the latest 1.4.0 Umatrix CRX file. Go to the Umatrix settings and enable delete blocked cookies.

4. Try blocking any website's cookies, lets say google.com. After blocking google.com's cookies via the Umatrix my rules tab. Open google.com and enter the chrome settings page, you could still see google.com's cookies stored even when blocked.

Your environment
uMatrix version: 1.4.0
Chromium Version 72.0.3626.122 (Official Build), running on Devuan ascii/2.0 (64-bit)

[NuclearMachine]

Upgrade to Chromium 74 or above and it will work.

I have not tested this in Chromium 74, (I'll try later), however, in the Github release page, it is written that cookies should be fixed for 72+. Therefore @gorhill should update the release page to "should be fixed for 74+".

[gwarser]

4. Try blocking any website's cookies, lets say google.com. After blocking google.com's cookies via the Umatrix my rules tab. Open google.com and enter the chrome settings page, you could still see google.com's cookies stored even when blocked.

Work as intended?

https://github.com/uBlockOrigin/uMatrix-issues/wiki/Cookies

Blacklisted cookies are not prevented by uMatrix from entering your browser. However they are prevented from leaving your browser[1], which is what really matters. Not blocking cookies before they enter your browser gives you the opportunity to be informed that a site tried to use cookies, and furthermore to inspect their contents if you wish.

[uBlock-user]

After blocking google.com's cookies via the Umatrix my rules tab. Open google.com and enter the chrome settings page, you could still see google.com's cookies stored even when blocked.

Only outgoing cookies are blocked, so by-design, not a bug.

[gorhill]

You need to look at the logger, to find out whether the COOKIE header is removed. Use this page for testing: http://raymondhill.net/httpsb/httpsb-test-cookie-1.php.

[cnleo]

Sorry to say it, but the problem is back.

Happend in (Screenshots from Chrome):
Chrome Version 78.0.3904.87 (Offizieller Build) (64-Bit)
Vivaldi | 2.8.1664.44 (Stable channel) (32-bit) [like Chrome/77.0.3865.121]

[uBlock-user]

@cnleo That's because you're on older version of the addon -- 1.3.16, get 1.4.0.