Open Bug 1473412 Opened 7 years ago Updated 1 year ago

Cannot delete cookies that do not have a domain, set by local file:-URLs

Categories

(WebExtensions :: General, defect, P3)

Product:
WebExtensions
Component:
General
Version:
60 Branch
Platform:
x86_64
Linux
Type:
defect

Tracking

(Not tracked)

People

(Reporter: ysard_git, Unassigned)

References

Details

(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0 Build ID: 20180621125625 Steps to reproduce: I am an extension developer who tried to build a cookie manager (https://github.com/ysard/cookie-quick-manager). - Go to http://www.whatarecookies.com/cookietest.asp or similar; this will create a cookie: { domain: "www.whatarecookies.com" expirationDate: 1530738610 firstPartyDomain: "whatarecookies.com" hostOnly: true httpOnly: false name: "dta" path: "/" secure: false session: false storeId: "firefox-default" value: "vcount%3D0%2Cprev%3D1530737410081" } - Save the webpage on the hard drive of the computer. - Open the .html file in the browser. - Try to get all cookies : browser.cookies.getAll({storeId: "firefox-default", firstPartyDomain: null}) - In the list of cookies you will find one or more cookies without a domain name. For my example: { domain: "" expirationDate: 1530738859 firstPartyDomain: "" hostOnly: true httpOnly: false name: "dta" path: "/home/Lex/Bureau/" secure: false session: false storeId: "firefox-default" value: "vcount%3D0%2Cprev%3D1530737659639" } - Try to delete it: var cookie = { firstPartyDomain: "" name: "dta" storeId: "firefox-default" url: "" }; browser.cookies.remove(cookie).then((cookie) => { console.log({"Removed:": cookie}); }); or with the "real" url: var cookie = { firstPartyDomain: "" name: "dta" storeId: "firefox-default" url: "http:///home/my_name/Bureau/" }; - Try to add it: browser.cookies.set(cookie); Actual results: When we try to delete the cookie, the promise returns "null", and the cookie is still in the store. When we try to add the cookie, we get an error object with the message "An unexpected error occurred". When we try to delete the cookie via about:preferences#privacy, the cookie is still here, after a refresh of the cookie list. Expected results: The cookie should at least be able to be removed from the cookie store. Thanks for the feedback.
Version: 61 Branch → 60 Branch
Summary: Cookies created from then a web page saved on the hard disk have no domain and can not be deleted. Neither the API nor Firefox itself. → Cookies created from then a web page saved on the hard disk have no domain and can not be deleted. Neither via the API nor Firefox itself.
For the necko folks: I think this makes sense to start with the last item under "Actual results" in the original report -- not being able to delete cookies without a domain from about:preferences. I suspect that if that can be addressed, deleting such cookies from the webextension API will get fixed at the same time.
Component: General → Networking: Cookies
Product: WebExtensions → Core
Summary: Cookies created from then a web page saved on the hard disk have no domain and can not be deleted. Neither via the API nor Firefox itself. → Cannot delete cookies that do not have a domain
Priority: -- → P2
Whiteboard: [necko-triaged]
Hello, I come to the news, since 3 months are there changes planned about this bug?
(In reply to ysard from comment #2) > Hello, I come to the news, since 3 months are there changes planned about > this bug? Hi reporter, I've tried to reproduce this with your addon. Please take a look at [1]. We need either a real domain or a url to get the host of the cookie, and then you can delete the cookie at [2]. So, the problem is that there is no cookie returns from the query function. Note that I've also tried to delete the cookies without a domain from about:preferences#privacy and it actually worked. If you still can't, please provide me the detailed steps for reproducing. Thanks. [1] https://searchfox.org/mozilla-central/rev/eac6295c397133b7346822ad31867197e30d7e94/toolkit/components/extensions/parent/ext-cookies.js#193-211 [2] https://searchfox.org/mozilla-central/rev/eac6295c397133b7346822ad31867197e30d7e94/toolkit/components/extensions/parent/ext-cookies.js#401-402
Flags: needinfo?(ysard_git)

First of all, I'm sorry for the response time I completely forgot this issue.

Then, actually I managed to delete these cookies from about:preferences#privacy, it is a reporting error and I'm sorry about that.

However, the problem of deleting from the web-ext cookies API seems very real.

Let's design this html page to save somewhere and open it in Firefox:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
</head>
<body>
    <p>hello world</p>
<script>
document.cookie = "username=John Doe; expires=Thu, 31 Dec 2031 12:00:00 UTC; path=/";
document.cookie = "useralias=JohnDoe";
</script>
</body>
</html>

it creates 2 cookies with empty domains whose description is as returned by browser.cookies.getAll():

domain: ""
expirationDate: 1956484800
firstPartyDomain: ""
hostOnly: true
httpOnly: false
name: "username"
path: "/"
sameSite: "no_restriction"
secure: false
session: false
storeId: "firefox-default"
value: "John Doe"

domain: ""
firstPartyDomain: ""
hostOnly: true
httpOnly: false
name: "useralias"
path: "/poc/"
sameSite: "no_restriction"
secure: false
session: true
storeId: "firefox-default"
value: "JohnDoe"

The API described on this page: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies/remove
does not allow me to specify an unexpected property like "domain".

Here is the error:

"Error removing / saving cookie:": Error: "Type error for parameter details (Unexpected property" domain ") for cookies.remove."

It also does not allow me to specify an empty url to delete these famous cookies, let's take the following code:

let cookie = {
    firstPartyDomain: "",
    name: "username",
    storeId: "firefox-default",
    url: "http:///",
};
let cookie = {
    firstPartyDomain: "",
    name: "username",
    storeId: "firefox-default",
    url: "",
};

browser.cookies.remove(cookie).then((deleted_cookie) => {
    console.log({"Removed:": deleted_cookie});
});

Actual result from the console:

"Object { Removed: null }"

But as you said, and as the documentation says: "If a cookie matching the details parameter could not be found, the promise is fulfilled with null."

So, my question is: What value am I supposed to set to the "url" property for browser.cookie.remove() to find my cookie and agree to delete it?

Thanks.

Flags: needinfo?(ysard_git)
OS: Unspecified → Linux
Hardware: Unspecified → x86_64

To clarify a point:
I am also unable to delete these cookies from the devtools/storage tool.

Thanks.

document.cookie = "username=John Doe; expires=Thu, 31 Dec 2031 12:00:00 UTC; path=/";
document.cookie = "useralias=JohnDoe";

This operation should create 2 cookies with valid domain and firstPartyDomain values.
Is this page exposed via web-extension? or is it a normal http request?

Flags: needinfo?(ysard_git)

Not sure this is an actual firefox bug. I could delete locally created cookies by specifying an adjusted url:

function getCookieRemoveURL(cookie) {
    if (cookie.domain.length === 0)
        return `file://${cookie.path}`;
    const rawDomain = cookie.domain.startsWith(".") ? cookie.domain.substr(1) : cookie.domain;
    return (cookie.secure ? "https://" : "http://") + rawDomain + cookie.path;
}

This seems to be more a web-extension issue. Luca, do you mind to take a look?

Flags: needinfo?(lgreco)

(In reply to Andrea Marchesini [:baku] from comment #8)

This seems to be more a web-extension issue. Luca, do you mind to take a look?

Cookies created from file urls does have an empty host property internally (which becomes an empty domain property when the cookies API implementation translates from the representation used internally in firefox into the one expected from this API), and the cookies API requires the caller to set an url in the calls to browser.cookies.remove (along with name).

Currently these cookies created from file urls should be successfully removed by computing the file:// url (e.g. as suggested by Lusito in comment 7, but I haven't checked yet if the computed file url has to be different on the Windows platform), and I verified that this is actually the case.

I also quickly gave it a try on Chrome (to evaluate chrome compatibility issues related to this behavior, especially if we will agree to apply some changes to make it clearer than it is right now), but it seems that the cookies created the file urls are not being listed at all.

In my opinion a reasonable fix would be to compute the url that we expect internally and return it as the url property of the cookie details returned by the cookies API, this would allow the extensions to remove these cookies by just using the url got from the API itself.

I'm moving this issue to the WebExtensions::General component, and I'm clearing its priority to re-triage it as a WebExtensions API bug.

Component: Networking: Cookies → General
Flags: needinfo?(ysard_git)
Flags: needinfo?(lgreco)
Priority: P2 → --
Product: Core → WebExtensions
Priority: -- → P3
Severity: normal → S3

Hello there,
If you are unable to delete cookies.
You can try these steps
Open browser settings
Locate the security section
Access the cookies settings
Identify the cookies without domain
Then delete that
I hope this is helpful for you

Even if an extension has access to file:-URLs, it is unable to set such cookies because the implementation rejects anything other than http/https, at https://searchfox.org/mozilla-central/rev/2c61e59a48af27c100c2dd2756b5efad573dbc71/toolkit/components/extensions/parent/ext-cookies.js#142

The fact that cookies from file:/// does not have a domain is mentioned at bug 209964.

Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → 209964
Summary: Cannot delete cookies that do not have a domain → Cannot delete cookies that do not have a domain, set by local file:-URLs
You need to log in before you can comment on or make changes to this bug.