forget-me-not: Cookie rules don't apply to all cookies on the domain

When I add a rule to Forget Me Not, it doesn’t seem to apply to all cookies from that domain. This is making it impossible to log in to sites like Yahoo Mail.

Steps to reproduce:

  1. Clear the Forget Me Not log.
  2. Create a rule for *.yahoo.com. My rule is set to “Forget”.
  3. Go to mail.yahoo.com
  4. Look at the Forget Me Not log.

What I expect to see are a couple of domains listed with cookies that are allowed. What I actually see is a cookie that was allowed from login.yahoo.com and a blocked cookie from yahoo.com AS. I suspect that the issue lies with the AS that shows up after the domain. I’ve also seen T, NID, and CGIC after domains, but I have no idea what they mean. I tried looking at the source code, but that didn’t shed any light on it either. What do those letters after the domain mean?

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 30 (15 by maintainers)

Most upvoted comments

The same problem happened for me on LinkedIn. The server actually sends separate Set-Cookie headers for every cookie, but for some reason the parseSetCookieHeader function receives multiple cookies separated by line feeds, like this:

KEY1=VAL1; Path=/\nKEY2=VAL2; Path=/; Domain=.www.linkedin.com\nlang=v=2&lang=en-us; Path=/; Domain=linkedin.com\nKEY3=\"VAL3\"; domain=.linkedin.com; Path=/; Expires=Sun, 07-Feb-2021 21:12:53 GMT\nKEY4=\"VAL4\"; domain=.www.linkedin.com; Path=/; Secure; Expires=Sun, 07-Feb-2021 21:12:53 GMT; HttpOnly\nKEY5=\"VAL4\"; Expires=Sat, 09 Feb 2019 09:33:06 GMT; domain=.linkedin.com; Path=/

This breaks the matching for the domain and also discards the rest of the cookies. For example, the matched domain will be .www.linkedin.com\nlang instead of .www.linkedin.com, and KEY2 to KEY5 are not extracted either. I’m testing directly on the latest develop branch on Firefox Developer Edition 66.0b5; I just modified the npm-run-all version to ^4.1.5 to fix this error:

npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz
npm ERR! 404 
npm ERR! 404  'event-stream@3.3.6' is not in the npm registry.
npm ERR! 404 Your package name is not valid, because 
npm ERR! 404  1. name can only contain URL-friendly characters
npm ERR! 404 It was specified as a dependency of 'forget-me-not-web-extension-builder'
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:

So, my research says that in a deprecated standard for the Set-Cookie header, it was allowed to set multiple cookies in one Set-Cookie header. This is not allowed anymore, but some gateways may do this to compress HTTP headers in order to reduce data. Since, on my end, Yahoo sends me multiple Set-Cookie headers instead of one, I can only assume that your gateway is doing this.

Obviously, even though the gateway should be fixed, I will have to add a fix for FMN as well (since others might have this issue). I will try to implement a fix for this for the next version, but maybe you can check your router to see if there is some kind of header compression in place, for a quick fix.
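
An added example, not part of the thread and not Forget Me Not's own code: one way to handle a Set-Cookie value that arrives with several cookies joined by line feeds, so that each cookie is matched against its own domain. The helper names `parseOneCookie` and `parseCombinedSetCookie` are hypothetical, and the sample value is constructed from the one quoted in the comment above.

```javascript
// Added example: helper names are hypothetical, not Forget Me Not's code.
// Constructed sample, modelled on the header value quoted in the thread.
const SAMPLE_HEADER = [
  'KEY1=VAL1; Path=/',
  'KEY2=VAL2; Path=/; Domain=.www.linkedin.com',
  'lang=v=2&lang=en-us; Path=/; Domain=linkedin.com',
  'KEY3="VAL3"; domain=.linkedin.com; Path=/; Expires=Sun, 07-Feb-2021 21:12:53 GMT',
].join('\n');

// Parse a single cookie definition. Returns null when the name is missing
// or the Domain attribute contains whitespace/control characters, which
// is what an unsplit multi-cookie value looks like.
function parseOneCookie(line, requestHost) {
  const parts = line.split(';').map((p) => p.trim());
  const pair = parts.shift();
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1), // keeps any further '=' in the value
    domain: requestHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: cookie is bound to the request host
  };
  for (const attr of parts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key !== 'domain' || val === '') continue;
    if (/[\x00-\x20\x7f]/.test(val)) return null; // corrupted domain: refuse
    cookie.domain = val.replace(/^\./, '').toLowerCase();
    cookie.hostOnly = false;
  }
  return cookie;
}

// Split on line feeds only (Expires dates contain commas), then parse each.
function parseCombinedSetCookie(headerValue, requestHost) {
  return headerValue
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line !== '')
    .map((line) => parseOneCookie(line, requestHost))
    .filter((cookie) => cookie !== null);
}

const cookies = parseCombinedSetCookie(SAMPLE_HEADER, 'www.linkedin.com');
console.log(cookies.map((c) => `${c.name} -> ${c.domain}`));
```

Passing the unsplit value straight to `parseOneCookie` returns null, because the Domain attribute then contains a line feed; a rule is never matched against a domain string with another cookie's name glued onto it.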