Greasemonkey: Feature Request: cookie api

Created on 7 Sep 2013  ·  8Comments  ·  Source: greasemonkey/greasemonkey

I propose a cookie api. The motivation is to remove the "NID" cookie at google.com to reduce tracking, while leaving the "PREF" cookie intact. The problem with document.cookie is that it is only shows the "PREF" cookie and nothing else, since the "NID" cookie belongs to ".google.com". Firefox also doesn't seem to support this functionality natively, and is only to disable on a per-domain basis.
Some api, possibly with restrictions to which domains can be accessed, will be helpful in this case.

picture simonzack

Most helpful comment

I've run into a few situations where I'd like to do cookie manipulation that document.cookie wasn't sufficient for, also. There's a lot of things to consider for how to do this well...

picture arantius on 4 Aug 2016
👍4

All 8 comments

The NID is not visible in document.cookie because it is httponly=true. I bet you can override it with your own dummy value though.

arantius picture arantius on 8 Sep 2013

I could override it on the current domain, but not on the google.com domain. So I believe that this can still be considered, since cookies are often used to track users.

simonzack picture simonzack on 8 Sep 2013

Can this issue be re-opened? Even if I were to override the cookie, there is, say, no way to list cookies on the current page. Userscript access to http cookies can solve this, say for example by using a GM_cookie() api.

simonzack picture simonzack on 12 Sep 2013

Of course it can in theory. But Greasemonkey's philosophy for some time now has been to embrace the forward progress the web itself has been making as a platform, to encourage usage of "HTML5" APIs and discourage custom APIs (grandfathering some in). A strong case would help.

(IMO sites don't use HttpOnly by accident, it is an intentionally implemented security feature. So the case would probably be hard to make. And nothing stops you from making a site specific extension if you need access to lower-level APIs and are willing to be Firefox only as a result.)

arantius picture arantius on 12 Sep 2013

Sorry for commenting in such old issue.

I bet you can override it with your own dummy value

I tried it and seems like it's not possible. While browser keeps some cookie with HttpOnly flag, you can't neither access nor overwrite it from JS.

A strong case would help

Not sure how strong such case is, but I need to remove cookie from userscript in order to avoid meaningless redirection at one specific site. And currently it's not possible because it is set by serverside with HttpOnly flag.

Kagami picture Kagami on 19 Mar 2016

I'll put up a weak example scenario. I'm scripting on a page on which there is a whole host of cookies. One cookie causes the entire website to render differently due to some weird design choice; the cookie is set by logging into a certain part of the website without the ability to logout anywhere. Given this cookie is set with an httponly flag I cannot fix using the standard document.cookie method. It would be nice to have a GM_cookie or something similar to be able to set/override/delete cookies that are otherwise protected via httponly.

bombledmonk picture bombledmonk on 4 Aug 2016
👍1

I've run into a few situations where I'd like to do cookie manipulation that document.cookie wasn't sufficient for, also. There's a lot of things to consider for how to do this well...

arantius picture arantius on 4 Aug 2016
👍4

I propose to look here (only at one example):
https://dxr.mozilla.org/mozilla-central/source/devtools/shared/gcli/commands/cookie.js
(nsICookieManager2)

janekptacijarabaci picture janekptacijarabaci on 4 Aug 2016
Was this page helpful?
0 / 5 - 0 ratings

Related issues

arantius picture arantius  ·  6Comments
darkred picture darkred  ·  5Comments
eradrix picture eradrix  ·  14Comments
kitor picture kitor  ·  8Comments
moham96 picture moham96  ·  7Comments