Block All Cookies in shields doesn't truly block all cookies

[srirambv]

Description

Block All Cookies in shields doesn't truly block all cookies

Steps to Reproduce

1. Start with a clean profile on 0.53.2 with default global settings
2. Visit a site and change Cookie setting to Block all Cookies in shields
3. Wait for the page to reload, click on the connection info, popup shows Cookies (x in use) (x is number of cookies in used, varies from site to site)
4. Open Settings->Privacy->Content Settings-> Cookies -> toggle to blocked
5. Reload the page from step 3 and click on the connection info, popup shows Cookies (0 in use)

Actual result:

Chrome vs Brave

Expected result:

Shields settings should override the global settings for Cookies.

Reproduces how often:

100% on all sites

Brave version (about:brave info)

0.52.3

Reproducible on current release:

N/A

Website problems only:

• Does the issue resolve itself when disabling Brave Shields?
• Is the issue reproducible on the latest version of Chrome?

Additional Information

#402 #226
cc: @bbondy @bridiver @diracdeltas

[bbondy]

Can reproduce on https://www.cnet.com/

[ltilve]

I have been digging into the issue, and on how all the cookies were being blocked and was a bit confused because all the functionality seemed that it should be working as expected.

Once the shield flag was changed and the view was reloaded, there were just a subset of the Cookies shown as (in use) on the connection details. Once the tab was closed and reopened all were blocked as they should. While all the header management for the cookies was seeming to be correctly working, the elements that were not blocked were duplicate, and had been set directly with a direct document.cookie JS call.

So I will be ensuring from the extension instead that it gets cleaned after enabling the Block All Cookies shield flag.

[bbondy]

I'm going to move this to 1.x because I think it is working as expected, but it just doesn't clear already existing cookies.

[diracdeltas]

I think this should block the releasable builds milestone since it's a privacy bug. Users who select 'block all cookies' from shields would expect it to not send any cookies.

[bbondy]

I think Yan wanted in Releasable builds milestone and not 1.0, so bumping it up there.

[ltilve]

So I have been investigating this a bit more, but haven't been able to get a fix for it. The problem seems to be happening with just the uncleaned cookies set as commented, for the case of etherscan.io on just on cflb.

However, as commented this is only affecting the tab reload happening called from the extension changing the setting (or manually reloading the tab). If the tab is closed and recreated, the bubble shows correctly just all the blocked cookies.

I had been trying but wasn't able to fix it by manually calling a js script from the extension to cleanup that tab content when the combo option was modified but couldn't manage to have it working. On the other hand, I was still digging on what settings/content/cookie flag could be doing differently, and how that could eventually have different behaviour on TabSpecificContentSettings.

[diracdeltas]

i think this should not have been auto-closed

[diracdeltas]

[probably related, but not a blocker] - appears that turning on the 'allow all cookies' switch doesn't allow all cookies either. STR:

1. go to https://www.whatismybrowser.com/detect/are-third-party-cookies-enabled
2. it should say 3p cookies are blocked
3. switch the cookie setting in shields to 'allow all'
4. the page reloads and still shows 3p cookies blocked