Unable to set-cookie with ;

[ryanbr]

Prerequisites

• This is NOT a YouTube, Facebook, Twitch or a shortener/hosting site report. These sites MUST be reported by clicking their respective links.
• I read and understand the policy about what is a valid filter issue.
• I verified that this issue is not a duplicate. (Use this button to find out.)
• I did not remove any of the default filter lists, or I have verified that the issue was not caused by removing any of the default lists.
• I did not enable additional filter lists, or I have verified that the issue still occurs without enabling additional filter lists.
• I do not have custom filters/rules, or I have verified that the issue still occurs without custom filters/rules.
• I am not using uBlock Origin along with other content blockers.
• I have verified that the web browser's built-in content blocker/tracking protection, network wide/DNS blocking, or my VPN is not causing the issue.
• I have verified that other extensions are not causing the issue.
• If this is about a breakage or detection, I have verified that it is caused by uBlock Origin and isn't a site issue.
• I did not answer truthfully to ALL the above checkboxes.

URL address of the web page

dach-shop24.de

Category

nuisance

Description

Trying to set-cookie to fix the cookie consent on dach-shop24.de for essential and external media only

Suggested rule:

! essential and external media only
dach-shop24.de##+js(trusted-set-cookie, datenschutz, 'a:4:{s:10:"essenziell";i:1;s:9:"statistik";s:1:"0";s:9:"marketing";s:1:"0";s:6:"medien";s:1:"1";}')

set-cookie stops on essenziell" in ignores the rest of the filter rule.

Other extensions used

N/A

Screenshot(s)

N/A

Configuration

N/A

[gwarser]

dach-shop24.de##+js(trusted-set-cookie, datenschutz, 'a%3A4%3A%7Bs%3A10%3A%22essenziell%22%3Bi%3A1%3Bs%3A9%3A%22statistik%22%3Bs%3A1%3A%220%22%3Bs%3A9%3A%22marketing%22%3Bs%3A1%3A%220%22%3Bs%3A6%3A%22medien%22%3Bs%3A1%3A%221%22%3B%7D')

---

With reload:

dach-shop24.de##+js(trusted-set-cookie, datenschutz, 'a%3A4%3A%7Bs%3A10%3A%22essenziell%22%3Bi%3A1%3Bs%3A9%3A%22statistik%22%3Bs%3A1%3A%220%22%3Bs%3A9%3A%22marketing%22%3Bs%3A1%3A%220%22%3Bs%3A6%3A%22medien%22%3Bs%3A1%3A%221%22%3B%7D',,, reload, 1)

---

; is a special character in cookie values. Use raw value, not what the dev tools shows in beautified form.

[gorhill]

Use raw value, not what the dev tools shows in beautified form.

For sake of convenience I think I will add detection of special characters in cookie name/value and encode with encodeURIComponent when detected.

[gorhill]

With reload

Right, I just tested the changes to automatically encode if needed and a reload was necessary for the cookie notice to go away.

[ryanbr]

Does this fix the option ; in the trusted-set-cookie example above?

[gorhill]

Yes, with the change, your original filter works, no need to encode as pointed out by @gwarser.

[JobcenterTycoon]

white.market##+js(trusted-set-cookie, cookie-consent, '{"required":true,"optional":false,"analytics":false}')

Doesn’t work as expected with uBlock Origin 1.56.1rc5 Firefox. Instead of

{"required":true,"optional":false,"analytics":false}

It set

%7B%22required%22%3Atrue%2C%22optional%22%3Afalse%2C%22analytics%22%3Afalse%7D

and this will make the filter failing.
Test site: https://white.market/

[gorhill]

As per RFC 6265 the characters ", should be encoded but apparently browsers don't care. I will prevent those characters from triggering encoding.

[stephenhawk8054]

I'm using 1.57.3b0. At this site, there's a newsletter popup when you first open: https://srajagopalan.substack.com/

I tried to set

srajagopalan.substack.com##+js(trusted-set-cookie, intro_popup_last_hidden_at, $currentDate$)

but it returns Wed%2C%2010%20Apr%202024%2007%3A49%3A18%20GMT.

When I use

srajagopalan.substack.com##+js(trusted-set-cookie, intro_popup_last_hidden_at, $currentISODate$)

it returns literal string $currentISODate$ (not the date as expected).

---

Would it be possible to have a vararg to determine when to encode the value? trusted-set-cookie is being used a lot, I'm afraid there could be more unseen bugs due to this change.

[gorhill]

$currentISODate$ is for set-local-storage-item only. RFC 7231 date is used for $currentDate$ in set-cookie.

I will exclude as a character requiring encoding since the browser does not seem to care about it.

[JobcenterTycoon]

@gorhill

Can’t set

hetzner.com##+js(set-cookie, __Secure-HO_Cookie_Consent_Declined, 1) firefox rejects the cookie.

Only a trusted set works

hetzner.com##+js(trusted-set-cookie, __Secure-HO_Cookie_Consent_Declined, 1)

[gorhill]

Because https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes:

__Secure- prefix: Cookies with names starting with __Secure- (dash is part of the prefix) must be set with the secure flag from a secure page (HTTPS).

The trusted-set-cookie automatically add the secure flag.

---

gorhill/uBlock@b4d8750: ; Secure will be automatically used when cookie names starts with __Secure- or __Host-.