SeaMonkey allows blocked sites to set cookies

[bitwyse]

Hi.
(Before I report a formal bug I would like to know if anyone has the same problem, or has an solution. Haven't found anything here with a search.)

SeaMonkey 2.53
My default cookie settings are: Initial server only, Session only.
I have a number of sites with cookie permission explicitly blocked.
Sometimes this seems to work, but other times SeaMonkey allows the site to set cookies anyway.
First I refuse the site's cookie authorisation request, which is ignored.
Then I delete them with the option to block checked and the permissions show that this has been registered, but the site can immediately set them again - sometimes quite a number.
(I never noticed this problem with previous versions <= 2.49)
Regards

[therube]

Don't really know about such things, but might it be a http: vs https: issue?

Or might an extension be interfering in some way?
(Test in a new, clean Profile.)

Website where you've blocked & are finding cookies for?

[TPR75]

I have a number of sites with cookie permission explicitly blocked.
Sometimes this seems to work, but other times SeaMonkey allows the site to set cookies anyway.

In your signature there is information about "Cookie exterminator" extension, right?

How will SeaMonkey work without that extension? Will cookies be blocked as they should for you?

I'm using outdated Cookie Monster 1.3.4.8 but I've made some tweaks to make it work with SeaMonkey 2.53.x. I didn't saw bad behavior with blocked cookies when using this extension. You can test it in other/new/test profile... if you dare to download such file:
viewtopic.php?p=14942967#p14942967

[bitwyse]

Hi

Don't really know about such things, but might it be a http: vs https: issue?

I don't think so, but it's worth investigating.
The vast majority of sites I visit use https now, and you can't choose.
Wouldn't be an excuse for letting blocked cookies through though...

Or might an extension be interfering in some way?
(Test in a new, clean Profile.)

Someone else suggested that too.
Possible - I'll give it a try.

Website where you've blocked & are finding cookies for?

Quite a number.
One example (a clear one): https://www.medisite.fr
Another (but very complicated): https://particulier.edf.fr/fr/accueil.html (Electricité de France). I have complained to the CNIL (Commission Nationale d'Informatique et des Libertés).
- they ask for your consent but completely ignore your choice (refuse all and you still get over 30 cookies).
- if you block their cookies you can't log in.

[bitwyse]

Hi.

In your signature there is information about "Cookie exterminator" extension, right?
How will SeaMonkey work without that extension? Will cookies be blocked as they should for you?

Yeah. I'll try without it.
But I don't think it's that: Cookies exterminator deletes automatically cookies already deposed when you close the page for a site, it doesn't block them.

Thanks for your suggestions.

[TPR75]

One example (a clear one): https://www.medisite.fr

I tested it a little and:
1) if SeaMonkey is set to refuse/block all cookies then nothing is saved/written in user's profile (Menu -> Tools -> Data Manage -> "medisite.fr" domain is not present) regardless of my choices on pop-up; but website is not usable because after every click cookie pop-up will show themself,

2) if I'll temporarily allow cookies (Cookie Monster function) and I'll block everything on pop-up:
a) "Refuser" on all options -> click "Voir nos partenaires" button -> "Bloquer" for all -> "Enregistrer" -> "Enregistrer"
b) In Data Manage I can see some saved cookies; there must be something otherwise website will not "know" what were user's choices.

And it's for "medisite.fr" domain only. They're using services from other domains (host, telemetry, advertisement, Google etc.). If your SeaMonkey profile is set to allow then you need to worry for more than one domain. With Cookie Monster I have better control but it's not perfect (by default "reject all" and I must manually set acceptance).

If you're worrying about cookies/privacy then you should know something about "browser fingerprint":
https://en.wikipedia.org/wiki/Device_fingerprint

[bitwyse]

Don't really know about such things, but might it be a http: vs https: issue?

You were right after all.
With the help of the suggestions here I found a known bug on Bugzilla. The cookie blocking API is broken (and not likely to be fixed).
Before you could just delete cookies with the "block future cookies" option ticked and it would block them for
- http://somesite.com
- http://www.somesite.com
- https://www.somesite.com
etc
but now it doesn't.
The cookie blocker only adds http and you have to manually add the https separately - and since most sites use https now, it is a major problem.
I haven't yet tested whether this always works, but at first sight it seems to.

Good guess!

Website where you've blocked & are finding cookies for?

To my previous list (medisite and EDF) I add https://pagesjaunes.fr (Yellow Pages)
These are the ones I have tested so far.

[TPR75]

The cookie blocker only adds http and you have to manually add the https separately - and since most sites use https now, it is a major problem.

That's why I like Cookie Monster - one of its functions is "Apply Cookie Setting for both HTTP and HTTPS"...

[bitwyse]

I tested it a little and:
1) if SeaMonkey is set to refuse/block all cookies then nothing is saved/written in user's profile (Menu -> Tools -> Data Manage -> "medisite.fr" domain is not present) regardless of my choices on pop-up; but website is not usable because after every click cookie pop-up will show themself,

You can use uBlock to stop the popups, but if they come from Didomi you need Behind the Overlay (revival) to get rid of the mask and restore the vertical slider it hides.
I got this to install in SeaMonkey, but its icon isn't visible.

2) if I'll temporarily allow cookies (Cookie Monster function) and I'll block everything on pop-up:
a) "Refuser" on all options -> click "Voir nos partenaires" button -> "Bloquer" for all -> "Enregistrer" -> "Enregistrer"
b) In Data Manage I can see some saved cookies; there must be something otherwise website will not "know" what were user's choices.

Thanks. My global cookie policy is
- session cooies only
- NO third party cookies (initial server only).
That usully works OK.
But you mentioned "nos partenaires" - and sometimes that's a list which goes over the bottom of the page. WIth sites like that I refuse ALL cookies. Unless there's an option to "Refuse all" I can't be bothered to deny 25 partners individually) And sometimes they continue to plant others anyway.
Sure, the site needs one cookie which tells it you have refused it's cookies - but you can't select just one to allow (which one)?

And it's for "medisite.fr" domain only. They're using services from other domains (host, telemetry, advertisement, Google etc.).

The other cookies that you mentioned still come from medisite.
I'm allergic to Google and all their sites that I know are blocked at the IP level using Acrylic DNS. There's no way they can set cookies directly - my machine simply cannot communicate with them (in either direction with the firewall as well). That includes
googlesyndication.com
googleanalytics.com
googletagmanager.com
googletagservices.com
googleusercontent.com
(all the 1e100 sites as well)

If you're worrying about cookies/privacy then you should know something about "browser fingerprint":

Yeah I know about fingerprints.
I use Canvas Defender in Firefox to block those ones but it isn't available for SeaMonkey. (I must try again to adapt it.)
DO NOT use the inbuilt canvas fingerprint blocker in SeaMonkey: it isn't fully developed and it's bugged. It will change your UserAgent string. That's something I do myself sometimes - but not to a version of "-1" like it does!

I'm not too worried. My computer runs 24h/24 and at the end of each day there isn't a single cookie.

[bitwyse]

That's why I like Cookie Monster - one of its functions is "Apply Cookie Setting for both HTTP and HTTPS"...

OK thanks, I'll give it a try.

[TPR75]

That's why I like Cookie Monster - one of its functions is "Apply Cookie Setting for both HTTP and HTTPS"...

OK thanks, I'll give it a try.

If you really do then don't give up after first contact.

User must manually ad its icon to Address Bar and not start SeaMonkey with blank page (at least not open a website in "zero" blank tab).

[bitwyse]

That's why I like Cookie Monster - one of its functions is "Apply Cookie Setting for both HTTP and HTTPS"...

OK thanks, I'll give it a try.

If you really do then don't give up after first contact.
User must manually ad its icon to Address Bar and not start SeaMonkey with blank page (at least not open a website in "zero" blank tab).

Thanks for the tip.

That is the problem I am having with "Behind the Overlay". No icon appears and there isn't one in the panel to personnalise the menu bar; nor any entry in the Tools menu. It doesn't have an Options panel where you could set that either.

[TPR75]

That is the problem I am having with "Behind the Overlay". No icon appears and there isn't one in the panel to personnalise the menu bar; nor any entry in the Tools menu. It doesn't have an Options panel where you could set that either.

This "Behind the Overlay" extension?
https://addons.mozilla.org/pl/firefox/a ... e_overlay/
It will not work with SeaMonkey because it's WebExtension. Sure, it could look like it was installed but in fact it's not functional.

If you're using uBlock Origin (Legacy) then it should be possible to block overlays:
https://www.reddit.com/r/uBlockOrigin/c ... _overlays/
... but I personally didn't checked this - uBO is in my test profile only (for unofficial beta from WG9s).