mirror of
https://github.com/gorhill/uMatrix.git
synced 2024-06-02 18:34:52 +12:00
improve explanaition
rkoe
parent
3d19842475
commit
b7959cb0e1
42
Cookies.md
42
Cookies.md
|
|
@ -1,4 +1,17 @@
|
|||
uMatrix "blocks" cookies are somehow different than other cookie blockers. The explaination can be found in the "Delete blocked cookies." help text in the uMatrix-Dashboard:
|
||||
uMatrix mainly blocks outgoing connections/outgoing data; it does not block incoming data. It's important to understand this concept to understand uMatrix cookie-handling:
|
||||
|
||||
- All incoming cookies are accepted and stored (no matter if they are allowed or blocked by uMatrix).
|
||||
|
||||
So, you can see all received cookies in your browsers cookie-list. This also makes it possible for uMatrix to show which site wanted to set cookies and how many it wanted to set (which wouldn't be possible if uMatrix would "reject" all cookies).
|
||||
- But uMatrix prevents these cookies from leaving the browser.
|
||||
|
||||
So, if you block cookies by uMatrix, a server which has set a cookie cannot read the cookie again -- and so, the cookie is blocked.
|
||||
|
||||
- You can tell uMatrix to automatically delete "blocked" cookies (option "Delete blocked cookies"). Then, uMatrix will periodically (~every 2 minutes) delete all blocked cookies from the browser.
|
||||
|
||||
If you don't enable this option, "blocked" cookies may be stored in your browser for a long time.
|
||||
|
||||
An explaination can also be found in the "Delete blocked cookies." help text in the uMatrix-Dashboard:
|
||||
|
||||
> Blacklisted cookies are not prevented by uMatrix from entering your browser. However they are prevented from leaving your browser, which is what really matters. Not blocking cookies before they enter your browser gives you the opportunity to be informed that a site tried to use cookies, and furthermore to inspect their contents if you wish.
|
||||
|
||||
|
|
@ -6,18 +19,27 @@ uMatrix "blocks" cookies are somehow different than other cookie blockers. The e
|
|||
|
||||
> **Important note:** Extensions can make web requests during the course of their normal operation. These requests can result in cookies being created in the browser. If the hostname from where a cookie originate is not whitelisted, the cookie will be removed from the browser by uMatrix if this option is checked. So be sure that the hostname(s) with which an extension communicate is whitelisted.
|
||||
|
||||
So, if you "block" cookies via uMatrix, they are accepted at first (so uMatrix can inform you about the cookies, and you can view the cookies), but uMatrix prevents them from being read. These cookies can be automatically deleted by enabling the option "Delete blocked cookies.". Note that these cookies are currently deleted every ~2 minutes (for performance reasons, so that all cookies can be deleted at once and not every cookie needs to be deleted individually).
|
||||
----
|
||||
|
||||
Note that this kind of "cookie-read-blocking" can have some side-effects:
|
||||
Note that this kind of "cookie-blocking" can have some side-effects on 3rd-party-cookies:
|
||||
|
||||
- The cookies are not really blocked/rejected, but stored, and you can view them e.g. in your browsers cookie-list.
|
||||
- If you don't enable "Delete blocked cookies.", these "blocked" cookies may be stored in your browser for a long time.
|
||||
- 3rd-party-cookies are also stored, if the request (image/script/frame/...) to the 3rd-party-page is allowed (no matter if cookies are blocked or not).
|
||||
- If you allow cookies on a site (e.g. example.com), be aware that this site could then also read the example.com-3rd-party-cookies of other sites, no matter if you blocked these 3rd-party-cookies or not.
|
||||
- If you allow requests to 3rd-party-pages (e.g. allow 3rd-party-images, -scripts, -frames etc.), these sites can also send you cookies which are then stored in the browser (no matter if cookies are allowed or blocked by uMatrix). So, you'll also see these 3rd-party-cookies in your browsers cookie-list.
|
||||
|
||||
If you don't want to store 3rd-party-cookies and don't want that websites could read their cookies from 3rd-party-pages, you should disable 3rd-party-cookies in your browsers preferences.
|
||||
But of course, uMatrix blocks these cookies from being sent back to the server (unless you allowed it).
|
||||
|
||||
If you want to block cookies, so they are not stored at all (unless allowed), you should use an additional cookie-blocker-addon.
|
||||
- If you allow cookies for a site, the server of this site may also read it's own 3rd-party-cookies, which were set on other sites -- even if they were blocked.
|
||||
|
||||
Since this is tricky to understand, here's an example:
|
||||
|
||||
- Assuming, you have blocked all cookies with uMatrix, and allowed images from 3rd-party-pages.
|
||||
- Now, you visit somepage.example, which includes an image from socialnetwork.example.
|
||||
- socialnetwork.example sends the image to your browser, and adds a cookie.
|
||||
This (3rd-party-)cookie is stored in your browser, but not sent back to any server (since uMatrix blocks this).
|
||||
- Then, you go to socialnetwork.example, and allow cookies (e.g. because you want to log in).
|
||||
- socialnetwork.example can now read the (blocked 3rd-party-)cookie, which was set on somepage.example.
|
||||
|
||||
If you don't like this behaviour, it's probably best to disable 3rd-party-cookies in you browser preferences.
|
||||
|
||||
----
|
||||
|
||||
-------
|
||||
See also: https://github.com/gorhill/uMatrix/issues/252, https://github.com/gorhill/uMatrix/issues/316
|
||||
|
|
|
|||
Loading…
Reference in a new issue