Opened 7 years ago

Last modified 2 years ago

#8132 assigned defect

[CHROME] Cookies rewriting infinite loop w/ Keep MORE|MY opt-outs installed

Reported by: dtauerbach Owned by: dtauerbach
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Normal Keywords:
Cc: kjd Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Forked from This is to track the issue of HTTPS Everywhere writing secure cookies and KMOO presumably re-writing insecure cookies, leading to an infinite loop. I do not believe that this is related to the core CPU issue in ticket 6613.

Change History (5)

comment:1 Changed 7 years ago by dtauerbach

Owner: changed from pde to dtauerbach
Status: new → assigned

comment:2 Changed 7 years ago by dtauerbach

Looking at the code, it seems KMOO uses "url" (with scheme) instead of "domain" to decide whether to regenerate a cookie:

If this extension used domain instead, then I think that would avoid the infinite loop we're seeing.

comment:3 Changed 7 years ago by dtauerbach

Actually I think the issue is that HTTPS Everywhere removes and regenerates cookies with secure flag set. KMOO catches the removal of the insecure cookie and creates another insecure cookie, which HTTPS E catches, removes and regenerates.

comment:4 Changed 7 years ago by dtauerbach


"As a special case, note that updating a cookie's properties is implemented as a two step process: the cookie to be updated is first removed entirely, generating a notification with "cause" of "overwrite". Afterwards, a new cookie is written with the updated values, generating a second notification with "cause" "explicit"."

HTTPS Everywhere is calling chrome.cookies.set() and KMOO has an onChanged handler seeing that an (insecure) cookie is being deleted and trying to recreate it.

I think we need KMOO to change its behavior for this to work by checking for any valid version of a cookie before attempting to re-create it. I will point Mike West to this thread.
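
The loop described in comments 3 and 4, and the check proposed in comment 4, as an added JavaScript simulation (not code from HTTPS Everywhere, KMOO or Chrome). The in-memory store and the names `makeStore`, `securer`, `naiveKeeper`, `checkedKeeper` and `simulate` are assumptions made for illustration.

```javascript
// Minimal in-memory model of the chrome.cookies behaviour quoted above (constructed, not Chrome code).
function makeStore() {
  const jar = new Map(), listeners = [], queue = [];
  return {
    listeners,
    get: (name) => jar.get(name),
    set(cookie) {
      const old = jar.get(cookie.name);
      jar.set(cookie.name, cookie);
      // Updating an existing cookie = removal ("overwrite") followed by a write ("explicit").
      if (old) queue.push({ removed: true, cause: "overwrite", cookie: old });
      queue.push({ removed: false, cause: "explicit", cookie });
    },
    // Deliver queued notifications; stop after `budget` events so a loop is observable.
    drain(budget) {
      let delivered = 0;
      while (queue.length && delivered < budget) {
        const ev = queue.shift();
        delivered++;
        listeners.forEach((fn) => fn(ev));
      }
      return { delivered, pending: queue.length };
    },
  };
}

// Stand-in for the secure-cookie rewriter: re-set any insecure cookie with secure=true.
const securer = (store) => (ev) => {
  if (!ev.removed && !ev.cookie.secure) store.set({ ...ev.cookie, secure: true });
};
// Stand-in for the opt-out keeper as described in the ticket: re-create on every removal.
const naiveKeeper = (store) => (ev) => {
  if (ev.removed) store.set({ ...ev.cookie, secure: false });
};
// Proposed behaviour: re-create only when no version of the cookie exists any more.
const checkedKeeper = (store) => (ev) => {
  if (ev.removed && !store.get(ev.cookie.name)) store.set({ ...ev.cookie, secure: false });
};

function simulate(keeper, budget = 200) {
  const store = makeStore();
  store.listeners.push(securer(store), keeper(store));
  store.set({ name: "optout", value: "1", secure: false }); // constructed sample cookie
  return { ...store.drain(budget), cookie: store.get("optout") };
}
```

With `naiveKeeper` the event queue never empties and the run stops only at the budget; with `checkedKeeper` it settles after three notifications with the secure cookie in place.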

comment:5 Changed 2 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
