I propose a cookie API. The motivation is to remove the "NID" cookie at google.com to reduce tracking, while leaving the "PREF" cookie intact. The problem with document.cookie is that it only shows the "PREF" cookie and nothing else, since the "NID" cookie belongs to ".google.com". Firefox also doesn't seem to support this functionality natively, and is only able to disable cookies on a per-domain basis.
Some api, possibly with restrictions to which domains can be accessed, will be helpful in this case.
The NID is not visible in document.cookie because it is httponly=true. I bet you can override it with your own dummy value though.
I could override it on the current domain, but not on the google.com domain. So I believe that this can still be considered, since cookies are often used to track users.
Can this issue be re-opened? Even if I were to override the cookie, there is, say, no way to list cookies on the current page. Userscript access to http cookies can solve this, say for example by using a GM_cookie() api.
Of course it can in theory. But Greasemonkey's philosophy for some time now has been to embrace the forward progress the web itself has been making as a platform, to encourage usage of "HTML5" APIs and discourage custom APIs (grandfathering some in). A strong case would help.
(IMO sites don't use HttpOnly by accident, it is an intentionally implemented security feature. So the case would probably be hard to make. And nothing stops you from making a site specific extension if you need access to lower-level APIs and are willing to be Firefox only as a result.)
Sorry for commenting on such an old issue.
I bet you can override it with your own dummy value
I tried it and it seems like it's not possible. While the browser keeps a cookie with the HttpOnly flag, you can neither access nor overwrite it from JS.
A strong case would help
Not sure how strong such a case is, but I need to remove a cookie from a userscript in order to avoid a meaningless redirection at one specific site. And currently it's not possible because it is set by the server side with the HttpOnly flag.
I'll put up a weak example scenario. I'm scripting on a page on which there is a whole host of cookies. One cookie causes the entire website to render differently due to some weird design choice; the cookie is set by logging into a certain part of the website without the ability to logout anywhere. Given this cookie is set with an httponly flag I cannot fix using the standard document.cookie method. It would be nice to have a GM_cookie or something similar to be able to set/override/delete cookies that are otherwise protected via httponly.
I've run into a few situations where I'd like to do cookie manipulation that document.cookie wasn't sufficient for, also. There's a lot of things to consider for how to do this well...
I propose to look here (only at one example):
https://dxr.mozilla.org/mozilla-central/source/devtools/shared/gcli/commands/cookie.js
(nsICookieManager2)
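Added example, not part of the thread or of Greasemonkey's code: a simplified JavaScript model of the RFC 6265 cookie-store rules behind the behaviour discussed above, where an HttpOnly cookie is hidden from document.cookie and cannot be replaced or expired by script. CookieJar, its method names and the cookie values are constructed for illustration; paths, expiry times and the Secure flag are ignored.

```javascript
// Simplified model of the RFC 6265 storage rules relevant to this thread.
// CookieJar and its methods are illustrative names, not a browser API.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  static key(name, domain) { return `${domain}|${name}`; }

  // Does a cookie scoped to `domain` apply to a page on `host`?
  static domainMatch(host, domain) {
    return host === domain || host.endsWith("." + domain);
  }

  // Set-Cookie response header: may create or replace any cookie.
  setFromHttp(name, value, domain, httpOnly = false) {
    this.cookies.set(CookieJar.key(name, domain), { name, value, domain, httpOnly });
  }

  // document.cookie = "...": a "non-HTTP API" in RFC 6265 terms.
  // Returns true if the jar changed; maxAge <= 0 is a delete request.
  setFromScript(host, name, value, domain = host, maxAge = 1) {
    if (!CookieJar.domainMatch(host, domain)) return false; // foreign domain
    const k = CookieJar.key(name, domain);
    const existing = this.cookies.get(k);
    if (existing && existing.httpOnly) return false; // cannot replace or expire
    if (maxAge <= 0) return this.cookies.delete(k);
    this.cookies.set(k, { name, value, domain, httpOnly: false });
    return true;
  }

  // Reading document.cookie: HttpOnly cookies are filtered out.
  readFromScript(host) {
    return [...this.cookies.values()]
      .filter(c => CookieJar.domainMatch(host, c.domain) && !c.httpOnly)
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed sample: PREF is script-visible, NID is HttpOnly (values are made up).
function demo() {
  const jar = new CookieJar();
  jar.setFromHttp("PREF", "constructed-pref", "google.com");
  jar.setFromHttp("NID", "constructed-nid", "google.com", true);
  return {
    visible: jar.readFromScript("www.google.com"),
    overwrite: jar.setFromScript("www.google.com", "NID", "dummy", "google.com"),
    remove: jar.setFromScript("www.google.com", "NID", "", "google.com", 0),
    stillStored: jar.cookies.has(CookieJar.key("NID", "google.com")),
  };
}
```

In this model a script-set NID without a Domain attribute is stored as a separate host-only cookie, which is why overriding "on the current domain" appears to work while the HttpOnly cookie on google.com stays untouched.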