'remove-cookie' scriptlet sometimes does not work

[andris86]

Prerequisites

• I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
• This is NOT a YouTube, Facebook or Twitch report. These sites MUST be reported by clicking their respective links.
• This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
• The issue is not present after disabling uBO in the browser.
• I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

• uBO is the only extension.
• uBO uses default lists and settings.
• using a new, unmodified browser profile.

Description

remove-cookie scriptlet does not sometimes remove a cookie. At discovermagazine.com rule discovermagazine.com##+js(remove-cookie,kserv-session) does not work. Logger shows the scriptlet but it does not have any effect on the cookie kserv-session.

But on nautil.us this scriptlet works as expected. Rule nautil.us##+js(remove-cookie,arc) succesfully removes cookie called arc.

I checked on Brave, Edge and Firefox Nightly. Can reproduce this issue on all three browsers.

A specific URL where the issue occurs.

https://www.discovermagazine.com/mind/what-does-it-mean-to-be-an-ambivert

Steps to Reproduce

1. Add discovermagazine.com##+js(remove-cookie,kserv-session) rule to custom filter and add that filter to filter list or to user filters.
2. Open cookie list in browser devtools and put 'kserv-session' in filter so you can easily see what is happening with it.
3. Open discovermagazine.com. You can use article I linked or open any other article.
4. Logger shows that this scriptlet is correct and working but actually cookie called kserv-session was not removed. You can see in devtools that this cookie is still there.
5. Open other articles. This cookie still isn't removed.

Expected behavior

Cookie is removed.

Actual behavior

Cookie didn't get removed.

uBO version

1.58.0

Browser name and version

Brave Version 1.67.123 Chromium: 126.0.6478.126

Operating System and version

Windows 11 10.0.22631

[uBlock-user]

Despite the name, cookies are expired, not removed.

[stephenhawk8054]

kserv-session on that site is an HttpOnly cookie which cannot be removed by javascript

A cookie with the HttpOnly attribute can't be modified by JavaScript, for example using Document.cookie; it can only be modified when it reaches the server.

If you type document.cookie in the browser console, there's no kserv-session value.

[andris86]

I tried to remove AWSALBTG cookie using rule discovermagazine.com##+js(remove-cookie,AWSALBTG) but it didn't work and this cookie is not httponly.

[stephenhawk8054]

It depends on whether the site sets the cookie again after uBO removing it or not.

[D4niloMR]

When the modification of request headers is implemented, we should be able to remove kserv-session from the request header.

For AWSALBTG cookie, you can add discovermagazine.com##+js(remove-cookie, AWSALBTG, when, scroll)

[gorhill]

There is no guarantee the cookie is still removed after the scriptlet execute when the site keeps setting it -- there is no cookie-blocking API in the DOM. There is an experimental CookieChangeEvent but currently not available in Firefox -- so this may be used in the future when support is present for all browsers.