javascript firefox mozilla firefox-addon-webextensions

How to delete a cookie through the Mozilla browser extensions api without knowing its url?


I'm currently writing a browser extension solely for Firefox. This extension reads all cookies of the current browser session, and then is supposed to delete only certain cookies. I'm using the Mozilla web extension cookie API for that.

Getting all cookies is relatively easy, which can be accomplished through using this with an empty object as an argument, like so: Browser.cookies.getAll({})

My problem is with deleting specific cookies. As the doc states, I need to provide the name and the URL of the cookie for the Browser.cookies.remove() function. But the cookie objects I get from the .getAll() function don't have a URL. They have a name, a domain, and whether they are HTTP or HTTPS (and other information which isn't relevant for this).
I can't recreate the url with that information because the domain is often just e.g. ".google.com", and after testing it, it seems that the Browser.cookies.remove() function doesn't support wildcards like "*.google.com".

To make sure I'm not testing a generally broken extension, I tried to delete cookies with their real url, which works great. But as soon as I don't know the exact url, there seems to be no way to delete them.
And yes, I have the correct permissions ("cookies","<all_urls>") and host_permissions ("<all_urls>").

Is this use case an absolute no go with this api, or why is it so hard to delete cookies without knowing their specific url?
(especially because the url must be present somewhere, otherwise the function could not check if it is correct...)


Solution

  • Finally, I found an answer to my question, and it was easier than I thought!

    Here is an example of the Chrome API for cookies, which is basically the same as the one from Firefox. On line 84, they determine if the URL has an HTTP or HTTPS in it:

    const protocol = cookie.secure ? 'https:' : 'http:';
    

    And on line 90 they craft the final URL with the protocol, the domain and the path:

    const cookieUrl = `${protocol}//${cookie.domain}${cookie.path}`;
    

    It should be noted that, from their description, I don't think the fields cookie.secure and cookie.httpOnly are meant to tell if the URL is HTTP or HTTPS. Apart from that, there is also no 100% guarantee that they are set correctly.
    Therefore I'm just trying to delete the specific cookies with HTTPS in its URL first, and after that with HTTP in it. One of these deletions will always fail, but the Browser.cookies.remove() function just gives you a null object back if it couldn't delete the cookie, which can be just ignored.

    The following is my final code, where currentCookie is the currently selected cookie in a foreach loop:

    // Try to remove the current cookie using an HTTPS URL
    Browser.cookies.remove({
        url: "https://"+currentCookie.domain+currentCookie.path,
        name: currentCookie.name
    }).then((cookie) => {
        if (cookie) {
            console.log(`Removed: ${cookie.name}`);
        }
    }).catch((error) => {
        console.error("Error removing cookie:", error);
    });
    
    // Try to remove the current cookie using an HTTP URL
    Browser.cookies.remove({
        url: "http://"+currentCookie.domain+currentCookie.path,
        name: currentCookie.name
    }).then((cookie) => {
        if (cookie) {
            console.log(`Removed: ${cookie.name}`);
        }
    }).catch((error) => {
        console.error("Error removing cookie:", error);
    });
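
An added example, not part of the answer above or of any project's code: one helper that turns a cookie object from getAll() into the details for cookies.remove() in Firefox, also copying storeId, firstPartyDomain and partitionKey so cookies in containers or under first-party isolation can match. The names removalCandidates and removeCookie, the api parameter (pass browser.cookies), stripping the leading dot, and trying the scheme suggested by cookie.secure first are assumptions of this sketch; the sample cookie is constructed.

```javascript
// `api` is the extension's cookies namespace (browser.cookies). It is passed
// in as a parameter (an assumption of this example) so the logic can also be
// exercised outside the browser with a stand-in object.

// Returns the details objects to try, in order. The scheme suggested by
// cookie.secure goes first, the other scheme is kept as a fallback.
function removalCandidates(cookie) {
  // Domain cookies are reported with a leading dot (".example.com");
  // strip it so the URL carries an ordinary hostname.
  const host = cookie.domain.startsWith(".") ? cookie.domain.slice(1) : cookie.domain;
  const schemes = cookie.secure ? ["https", "http"] : ["http", "https"];
  return schemes.map((scheme) => {
    const details = { url: `${scheme}://${host}${cookie.path}`, name: cookie.name };
    // Copy the keys that scope a cookie to a container, a first-party
    // domain or a partition, when getAll() reported them.
    for (const key of ["storeId", "firstPartyDomain", "partitionKey"]) {
      if (cookie[key] !== undefined && cookie[key] !== null) details[key] = cookie[key];
    }
    return details;
  });
}

// Resolves to what cookies.remove() returned for the first candidate that
// matched, or to null when no candidate removed anything.
async function removeCookie(api, cookie) {
  for (const details of removalCandidates(cookie)) {
    const removed = await api.remove(details);
    if (removed) return removed;
  }
  return null;
}

// Constructed sample input, shaped like one entry from cookies.getAll({}).
const sampleCookie = {
  name: "sid", domain: ".example.com", path: "/app", secure: true,
  storeId: "firefox-default", firstPartyDomain: "",
};
```

Inside the extension this would be called as `removeCookie(browser.cookies, cookie)` for each cookie selected from the getAll() result.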