Cookies exceptions whitelisting not working

[cafevincent]

Operating system: Windows 11
Browser version: 33.4.0.1
32-bit or 64-bit browser?: 64-bit
Problem URL: All
Browser theme (if not default): Dark Moon 2.7.2
Installed add-ons: 11 but all disabled
Installed plugins: (about:plugins): none

If possible, please include the output of help->troubleshooting information (as text):

Application Basics
------------------

Name: Pale Moon
Version: 33.4.0.1 (64-bit)
Build ID: 20241008161345
Update Channel: release
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Goanna/6.7 Firefox/102.0 PaleMoon/33.4.0.1
OS: Windows_NT 10.0
CPU Capabilities: SSE2 AVX AVX2
Safe Mode: false

Extensions
----------

Name: Add As Search Engine
Version: 1.0
Enabled: false
ID: {92FCD001-8329-489A-8FEA-10BC98E0435F}

Name: Auto Text Link
Version: 1.1.2
Enabled: false
ID: {b3f27d28-3472-485f-9a52-8edb46e684ee}

Name: Decentraleyes
Version: 1.4.3
Enabled: false
ID: jid1-BoFifL9Vbdl2zQ@jetpack

Name: Extended Statusbar
Version: 2.1.2
Enabled: false
ID: {daf44bf7-a45e-4450-979c-91cf07434c3d}

Name: I don't care about cookies
Version: 3.5.0
Enabled: false
ID: jid1-KKzOGWgsW3Ao4Q@jetpack

Name: PDF Viewer
Version: 2.3.240
Enabled: false
ID: pdf.js-seamonkey@lakora.us

Name: Searchbar like Findbar
Version: 2.0
Enabled: false
ID: searchbarlikefindbar@rmmaniac

Name: Statusbar Date & Time
Version: 1.0.010
Enabled: false
ID: {b06f550f-4b27-428e-8493-5f52523eaae3}

Name: Statusbar Organizer
Version: 2.1.0
Enabled: false
ID: {10205942-a0e8-4264-971a-5a0e21851af7}

Name: Swarth
Version: 1.1.0
Enabled: false
ID: swarth@franklindm

Name: uBlock Origin
Version: 1.16.6b1
Enabled: false
ID: uBlock0@raymondhill.net

Graphics
--------

Features
Compositing: Direct3D 11
GPU Accelerated Windows: 1/1 Direct3D 11 (OMTC)
Asynchronous Pan/Zoom: none
WebGL 1 Driver WSI Info: EGL_VENDOR: Google Inc. (adapter LUID: 000000000000c764) EGL_VERSION: 1.4 (ANGLE 2.1.0.) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_stream_producer_d3d_texture_nv12 EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses
WebGL 1 Driver Renderer: Google Inc. -- ANGLE (NVIDIA GeForce RTX 4060 Direct3D11 vs_5_0 ps_5_0)
WebGL 1 Driver Version: OpenGL ES 2.0 (ANGLE 2.1.0.)
WebGL 1 Driver Extensions: GL_OES_element_index_uint GL_OES_packed_depth_stencil GL_OES_get_program_binary GL_OES_rgb8_rgba8 GL_EXT_texture_format_BGRA8888 GL_EXT_read_format_bgra GL_NV_pixel_buffer_object GL_OES_mapbuffer GL_EXT_map_buffer_range GL_EXT_color_buffer_half_float GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_float GL_OES_texture_float_linear GL_EXT_texture_rg GL_EXT_texture_compression_dxt1 GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_OES_compressed_ETC1_RGB8_texture GL_EXT_sRGB GL_ANGLE_depth_texture GL_OES_depth32 GL_EXT_texture_storage GL_OES_texture_npot GL_EXT_draw_buffers GL_EXT_texture_filter_anisotropic GL_EXT_occlusion_query_boolean GL_NV_fence GL_EXT_disjoint_timer_query GL_EXT_robustness GL_EXT_blend_minmax GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_pack_reverse_row_order GL_OES_standard_derivatives GL_EXT_shader_texture_lod GL_EXT_frag_depth GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_EXT_discard_framebuffer GL_EXT_debug_marker GL_OES_EGL_image GL_OES_EGL_image_external GL_NV_EGL_stream_consumer_external GL_EXT_unpack_subimage GL_NV_pack_subimage GL_OES_vertex_array_object GL_KHR_debug GL_ANGLE_lossy_etc_decode GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_sync_query GL_CHROMIUM_copy_texture
WebGL 1 Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_frag_depth EXT_shader_texture_lod EXT_texture_filter_anisotropic EXT_disjoint_timer_query MOZ_debug_get OES_element_index_uint OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_etc1 WEBGL_compressed_texture_s3tc WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context MOZ_WEBGL_lose_context MOZ_WEBGL_compressed_texture_s3tc MOZ_WEBGL_depth_texture
WebGL 2 Driver WSI Info: EGL_VENDOR: Google Inc. (adapter LUID: 000000000000c764) EGL_VERSION: 1.4 (ANGLE 2.1.0.) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_stream_producer_d3d_texture_nv12 EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses
WebGL 2 Driver Renderer: Google Inc. -- ANGLE (NVIDIA GeForce RTX 4060 Direct3D11 vs_5_0 ps_5_0)
WebGL 2 Driver Version: OpenGL ES 3.0 (ANGLE 2.1.0.)
WebGL 2 Driver Extensions: GL_OES_element_index_uint GL_OES_packed_depth_stencil GL_OES_get_program_binary GL_OES_rgb8_rgba8 GL_EXT_texture_format_BGRA8888 GL_EXT_read_format_bgra GL_NV_pixel_buffer_object GL_OES_mapbuffer GL_EXT_map_buffer_range GL_EXT_color_buffer_half_float GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_float GL_OES_texture_float_linear GL_EXT_texture_rg GL_EXT_texture_compression_dxt1 GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_OES_compressed_ETC1_RGB8_texture GL_EXT_sRGB GL_ANGLE_depth_texture GL_OES_depth32 GL_EXT_texture_storage GL_OES_texture_npot GL_EXT_draw_buffers GL_EXT_texture_filter_anisotropic GL_EXT_occlusion_query_boolean GL_NV_fence GL_EXT_disjoint_timer_query GL_EXT_robustness GL_EXT_blend_minmax GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_pack_reverse_row_order GL_OES_standard_derivatives GL_EXT_shader_texture_lod GL_EXT_frag_depth GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_EXT_discard_framebuffer GL_EXT_debug_marker GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_EGL_image_external_essl3 GL_NV_EGL_stream_consumer_external GL_EXT_unpack_subimage GL_NV_pack_subimage GL_EXT_color_buffer_float GL_OES_vertex_array_object GL_KHR_debug GL_ANGLE_lossy_etc_decode GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_sync_query GL_CHROMIUM_copy_texture GL_EXT_texture_norm16
WebGL 2 Extensions: EXT_color_buffer_float EXT_texture_filter_anisotropic EXT_disjoint_timer_query MOZ_debug_get OES_texture_float_linear WEBGL_compressed_texture_etc WEBGL_compressed_texture_etc1 WEBGL_compressed_texture_s3tc WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_lose_context MOZ_WEBGL_lose_context MOZ_WEBGL_compressed_texture_s3tc
Hardware H264 Decoding: Yes; Using D3D11 API
Audio Backend: wasapi
Direct2D: true
DirectWrite: true (10.0.26100.2161)
GPU #1
Active: Yes
Description: NVIDIA GeForce RTX 4060
Vendor ID: 0x10de
Device ID: 0x2882
Driver Version: 32.0.15.6590
Driver Date: 9-26-2024
Drivers: C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_ea7f458f0e49497d\nvldumdx.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_ea7f458f0e49497d\nvldumdx.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_ea7f458f0e49497d\nvldumdx.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_ea7f458f0e49497d\nvldumdx.dll C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_ea7f458f0e49497d\nvldumd.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_ea7f458f0e49497d\nvldumd.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_ea7f458f0e49497d\nvldumd.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_ea7f458f0e49497d\nvldumd.dll
Subsys ID: 00000000
RAM: 8188

Diagnostics
AzureCanvasAccelerated: 0
AzureCanvasBackend: direct2d 1.1
AzureContentBackend: direct2d 1.1
AzureFallbackCanvasBackend: cairo





Important Modified Preferences
------------------------------

accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 0
browser.cache.disk.smart_size.enabled: false
browser.cache.disk.smart_size.first_run: false
browser.cache.disk.smart_size.use_old_max: false
browser.download.folderList: 2
browser.download.importedFromSqlite: true
browser.places.smartBookmarksVersion: 4
browser.startup.homepage: https://www.tori.fi/recommerce/forsale/ ... 8.110091.2
browser.startup.homepage_override.buildID: 20241008161345
browser.startup.homepage_override.mstone: 6.7.0
dom.disable_window_status_change: true
extensions.lastAppVersion: 33.4.0.1
general.useragent.updates.lastupdated: 1730674238136
gfx.crash-guard.d3d11layers.appVersion: 33.4.0.1
gfx.crash-guard.d3d11layers.deviceID: 0x2882
gfx.crash-guard.d3d11layers.driverVersion: 32.0.15.6590
gfx.crash-guard.d3d11layers.feature-d2d: true
gfx.crash-guard.d3d11layers.feature-d3d11: true
gfx.crash-guard.status.d3d11layers: 2
gfx.crash-guard.status.d3d11video: 2
media.av1.enabled: true
network.cookie.cookieBehavior: 2
network.cookie.lifetimePolicy: 2
network.cookie.prefsMigrated: true
network.dns.disablePrefetch: true
places.database.lastMaintenance: 1730675836
places.history.enabled: false
places.history.expiration.transient_current_max_pages: 44111
privacy.clearOnShutdown.connectivityData: true
privacy.clearOnShutdown.offlineApps: true
privacy.clearOnShutdown.passwords: true
privacy.cpd.connectivityData: true
privacy.cpd.offlineApps: true
privacy.cpd.siteSettings: true
privacy.GPCheader.enabled: true
privacy.sanitize.migrateFx3Prefs: true
privacy.sanitize.sanitizeOnShutdown: true
services.sync.declinedEngines:
storage.vacuum.last.index: 0
storage.vacuum.last.places.sqlite: 1730675836
ui.osk.debug.keyboardDisplayReason: IKPOS: Touch screen not found.

Important Locked Preferences
----------------------------

Places Database
---------------

JavaScript
----------

Incremental GC: true

Accessibility
-------------

Activated: false
Prevent Accessibility: 1

Library Versions
----------------

NSPR
Expected minimum version: 4.35
Version in use: 4.35

NSS
Expected minimum version: 3.90.4
Version in use: 3.90.4

NSSSMIME
Expected minimum version: 3.90.4
Version in use: 3.90.4

NSSSSL
Expected minimum version: 3.90.4
Version in use: 3.90.4

NSSUTIL
Expected minimum version: 3.90.4
Version in use: 3.90.4

I found this browser because it seems to be the only way to refuse all cookies with a whitelist, except that I can't get it to work. I have "allow sites to store cookies and data" set to disabled, and only the sites I want to log in to set to "allow for session" in exceptions, like "imdb.com". I have plenty of sites in the whitelist, but none are saving any cookies so I can't log in anywhere, forcing me to use an other browser as a playground for those sites. I am desperate to figure this out. It does not matter if I have "always use private browsing mode" on or not, the cookies still refuse to appear.

[suzyne]

I don't have an answer, but instead an additional question related to this because I wonder what "exact address" means?



Does this mean identical in full, or is it just the base URL? In other browsers, I have noticed that a wildcard can be included for exceptions. But in Pale Moon it is not clear to me how it works. (And sorry, I haven't taken the time to experiment, to try and figure it out.) For example, if I add:

https://imdb.com/

as an Allow exception, does that include any data or cookies stored for:

https://m.imdb.com/

Or is that not how cookies work? I am wondering if this might be related to the original question of why a whitelist doesn't appear to be working?

[moonbat]

Does this mean identical in full, or is it just the base URL?

The former.

[suzyne]

When I sign into Outlook the URL of the login page is https://login.live.com/ but once I am in Outlook proper the web page is https://outlook.live.com/ so I wonder if both would need to be added as Allows so that I stay logged in when using a whitelist? Because if it is identical in full then https://live.com/ wouldn't be sufficient?

I think in Edge I put something like [*.]live.com and that covers everything.

[moonbat]

I went through my exception list and seems you're right, the base domain suffices. I only have one entry for live.com and google.com and have no problems signing into either.

[kreemoweet]

I have "allow sites to store cookies and data" set to disabled, and only the sites I want to log in to set to "allow for session" in exceptions, like "imdb.com". I have plenty of sites in the whitelist, but none are saving any cookies so I can't log in anywhere

Just allowing session cookies would not allow for preserving login information. By definition, session cookies are discarded when the browser is closed.
Automatic logins require persistent (non-session) cookies. Your logins with most websites will last for quite a while, even if you close the tab and/or
navigate away from the page, as long as you don't close your browser session.

[cafevincent]

I have "allow sites to store cookies and data" set to disabled, and only the sites I want to log in to set to "allow for session" in exceptions, like "imdb.com". I have plenty of sites in the whitelist, but none are saving any cookies so I can't log in anywhere

Just allowing session cookies would not allow for preserving login information. By definition, session cookies are discarded when the browser is closed.
Automatic logins require persistent (non-session) cookies. Your logins with most websites will last for quite a while, even if you close the tab and/or
navigate away from the page, as long as you don't close your browser session.

I don't want want persistent logins, just to be able to log in for a session. My cookies are not saved at all according to my whitelist which should be well configured as far as I can tell.

[BopBe]

I believe the protocol is needed as well for SSL webistes, e.g. https://imdb.com, otherwise if you only type the domain (imdb.com) in the cookie whitelist inputbox, it'll default to http (the non-secure variant) and it won't work.

[Goodydino]

Just allowing session cookies would not allow for preserving login information. By definition, session cookies are discarded when the browser is closed.
Automatic logins require persistent (non-session) cookies. Your logins with most websites will last for quite a while, even if you close the tab and/or
navigate away from the page, as long as you don't close your browser session.

Persistent cookies will last when the browser is shut down. It is just the session cookies that disappear when the browser closes.

[cafevincent]

I believe the protocol is needed as well for SSL webistes, e.g. https://imdb.com, otherwise if you only type the domain (imdb.com) in the cookie whitelist inputbox, it'll default to http (the non-secure variant) and it won't work.

Entering https://imdb.com did not resolve the issue. Cookies still missing.

[suzyne]

The idea of a "whitelist" where everything not on the list is cleared I have not tried in Pale Moon before.

Is this a valid set of options?



When I have it set this way, when I sign into IMDB, and then exit from Pale Moon and go back to the site I am logged out.

Because it doesn't work the way I would expect it to, I must not be understanding what it means to have Always use private browsing mode and Allow sites to store cookies and site data on at the same time, and how that interacts with the Exceptions?

[Moonchild]

"Always use private browsing mode" will not store anything permanently. It uses in-memory storage only. That is the whole point of private browsing -- it's for local data security, i.e. after you close the browser there won't be anything left indicating what you browsed to. That includes cookies. While you allow the cookies to be set in your session with these settings, i.e. it will not block them, it will not write them to your profile.

[cafevincent]

Oh I see. There is no function to block cookies from being saved, only an option to autodelete when closing. This is my problem. There seems to be no browser or no extension on the planet to refuse the cookies using a whitelist (or better yet: temporarily allow a tab to set cookies, wherever forwarded) to allow online back functionality etc. At least no solution that works. How do people handle security properly then? This amazes me.

[JayByrd]

Oh I see. There is no function to block cookies from being saved, only an option to autodelete when closing. This is my problem. There seems to be no browser or no extension on the planet to refuse the cookies using a whitelist (or better yet: temporarily allow a tab to set cookies, wherever forwarded) to allow online back functionality etc. At least no solution that works. How do people handle security properly then? This amazes me.

How about "Cookie Masters?" This extension does exactly what you claim to want... It even has the "temporarily allow" functionality you mention...

[back2themoon]

Better yet, Cookies Exterminator.

[back2themoon]

Is there a way (an extension, really) to selectively allow 3rd-party cookies? I gave Cookie Masters a try, but it didn't seem to detect and allow this.

The attempt was to allow disqus.com (= the 3rd-party) in this website. (efsyn.gr - example article with disqus comments section on bottom)

[Gemmaugr]

Is there a way (an extension, really) to selectively allow 3rd-party cookies? I gave Cookie Masters a try, but it didn't seem to detect and allow this.

The attempt was to allow disqus.com (= the 3rd-party) in this website. (efsyn.gr - example article with disqus comments section on bottom)

I use eMatrix (https://addons.palemoon.org/addon/ematrix/) for that. I have Disqus globally blocked, but allowed on some sites as an exception.

[back2themoon]

That's a good suggestion, thanks.

I thought setting that website to Allow would be enough (either in Permissions Manager or Cookies exceptions - same thing essentially), but I guess I was wrong. Perhaps these exceptions/permissions are not meant for 3rd-party cookies.

edit: I always used "Accept 3rd-party from visited" (which doesn't require the above exception) but perhaps it's time to make things stricter. And maybe "from visited" is opening a can of worms? (Google etc.)

[sunchild]

Private Browsing + Cookies would be the ideal setup for me. I'm pretty sure that a lot of people don't notice that the Keep Until part of it is greyed out. Maybe add a message saying that the cookies will be deleted when the browser is closed. Or even better, enable the Keep Until setting which is more intuitive and gives more control to the user.

[Moonchild]

Private Browsing + Cookies would be the ideal setup for me.

It's not possible. they are literally, by definition, in contradiction.
Private browsing mode is privacy for the local system. It does not make your web visits private to the outside world. Many people get this wrong. Private browsing will prevent anyone from finding out what you visited on your system by not storing anything locally. When you close a private browsing window, anything in that window's session will be thrown out because that is literally what using private browsing mode is.
Storing cookies outside of that window's session/on disk would obviously break local privacy as someone could see you have visited what you have in your private window by seeing the cookies left behind.