This repository was archived by the owner on Sep 19, 2020. It is now read-only.

Cookies missing on very first request if website has service worker with fetch event handler #155

@steffenweber

Prerequisites

  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue
  • This is not a support issue or a question
    • Support issues and questions are handled at /r/uMatrix
  • I tried to reproduce the issue when...
    • uMatrix is the only extension
    • uMatrix with default lists/settings
    • using a new, unmodified browser profile
  • I am running the latest version of uMatrix
  • I checked the documentation to understand that the issue I report is not a normal behavior
  • I used the logger to rule out that the issue is caused by my ruleset

Description

If a website has a service worker with a non-trivial "fetch" event handler (i.e. it doesn't just do nothing but uses the Fetch API to return a response) then the very first request to a website is sent without any cookies. (For more details on service workers in general see the MDN docs Using Service Workers.)

I've tested with uMatrix 1.3.16 and 1.3.17rc0 on Firefox 66.0.5, Firefox 68.0b2 and Firefox Nightly.

A specific URL where the issue occurs

https://www.computerbase.de/

Steps to Reproduce

  1. Open https://www.computerbase.de/ to initialize the service worker and to get a "service-worker-init-date" cookie (any cookie would do)
  2. In the same tab, open any other website, for example https://www.google.com/
  3. In the same tab, open https://www.computerbase.de/ again

What I'd expect to happen: The GET request for https://www.computerbase.de/ should have the "service-worker-init-date" cookie set.

What actually happens: The GET request for https://www.computerbase.de/ is sent without any cookies (as can be seen in the "Network" tab of the Firefox developer tools).

Notice that if you now click on any local link (or reload the page) then the cookies are sent. It's just the very first request that is sent without cookies.

The issue goes away if I either uninstall/disable uMatrix or if I delete the "fetch" event handler from the computerbase.de service worker (I'm the admin of computerbase.de). It seems like the very first request is somehow treated in a special way and gets stripped of all cookies by uMatrix.

This issue affects the login cookies of computerbase.de and was reported to me in a private conversation by one of our users (nickname "Whistl0r") and then discussed in a little more detail here: https://www.computerbase.de/forum/threads/login-probleme-seit-14-mai-der-aktive-benutzer-hat-sich-geaendert.1872153/page-2

Ruleset

I have tested with a fresh Firefox profile and have not changed the default configuration of Firefox or uMatrix in any way. These are the contents of the "My rules" tab in the uMatrix settings:

https-strict: behind-the-scene false
matrix-off: about-scheme true
matrix-off: behind-the-scene true
matrix-off: chrome-extension-scheme true
matrix-off: chrome-scheme true
matrix-off: moz-extension-scheme true
matrix-off: opera-scheme true
matrix-off: vivaldi-scheme true
matrix-off: wyciwyg-scheme true
noscript-spoof: * true
referrer-spoof: * true
referrer-spoof: behind-the-scene false
* * * block
* * css allow
* * frame block
* * image allow
* 1st-party * allow
* 1st-party frame allow

Supporting evidence

Screenshot showing that there is no "Cookie" header when following the "Steps to Reproduce":
Screenshot from 2019-05-20 15-15-05-fs8

Screenshot showing that there is a "Cookie" header if you reload the page or click on any local link:
Screenshot from 2019-05-20 15-45-30-fs8

Your environment

  • uMatrix version: 1.3.16 / 1.3.17rc0
  • Browser Name and version: Firefox 66.0.5 / 68.0b2 / Nightly
  • Operating System and version: Gentoo Linux (x86_64)
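Added example, not part of the original issue report: a Node.js check that scans a HAR export of the Network tab for the symptom described above, a request sent without a `Cookie` header to a host that already used cookies earlier in the same capture. The sample capture, the cookie value `x` and the `favicon.ico` request are constructed; cookie matching is simplified to exact hostnames.

```javascript
// Added example (not from the issue): scan a HAR export for requests that carry
// no Cookie header although the same host already used cookies in the capture.
// Assumption: cookies are tracked per exact hostname; Domain, Path, Secure and
// expiry attributes are ignored, so treat findings as leads, not proof.
const headerValues = (headers, name) =>
  (headers || []).filter((h) => h.name.toLowerCase() === name).map((h) => h.value);

const cookieNames = (values, separator) =>
  values.flatMap((v) => v.split(separator))
    .map((part) => part.split("=")[0].trim()).filter(Boolean);

function findCookielessRequests(har) {
  const known = new Map(); // hostname -> Set of cookie names seen so far
  const findings = [];
  const entries = [...har.log.entries].sort(
    (a, b) => new Date(a.startedDateTime) - new Date(b.startedDateTime)
  );
  for (const { request, response, startedDateTime } of entries) {
    const host = new URL(request.url).hostname;
    if (!known.has(host)) known.set(host, new Set());
    const names = known.get(host);
    const sent = headerValues(request.headers, "cookie");
    if (names.size > 0 && sent.length === 0) {
      findings.push({ url: request.url, startedDateTime, expected: [...names].sort() });
    }
    // Learn names from what the browser sent and from what the server set.
    const set = headerValues(response && response.headers, "set-cookie");
    for (const n of [...cookieNames(sent, ";"), ...cookieNames(set, "\n")]) names.add(n);
  }
  return findings;
}

// Constructed capture that mirrors the issue's "Steps to Reproduce".
const entry = (sec, url, cookie, setCookie) => ({
  startedDateTime: `2019-05-20T15:15:0${sec}Z`,
  request: { url, headers: cookie ? [{ name: "Cookie", value: cookie }] : [] },
  response: { headers: setCookie ? [{ name: "Set-Cookie", value: setCookie }] : [] },
});
const SITE = "https://www.computerbase.de/";
const COOKIE = "service-worker-init-date=x"; // constructed value
const SAMPLE_HAR = { log: { entries: [
  entry(1, SITE, null, null),                   // step 1: first visit, no cookie yet
  entry(2, SITE + "favicon.ico", COOKIE, null), // constructed: cookie now in use
  entry(3, "https://www.google.com/", null, null), // step 2: other website
  entry(4, SITE, null, null),                   // step 3: sent without cookies
  entry(5, SITE, COOKIE, null),                 // reload: cookies are sent
] } };

console.log(findCookielessRequests(SAMPLE_HAR));
```

Requests that legitimately omit credentials will also be listed, so each finding needs a look at the request itself.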

Labels: external (an external factor is involved), fixed (issue has been addressed)
