[support request] Unblockable cookie consent

[iam-py-test]

What do you need support with?

The issue is an unblocked cookie consent redirect on derstandard.de. The website uses a 302 redirect so I have been unable to find a solution.
This domain was found in uBlockOrigin/uAssets#8680

• Have you checked the wiki?

[iam-py-test]

The website uses a cookie to tell if the user has agreed, but there is no way to test for that & it is done on the server side

[krystian3w]

May need write someting like custom resource for scriptlets, but add to uBO avanced settings is on own risk.

JS Penguin ideas with guard:

https://github.com/NanoAdblocker/NanoFilters/blob/master/NanoFilters/NanoResources.txt#L283 nanop-click-elements-onready.js
https://github.com/NanoAdblocker/NanoFilters/blob/master/NanoFilters/NanoResources.txt#L307 nanop-click-elements-onload.js
https://github.com/NanoAdblocker/NanoFilters/blob/master/NanoFilters/NanoResources.txt#L330 nanop-easy-set-cookie.js
https://github.com/NanoAdblocker/NanoFilters/blob/master/NanoFilters/NanoResources.txt#L361 nanop-set-cookie.js

In the past this was scriplet to bake cookies: https://github.com/uBlock-user/uBO-Scriptlets/blob/master/scriptlets.js (possible found in history of commits uBlockO/uBO-Scriptlets@3d1f485#diff-43445a624a2a315ea751bb6ac30f2a3f1ddecbcf35a249af3d493d9fdcddb578).

[iam-py-test]

May need write someting like custom resource for scriptlets, but add to uBO avanced settings is on own risk.

JS Penguin ideas with guard:

https://github.com/NanoAdblocker/NanoFilters/blob/master/NanoFilters/NanoResources.txt#L283 nanop-click-elements-onready.js
https://github.com/NanoAdblocker/NanoFilters/blob/master/NanoFilters/NanoResources.txt#L307 nanop-click-elements-onload.js
https://github.com/NanoAdblocker/NanoFilters/blob/master/NanoFilters/NanoResources.txt#L330 nanop-easy-set-cookie.js
https://github.com/NanoAdblocker/NanoFilters/blob/master/NanoFilters/NanoResources.txt#L361 nanop-set-cookie.js

In the past this was scriplet to bake cookies: https://github.com/uBlock-user/uBO-Scriptlets/blob/master/scriptlets.js (possible found in history of commits uBlock-user/uBO-Scriptlets@3d1f485#diff-43445a624a2a315ea751bb6ac30f2a3f1ddecbcf35a249af3d493d9fdcddb578).

@krystian3w thanks.
I don't know much about scriptlets, but will try to implement this.
How would I have my list add the scriptlet, or would the user have to do something?

[krystian3w]

User must perform these steps:

• open uBO pop-up and panel settings
• enabled advanced settings ("I am advanced user")
• added cutom resource into userResourcesLocation
• save and now subscribe your project with scriptlet to click/bake needed cookies.

[iam-py-test]

I am a bit busy but will look into this later

[iam-py-test]

It works. Let me make a filter for it...

[iam-py-test]

Added a possible fix in 3855390
It works for me, but can you test?
You will have to install https://github.com/iam-py-test/my_filters_001/blob/main/anti-cookie%2Bsign%20up_extention.txt plus add my fix to the user scripts (fix here:https://github.com/iam-py-test/Assets-001/blob/main/script.js )

There is something weird where it only works when JavaScript & inline scripts are enabled on the page.
I tested on another device & once I allowed inline JS it worked

[krystian3w]

Austria maybe have similar pop-up 🇦🇹 (derstandard.at). But need a little other values.

On my device works with derstandard.de 🇩🇪.

Scriptlets need remove rules:
no-scripting: www.derstandard.de true

and filters like:
derstandard.*$script,inline-script
$script,domain=derstandard.*

(these block "CMP" script to load and second can block more - 3p requests to load js)

[iam-py-test]

I will look into the other domains tomorrow.

[iam-py-test]

@krystian3w it seems that the cookie-set is not applied. (maybe problem on my end)
Does the following get rid of the redirect:

www.derstandard.at##+js(clog,tester001)
www.derstandard.at##+js(cs,_sp_v1_consent,1!1:1:1:0:0:0)
www.derstandard.at##+js(cs,_sp_v1_opt,1:login|true:last_id|11:)
www.derstandard.at##+js(cs,tcfs,1)
www.derstandard.at##+js(cs,privacyWallReferrer,null)
www.derstandard.at##+js(cs,DSGVO_ZUSAGE_V1,true)
www.derstandard.at##+js(cs,MGUID,GUID=1f4bf0d8-85cb-4052-8b70-c869410e5d76&Timestamp=2021-06-24T12:05:23&DetectedVersion=&Version=&BIV=1&Hash=B65E2EAA40D38B8E398AD1556F1A3B00)
www.derstandard.at##+js(cs,consentUUID,4748711d-428a-4fef-b3e2-3247acb586ff)
www.derstandard.at##+js(cs,_sp_v1_uid,1:724:aa1735e1-bdbb-4189-8dd4-ad7b584c061e)
www.derstandard.at##+js(cs,_sp_v1_data,2:335457:1624536730:0:2:0:2:0:0:_:-1)
www.derstandard.at##+js(cs,_sp_v1_ss,1:H4sIAAAAAAAAAItWqo5RKimOUbLKK83J0YlRSkVil4AlqmtrlXSGk7JoYtTHkmIQiJEHYhjg1ofbwFgAuNVQ-YUBAAA%3D)
www.derstandard.at##+js(cs,_sp_v1_csv,null)
www.derstandard.at##+js(cs,_sp_v1_lt,1:)

[iam-py-test]

Do the filters work?

[krystian3w]

No works on derstandard.at or page is sensitive to disabled security.csp.enable | false.

I don't know if it might not be useful to have a scriptlet that checks the value of existing cookies as the current one doesn't overwrite nevertheless.

[iam-py-test]

Odd. Wonder if I can use $csp to disable their blocking

[iam-py-test]

Is www.derstandard.at$document,csp=script-src 'unsafe-inline' * fix the problem?
I am in the U.S. if that means anything.
I can get through if I just click the accept button though.
I can get aopr to work with or without the $csp, so maybe it is a problem with the cookie scriptlet

[iam-py-test]

I disabled csp via about:config & it still does not work.
I wonder why?

[krystian3w]

I disabled csp via about:config & it still does not work.

Firefox config with false for security.csp.enable exclude use fixes based on $csp / $inline-script, maybe too unable use new clog.js (I no checked code that your scriptlet).

If I undo this change "security.csp.enable" it still rather doesn't work, supposedly for using custom .user.js for Firefox interface I have to use:
pref("general.config.obscure_value", 0);
pref("general.config.sandbox_enabled", false);
break something?

[iam-py-test]

I disabled csp via about:config & it still does not work.

Firefox config with false for security.csp.enable exclude use fixes based on $csp / $inline-script, maybe too unable use new clog.js (I no checked code that your scriptlet).

If I undo this change "security.csp.enable" it still rather doesn't work, supposedly for using custom .user.js for Firefox interface I have to use:
pref("general.config.obscure_value", 0);
pref("general.config.sandbox_enabled", false);
break something?

Ok. Will test.
Also, the original domain is now redirecting me to its cookie consent.
Maybe they are detecting my ip and blocking it...

[krystian3w]

Try with any free VPN?

[iam-py-test]

Try with any free VPN?

Do you think TOR would work ok?

[iam-py-test]

Tried over TOR & it still did not work.
Wonder if they changed how their site works

[iam-py-test]

@krystian3w can you test the original domain?
It did not work for me (in both Firefox & TOR), but I want to confirm.
If so, do you think there is a permanent fix?

[krystian3w]

effect on origin - redirect derstandard.de/consent/tcf/international

Some cookie maybe was expired/banned as too "constant" value?

[iam-py-test]

effect on origin - redirect derstandard.de/consent/tcf/international

Some cookie maybe was expired/banned as too "constant" value?

If so, that means there is no permanent solution.
I guess this issue & both domains are can't fix

[krystian3w]

I agree.

[iam-py-test]

I am leaving it open just encase someone can solve it

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[krystian3w]

Maybe addressed in uBo cookies List...?

[iam-py-test]

I do not have time to look into this, but now that we have (trusted)-set-cookie, maybe.