Archive for the ‘cookie’ Category


Web-extension compatibility in the cookieStore

Tuesday, January 9th, 2018

Since Firefox embraced the Web-extension API, life is easier for developers: extensions should be compatible with Chrome, Opera, Firefox, Edge, and Firefox Mobile.

So Firefox Android became my favorite mobile browser, because it’s the first mobile browser to support extensions. Well, there was a lab version of Opera Mobile (Presto), but that died even earlier than Presto died, unfortunately.

But it’s not all sunshine. There are quirks and incompatibilities in webextensions. Of course, you would say. And I’m talking about more than just the chrome/browser name-space differences.

Take cookies and cookiestores.

cookies.getAllCookieStores()

Browser vendors use different storeIds, but do not really document them.

Chromium/Opera/Chrome storeIds

  • “0” for default windows
  • “1” for private windows

Firefox uses different storeIds

  • “firefox-default” for normal windows
  • “firefox-private” for private windows.

How to set a cookie

Here are some examples that evade the cookie wall of the Volkskrant.nl newspaper by setting cookies.

For a default Firefox window

browser.cookies.set(
  { url: "https://www.volkskrant.nl", domain: ".volkskrant.nl", name: "nl_cookiewall_version", value: "1", storeId: "firefox-default" }
);

For a Firefox private window

browser.cookies.set(
  { url: "https://www.volkskrant.nl", domain: ".volkskrant.nl", name: "nl_cookiewall_version", value: "1", storeId: "firefox-private" }
);

For a Chromium/Opera/Chrome default window

chrome.cookies.set(
  { url: "https://www.volkskrant.nl", domain: ".volkskrant.nl", name: "nl_cookiewall_version", value: "1", storeId: "0" }
);

For a Chromium/Opera/Chrome private window

chrome.cookies.set(
  { url: "https://www.volkskrant.nl", domain: ".volkskrant.nl", name: "nl_cookiewall_version", value: "1", storeId: "1" }
);
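
Rather than hard-coding a vendor-specific storeId, an extension can ask cookies.getAllCookieStores() which store a tab belongs to; each entry it returns carries an id and a tabIds list. The following is an added example, not code from the original post: the function names, the promise-returning `cookiesApi` parameter (browser.cookies, or chrome.cookies where it returns promises) and the sample store lists are assumptions made for illustration.

```javascript
// Added example (not from the original post). Sample data below is constructed.

// The four ids listed in the post, used only to classify a resolved store.
const KNOWN_STORES = {
  "0": { vendor: "chromium", isPrivate: false },
  "1": { vendor: "chromium", isPrivate: true },
  "firefox-default": { vendor: "firefox", isPrivate: false },
  "firefox-private": { vendor: "firefox", isPrivate: true },
};

// Pure lookup over the array that cookies.getAllCookieStores() resolves to.
// Returns the id of the store whose tabIds contains tabId, or null.
function pickStoreId(stores, tabId) {
  const match = stores.find(
    (s) => Array.isArray(s.tabIds) && s.tabIds.includes(tabId)
  );
  return match ? match.id : null;
}

// Classify an id; ids outside the post's list are reported as unknown, not guessed.
function describeStore(storeId) {
  return Object.prototype.hasOwnProperty.call(KNOWN_STORES, storeId)
    ? KNOWN_STORES[storeId]
    : { vendor: "unknown", isPrivate: null };
}

// Set a cookie in the store of the given tab. cookiesApi is assumed to be a
// promise-returning cookies API object. Throws rather than falling back to a
// default store, so the cookie is never written to another window's store.
async function setCookieForTab(cookiesApi, tabId, details) {
  const stores = await cookiesApi.getAllCookieStores();
  const storeId = pickStoreId(stores, tabId);
  if (storeId === null) {
    throw new Error(`no cookie store contains tab ${tabId}`);
  }
  return cookiesApi.set({ ...details, storeId });
}

// Constructed sample responses, shaped like the CookieStore objects the API returns.
const SAMPLE_FIREFOX = [
  { id: "firefox-default", tabIds: [1, 2] },
  { id: "firefox-private", tabIds: [7] },
];
const SAMPLE_CHROMIUM = [
  { id: "0", tabIds: [3] },
  { id: "1", tabIds: [9] },
];
```
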

 

 


Third Party Cookie Privacy Issues

Thursday, October 16th, 2008

Intro

Cookie settings can be confusing sometimes. Most browsers offer a setting `Don’t accept third party cookies` (Firefox) or `Accept only cookies from the site I visit` (Opera 9.5), `Accept only cookies from the sites I visit` (Safari). Although worded a bit differently, these settings seem to offer the same functionality.

Not so!

I’m not going into Microsoft Explorer, because I think internet-users that do care about internet, security and privacy should leave Explorer aside. Microsoft’s privacy and security record is historically below par, as well as their support for open standards. And they don’t like internet: they don’t wanna connect people, they want people to use Microsoft products. Later more!

First of all, the settings aren’t worded very well in all dialogs. `Don’t accept` also means `don’t send`, both in Firefox and Opera, and that’s a good thing, because sending (untrusted) cookies is the `bad` thing.

Default settings, same results

What’s the difference between these settings? Try it yourself: open a Google page in another tab, log in with your account or log in to Gmail, and refresh this page.


If you have accept all cookies selected, you will see a personalized Google page in the iframe, recognisable by your Gmail address somewhere at the top. That’s the same in Firefox, Opera and Safari.

Advanced cookies settings, different results

Now try the other setting: `Don’t accept third party cookies`.

Reload the page, and the iframe will not show a personalized Google page. Opera and Firefox behave the same here, but Safari does show a personalized page.

That’s remarkable: I don’t expect browsers to send cookies to third-party iframes when you have explicitly forbidden them.

But now comes an interesting point. Click the search button in the iframe. Google will carry out the same search as before, and Firefox will not show a personalized page, meaning it’s not sending a cookie, but Opera will! Opera is sending a cookie, although the cookie setting is `Only accept cookies from the domain I visit`.

Strange again? Yes and no.

Yes, because you would expect it won’t send a cookie to the different domain.
No, because clicking on the iframe means in a way visiting the iframe, so the iframe is not a different domain anymore.

It’s debatable which policy is best. I think Safari sucks here. The privacy mode doesn’t work here and the cookie setting doesn’t do what it should do.
I would choose Firefox’s way as best. If I want to visit an iframed Google page as a user I can do that in a new tab or window.

Conclusion

Bottom line: third-party cookie settings are implemented differently by browser vendors, and that’s confusing. Cookies are too easily sent to third parties, even with advanced security settings.

Do the strict settings have a side effect on redirects? I’m not sure. What do you think?