Flash Cookies

General discussion about web technology.
egis
Posts: 1
Joined: Wed Aug 12, 2009 4:28 pm

Flash Cookies

Post by egis » Thu Aug 13, 2009 9:49 pm

Hi...I am wondering if NoScript addresses Flash Cookies? thanks

EGIS
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

User avatar
Foam Head
Senior Member
Posts: 57
Joined: Sun May 03, 2009 5:35 pm

Re: Flash Cookies

Post by Foam Head » Thu Aug 13, 2009 10:26 pm

NoScript can control whether or not a Flash application runs (NoScript Options | Plugins | Forbid Adobe Flash), but once the Flash application runs, it is beyond NoScript's reach.

If you want to run Flash applications and manage the data Flash stores locally, you can use Flash settings, a dedicated AddOn, or a manual remover like Flash Cookie Remover.

-Foam
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Flash Cookies

Post by Grumpy Old Lady » Fri Aug 14, 2009 11:33 am

Foam Head wrote:
a dedicated AddOn,

URL for this?
or a manual remover like Flash Cookie Remover.


Not useful in this case with an OP using OS X
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.0.13) Gecko/2009080315 Ubuntu/9.04 (jaunty) Firefox/3.0.13

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Flash Cookies

Post by Alan Baxter » Fri Aug 14, 2009 2:07 pm

Grumpy Old Lady wrote:
Foam Head wrote: a dedicated AddOn,

URL for this?

I use BetterPrivacy.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Flash Cookies

Post by Grumpy Old Lady » Fri Aug 14, 2009 3:29 pm

Alan Baxter wrote:I use BetterPrivacy.


Thanks Alan Baxter.
If an OS X - or any system at all - user simply wants to prevent any Flash cookies setting, there is the simple method of changing the permissions on the Macromedia directory or sub directory to read-only. Or what about ditching the directory and replacing it with a symbolic link to /dev/null.
Works for spam, so I can't see why not any other unwanted files.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Flash Cookies

Post by Alan Baxter » Fri Aug 14, 2009 3:39 pm

Not allowing Flash to create and use temporary files can break some sites. Usability is enhanced if they are removed when you're done instead.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Flash Cookies

Post by Grumpy Old Lady » Fri Aug 14, 2009 6:50 pm

Alan Baxter wrote:Not allowing Flash to create and use temporary files can break some sites.

Of course mileage may vary :-) but I'd feel bad not sharing what I know.
I had the #SharedObjects write protected in OS X for a couple of years without noticing any access problems to sites. But then I've never been a big user of Flash content. With my flaky connection, I end up sniffing out and downloading any flash video that's worth watching because it certainly doesn't stream too well to here.
I may just send the sol stuff on the Ubuntu system to /dev/null as a test for a while; I don't have to think about cleaning anything up on this XP because of the very efficient CCleaner
http://www.ccleaner.com/

I think that may have just about covered Flash cookies ;-)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Flash Cookies

Post by al_9x » Fri Aug 14, 2009 7:34 pm

The best Fx extension I know for dealing with flash cookies is Objection 0.4.0b1 (not the earlier versions, but it doesn't run on Fx35)
  1. It exposes hidden flash settings without having to load the flash settings manager online
  2. It can delete flash cookies (LSOs) manually and automatically
  3. It can delete flash history manually and automatically. Even when cookies are disabled (amount of space websites can use) flash still logs every domain where a flash object is loaded creating a kind of hidden history that's unknown to the browser and can't be cleared from it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Flash Cookies

Post by luntrus » Fri Aug 14, 2009 10:27 pm

Hi users of NS,

One third of all Internet users deletes cookies once a month, this being a great concern to advertisers that more an more tend to use Flash Cookies to further continue monitoring their visitors.
According to researchers ( http://papers.ssrn.com/sol3/papers.cfm? ... id=1446862 )
more than half of all top 100 sites now uses Flash Cookies, without users knowing this and/or without users explicit consent.
From 100 tested sites only 4 admitted they used this form of tracking.
Flash Cookies or Super Cookies aren't only unknown to the general user, they can only be managed through an Adobe website, re: http://www.macromedia.com/support/docum ... ger07.html

Some websites use the Flash cookie to restore/revive normal cookies that users have deleted.
They use the HTTP and the Flash cookie with the same data values, to use the Flash version to back up the normal HTTP variety. When the user removes his or her or its HTTP cookie, the Flash cookie values are placed into a new HTTP cookie to continue the user tracking, and this will mean business as usual.

Various major website use these sneak techniques, as mentioned researchers have found out.

Firefox
"A better integration between browser and Flash cookie handling will help users to self-protect their privacy by blocking these Flash or so-called Super cookies", as researchers say.
To make browser tools more effective users should know they have Flash cookies on their hard disk. "Revealing their presence, the reason why they are being used and information how to check them, could be primary steps to stop the privacy dangers of Flash cookies as such."

For Firefox users there is a add-on that can be used as a plug-in to block Flash cookies, known as Better Privacy. Better Privacy: https://addons.mozilla.org/en-US/firefox/addon/6623
However because of compatibility issues (Better Privacy versus DrWeb's av-link-checker for instance)
luntrus now also uses the superior add-on Objection mentioned by al_9x to remove LSOs, see the link there.
After download and install of this add-on settings of it can be found via the Tools drop-down menu,
so go to Tools - then Objection etc. and there make your preferred settings or delete the Flash Cookies there
that you want to remove... Read about objection here:
http://lifehacker.com/399504/objection- ... sh-cookies
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1) Gecko/20090806 Namoroka/3.6a1

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Flash Cookies

Post by Grumpy Old Lady » Sat Aug 15, 2009 7:01 am

Amazing, gents! Heaps of information and links.
I vote this thread gets saved in Web.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Flash Cookies

Post by Grumpy Old Lady » Sat Aug 15, 2009 8:12 am

NOTE FOR Fx 3.5.x USERS

Objections extension installation will be blocked by the Extensions Manager - reason given is incompatibility with 3.5.x.
I overrode the compatibility flag to test it and found the straightforward settings UI alone makes it worthwhile - - because I have found in the past that updates to Flash have silently reset some options - and I believe that the obligatory visit to the Adobe settings site is designed to be difficult to put users off changing the default settings.

So, from my days of testing the move from 2.x to 3.x, I recalled the extension Nightly Tester Tools is a convenient way to override compatibility flags for extensions.
https://addons.mozilla.org/en-US/firefo ... sions/6543
Always remember that - in the words of the warning from the developer's site:
http://www.oxymoronical.com/web/firefox/nightly
Don’t forget that forcing an incompatible extension to install is risky. There are many cases where Firefox will stop working completely or behave incorrectly because an incompatible extension is being forced to work where the author never intended.

However, if a user is brave enough and wants the function of an extension before AMO has declared it compatible, a copy of Nightly Tester Tools is a good quick override interface.
I'd recommend that novices first install Nightly Tester Tools - leave all settings at the defaults - then install whatever extension needs compatibility checks overridden - then disable Nightly Tester Tools, because the user may want to have AMO checks for other installations and too there are some unsafe toggles that a novice may touch in error.
I'm confident that if used this way, Nightly Tester Tools is more of a help to the novice than harm.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Flash Cookies

Post by Grumpy Old Lady » Mon Aug 17, 2009 9:34 am

Alan Baxter wrote:Not allowing Flash to create and use temporary files can break some sites. Usability is enhanced if they are removed when you're done instead.

Since the boards are wonderfully quiet, I used my NS time to try a few different Flash servings on this machine with any writing to the ~/.macromedia/Flash_Player/#SharedObjects directory redirected to nowhere.

youtube: works
several blogs with embedded flash frames: work
http://amanita-design.net/samorost-1/ works
abc.net.au/iview no - needs a token to know it's serving to Australian ips
theonion videos no - needs to serve you quantserve ads
http://www.bbc.co.uk/iplayer/radio/ works, site tells you it can't complete an adobe script and gives you the option to quit the script - radio plays ok.
For the bbc iplayer video servings, the results I got with a uk proxy were mixed. I suspect that it may have worked without needing a flash cookie, if the slow proxy hadn't mucked the test up.

Couldn't think of any other examples, except I ran through a few online news sites and all the flash offerings that weren't tied to ads appeared to work. I wouldn't use a bank that used flash for storing customer details much less authentication! Is there one?

It appears that if you set zero storage for all sites in the global settings, to try to prevent sites setting Flash cookies in the first place, the site sets a cookie in its own virtual storage - in the macromedia.com directory in the Flash_Player directory that also holds #SharedObjects - at least the information is not text readable but appears to function in the same way as cookies, these are not just site settings in a strict sense. I haven't been able to find a Flash Player setting to prevent these persistent directories being established. And if the site that wants to use cookies can't write to/redirect from #SharedObjects, it refuses access.
Given all that, I think I'll forget about watching the settings with any third party app, since Adobe won't allow me to opt-in, and I'll go with the delete after use method. I've made a delete job for both directories to run at startup.
I think the Fx addons are probably overkill, or at least an unnecessary browser addition, given that the plugin settings don't actually appear to do much to prevent cookies from being set while the browser's running. The job of cleaning up after Adobe is more naturally one for a general system cleaner, or the dedicated admin job such as that linked to in the second post here.
I'm guessing that the EULA has somewhere my approval for Adobe to use what part of my storage it wants as its own personal space to share with sites as it pleases.
Another good reason to block Flash. Thanks NS!
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Flash Cookies

Post by Alan Baxter » Mon Aug 17, 2009 4:01 pm

Grumpy Old Lady wrote:
Alan Baxter wrote:Not allowing Flash to create and use temporary files can break some sites. Usability is enhanced if they are removed when you're done instead.

Oh my goodness, I was right about something? I was just repeating what I read in Adobe suppport. :mrgreen:

Since the boards are wonderfully quiet, I used my NS time to try a few different Flash servings on this machine with any writing to the ~/.macromedia/Flash_Player/#SharedObjects directory redirected to nowhere.

Thank you for checking these out. Very informative, especially the sites you visited. :)
I kept busy evaluating the Add Bookmark Here 2 extension instead. A good replacement for OpenBook.

I've made a delete job for both directories to run at startup.
I think the Fx addons are probably overkill, or at least an unnecessary browser addition, given that the plugin settings don't actually appear to do much to prevent cookies from being set while the browser's running. The job of cleaning up after Adobe is more naturally one for a general system cleaner, or the dedicated admin job such as that linked to in the second post here.

I like your solution and your logic for using it. Seems perfect for you. But as far as I know, Flash is only used by my browser, so there is some logic to cleaning out Flash storage everytime I do a browser restart, just like I do with most cookies. I restart Firefox at least once or twice a day for testing or extension updates, but sometimes the computer doesn't get rebooted for several days. I've configured Better Privacy to Delete Flash cookies only on Firefox exit. I also had it delete the empty cookie folders so I could easily use Windows Explorer to verify Better Privacy was working. I especially like the setting to "Also delete Flashplayer default cookie" and its warning that the settings cookie also tracks every Flash site I've visited. (I'm usually pretty careful about where I go, but I still don't see any reason to leave a list behind.) I appreciate all the work the Objection and BetterPrivacy developers have put into it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Flash Cookies

Post by Grumpy Old Lady » Mon Aug 17, 2009 4:46 pm

Nobody gets the chance to be wrong for long around here ;-)
I enjoy the anarchy.
Would you like to consider moving this thread to Web?
It does have a couple of NS mentions but lots of web interest.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Flash Cookies

Post by Alan Baxter » Tue Aug 18, 2009 4:22 am

So moved.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Post Reply