Third party cookies to block..

Talk about internet security, computer security, personal security, your social security number...
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Third party cookies to block..

Post by luntrus » Sun Jul 19, 2009 11:32 pm

Hi forum members,

This vulnerability still had not been patched: https://bugzilla.mozilla.org/show_bug.cgi?id=158463
before this was solved when third-party cookie blocking was brought into the browser.
Because that's where bad cookies came sneaking in from before that protection... Just changed the behavior so it only allows cookies for what's actually shown in the location bar, not any weirdness from frames or iframes or redirects. This extension could also have done the job: https://addons.mozilla.org/firefox/2497/
What is/was the preferred way to do this with NoScript?

luntrus

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Third party cookies to block..

Post by Tom T. » Mon Jul 20, 2009 2:35 am

I *know* I must be missing *something*, because it seems too easy. On my old, unimproved Fx 2.20, Tools/Options/Privacy/Cookies > check "Accept cookies from sites", then in "Exceptions", you build a blocklist as they're presented, or add your own lists, etc. (I made a great list by searching through Yahoo's privacy pages and finding the name of every ad agency they do business with. Given Yahoo's size, I think that's every ad agency on the planet.) Doubleclick.com, .net, .uk.com are all in this list, so my understanding is that no cookie with doubleclick.x in the domain name is ever going to be allowed, regardless of whether it presents itself as first party via some devious iFrame, which is blocked in NS anyway, and rarely allowed except when the iframe is from a trusted domain.

I would try to test this by going to Doubleclick's site directly, but it's also in my Adblock (original) list, so the browser won't connect there. Adblock beat Hosts to it, because it's also in my Hosts file as redirecting to 0.0.0.0 (after discussion about the downsides of redirecting to localhost). I know not everyone approves of using Hosts in this fashion, but it's not my intention to use it for an adblocker, but as another line of defense as a malware blocker.

So between Fx cookie blocking, Adblock Original, and Hosts, it seems to me that if Doubleclick wants to serve me a cookie, they're going to have to hand-carry it to my front door. I hope it's oatmeal -- they're my favorite. No chocolate chips, please.

If I'm wrong and there's a way through all of these defenses, I'd certainly appreciate someone letting me know.

Regards,
Tom

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Third party cookies to block..

Post by GµårÐïåñ » Mon Jul 20, 2009 5:21 am

You are not missing anything. It's the same thing I have said a million times. If anyone takes the time to take some basic protective steps and shows some vigilance, they will be fine. You have done that, and hence why you don't see most of this stuff. I have never been affected by any of this myself either, and that's because I don't "set it and forget it"; I work at it. That's all it takes.

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Third party cookies to block..

Post by Grumpy Old Lady » Mon Jul 20, 2009 8:04 am

Hi luntrus,

I set the available Fx controls to block 3rd party cookies and to accept all other cookies for the session. I whitelist a couple for basic functionality, but generally if a site won't work without cookies I go somewhere else - there's nothing that can't be done by some other site without cookies except banking and similar government stuff, and I do that on a separate nix machine with a lot of process observation.
NS blocks iframes for trusted sites, and I guess that Giorgio will have anticipated any other scripting methods for getting around these present controls. He is the acknowledged scripting master of the world ;-)
For the rest of it, I dump all cache cookies and history at each session and I run CCleaner on an audit schedule to tidy up any other Win cookie repositories.
Privacy isn't a big problem in my home setup because this machine isn't used for vital net use.

therube
Ambassador
Posts: 7469
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Third party cookies to block..

Post by therube » Mon Jul 20, 2009 2:20 pm

If, by virtue of blocking <IFRAME>, would those cookies have been blocked?
If so, then that would be what NoScript would do for you in this respect.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Third party cookies to block..

Post by Tom T. » Tue Jul 21, 2009 2:45 am

therube wrote:
If, by virtue of blocking <IFRAME>, would those cookies have been blocked?
If so, then that would be what NoScript would do for you in this respect.

If I understood the OP and the links correctly, nasty sites were working around iFrame blocking like so: puppies.com redirects to doubleclick.net, which redirects back to puppies.com. DoubleClick is now a "first party", and can place a first-party cookie, despite <IFRAME> blocking and despite merely setting a default to block third-party cookies. (This is similar to what the notorious Phorm was doing to make itself a first party.)

It's my understanding that the "forbid META redirection" and anti-XSS measures in NS would prevent this scenario, but I could be mistaken.
In the meantime, simply blocking the undesired domains like Doubleclick, as described in multiple methods in my previous post, seems to be effective in locking them out regardless of what fancy side steps they take. You don't want them, put them in Adblock and Hosts, and they ain't gettin' in regardless.
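To make the argument in this thread concrete, here is a constructed model (added here; it is not browser, Firefox or NoScript code) of the redirect chain Tom describes (puppies.com -> doubleclick.net -> puppies.com) evaluated under the pre-fix "each hop is its own first party" rule, the "only what the location bar shows" rule luntrus quotes from bug 158463, Tom's domain blocklist from his first post, and his Hosts file pointing the tracker at 0.0.0.0. The chain, the `ad.doubleclick.net` host, the Hosts entry and the two-label `site()` simplification are assumptions for the example.

```python
# Constructed model (not browser or NoScript code) of the cookie decisions
# argued over in this thread: a redirect chain puppies.com -> doubleclick.net
# -> puppies.com under the pre-fix "naive" third-party rule, the post-fix
# "location bar" rule from bug 158463, Tom's domain blocklist and his Hosts file.

BLOCKLIST = {"doubleclick.com", "doubleclick.net", "doubleclick.uk.com"}  # from Tom's post
HOSTS = {"ad.doubleclick.net": "0.0.0.0"}  # constructed Hosts entry, as Tom describes

# Constructed chain: (host, tries_to_set_cookie)
CHAIN = [("puppies.com", False), ("ad.doubleclick.net", True), ("puppies.com", True)]


def site(host):
    # Simplification: the last two labels are the "site". Real browsers use the
    # public-suffix list, so this would misjudge a host under doubleclick.uk.com.
    return ".".join(host.split(".")[-2:])


def on_blocklist(host, blocklist=BLOCKLIST):
    # Matches the host itself or any subdomain of a listed domain.
    return any(host == b or host.endswith("." + b) for b in blocklist)


def accepted_cookies(chain, policy="location", use_blocklist=False, hosts=None):
    """Return the hosts whose Set-Cookie would be stored while following chain.

    policy: "naive"    - each hop is its own top-level load, so a redirect
                         target counts as first party (the bug's behaviour)
            "location" - only the site the location bar ends up showing may
                         set cookies (the fix luntrus quotes)
    """
    if policy not in ("naive", "location"):
        raise ValueError(policy)
    hosts = hosts or {}
    location_bar = site(chain[-1][0])  # what the user sees once redirects settle
    stored = []
    for host, sets_cookie in chain:
        if hosts.get(host) == "0.0.0.0":
            break  # Hosts layer: the hop never connects, so the chain dies here
        if not sets_cookie:
            continue
        if use_blocklist and on_blocklist(host):
            continue  # Fx cookie exceptions: refused regardless of party status
        if policy == "naive" or site(host) == location_bar:
            stored.append(host)
    return stored


if __name__ == "__main__":
    for args in ({"policy": "naive"}, {}, {"policy": "naive", "use_blocklist": True},
                 {"policy": "naive", "hosts": HOSTS}):
        print(args, "->", accepted_cookies(CHAIN, **args))
```

Only the naive policy lets the redirect hop store a cookie; the location-bar rule, the blocklist and the Hosts layer each stop it independently, which is Tom's point about layered defences.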
