Third party cookies to block..

Posted: Sun Jul 19, 2009 11:32 pm
by luntrus
Hi forum members,

This vulnerability had still not been patched: https://bugzilla.mozilla.org/show_bug.cgi?id=158463
before this was solved when the third party cookie blocking was brought into the browser.
Because that’s where bad cookies came sneaking in from before that protection... Just changed the behavior so it only allows cookies for what’s actually shown in the location bar, not any weirdness from frames or iframes or redirects. This extension could also have done the job: https://addons.mozilla.org/firefox/2497/
What is/was the preferred way to do this with NoScript?

luntrus

Re: Third party cookies to block..

Posted: Mon Jul 20, 2009 2:35 am
by Tom T.
I *know* I must be missing *something*, because it seems too easy. On my old, unimproved Fx 2.20, Tools/Options/Privacy/Cookies > check "Accept cookies from sites", then in "Exceptions", you build a blocklist as they're presented, or add your own lists, etc. (I made a great list by searching through Yahoo's privacy pages and finding the name of every ad agency they do business with. Given Yahoo's size, I think that's every ad agency on the planet.) Doubleclick.com, .net, .uk.com, are all in this list, so my understanding is that no cookie with doubleclick.x in the domain name is ever going to be allowed, regardless of whether it presents itself as first party via some devious iFrame, which are blocked in NS anyway, and rarely allowed except when the iframe is from a trusted domain.

I would try to test this by going to Doubleclick's site directly, but it's also in my Adblock (original) list, so the browser won't connect there. Adblock beat Hosts to it, because it's also in my Hosts file as redirecting to 0.0.0.0 (after discussion about the downsides of redirecting to localhost). I know not everyone approves of using Hosts in this fashion, but it's not my intention to use it for an adblocker, but as another line of defense as a malware blocker.

So between Fx cookie blocking, Adblock Original, and Hosts, it seems to me that if Doubleclick wants to serve me a cookie, they're going to have to hand-carry it to my front door. I hope it's oatmeal -- they're my favorite. No chocolate chips, please.

If I'm wrong and there's a way through all of these defenses, I'd certainly appreciate someone letting me know.

Regards,
Tom

Re: Third party cookies to block..

Posted: Mon Jul 20, 2009 5:21 am
by GµårÐïåñ
You are not missing anything. It's the same thing I have said a million times. If anyone takes the time to take some basic protective steps and show some vigilance, they will be fine. You have done that and hence why you don't see most of this stuff, I have never been affected by any of these myself either and that's because I don't "set it and forget it", I work at it, that's all it takes.

Re: Third party cookies to block..

Posted: Mon Jul 20, 2009 8:04 am
by Grumpy Old Lady
Hi luntrus,

I set the available Fx controls to block 3rd party cookies and to accept all other cookies for the session. I whitelist a couple for basic functionality, but generally if a site won't work without cookies I go somewhere else -- there's nothing that can't be done by some other site without cookies except banking and similar government stuff, and I do that on a separate nix machine with a lot of process observation.
NS blocks iframes for trusted sites, and I guess that Giorgio will have anticipated any other scripting methods for getting around these present controls. He is the acknowledged scripting master of the world ;-)
For the rest of it, I dump all cache cookies and history at each session and I run CCleaner on an audit schedule to tidy up any other Win cookie repositories.
Privacy isn't a big problem in my home setup because this machine isn't used for vital net use.

Re: Third party cookies to block..

Posted: Mon Jul 20, 2009 2:20 pm
by therube
If by virtue of blocking <IFRAME> would those cookies have been blocked?
If so, then that would be what NoScript would do for you in this respect.

Re: Third party cookies to block..

Posted: Tue Jul 21, 2009 2:45 am
by Tom T.
therube wrote:
"If by virtue of blocking <IFRAME> would those cookies have been blocked?
If so, then that would be what NoScript would do for you in this respect."

If I understood the OP and the links correctly, nasty sites were working around iFrame blocking like so: puppies.com redirects to doubleclick.net, which redirects back to puppies.com. DoubleClick is now a "first party", and can place a first-party cookie, despite <IFRAME> blocking and despite merely setting a default to block third-party cookies. (This is similar to what the notorious Phorm was doing to make itself a first party.)

It's my understanding that the "forbid META redirection" and anti-XSS measures in NS would prevent this scenario, but I could be mistaken.
In the meantime, simply blocking the undesired domains like Doubleclick, as described in multiple methods in my previous post, seems to be effective in locking them out regardless of what fancy side steps they take. You don't want them, put them in Adblock and Hosts, and they ain't gettin' in regardless.
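
The redirect scenario from the last post, modelled as an added example that is not part of any post in the thread: it compares a plain "block third-party cookies" rule with a per-site block list. The function names, the policy object and the two-label `site()` shortcut are assumptions made for illustration; the hostnames are the ones used in the thread.

```javascript
// Added illustration: a simplified model of cookie acceptance, not browser code.
// Assumption: a "site" is the last two labels of the hostname (no Public Suffix List).
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// May a response from requestHost set a cookie while topLevelHost is the
// document shown in the location bar?
function maySetCookie(requestHost, topLevelHost, policy) {
  // A per-site block (the "Exceptions" list) applies in every context.
  if (policy.denySites.has(site(requestHost))) return false;
  // The third-party rule only compares against the current top-level site.
  if (policy.blockThirdParty && site(requestHost) !== site(topLevelHost)) return false;
  return true;
}

// Constructed request sequences using the hostnames from the thread.
const iframeLoad = [
  { requestHost: 'puppies.com', topLevelHost: 'puppies.com' },
  { requestHost: 'ad.doubleclick.net', topLevelHost: 'puppies.com' }, // embedded frame
];
const redirectBounce = [
  { requestHost: 'puppies.com', topLevelHost: 'puppies.com' },
  // During the redirect the tracker itself is the top-level document.
  { requestHost: 'ad.doubleclick.net', topLevelHost: 'ad.doubleclick.net' },
  { requestHost: 'puppies.com', topLevelHost: 'puppies.com' },
];

// Which sites end up with a cookie after the whole sequence?
function sitesThatSetCookies(requests, policy) {
  const out = new Set();
  for (const r of requests) {
    if (maySetCookie(r.requestHost, r.topLevelHost, policy)) out.add(site(r.requestHost));
  }
  return [...out].sort();
}

const thirdPartyOnly = { blockThirdParty: true, denySites: new Set() };
const withDenyList = { blockThirdParty: true, denySites: new Set(['doubleclick.net']) };

console.log('iframe, 3rd-party rule:  ', sitesThatSetCookies(iframeLoad, thirdPartyOnly));
console.log('redirect, 3rd-party rule:', sitesThatSetCookies(redirectBounce, thirdPartyOnly));
console.log('redirect, deny list:     ', sitesThatSetCookies(redirectBounce, withDenyList));
```

In this model the third-party rule stops the framed request but not the top-level redirect hop, while the per-site block rejects the tracker's cookie in both cases.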