Cookies

[overblue]

I have been using NS for a while and every time i use it i get 3 cookies on all domains.
popunder=yes; popundr=yes; setover18=1
I can't remove them and they are only present when i enable NS.

[barbaz]

OOB NoScript doesn't do that. (EDIT now I'm not so sure... see below)
What site did you install NS from?
In any case, remove it and install again from https://addons.mozilla.org/addon/noscript/ or http://noscript.net/getit#devel, then scan your whole system for malware.

[overblue]

I got it from the first link...

[therube]

How are you determining that the cookies are appearing?

If you disable all other extensions, maybe Plugins too, except for NoScript, do you still get the cookies?

As a test, if you create a new Profile & only install NoScript into it, do you still get the cookies?

[overblue]

How are you determining that the cookies are appearing?

Code: Select all

document.cookie

variable

If you disable all other extensions, maybe Plugins too, except for NoScript, do you still get the cookies?

yes

As a test, if you create a new Profile & only install NoScript into it, do you still get the cookies?

yes, i thougth the code doing it was this but i commented it out and restarted firefox. And i got the same cookies

Code: Select all

value of "noscript.surrogate.popunder.replacement" in noscript.js pastebin qjMnPSkS

[Thrawn]

Just to be clear, this isn't happening for the rest of us.

Have you scanned your system for malware?

[overblue]

Just to be clear, this isn't happening for the rest of us.

Have you scanned your system for malware?

I made a scan with avast and now i running clamav but nothing yet...

[barbaz]

Whoa. It's true. This does happen.
On *this page*, using Firebug (not logged in):

Code: Select all

>>> document.cookie
"style_cookie=printonly; popunder=yes; popundr=yes; setover18=1"

But I can't reproduce it anywhere else (yet), and those cookies don't show up in Advanced Cookie Manager or Data Manager...

Update: It is the popunder surrogate doing this, and it should only happen on pages that are completely script-allowed. So it's nothing to be worried about.

[overblue]

Whoa. It's true. This does happen.
On *this page*, using Firebug (not logged in):

Code: Select all

>>> document.cookie
"style_cookie=printonly; popunder=yes; popundr=yes; setover18=1"

But I can't reproduce it anywhere else (yet), and those cookies don't show up in Advanced Cookie Manager or Data Manager...

Update: It is the popunder surrogate doing this, and it should only happen on pages that are completely script-allowed. So it's nothing to be worried about.

the style_cookie=printonly is specific to this forum ( maybe phpbb in general). by completely script-allowed do you mean trusting all scripts even external ones? i don't have any page where i completely allow scripts it's always blocking some ggl/face/twitter widget.

Code: Select all

pref("noscript.surrogate.popunder.sources", "@^http:\\/\\/[\\w\\-\\.]+\.[a-z]+ wyciwyg:");
pref("noscript.surrogate.popunder.replacement", "function posted on pastebin");
pref("noscript.surrogate.popunder.exceptions", ".meebo.com");

so the sources value is the regex expression to find the replacement is the code it will replace it with, right?

[barbaz]

by completely script-allowed do you mean trusting all scripts even external ones?

At least that's the behavior I'm getting.

so the sources value is the regex expression to find the replacement is the code it will replace it with, right?

see http://hackademix.net/2011/09/29/script ... reference/

[overblue]

by completely script-allowed do you mean trusting all scripts even external ones?

At least that's the behavior I'm getting.

so the sources value is the regex expression to find the replacement is the code it will replace it with, right?

see http://hackademix.net/2011/09/29/script ... reference/

thanks for the link, the noscript.surrogate.popunder.sources is not right i think. I replaced the replacement code with an alert on about:config and i'm getting the alert on every page where i allow atleast one source for JS

[Giorgio Maone]

The code is correct.
It gets execute on any non-https page, because the popunder scripts in the wild are extremely polymorphic, often inlined and therefore that's no way to know in advance whether a page will execute them.
If the pseudo-cookies (which, BTW, are never sent to the server side because are made visible only to client-side JavaScript through fake accessors) bother you, just disable the popunder surrogate or limit it to a blacklist of yours.

[overblue]

The code is correct.
It gets execute on any non-https page, because the popunder scripts in the wild are extremely polymorphic, often inlined and therefore that's no way to know in advance whether a page will execute them.
If the pseudo-cookies (which, BTW, are never sent to the server side because are made visible only to client-side JavaScript through fake accessors) bother you, just disable the popunder surrogate or limit it to a blacklist of yours.

yeah i know it's only on the client side, i wasn't sure about the code i could have some malware but if it is normal behavior, i'm okay with it.