Home
Latest images
Search
Register
Log inBypassing the intent of blocking "third-party" cookies
Page 1 of 1
Bypassing the intent of blocking "third-party" cookies
andry Mon Oct 11, 2010 11:59 pm
[Aside: I'm not sure anyone cares, particularly because the "block third party cookies" option tends to break legitimate web sites. But I'll document it just in case 
]
Major browsers tend to have an option to block "third-party" cookies. The main intent of this is to disable tracking cookies used by iframe'd ads.
It turns out that you can bypass this intent by abusing "HTML5 Local Storage". This modern browser facility is present in (at least) Firefox 3.5, Safari 4 and even the normally-lagging IE8. Chrome 4 Beta has it too, making it well supported across all browsers and a more tempting target.
In concept, HTML5 Local Storage is very similar to cookies. On a per-origin basis, there is a set of disk-persisted name / value pairs.
With a simple test, it's easy to show that the HTML5 Local Storage feature is not affected by the third-party cookie setting. I believe this holds across all the above browsers. A simple test page that gets / sets a name / value pair from within a third-party iframe may be located here:
http://scary.beasts.org/misc/iframe_storage.html
(This page also tests for a similar situation with HTML5 Web Database, but that is so far a less supported standard).
What's interesting is that all these browsers did remember to disable these persisted databases in their various private modes.
]Major browsers tend to have an option to block "third-party" cookies. The main intent of this is to disable tracking cookies used by iframe'd ads.
It turns out that you can bypass this intent by abusing "HTML5 Local Storage". This modern browser facility is present in (at least) Firefox 3.5, Safari 4 and even the normally-lagging IE8. Chrome 4 Beta has it too, making it well supported across all browsers and a more tempting target.
In concept, HTML5 Local Storage is very similar to cookies. On a per-origin basis, there is a set of disk-persisted name / value pairs.
With a simple test, it's easy to show that the HTML5 Local Storage feature is not affected by the third-party cookie setting. I believe this holds across all the above browsers. A simple test page that gets / sets a name / value pair from within a third-party iframe may be located here:
http://scary.beasts.org/misc/iframe_storage.html
(This page also tests for a similar situation with HTML5 Web Database, but that is so far a less supported standard).
What's interesting is that all these browsers did remember to disable these persisted databases in their various private modes.
andry- Moderator
- Posts : 467
Join date : 2010-05-07
Similar topics» Bypassing Browser Memory Protections
» Does Google use cookies?
» Types of cookies
» Windows XP: The Trojan Blocking OS?
» Blocking Alert Effects
» Does Google use cookies?
» Types of cookies
» Windows XP: The Trojan Blocking OS?
» Blocking Alert Effects
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum|
|
|