There is a known issue where webkit browsers throw you a login popup with https sites under certain conditions. I notice it if my cookie is no longer valid.
I have an extension that accesses your Google sites but this login prompt thing is a bear to overcome. I can login to Goog's sites via perl/php and libcurl, save the needed cookies to a text file and go forward.
Can Safari extensions and XHR do the same? Can I save a cookie and its data to either memory or a variable? Can I use the cookie data in said variable in an XHR request? This would potentially overcome my problem.
Related
I store some info in cookies in my Javascript code. I have had no problem to set and read them from local drive until Firefox Quantum installed.
Now it seems that the cookies are set (been checked among the cookies), but cannot be read if I open the html file. The document.cookie.length value is always zero. Yet if I set the cookies and refresh the browser (or open the file again not closing the first file) the cookies can be read.
So far Firefox stored and read cookies all right using file:///, but this twist is new for me. Some setting has to be changed, I guess.
Can anybody tell me a solution, how to allow to read the cookies again from local drive?
Thank you.
Firefox Quantum (as with Google Chrome and others) has disabled storing cookies for local files due to security issues and other problems. The HTML5 web storage commands are taking over what used to be done with cookies for both server and local web pages. See "https://www.w3schools.com/html/html5_webstorage.asp"
The issue:
I have used github project of Ofir Dagan: Storing cross domain local storage.
It implements html5 local storage:
https://github.com/ofirdagan/cross-domain-local-storage
The problem:
Safari doesn't allow third party cookies by default (other browsers allow it).
Safari privacy preferences are:
The default is: "Allow from websites I visit".
I read about these settings:
Always Block - Block all first-party cookies and block all third-party cookies.
Allow from Current Website Only - Allow all first-party cookies and block all third-party cookies.
Allow from Websites I Visit - Allow all first-party cookies and block all third-party cookies unless that third party was a first party at one time (based on current cookies and browsing history).
Always Allow - Allow all first-party cookies and allow all third-party cookies.
Solution I have tried:
Local Storage with an iframe (pixel) - I think it's no longer works on Safari - Is there any workaround to set third party cookie in Iframe for safari?
I think that there is a way to share local storage between first party and third party sites on Safari. (Facebook.com and Booking.com share data between different domains).
I succeeded to achieve it by removing the API and writing it by myself, But I don't want to remove the API and implement it by myself (hope that there is a small fix in order to support Safari):
Iframe.html:
window.addEventListener('cors_event', function(event) {
if(event.event_id === 'my_cors_message'){
if (event.data.options.funcName == "SetItem") {
localStorage.setItem(event.data.options.key, event.data.options.value);
}
else if (event.data.options.funcName == "GetItem") {
return localStorage.getItem(event.data.options.key);
}
}
});
MainPage:
<iframe id="target" src="iframe.html" frameborder="1"></iframe>
<script>
var target = document .getElementById('target');
target.onload = function(){
target.contentWindow.postMessage('set', '*')
}
</script>
So does someone know how can I achieve it by changing some API logic to support Safari?
Any help appreciated!
As noted by the Cross-Storage library documentation:
Notes on Safari 7+ (OSX, iOS)
All cross-domain local storage access is disabled by default with Safari 7+. This is a result of the "Block cookies and other website data" privacy setting being set to "From third parties and advertisers". Any cross-storage client code will not crash, however, it will only have access to a sandboxed, isolated local storage instance. As such, none of the data previously set by other origins will be accessible. If an option, one could fall back to using root cookies for those user agents, or requesting the data from a server-side store.
It seems that the recent updates to the Safari browser (Prevent cross-site tracking) blocks any cookies from being generated when the Matomo domain doesn't match the website it's being loaded from.
This breaks the use of iFrames for Matomo that require cookies to be set (For example the logme feature)
There doesn't seem to be any way to fix this with headers (Eg using CSP or CORS configurations).
current workarounds exist that I've found:
Disable the "Prevent cross-site tracking" setting in the Privacy settings
Redirect the visitor to the page outside of an iFrame to set the cookie - after this the iFrame can load as long as the CORS configuration is correct and the browser isn't completely blocking the iFrame from loading.
I'm not sure how many users are using iFrames that would require cookies to be set, but they would be impacted if any of their users use Safari.
You may try Store.JS. As per the docs:
store.js exposes a simple API for cross browser local storage
I am working on a very old web application(only for intranet usage). In the code, the developer is obtaining the logged in account via this
var wshNetwork = new ActiveXObject("WScript.Network");
document.getElementById('userId').value = wshNetwork.UserName;
This works only in IE. How can I get the logged in account in Firefox/chrome?
I have looked in to other thread (ex: Finding the currently logged in user from a Firefox extension) but that's only for extension.
Are there any other ways to get the domain logged in username in Firefox/Chrome?
No, this is severely security-sensitive information - the main attack vector for compromising your computer. In IE it also only works for trusted websites such as localhost, or with special configuration for the local network - never on internet without additional configuration. Sandboxed JS will never be able to access this information - extensions are considered elevated.
This is something that I would do on server side. Providing you're using IIS, I would set the page to be using only Windows Authentication, read the current user on server side, and send it back to client via hidden field or javascript variable.
I am able to see session cookies in Firefox 3.6 by going to
Tools->Options->Privacy->Remove Individual Cookies
How do I see those same session cookies in IE (6/7/8)?
Tools->Internet Options->Browsing
history Settings->View files
only contains persistent cookies
Also how do I access them programmatically? In Firefox I use the nsICookieManager interface to read the session cookies, does IE contain an equivalent interface?
Cookies set with the HTTPOnly attribute will not be visible to Javascript (e.g. via the document.cookie accessor). In IE8, 9, and 10, hit F12 to open the Developer Tools. Click Cache > View Cookie Information to see persistent and session cookies that apply to the current domain.
This feature is not present in the IE11 version of the tools, which would mean that your choices are 1> Watch outbound Cookie headers in Fiddler or on the Network tab, or 2> Write a plugin that calls the InternetGetCookieEx API with the appropriate flag to include HTTPOnly cookies.
Type into adress-bar:
javascript:alert(document.cookie)
to see the cookies that are currently readable by javascript.
Regarding to the read/write of session-cookies:
Why do you need to do it using javascript? usually session-cookies are needed to have an relation to serverside stored data, so you need to manage the cookies from serverside, no matter what browser there may be.
F12-> Network Tab -> Enable Network Capture Traffic Capturing - > Details Tab -> Request Header Tab.
I have a URI here in which a simple document.cookie query through the console is resulting in three cookies being displayed. I verified this with trivial code such as the following as well:
var cookies = document.cookie.split(';');
console.log(cookies.length);
The variable cookies does indeed come out to the number 3. Web Developer on the other hand is indicating that a grand total of 8 cookies are in use.
I'm slightly confused to believe which is inaccurate. I believe the best solution might involve just reiterating the code above without the influence of Firebug. However, I was wondering if someone might suggest a more clever alternative to decipher which tool is giving me the inaccurate information.
One reason might be that the other 5 cookies are HTTPONLY:
http://msdn.microsoft.com/en-us/library/ms533046.aspx
If the HttpOnly attribute is included
in the response header, the cookie is
still sent when the user browses to a
Web site in the valid domain. The
cookie cannot be accessed through
script in Internet Explorer 6 SP1,
even by the Web site that set the
cookie in the first place. This means
that even if a cross-site scripting
bug exists, and the user is tricked
into clicking a link that exploits
this bug, Windows Internet Explorer
does not send the cookie to a third
party. The information is safe.
Firefox also respects this flag (as of v2.0.0.5).
I'm pretty sure the web developer toolbar shows cookies for domain and sub-domains.
So it will show cookies for
abc.xyz.com
xyz.com
whether you are on a page of either domain