Brave Shields are set to block all cookies browser-wide. I have granted cookie permissions to the specific handful of sites I need them for.
But specific Brave extension (Feedbro, a multi-use local feed reader) requires Brave to allow cookies in order to access my Instagram cookies to fetch Instagram posts. Allowing cookies on Instagram itself doesn't matter.
The issue seems to be that with Brave set by default (browser wide) to block cookies, the extension can't access the allowed Instagram site cookies. And extension pages chrome-extension://mefgmmbdailogpfhwrjsbrnjfmnpnmdfa seem to have no way of setting specific Brave Shield controls for them. The only settings adjustment I've found that gets this working is to change "Block Cookies" in brave://settings/shields from "All" to "Cross-site". But of course that allows all 1st party cookies now on every site, browser-wide.
How can I allow just this extension and its page to have full cookie access? I tried adding an exception rule like ##||chrome-extension^ or the specific extension URL but no luck.
I seem to have figured it out.
Go to the Brave cookie settings page at brave://settings/cookies
Under the "Sites that can always use cookies" list, I manually added these entries, allowing 3rd party cookies too:
[*.]mefgmmbdailogpfhfblcnnjfmnpnmdfa
chrome-extension://mefgmmbdailogpfhfblcnnjfmnpnmdfa/
Those are the Chrome extension IDs for my extension (Feedbro) but you can add the ID for whichever extension you like. The IDs for Chrome extensions can be found by right-click on the extension icon in the toolbar > Manage Extension.
Related
I'm about to implement cookie consent for a website. As I understand it, cookie consent means that you shall not use cookies before you have received a consent from the user.
How can I know that a user have accepted cookies or not without storing this information in a cookie?
I'm assuming you mean the GDPR. Your understanding of it is incomplete: cookies that are necessary to deliver the site's functionality are allowed without consent. A cookie that merely stores consent is thus allowed, even if the user rejected other cookies.
I am not a lawyer, not legal advice, etc.
I sugest you set a cookie only if the user has accepted cookies. If this cookie is set dont ask again. Otherwise show the cookie consent banner again and again on every new site they visit as if they were new visitors.
What i find strange is that even big german sites like Stern.de, Focus.de, Spiegel,de and even the computer magazine heise.de are setting loads of cookies before they show the consent banner.
Even more strange is that while Stern.de and Focus.de also offer a complicate "Adjust" button (users usuarly dont click them because adjusting cookie preferences on every site is nerve wrecking), Spiegel.de and Heise.de dont even offer this. They just offer "Accept" or pay for a ad free version.
If you click on "Adjust" instead of "Accept" on the first sites they just close the consent banner.
So all the sites dont show a button to easily denie or delete cookies even i thought it has to be as easy to deny as to accept. Im not a lawyer too and this is no legal advice but if they all do it this way i guess this must be legal in Germany even it doesnt make any sence at all. Cookies are set no matter what the visitor does. The big question seems to be what es necessary? Are google Analytics und Adsense and others necessary to finance the server and keep the site online? Necessary cookies are allowed.
Writing this, there is an article in another big news site (that also sets loads of cookies before showing the consent banner and also just offers accept or pay buttons) saying someone had to pay €100 for not asking the visitor for his permission before even loading google fonts not even talking about analytics: https://t3n.de/news/google-fonts-illegal-urteil-dsgvo-1447698/
https://stackoverflow.com/q/70967060/12668719
Analytics Is there a setting on Google Analytics to suppress use of cookies for users who have not yet given consent
Adsense How To Make Adsense Load When Cookie Consent Given?
Check this open source solutionfor the EU cookie law compliance:
https://cookieconsent.osano.com/
The easiest and most effective way is to show a pop-up banner that explains which kind of cookies you want to store and provide an option to allow/disallow each cookie. When clicking Save, you have to handle which cookies were allowed and load them accordingly. Everything can be done in JS.
I'm not sure if this is the right stack to ask this in so if not please let me know!
I am trying to get a handle on what cookies are used on a site and what they are for. When I initially did a cookie scan I noticed a cookie names NID which was set by google.
I have tried to research this cookie and can see it is used by Google for advertising purposes.
But I am confused about why and where this is being set, the site I am looking at does not use advertising anywhere, although it does use embedded YouTube videos.
Can anyone shed any light on when and why this cookie is set?
according to Google
Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.
For me, the cookie was hammered incessantly by the url https://www.google.com/s2/favicons?domain=example.org Which was being used by CookieBro & FeedBro RSS feeder browser addons for retrieving icons associated with various domains. The cookie can be dropped by either an addon or by google itself.
I used cookie log via cookiebro addon for firefox & chrome to detect these cookies in realtime, its one of a kind. However I did not realize it was cookiebro dropping them until the next step below.
To see what background connection is occuring when these cookies are placed, enter the following firefox url: about:cache?storage=disk&context= and you will see when and where the google url being connected to.
It is said this cookie is for targeting & ADS and the google's settings are integrated to make the cookie inconvenient to delete for Google users.
I work for an e-commerce site. Part of what we do is to offer customized items to some clients. Recently some non-technical management promised that we could incorporate our check-out process into one such client's website. The only way we've figured out how to do this is by using an iframe (I know, I don't like it either). The issue is that most customers of this site are unable to check out because we use cookies to determine which custom items to display. Browsers are recognizing our cookies as third party and almost everybody has third party cookies turned off, as they should. I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Try an invisible, interstitial page.
Essentially the hosting site would issue a redirect to a site within your domain, which is then free to set cookies (because at this point is is actually the first party). Then your site immediately redirects back to the hosting site. At this point your newly-created cookies will be invisible to the hosting site but visible to your iFramed page henceforth.
Unfortunately the hosting site will have to do this every time a cookie is to be updated but the double-redirect can happen so quickly they'll hardly notice. Hopefully your system only needs the cookies to be set once.
Instead of using a cookie, pass the information in the each url request as name/value pairs.
It is a bit of a pain to add the name/value to every url...I know...oh well...it will work.
I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Your iframed page itself, which is the third party in this scenario, could send a P3P Cookie Policy header – some browsers then accept third-party cookies by default, whereas others (mainly Safari) will not be convinced to do so at all if not by the user manipulating the default settings themselves.
What you could also do, is pass the session id not (only) by cookie, but as a GET or POST parameter as well – f.e. under PHP this can be done quite easily by configuring the session options. You should consider if that’s worth the slightly increased risk of session stealing.
The interstitial page solution should work but it might be a lot of trouble for your hosting site, so here's another solution that will allow you to work cookieless.
Write an HttpModule that responds to the BeginRequest event, reads the querystring, and inserts corresponding cookie headers into the Context.HttpRequest object (Note: you can't use AddCookie, you have to use AddHeader, because cookies added by a module directly are disposed of before they hit your application proper). That way the hosting site can simply issue a request (within the iFrame) that contains the necessary value in the querystring, the module will convert it into a cookie (that only exists in memory, not on the wire), and your application will be deceived into thinking that there's a cookie there. No code changes required, you just need to add the module in web.config.
This only works if you are using IIS 7.0+ in integrated pipeline mode. If you're on an earlier version of IIS or if you have to run in classic mode, you'll need an ISAPI filter instead.
Ryan , John
For the Chrome v80 update with SameSite flags, want to set the samesite=none;secure for the site hosting our iframe and somehow supply the necessary samesite=none;secure cookie. We have apache 2.2 and tomcat 6 setup, so would appreciate a solution and advice on how to make it work. Currently with flag enabled the iFrame is not punching out successfully.
Thanks
I've just discovered Evercookie project on Github.
Evercookie is a Javascript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.
This is accomplished by storing the cookie data as many browser storage mechanisms as possible. If cookie data is removed from any of the storage mechanisms, evercookie aggressively re-creates it in each mechanism as long as one is still intact.
If the LSO mechanism is available, Evercookie may even propagate cookies between different browsers on the same client machine!
I tested it online, on this example page. I clicked "Create evercookie" button, I deleted all browsing data and I refreshed the page. The cookies that were deleted by deleting browsing data returned again there.
Where is the browser security in this thing? Is this secured?
If you want to disable Flash based cookies, use Adobe's "Global Storage Settings" panel here:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html
Perform all of these Steps:
Uncheck "Allow 3rd Party Flash Content to store data on your computer"
Check "Never ask again" (a non-obvious, but important step)
Click the 2nd to last tab: "Website Storage Settings"
Delete all existing data
Chrome bundles its own Flash plugin on Windows and Mac OS X. The settings and disk storage are separate from the plugin packaged directly by Adobe, so you may need to perform the above steps twice if you use Chrome. On the plus side, the separate storage location prevents Flash from being used to synchronize cookies to or from Chrome and other browsers.
I recommend testing with my personal site:
http://noc.to
The "Zombie Cookie" section can show you exactly how cookies are being restored and help you determine if the above steps (or any tools you use) are working.
In order to create an Evercookie, all you need is:
The ability to run JavaScript (or other active content, like Flash and perhaps Java); and
The ability to access the various client-side locations where copies of the cookie data are stored.
Totally disabling access to all storage mechanisms would render most of them useless; for most of them, their whole reason for being is to allow a script to use them. So the only even remotely feasible option is restricting access by domain. I'm not sure what browsers (if any) allow that kind of granularity, though. Most can allow or block JS as a whole from certain domains, but as for what features a given domain's scripts can use...? I'm not seeing that ability in Chrome 26 or IE 10, at least.
Well, it doesn't seem to work that well.
Created the everCookie
Closed the window
Empty all elements of Firefox cache (just by going to delete recent history anc check everything except site preferences)
Closed the window
Came back to the page
Finally realized it wasn't stored
What is strange is that I dind't explicitely removed Flash cookies in Flash Website Storage Settings panel. Maybe it's integrated into Firefox. Or I may have disabled them.
I think there's several other ways to store cookies and trace you. Facebook is already tracking you all over the web, even when disconnected. Google too (do you use Chrome?). Moreover, with IPv4 addresses, we certainly can find you back (why not just after you've emptied your cache!). We also can find you back while logging back on any site, and make a link with your previous sessions.
I suggest:
Using Firefox, even it's slower than Chrome, it's still more respectful of privacy
Removing the whole Internet cache on window close (sorry you'll have to log again on your preferred sites)
Check third-party cookie options
Use browser addons with care
Check Flash & Silverlight cookie options
Avoid website reputation checking (provided that you can recognize a fishing attempt)
Use private browsing mode when you don't want to share your digital lives
I am working on a website that generates traffic for partner sites. When a partner site's logo is clicked on our site we open the partner site in a page that contains our basic header and the partner site within an iframe. Earlier we were simply opening the partner site in new window. All cool so far.
Most partner sites use google analytics to track the traffic that we send them and soon after we started opening sites within iframe our partners reported that google analytics does not track data anymore (or tracks just a fraction of data).
I have done my fair share of homework/research on googleverse and found the know issue with google analytics or cookies in general across domains and iframes.
I am trying to resolve this issue and the only solution that has been referenced is the use of P3P headers.
First, where do the P3P headers go? In my sites pages or the partner sites pages. Since we have many partner sites (big and small) it wont be practical if the solution is to put tags in each of these sites. I can easily have them added to the page that contains the iframe.
Among the various p3p header generators is there a reliable one that you recommend?
Is there any way around this issue? I really need to open the sites in iframes and obviously the partner sites really need to track the traffic.
Thank you for the help.
Unfortunately, both you and the partner site needs to set the headers.
Alternatives:
If you do not want the partner site to set headers, one option is to lower the security level (in IE) or grant access to 3rd party cookies (in FF) in the browser settings. Every client has to do this, so this may not be an attractive solution.
Use localStorage (HTML5 thingy - browsers that support localStorage allow access to both the site and the iFrame's content that is stored in localStorage). This may not be feasible in the short term as it requires both you and your partner site to implement saving/reading information to/from localStorage and not every browser supports it (older IE browsers especially).
To add a basic policy header (ideally you should generate your own policy which is straight forward - check item#2 below)
in php add this line:
<?php header('P3P: CP="CAO PSA OUR"'); ?>
in ASP.Net:
HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
in HTML pages:
<meta http-equiv="P3P" content='CP="CAO PSA OUR"'>
Regarding your other concerns:
1) P3P headers refer to the HTTP header that delivers something called a compact policy to the browser. Without such a policy in place, IE (most notably) and other browsers will block access to 3rd party cookies (a term used to refer to iFrame's cookies) to protect user's privacy concerns.
As far as Google Analytics goes, both your site and the partner site still needs to configure cross domain tracking as outlined in their documentation.
2) You can use this basic policy header (which is enough to fix iFrame's cookies):
P3P: CP="CAO PSA OUR"
or generate your own. If you're not sure what those terms mean, see this.
To generate such policy, you can use online editors such as p3pedit.com or IBM's tool which present a set of questions and allow you to present answers. This makes it easy for you to quickly generate such policy. You can generate the policy XML, compact policy and more.
3) You can try the two alternatives mentioned above.
Steps to add the policy to your entire site
Generate a compact policy (using one of the tools mentioned earlier) or use the basic policy
In IIS, right-click the desired page, directory, or site, and then click Properties.
On the HTTP Headers tab, click Add.
In the Custom Header Name field, type P3P.
In the Custom Header Value field, enter your Compact P3P Policy (or the basic one from above) and then click OK.
In Apache, a mod_header line like this will do:
Header append P3P "CP=\"CAO PSA OUR\""
Hope ths helps.