Github pages & jquery cookie; state saved on page level only - cookies

So I just put an old project on GitHub. It was in PHP and had some cookie magic so that when you "invert" the colors it would stay through the site. I saved a rendered HTML version of the site for GitHub and I also switched all the cookie magic to jquery.cookie so that it would work without a server-side component.
There's a link to the site below.
http://reggi.github.io/csi-bp
So it seems that github pages set cookies on a page-level and they don't seem to transfer between pages. Is this the case? I'm curious as to what I'm missing.
I know they just switched the domain from github.com to github.io for cookie / security purposes, but I didn't know that it was going to result in this.

It could be a side effect of the newest security measure from GitHub (April 18th):
"Content Security Policy"
Content Security Policy is a new HTTP header that provides a solid safety net against XSS attacks.
It does this by blocking inline scripts and limiting the domains that other scripts can be loaded from.
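
Separately from CSP, the cookie Path attribute can produce this page-level symptom: a cookie written without a path (jquery.cookie's `path` option omitted) is scoped to the directory of the page that set it. The following is an added example, not code from the original posts; it implements the RFC 6265 default-path and path-match rules, and the page layout under /csi-bp/ and the helper `pagesSeeingCookie` are constructed for illustration.

```javascript
// RFC 6265 section 5.1.4: path given to a cookie set without a Path attribute.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4: does a request path fall under a cookie path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Which pages receive a cookie that was set while viewing `setOn`?
// `explicitPath` models the jquery.cookie `path` option (undefined = omitted).
function pagesSeeingCookie(setOn, explicitPath, pages) {
  const cookiePath = explicitPath !== undefined ? explicitPath : defaultPath(setOn);
  return pages.filter((p) => pathMatches(p, cookiePath));
}

// Constructed layout for a project site served under /csi-bp/.
const PAGES = ['/csi-bp/', '/csi-bp/about/', '/csi-bp/work/item.html'];

// Set on a sub-page with no path: only that directory sees the cookie.
console.log(pagesSeeingCookie('/csi-bp/about/', undefined, PAGES));
// Set on the same sub-page with path '/csi-bp/': every page sees it.
console.log(pagesSeeingCookie('/csi-bp/about/', '/csi-bp/', PAGES));
```

With jquery.cookie the equivalent fix is passing the option explicitly, for example `$.cookie('name', 'value', { path: '/' })`.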

Related

How can I resolve a Django "fraudulent site" warning in Chrome?

In fact, I have a Django web app that I host with continuous deployment. When I try to open this app in Chrome I get a red warning page which says that the site is fraudulent and, in addition, that I have to enable Chrome's advanced protection to be protected from malicious sites. Via the "show more" button I can access the site by clicking on "open the insecure site". When I open the site in the Edge browser I don't see any kind of warning and the site opens successfully. At this point I think that it's something related to the security settings of Chrome.
Below is the error:
*fraudulent website
Attackers at xxxxxxxxxxx might trick you into doing something dangerous, like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards). know more
To use Chrome's highest level of security, enable enhanced protection
Recently, Google's "Safe Browsing" feature detected phishing from bluecamp.azurewebsites.net. Phishing sites pretend to be other sites to trick you.
*
You can report a detection issue or, if you understand the risks to your security, access this unsafe site.
Then I navigated to the security settings of Chrome and switched the protection setting to "without security", and at this point the site loads without the previous error. The issue is that I have to deploy the site and, no matter the browser, the site should open without any kind of error. I was also thinking that it's something related to my Django app's secret key, so I generated another one using the Django secret key generator, but there was no change. Any kind of help to solve this problem would be appreciated.

Issue with AWS Cloudfront and Woocommerce cart

I have an issue with Woocommerce on my site when I enable AWS Cloudfront CDN to speed up the site.
The site is hosted on an AWS EC2 Bitnami instance. No parts of the site are hosted in S3.
When Cloudfront is enabled and I add a product to the cart then press the “Proceed To Checkout” button from the shopping-cart, nothing happens, the browser just loads the shopping-cart page again. If I disable Cloudfront in the AWS for WordPress plugin then it works as expected and opens the checkout page. This happens in all browsers.
Also, if I update the quantity to add extra options then the shopping-cart page reloads with a message of "Your basket is empty". The cart icon still has a "1" against it, and when I press it the shopping-cart page comes back with the item in place, but I have the same issue when pressing the “Proceed To Checkout” button.
Looking at the developer tools in the browser there are no indicators of any errors. This seems to be some caching or cookie issue.
I have a Cloudfront policy that has Origin, Access-Control-Request-Method and Access-Control-Request-Headers whitelisted in headers to resolve CORS issues with font files. This works as expected and the fonts load correctly; before this was in place font icons would not display and I'd get lots of 404 errors.
Following some answers from this Cloudfront + Woocommerce - cart not updating SO post I tried whitelisting all cookies, and whitelisting just wp_woocommerce_session_* which I added while debugging this issue. Neither of these options made any difference.
The only way I can get it to work is by disabling Cloudfront. The site is slow to load without it though and SEO results are compromised.
Any idea what settings I need to change in order to get this to work?
In the end I ditched the official AWS plugin, and used another (free) AWS CDN specific plugin that did all the configuration and worked out of the box.

Google NID Cookie

I'm not sure if this is the right stack to ask this in so if not please let me know!
I am trying to get a handle on what cookies are used on a site and what they are for. When I initially did a cookie scan I noticed a cookie named NID which was set by Google.
I have tried to research this cookie and can see it is used by Google for advertising purposes.
But I am confused about why and where this is being set, the site I am looking at does not use advertising anywhere, although it does use embedded YouTube videos.
Can anyone shed any light on when and why this cookie is set?
According to Google:
Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.
For me, the cookie was hammered incessantly by the URL https://www.google.com/s2/favicons?domain=example.org, which was being used by the CookieBro & FeedBro RSS feeder browser addons for retrieving icons associated with various domains. The cookie can be dropped by either an addon or by Google itself.
I used the cookie log via the CookieBro addon for Firefox & Chrome to detect these cookies in real time; it's one of a kind. However, I did not realize it was CookieBro dropping them until the next step below.
To see what background connection is occurring when these cookies are placed, enter the following Firefox URL: about:cache?storage=disk&context= and you will see when and where the Google URL is being connected to.
It is said this cookie is for targeting & ads, and Google's settings are integrated to make the cookie inconvenient to delete for Google users.

Is there something a site can do to incorporate third party cookies

I work for an e-commerce site. Part of what we do is to offer customized items to some clients. Recently some non-technical management promised that we could incorporate our check-out process into one such client's website. The only way we've figured out how to do this is by using an iframe (I know, I don't like it either). The issue is that most customers of this site are unable to check out because we use cookies to determine which custom items to display. Browsers are recognizing our cookies as third party and almost everybody has third party cookies turned off, as they should. I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Try an invisible, interstitial page.
Essentially the hosting site would issue a redirect to a site within your domain, which is then free to set cookies (because at this point it is actually the first party). Then your site immediately redirects back to the hosting site. At this point your newly-created cookies will be invisible to the hosting site but visible to your iFramed page henceforth.
Unfortunately the hosting site will have to do this every time a cookie is to be updated but the double-redirect can happen so quickly they'll hardly notice. Hopefully your system only needs the cookies to be set once.
Instead of using a cookie, pass the information in each URL request as name/value pairs.
It is a bit of a pain to add the name/value to every url...I know...oh well...it will work.
I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Your iframed page itself, which is the third party in this scenario, could send a P3P Cookie Policy header – some browsers then accept third-party cookies by default, whereas others (mainly Safari) will not be convinced to do so at all if not by the user manipulating the default settings themselves.
What you could also do, is pass the session id not (only) by cookie, but as a GET or POST parameter as well – f.e. under PHP this can be done quite easily by configuring the session options. You should consider if that’s worth the slightly increased risk of session stealing.
The interstitial page solution should work but it might be a lot of trouble for your hosting site, so here's another solution that will allow you to work cookieless.
Write an HttpModule that responds to the BeginRequest event, reads the querystring, and inserts corresponding cookie headers into the Context.HttpRequest object (Note: you can't use AddCookie, you have to use AddHeader, because cookies added by a module directly are disposed of before they hit your application proper). That way the hosting site can simply issue a request (within the iFrame) that contains the necessary value in the querystring, the module will convert it into a cookie (that only exists in memory, not on the wire), and your application will be deceived into thinking that there's a cookie there. No code changes required, you just need to add the module in web.config.
This only works if you are using IIS 7.0+ in integrated pipeline mode. If you're on an earlier version of IIS or if you have to run in classic mode, you'll need an ISAPI filter instead.
Ryan, John,
For the Chrome v80 update with SameSite flags, we want to set samesite=none;secure for the site hosting our iframe and somehow supply the necessary samesite=none;secure cookie. We have an Apache 2.2 and Tomcat 6 setup, so we would appreciate a solution and advice on how to make it work. Currently, with the flag enabled, the iFrame is not punching out successfully.
Thanks
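
The SameSite=None; Secure requirement raised in the post above, as an added example that is not part of the original posts: a check for whether a Set-Cookie value qualifies for a cross-site iframe under Chrome 80's rules, and a rewrite of the kind a response-header filter in front of the application would apply. The function names, the `names` allow-list and the JSESSIONID sample value are constructed for illustration.

```javascript
// Split a Set-Cookie value into name, name=value pair and attribute list.
function parseSetCookie(setCookie) {
  const parts = setCookie.split(';').map((s) => s.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  const attrs = new Map();
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).toLowerCase();
    attrs.set(key, eq === -1 ? '' : p.slice(eq + 1));
  }
  return { name, pair: parts[0], parts: parts.slice(1), attrs };
}

// Chrome 80 rule: a cookie is attached to requests made from a cross-site
// iframe only if it carries both SameSite=None and Secure.
function sentInCrossSiteIframe(setCookie) {
  const { attrs } = parseSetCookie(setCookie);
  return (attrs.get('samesite') || '').toLowerCase() === 'none' && attrs.has('secure');
}

// Rewrite only the allow-listed cookies: SameSite=None exposes a cookie to
// every cross-site request, so it is applied per cookie, not globally.
// Returns null over plain HTTP, where a Secure cookie cannot be set.
function forCrossSiteIframe(setCookie, { https, names }) {
  const { name, pair, parts } = parseSetCookie(setCookie);
  if (!names.includes(name)) return setCookie; // leave other cookies untouched
  if (!https) return null;
  const kept = parts.filter((p) => !/^(samesite|secure)\b/i.test(p));
  return [pair, ...kept, 'SameSite=None', 'Secure'].join('; ');
}

// Constructed sample: a servlet-container session cookie with no SameSite.
const SAMPLE = 'JSESSIONID=ABC123; Path=/shop; HttpOnly';
const REWRITTEN = forCrossSiteIframe(SAMPLE, { https: true, names: ['JSESSIONID'] });
console.log(sentInCrossSiteIframe(SAMPLE), '->', REWRITTEN);
```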

iFrames + Google Analytics + Cookies + P3P

I am working on a website that generates traffic for partner sites. When a partner site's logo is clicked on our site we open the partner site in a page that contains our basic header and the partner site within an iframe. Earlier we were simply opening the partner site in new window. All cool so far.
Most partner sites use google analytics to track the traffic that we send them and soon after we started opening sites within iframe our partners reported that google analytics does not track data anymore (or tracks just a fraction of data).
I have done my fair share of homework/research on the googleverse and found the known issue with Google Analytics, or cookies in general, across domains and iframes.
I am trying to resolve this issue and the only solution that has been referenced is the use of P3P headers.
First, where do the P3P headers go? In my site's pages or the partner sites' pages? Since we have many partner sites (big and small) it won't be practical if the solution is to put tags in each of these sites. I can easily have them added to the page that contains the iframe.
Among the various p3p header generators is there a reliable one that you recommend?
Is there any way around this issue? I really need to open the sites in iframes and obviously the partner sites really need to track the traffic.
Thank you for the help.
Unfortunately, both you and the partner site need to set the headers.
Alternatives:
If you do not want the partner site to set headers, one option is to lower the security level (in IE) or grant access to 3rd party cookies (in FF) in the browser settings. Every client has to do this, so this may not be an attractive solution.
Use localStorage (HTML5 thingy - browsers that support localStorage allow access to both the site and the iFrame's content that is stored in localStorage). This may not be feasible in the short term as it requires both you and your partner site to implement saving/reading information to/from localStorage and not every browser supports it (older IE browsers especially).
To add a basic policy header (ideally you should generate your own policy, which is straightforward - check item #2 below):
in php add this line:
<?php header('P3P: CP="CAO PSA OUR"'); ?>
in ASP.Net:
HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
in HTML pages:
<meta http-equiv="P3P" content='CP="CAO PSA OUR"'>
Regarding your other concerns:
1) P3P headers refer to the HTTP header that delivers something called a compact policy to the browser. Without such a policy in place, IE (most notably) and other browsers will block access to 3rd party cookies (a term used to refer to iFrame's cookies) to protect user's privacy concerns.
As far as Google Analytics goes, both your site and the partner site still need to configure cross domain tracking as outlined in their documentation.
2) You can use this basic policy header (which is enough to fix iFrame's cookies):
P3P: CP="CAO PSA OUR"
or generate your own. If you're not sure what those terms mean, see this.
To generate such policy, you can use online editors such as p3pedit.com or IBM's tool which present a set of questions and allow you to present answers. This makes it easy for you to quickly generate such policy. You can generate the policy XML, compact policy and more.
3) You can try the two alternatives mentioned above.
Steps to add the policy to your entire site
Generate a compact policy (using one of the tools mentioned earlier) or use the basic policy
In IIS, right-click the desired page, directory, or site, and then click Properties.
On the HTTP Headers tab, click Add.
In the Custom Header Name field, type P3P.
In the Custom Header Value field, enter your Compact P3P Policy (or the basic one from above) and then click OK.
In Apache, a mod_header line like this will do:
Header append P3P "CP=\"CAO PSA OUR\""
Hope this helps.