MozillaZine

FF44 third party cookies

Discussion of general topics about Mozilla Firefox
Scarlettrunner20

Posts: 1016
Joined: February 13th, 2003, 5:06 pm

Posted February 12th, 2016, 2:44 am

Frank Lion wrote:
Scarlettrunner20 wrote: Page source has nothing to do with this problem

Through the fog of your mind, could you at least try to read just two words correctly? Page Info is not Page source.

All these years and you sti

Try to focus. It was you who asked for this -

. Mozilla could have fixed it - partial fix at least - by setting a mechanism (button maybe?) that the user could hit if a site refused to honor (after say 10 tries at the most) the user's choice for cookies and that button would force the user's choice on the errant site

...and me who told you how that already existed using Page Info > Permissions, where you can block all cookies from an individual site forever. If you don't like what it does then don't ask for it or use it.


I have several cracked ribs and an injured back. Sorry if I typed the wrong word.

I can also block all cookies from Fx Options but NOT in real time so neither is acceptable. They are passive ways AFTER THE FACT.

Frank Lion

Posts: 20841
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted February 12th, 2016, 5:18 am

Scarlettrunner20 wrote:I have several cracked ribs ...

...you've been reading through some of your old posts again, eh?

Scarlettrunner20 wrote:I can also block all cookies from Fx Options but NOT in real time

Think outside the box and block them all by default and then allow just the ones you want. If people had not made assumptions then I would have gone into more detail on that.

Scarlettrunner20 wrote:They are passive ways AFTER THE FACT.

There is no AFTER THE FACT. Within nanoseconds of visiting a website your IP and device details are recorded in the logs (don't forget I have websites, so none of this is theory). The initial cookie/s just takes these details, also often the page you are visiting, and adds a unique identifier (Client or User) to those details. That's it. Thus, that cookie can be deleted/blocked AFTER THE FACT and the site will still have your IP and device details, but can do nothing with that original cookie because it contained, er, nothing. Unless blocked from doing so, once deleted all the site can do is to reissue another cookie with a brand new Unique Identifier and so on...

The 'danger' with 1st party cookies is not with the initial cookies, but with the persistence of them across different sessions, which is how a tracking history/user profile is built up. So, it doesn't matter if they are deleted before/during/after they are set just so long as they are deleted and not allowed to persist, i.e. -

Delete initial cookie 5 minutes later = No AFTER THE FACT
Delete cookie 3 months down the line = AFTER THE FACT

In either case, the site will still have your IP and device details. Incidentally, my websites set no cookies as I allow no ads at all. However, law enforcement agencies could still compel me to hand over the visitor IP/device logs (which is why I routinely delete the logs)

Quick novice Cookie 'How To' -

In Options/Preferences -
#1. Block Third Party Cookies. (be aware that some bank sites do require these to be enabled)
#2. Set Cookies to 'Allow for Session'/'Expire when I close..'
#3. Set Private Data/Custom Settings to clear Cookies and optionally Cache, on Exit. (use, if required, Ctrl + Shift + Delete during session.)
#4. Use Page Info (Ctrl + i) to adjust cookie permissions for individual sites, if so required.

There can be more to it than that, but do the above and you can set this stuff, forget about it and the world will not end. Good to know if you use multiple profiles/different browsers/have better things to do.

***

Whatever else you do, just don't ever get into this position :) -

Scarlettrunner20 wrote:The badly coded sites try upwards to 100 times (that is a LOT of clicking and yes I have actually counted that many clicks on a few sites) to get you to accept their cookies.....

....I have never given in though....I have clicked until my fingers were half numb but the sites always finally give up trying to set cookies.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

polidobj

Posts: 3147
Joined: March 31st, 2004, 9:10 am
Location: Maryland USA - im in ur tinderbox, crashtesting ur firefox

Posted February 15th, 2016, 7:34 am

Frank Lion wrote:#4. Use Page Info (Ctrl + i) to adjust cookie permissions for individual sites, if so required.
The problem is this is likely not enough. I block all cookies and allow the ones I need to login to sites. This was easy when you could get Firefox to ask when setting cookies. Then you could get the proper allow exceptions. I tried to login to meetup.com but couldn't figure out how to get it to work in FF44. I had to use FF43 to find the correct exceptions I needed. The cookies were set for meetup.com, but they were being set by http://www.meetup.com and https://secure.meetup.com.

Is there an extension that would help me figure out the proper exceptions I need?
Brian J Polidoro - Today's bugs brought to you by Raid. :P
Windows7 - Firefox user since ~Feb 2002
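
Added example, not part of polidobj's post or any other post in this thread: one way to work out which per-site exceptions a login needs is to list the sites that send Set-Cookie headers, since the post above found cookies scoped to meetup.com being set by http://www.meetup.com and https://secure.meetup.com. The capture is constructed; the cookie names and values and the function names are made up for illustration.

```javascript
// Constructed capture: response URL plus its Set-Cookie header. The host
// names are the ones named in the post; cookie names and values are made up.
const capture = [
  { url: "http://www.meetup.com/",
    setCookie: "visitor=abc123; Domain=.meetup.com; Path=/; Expires=Wed, 15 Feb 2017 12:00:00 GMT" },
  { url: "https://secure.meetup.com/login/",
    setCookie: "session=xyz789; Domain=meetup.com; Path=/; Secure; HttpOnly" },
  { url: "https://secure.meetup.com/login/",
    setCookie: "csrf=tok456; Path=/login; Secure" },
];

// Split one Set-Cookie header into the cookie name and its attributes
// (attribute names are case-insensitive, so they are lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Group cookies by the site that sent them (assumption taken from the post:
// the exception has to name the sending site, not the cookie's Domain).
function exceptionsNeeded(entries) {
  const bySetter = new Map();
  for (const { url, setCookie } of entries) {
    const { protocol, hostname } = new URL(url);
    const { name, attrs } = parseSetCookie(setCookie);
    // No Domain attribute means the cookie is scoped to the sending host only;
    // a leading dot in Domain is ignored.
    const scope = typeof attrs.domain === "string"
      ? attrs.domain.replace(/^\./, "").toLowerCase()
      : hostname;
    // Expires or Max-Age asks the browser to keep the cookie beyond the session.
    const persistent = "expires" in attrs || "max-age" in attrs;
    const site = `${protocol}//${hostname}`;
    if (!bySetter.has(site)) bySetter.set(site, []);
    bySetter.get(site).push({ name, scope, persistent });
  }
  return bySetter;
}

for (const [site, cookies] of exceptionsNeeded(capture)) {
  console.log(site, cookies);
}
```

Each key of the returned map is a site that would need its own cookie permission; the `persistent` flag marks cookies that would survive unless cookies are limited to the session or cleared on exit.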

Frank Lion

Posts: 20841
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted February 15th, 2016, 10:26 am

polidobj wrote: I tried to login to meetup.com but couldn't figure out how to get it to work in FF44.

The trick here is to keep an eye on the addressbar. To demonstrate (I don't have an account at 'meetup') I'll be using here and Ebay -

First, I changed my settings to block all cookies.

#1. Visit mozillazine > Ctrl + i > Permissions > cookies to allow for session.
#2. Try login here > no https on addressbar > Login successful.

#3. Visit Ebay > Ctrl + i > Permissions > cookies to allow for session.
#4. Try login Ebay > https and signin address on addressbar > Ctrl + i > Permissions > cookies to allow for session.* > Login successful.

* Usually you need to refresh the login page, so it understands that things have changed.

Only has to be done once and is then remembered. Incidentally, most proper password logins on websites will be https.

You can use extensions, if you prefer, but even the dev notes for them tend to read as long as 'War and Peace'. Some also don't work if you block all cookies by default, like SDC, etc.

I'm not saying it was a great idea for Mozilla to remove the 'Ask' stuff (I would have left it). All I'm saying is that users can, if they want to, work around that on a default setup, without needing extensions. Obviously, there will be exceptional needs that do, as there are with everything.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

glnz

Posts: 30
Joined: August 11th, 2007, 10:52 am

Posted February 21st, 2016, 5:54 am

Mozilla - have you gone out of your mind?

How can you get rid of "ask me every time" to block cookies? This is an essential feature. This is the number 1 reason why I adopted FF and stuck with it for -- what? -- ten years.

And you didn't even tell us.

Who are you now? I thought privacy and concern for the user rather than the abuser was core to your mission. This is why I have responded to your campaigns and contributed three years now.

Don't write here about workarounds - you have nothing that works like "ask me every time".

So now I am flooded by cookies - no way to control anything at the level needed.

You are now the same as Google Chrome.

How can you do this?
Last edited by LIMPET235 on February 21st, 2016, 6:06 am, edited 1 time in total.
Reason: Removed the un-necessary bolded text.
glnz

LIMPET235
Moderator

Posts: 39292
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Posted February 21st, 2016, 6:09 am

"We" cannot do anything in/with Firefox.
We are just a user-to-user help site.
---------------------------------------------------------------------->>>

&, You might want to read this entire thread for a few tips.


Go complain to "them."
Help > Submit feedback.
Ancient Amateur Astronomer
Win-7-HP/Intel® DualCore-2.0GHz/500G HDD/4 Gig Ram/550Watt PSU/350WattUPS/Firefox-20.0-62.0-70.0/T-bird-2.0.0.24/SnagIt-v10.0.1/MWP-7.12.
W.M.Y.C.
(Always choose the "Custom" Install.)

frg
 
Posts: 997
Joined: December 15th, 2015, 1:20 pm

Posted February 21st, 2016, 6:33 am

Well I am quite sure that thanks to the open and transparent nature of the Mozilla project this option won't come back. All further attempts to restore it are a waste of time.

The discussions on the official channels remind me of the old wrong-way driver traffic warning joke:

What, only one driver driving the wrong way? No, I see hundreds of them!

I backed out the change in my private Seamonkey build and hope that somebody comes up with an extension for it.

FRG

glnz

Posts: 30
Joined: August 11th, 2007, 10:52 am

Posted February 21st, 2016, 6:40 am

How do I get back the earlier Firefox? I think it was still working in FF 43.

This is really bad.
glnz

frg
 
Posts: 997
Joined: December 15th, 2015, 1:20 pm

Posted February 21st, 2016, 6:49 am

Yes it was removed starting with FF 44. You can find the latest 43.x version here:

https://archive.mozilla.org/pub/firefox ... es/43.0.4/

You need to disable automatic updates for this to work. The usual reminder that 44.x fixes a few security bugs and using an older version will expose you to the dangers of the internet.

The latest ESR still contains the option but this is only a temporary solution too. ESR 45 is on the way soon.

https://archive.mozilla.org/pub/firefox ... 38.6.1esr/

FRG

Frank Lion

Posts: 20841
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted February 21st, 2016, 7:09 am

frg4711 wrote:I backed out the change in my private Seamonkey build and hope that somebody comes up with an extension for it.

Unlikely, as they ripped out the back end for it.

However, no great problem. When I was helping above - viewtopic.php?p=14512145#p14512145 I blocked all cookies to test (usually I allow 1st party for session, block 3rd party, clear cookies and cache on exit) - works fine and I was surprised how little difference it made to sites.

Obviously I use Ctrl + i for individual site cookie permissions where I need to login, etc (Youtube also needs 1st cookies for session permission or you don't see the comments) and it all went fine with the exception of the Daily Mail site and GMail, which I easily worked around.

So...I'm keeping the block all cookies setting from now on.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

frg
 
Posts: 997
Joined: December 15th, 2015, 1:20 pm

Posted February 21st, 2016, 7:13 am

>> Unlikely, as they ripped out the back end for it.

I think with a cookie observer it can be done. The cookie would only be visible for a short time this way.

FRG

glnz

Posts: 30
Joined: August 11th, 2007, 10:52 am

Posted February 21st, 2016, 7:01 pm

Frank Lion and frg -

Sorry, but what do you mean by ctrl + i ? When I try that, I get a side bar for bookmarks.
glnz

Frank Lion

Posts: 20841
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted February 21st, 2016, 9:15 pm

glnz wrote:Sorry, but what do you mean by ctrl + i ? When I try that, I get a side bar for bookmarks.

On Firefox 47 and earlier, plus SeaMonkey, Ctrl + I is the hotkey for Page Info. You can also find it by right clicking on any webpage and it's on the context menu there. Another, less well known, method of locating is this -

This next bit may help you or not, but it's little known. You can also set individual site settings by the following method - click the identity box at the left end of the addressbar (where the site favicon used to be) then click the right arrow on the popup that appears and finally 'More Information'. There you can set all sorts of preferences for an individual site and you only have to do it once.


Anyway - Page Info > Permissions > Cookies and you can allow/block/just session for individual sites. Maybe not ideal, but it wasn't my idea to get rid of the other stuff.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Drumbrake

Posts: 1177
Joined: February 14th, 2011, 2:34 am

Posted February 22nd, 2016, 9:10 am

Frank Lion wrote:
Regarding your scaremongering silent JS stuff, you really think I don't have these computers and routers being continually scanned and would not know immediately of any JS exploits, really? Really? 12 years I've waited, where are they?

Take up your JS concerns with the browser makers who have it enabled by default.

Well, for some reason you are apparently taking this the wrong way, not much I can do about it other than emphasizing I'm not trying to look smarter here or proving you wrong for any special reason: what prompted my original reply was that you actually stated that with “JS enabled, a very basic adblocker and a short hostfile” you never or rarely see ads and furthermore you don't think there is an underlying javascript abuse issue worth worrying about, or noticeable enough that it could eventually be a sensible choice blocking JS - or, more correctly IMHO, curb it with NoScript.

As for the ads thing, nothing I can do but say once again that if I had to follow such guidelines, I'd be seeing ads everywhere: I have a hostfile that keeps constantly growing, I use lots of custom filters with my adblockers, have JS managed with NoScript, and yet I still see ads popping here and there.

Then you go on labeling general concerns (which I would call “awareness”) about security as “fearmongering”, which of course I completely disagree with.

Would you call this https://blog.mozilla.org/security/2015/ ... -the-wild/ just "fearmongering"?

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer(...)
The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload. [Update: we’ve now seen variants that do have a Mac section, looking for much the same kinds of files as on Linux.]
The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.



How do you know for sure in this case, that you haven't been targeted?

Then how about the well-known router attacks via CSRF vulnerabilities? Like this one:

http://arstechnica.com/security/2014/03 ... s-changes/

It also sounds somehow contradictory to me first giving the general advice not to bother with such issues, then stating that you have your routers and systems “routinely scanned”: the average user doesn't do that, which makes it even more important for them to use adblockers and manage JS.

Then again,
I'm not trying to look smarter here or proving you wrong for any special reason

we're just discussing things here.

Frank Lion

Posts: 20841
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted February 22nd, 2016, 10:02 am

Drumbrake wrote:we're just discussing things here.

Nope, you're discussing things here, meanwhile I've been discussing cookies, which is the subject of this thread.

Meantime, you've latched onto what I mentioned about my experiences with JS. That's your choice, but doesn't mean I want to discuss it.

Frank Lion wrote:All I can do is to write the truth and people can make of it what they will and the truth is that I've had JavaScript enabled ever since 2004 and never had a problem.

Hardly unique as that is default in browsers. The elephant in the room is where are all those supposedly inevitably compromised JS users hiding?


What do you want from me? I'm not saying it is the only way, I'm not advising anyone to do the same. I'm saying that is my personal experience of JS stuff for over 10 years. You want me to lie and pretend that's not what has happened?

Again, why tackle me on this, when millions of other people are doing exactly the same, if only because JS is enabled by default?



..you are apparently taking this the wrong way, not much I can do about it other than emphasizing I'm not trying to look smarter here or proving you wrong for any special reason

We're cool, you should know by now my writing style on public forums. :)
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
