Tuesday, December 22, 2009

Bypassing the intent of blocking "third-party" cookies

[Aside: I'm not sure anyone cares, particularly because the "block third party cookies" option tends to break legitimate web sites. But I'll document it just in case :)]

Major browsers tend to have an option to block "third-party" cookies. The main intent of this is to disable tracking cookies used by iframe'd ads.

It turns out that you can bypass this intent by abusing "HTML5 Local Storage". This modern browser facility is present in (at least) Firefox 3.5, Safari 4 and even the normally-lagging IE8. Chrome 4 Beta has it too, making it well supported across all browsers and a more tempting target.

In concept, HTML5 Local Storage is very similar to cookies. On a per-origin basis, there is a set of disk-persisted name/value pairs.

With a simple test, it's easy to show that the HTML5 Local Storage feature is not affected by the third-party cookie setting. I believe this holds across all the above browsers. A simple test page that gets and sets a name/value pair from within a third-party iframe is here:

http://scary.beasts.org/misc/iframe_storage.html

(This page also tests for a similar situation with HTML5 Web Database, but that is so far a less supported standard).
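An added example, not the code behind the scary.beasts.org test page: a probe that a page loaded in a third-party iframe can run to report whether cookies and HTML5 Local Storage each persist across loads, so the browser setting can be audited rather than assumed. The `storage` and `doc` parameters are an assumption made so the same logic can be exercised against stand-ins outside a browser.

```javascript
// Storage-side check: is `storage` (window.localStorage in a browser)
// usable from this context, and did a value written on an earlier load survive?
function probeStorage(storage, key) {
  key = key || "tp_probe";
  var result = { accessible: false, persistedFromEarlierLoad: false, loads: 0, error: null };
  try {
    var previous = storage.getItem(key);
    var loads = previous === null ? 0 : parseInt(previous, 10);
    if (isNaN(loads)) loads = 0;
    result.persistedFromEarlierLoad = previous !== null;
    loads += 1;
    storage.setItem(key, String(loads));
    // Read back: a browser may accept the write and silently drop it.
    result.accessible = storage.getItem(key) === String(loads);
    result.loads = loads;
  } catch (e) {
    // Current browsers throw a SecurityError here when third-party storage is
    // blocked; the 2009 browsers in the post simply allowed the access.
    result.error = e && e.name ? e.name : String(e);
  }
  return result;
}

// Cookie-side check for comparison: does a cookie set from this context
// read back? With third-party cookies blocked it should not.
function probeCookie(doc, name) {
  name = name || "tp_cookie";
  try {
    doc.cookie = name + "=1; path=/";
    return doc.cookie.indexOf(name + "=") !== -1;
  } catch (e) {
    return false;
  }
}

// Run both probes; in a browser this reports which mechanism the
// third-party setting actually covers for the embedding page.
function runProbes(doc, storage) {
  return { cookie: probeCookie(doc), localStorage: probeStorage(storage) };
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  var report = runProbes(document, window.localStorage);
  document.body.textContent = JSON.stringify(report);
}
```

Load the page once in the iframe, then reload it: `persistedFromEarlierLoad` turning true while `cookie` stays false is exactly the mismatch the post describes.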

What's interesting is that all these browsers did remember to disable these persisted databases in their various private modes.

5 comments:

Denis said...

Doesn't Firefox 3.5 ask the user whether he allows the use of LocalStorage?

Jeff Johnson said...

Note that there's a 3+ year old bug in WebKit that allows Netscape-style plugins such as Flash to set third-party cookies. See my bug report and the older bug report linked therein.

Chris said...

@Denis: I've not seen such a dialog on any of the browsers. I just blew away my .mozilla directory and retried and still no dialog.

@Jeff: ugh plugins :) There are also Flash cookies, which tend to ignore all policies of the host browser anyway.

H9565 said...

It's really unclear to me whether third-party cookie blocking has a security model. It might be more of a privacy feature targeted at non-adaptive "adversaries."

Anonymous said...

http://www.grc.com/cookies
Especially check "Cookie Forensics" and "Cookie Contexts", which deal with third-party cookies.

http://code.google.com/p/chromium/issues/detail?id=16658