noscript icon indicating copy to clipboard operation
noscript copied to clipboard

Published 20 hours ago verified publisher icon hackademix

Cookie seems not correctly managed even with all scripts marked reliable

Open MdeLv opened this issue 3 years ago • 3 comments

It happens very rarely but is always disturbing: not being able to accept cookies because of a scrip issue.

To be able to order some products on a web site, technical cookies must be accepted. With FF, I had at least two times the problem.

To workaround, I had to manually delete the cookie of the website. So I suspect a bad cookies management.

It looks like the script(s), although all marked as reliable within noscript, didn't manage to see that basic technical cookies were accepted, and it keeped on asking again and again the same request.

How can I be sure that noscript is or is not responsible for that kind of problem? (script and cookie relation...) Is there some detailed noscript logs file to find out ? (never looked for that before...)

Thanks

MdeLv avatar Aug 09 '22 17:08 MdeLv

NoScript's script blocking should not mess with cookies if not indirectly (when they're set from JavaScript only, which is a discouraged practice nowadays because they couldn't be flagged as https-only).

However a similar problem happened to me just yesterday, and it turned out to be Firefox's own "Enhanced Tracking Protection" feature, which I needed to disable in order to interact correctly with a website.

hackademix avatar Aug 09 '22 17:08 hackademix

Thanks for your under 3 mn so fast answer!

It's quite good to know that FF has strict protections...

However, do you recommend to disable this FF "Enhanced Tracking Protection" and stick to noscript+ghostery only?

Can you pls. elaborate about "cookies set from JavaScript only, which is a discouraged practice nowadays because they couldn't be flagged as https-only"? Is there a reference document that explains good practices to beginner or bad developpers or webmasters?

MdeLv avatar Aug 09 '22 17:08 MdeLv

Sorry, in the hurry I wrote "https-only" instead of http-only - also because... HTTPS everywhere ;) References:

  • https://owasp.org/www-community/HttpOnly
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies

Regarding Fx's built-in anti-tracking, I use that on top of NoScript. And it's also good to have it enabled if you are a developer and want to "see" what other Fx users see.

hackademix avatar Aug 09 '22 18:08 hackademix