Firefox Hacks [Electronic resources] - Text version

Nigel McFarlane

Hack 52. Stomp on Cookies

Track, trap, configure, kill, create, and
otherwise diddle with HTTP cookies.

HTTP is a stateless protocol, meaning that each web request made by
the browser is independent of all other requests. This greatly
preserves the user's privacy. Cookies are an enhancement to the HTTP
standard that introduces tracking information that web browsers and
servers can share. That tracking information consists of (usually) a
single HTTP header line that goes back and forth between the User
Agent (browser) and the server. Cookies include a small amount of
access-control information based on URLs and expiry dates. This hack
explains how to manipulate cookies from the browser side, once
they're generated.

Cookies are based on a vendor specification written by Netscape
Corporation (you can view that specification at http://wp.netscape.com/newsref/std/cookie_specl).
Since then, cookies have been more formally defined in RFC 2109. The
name cookie derives from the intended use of the
header data: the supply of an opaque token useful only for session
identification (from magic cookie).

Particularly in Netscape 4.x and earlier, the number of cookies that
browsers would maintain per site was limited to 20. That limit no
longer applies, even though one cookie per site is usually enough.

Cookies offer no
security at all. Never put any user
details in a cookie; never expose any server information in a cookie;
never use cookies to preserve important data
across HTTP requests. Quality browsers go to great lengths to prevent
cookies sent from one web server from being viewed by web pages from
other servers.


5.10.1. Using the Cookie Manager


To open Firefox's Cookie Manager, start with the Options
dialog box, click Privacy, and expand the Cookies item that appears in
the right pane. Click on Exceptions to view a blacklist of sites that
you don't want to create cookies for you.
Alternatively, select View Cookies to manage the currently stored
cookies. The Cookie Manager won't let you modify
cookies in place; you can only delete them or ban sites from using
them.

The options variously reported as "Keep Cookies
until I close Firefox" or "Allow
for Session" mean the same thing: the cookies will
not be written to a file on disk. When they are written, cookies
appear in the human-readable file cookies.txt,
stored in the user profile.
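
An added example (not from the book) of reading that file for an audit, assuming the tab-separated, seven-field Netscape cookies.txt layout. The sample lines, function names and timestamp are constructed for illustration:

```javascript
// Constructed sample in the Netscape cookies.txt layout (assumed), tab-separated:
// domain, subdomain flag, path, secure flag, expiry (Unix seconds), name, value
const SAMPLE = [
  "# HTTP Cookie File",
  "",
  ".example.com\tTRUE\t/\tFALSE\t1893456000\tSESSIONID\tabc123",
  "shop.example.org\tFALSE\t/cart\tTRUE\t1104537600\tbasket\t42",
  "tracker.example.net\tFALSE\t/\tFALSE\t1893456000\tuid\t",
  "broken line without tabs",
].join("\n");

// Parse the file text into records; malformed lines are collected, not silently dropped.
function parseCookiesTxt(text) {
  const cookies = [];
  const rejected = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    const f = line.split("\t"); // do not trim: an empty value leaves a trailing tab
    const expiry = Number(f[4]);
    if (f.length !== 7 || !Number.isInteger(expiry)) {
      rejected.push(line);
      continue;
    }
    cookies.push({
      domain: f[0], subdomains: f[1] === "TRUE", path: f[2],
      secureOnly: f[3] === "TRUE", expiry, name: f[5], value: f[6],
    });
  }
  return { cookies, rejected };
}

// Report which cookies are still live at nowSeconds and which of those
// are not restricted to secure connections.
function auditCookies(text, nowSeconds) {
  const { cookies, rejected } = parseCookiesTxt(text);
  const label = (c) => `${c.domain}:${c.name}`;
  const live = cookies.filter((c) => c.expiry > nowSeconds);
  return {
    liveNames: live.map(label),
    expiredNames: cookies.filter((c) => c.expiry <= nowSeconds).map(label),
    plainHttp: live.filter((c) => !c.secureOnly).map(label),
    rejected,
  };
}

const report = auditCookies(SAMPLE, 1262304000); // constructed "now": 2010-01-01 UTC
console.log(report);
```
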

To delete lots of cookies at once, open the View Cookies dialog box
and use Windows-style mouse-selection techniques. Left-click to
highlight one cookie, and then Shift-left-click to highlight another
cookie that marks the end of a set to be deleted. The resulting block
of highlighted cookies can then all be deleted by clicking the Delete
button. Similarly, you can select noncontiguous cookies with
Control-left-click (Command-left-click on Macintosh).


5.10.2. Using Cookie Extensions


There are at least two extensions available for manipulating cookies.

5.10.2.1 View Cookies extension


To locate the View Cookies extension, open the
Extension Manager and go to the end of the All list of extensions.
It's also available at http://www.bitstorm.org/extensions/. This
extension discreetly adds an additional tab to the
Tools → Page Info dialog box that allows you to view details
of the current web page. Figure 5-8 shows this tab
after it's been selected and after the sole existing
cookie has also been clicked.


Figure 5-8. The Cookies tab added by the View Cookies extension

5.10.2.2 Add & Edit Cookies extension


You can find the
Add & Edit Cookies
extension at http://addneditcookies.mozdev.org/. At the
time of writing, it's brand new to Firefox, and
where View Cookies is discreetly minimal, Add & Edit Cookies does
everything you could ever want. In particular, you can change cookies
live while the browser is running, and you're not
restricted to changing cookies relevant to the currently displayed
web page. You can also filter cookies by site.

Once installed, choose Tools → Cookie Editor to start up this
extension. The windows can be poorly sized when they first appear; to
fix that, just drag the bottom-right corner with the mouse until
they're big enough. They'll stay
resized while the current profile exists.

Figure 5-9 shows the editing delights that Add
& Edit Cookies provides.


Figure 5-9. The main window of the Add & Edit Cookies extension


5.10.3. Scripting Cookies


The oldest interface to the
cookie
system is via JavaScript. The document.cookie
property allows you to set, alter, or remove any cookies local to the
current URL or domain. The days are nearly gone where this property
needs to be touched:

Servers should generally be the source of all cookies if security is
to be as robust as possible.

Data from the user should be delivered in HTTP GET
or POST requests, or by other formal means, such
as SOAP or XMLHttpRequest, not in cookies.

The cookie property is confusing to use.


This last point bears brief description. In ECMAScript terms,
the [[Get]] and [[Put]] operations on the cookie property are both
unusual. If you assign anything to the property, the
[[Put]] operation treats it as a single cookie and
adds it to the cookie database. If you use the
property's value in an expression, the
[[Get]] operation provides a report (as a string)
of all cookies relevant to the current page.

In short, just don't do it. Note that a secure web
page or a secure extension has access to all the cookies in the
browser. A hostile extension could share that information between
conspiring web sites. This is a form of identity trading, although
you are guaranteed anonymity at all web sites, provided that you
never supply personal details.
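
The asymmetric read and write behaviour of the cookie property described above, as a simplified model that runs outside a browser. This is an added example, not code from the book; CookieJarModel and demo are hypothetical names, and only the expires attribute is modelled:

```javascript
// Simplified model of the document.cookie accessor (not browser code).
class CookieJarModel {
  constructor(now) {
    this.store = new Map(); // name -> { value, expires: ms since epoch, or null }
    this.now = now;         // injected clock so the example is deterministic
  }

  // Write: the assigned string is parsed as ONE cookie ("name=value; attr=...").
  // It never replaces the whole jar, only the cookie with that name.
  set cookie(str) {
    const [pair, ...attrs] = str.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return; // no name: ignored in this model
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let expires = null; // null means a session cookie
    for (const attr of attrs) {
      const i = attr.indexOf("=");
      if (i > 0 && attr.slice(0, i).toLowerCase() === "expires") {
        const t = Date.parse(attr.slice(i + 1));
        if (!Number.isNaN(t)) expires = t;
      }
    }
    // An expiry in the past is how a script deletes a cookie.
    if (expires !== null && expires <= this.now()) this.store.delete(name);
    else this.store.set(name, { value, expires });
  }

  // Read: a single string reporting every live cookie, names and values only.
  // Attributes such as path and expires are not readable back.
  get cookie() {
    const out = [];
    for (const [name, c] of this.store) {
      if (c.expires === null || c.expires > this.now()) out.push(`${name}=${c.value}`);
    }
    return out.join("; ");
  }
}

function demo() {
  const doc = new CookieJarModel(() => Date.UTC(2005, 0, 1)); // constructed clock
  doc.cookie = "theme=dark";
  doc.cookie = "lang=en; path=/; expires=Sun, 01 Jan 2006 00:00:00 GMT";
  const afterTwoWrites = doc.cookie;
  doc.cookie = "theme=light"; // same name: overwrites one cookie, keeps the other
  const afterOverwrite = doc.cookie;
  doc.cookie = "lang=; expires=Thu, 01 Jan 1970 00:00:00 GMT"; // delete by expiry
  return { afterTwoWrites, afterOverwrite, afterDelete: doc.cookie };
}
```
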

