98 Matching Annotations
  1. Feb 2024
  2. Oct 2023
  3. Sep 2023
  4. Aug 2023
  5. Jul 2023
  6. Mar 2023
    1. You'll notice that for the app/routes/jokes/$jokeId.tsx route, in addition to Cache-Control, we've also set the Vary header to Cookie. This is because we're returning something that's specific to the user who is logged in. So we want the cache to be associated with that particular Cookie value and not shared with different users, so the browser and CDN will not deliver the cached value if the cookie is different from the cached response's cookie.
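The cache-key point in the quoted Remix note, as an added example that is not the Remix project's code: a toy shared cache that keys on the request headers named in Vary, so that without `Vary: Cookie` one user's cached page is handed to another. The URL, cookies and page bodies are constructed sample data.

```javascript
// Added example, not from the Remix docs quoted above: a minimal model of a shared
// (CDN-style) cache that honours Vary, showing why a user-specific response needs
// `Vary: Cookie` next to its Cache-Control. All sample data below is constructed.

// Normalise a Vary header value into a list of lower-cased request header names.
function varyFields(varyHeader) {
  return (varyHeader || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
}

class SharedCache {
  constructor() { this.entries = new Map(); } // url -> [{ vary, varyValues, body }]
  // Store a cacheable response with the request header values named in its Vary
  // header; later requests must match those values to be served this body.
  put(url, requestHeaders, response) {
    if (!response.headers["cache-control"]) return; // not cacheable
    const vary = varyFields(response.headers["vary"]);
    const varyValues = Object.fromEntries(vary.map((n) => [n, requestHeaders[n] ?? ""]));
    const list = this.entries.get(url) || [];
    list.push({ vary, varyValues, body: response.body });
    this.entries.set(url, list);
  }
  // Serve a cached body only if every Vary-listed header matches the request;
  // with no Vary header at all, any request for the URL is a hit.
  get(url, requestHeaders) {
    for (const e of this.entries.get(url) || []) {
      if (e.vary.every((n) => (requestHeaders[n] ?? "") === e.varyValues[n])) return e.body;
    }
    return undefined;
  }
}

// Simulated origin: the joke page is personalised by the session cookie.
function originResponse(cookie, vary) {
  const headers = { "cache-control": "public, max-age=300" };
  if (vary) headers["vary"] = vary;
  return { headers, body: `Joke page for ${cookie}` };
}

// Alice's response is cached first; return what Bob then receives for the same URL.
function scenario(vary) {
  const cache = new SharedCache();
  const url = "/jokes/42";
  const alice = { cookie: "session=alice" };
  const bob = { cookie: "session=bob" };
  cache.put(url, alice, originResponse(alice.cookie, vary));
  const hit = cache.get(url, bob);
  return hit ?? originResponse(bob.cookie, vary).body; // miss -> origin renders Bob's page
}

console.log("without Vary:", scenario(undefined)); // Bob is served Alice's page
console.log("with Vary: Cookie:", scenario("Cookie")); // Bob gets his own page
```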
  7. Feb 2023
  8. Dec 2022
  9. Nov 2022
  10. Oct 2022
  11. Jan 2022
  12. Oct 2021
    1. while with server/externalFetch there is no direct way to pass cookie headers from the original request to the external one
    2. With HttpOnly you only prevent reading the cookie with JS, but it's still possible to make requests in the name of the user.
    3. They are on client-side, but (usually) they are HTTPOnly. Now if they are part of session, any client-side script is able to access them, and I just don't like introducing vulnerabilities knowingly. As I said above, I found a workaround that works for me and you may have a different opinion from me on how much this is a risk.
    4. Right now I am working around this issue by having an internal [...api].js, then call fetch for that endpoint (which automatically passes on cookies) and from there hit the actual external endpoint. It works, there is no risk of leaking anything, but imo shouldn't be necessary.
    5. Sure you can abuse session but I don't like that since there is the risk of exposing credentials to client side code.
  13. Jun 2021
    1. In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
    2. I started off really wanting to use HttpOnly cookies
    1. A cookie is associated with a domain. If this domain is the same as the domain of the page you are on, the cookie is called a first-party cookie. If the domain is different, it is a third-party cookie. While the server hosting a web page sets first-party cookies, the page may contain images or other components stored on servers in other domains (for example, ad banners), which may set third-party cookies. These are mainly used for advertising and tracking across the web.
    1. I don't know how much of a workaround it is, but for now I'm using this approach:

      Looks like a catch-all api/[...route] internal endpoint that proxies to the real external API server.

    2. This way I'm able to pass cookie back and forth, so this code kind of works:
    3. 'set-cookie': response.headers.get('set-cookie')
    4. That said, third party cookies are subject to privacy concerns and are blocked by both browser extensions and even by some browsers themselves, so they shouldn't be relied upon.
    5. If you do need to pass through your mydomain.com cookies to a thirdparty.com domain, you can technically already do that now by implementing it as an endpoint and calling fetch('/my-endpoint')
    1. I've been thinking more about how to best do this. The preferred way might be to use the same domain and have an application load balancer like nginx split traffic on the URL path (e.g. /api). This is for two reasons. Firstly, you might not necessarily want to cookie the primary/apex domain and have the cookie shared across all subdomains. You also might not want to do CORS because preflight requests add latency and CORS adds complication.
  14. May 2021
  15. Dec 2020
  16. May 2020
    1. They collect very little data so their "export" feature is very simplistic: just an in-browser JSON dump of localStorage and cookies.

      Browser Data

      We use data on your browser to offer features on this website. We do not store this data, but we can offer a view of your browser data at any time.

      View Browser Data

    1. This kind of cookie-based data collection happens elsewhere on the internet. Giant companies use it as a way to assess where their users go as they surf the web, which can then be tied into providing better targeted advertising.
    2. For instance, Google’s reCaptcha cookie follows the same logic of the Facebook “like” button when it’s embedded in other websites—it gives that site some social media functionality, but it also lets Facebook know that you’re there.
    3. one of the ways that Google determines whether you’re a malicious user or not is whether you already have a Google cookie installed on your browser.
    1. In particular, if you set this parameter to true, our solution creates a technical cookie on iubenda.com (domain) which is used when the cookie on the local domain is not found.
    1. Importance of declaring the cookie domain: When you clean up the cookies (like in the example above for on_reject) it is important to set the domain these cookies belong to. In some cases these external scripts could add the cookie on your subdomain or your base domain. In our case we found that some cookies are generated on panel.preyproject.com or .panel.preyproject or just preyproject.com.
    1. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.

      I'm not sure I agree with this:

      [the technical cookies] are explicitly requested by the user when they indicate that they would like to add the item to the cart.

      The only thing they requested was that the item be held in a cart for them. They didn't explicitly request that cookies be used to store information about items in the cart. They most likely don't understand all of the options for how to store data like this, and certainly wouldn't know or expect specifically that cookies be used for this.

      In fact, localStorage could be used instead. If it's a single-page app, then even that would be necessary; it could all be kept in page-local variables until they checked out (all on the same page); such that reloading the page would cause the cart data held in those variables to be lost.

    1. Implementing prior blocking and asynchronous re-activation: Our prior blocking option prevents the installation of non-exempt cookies before user consent is obtained (as required by EU law) and asynchronously activates (without reloading the page) the scripts after the user consents. To use, you must first enable this feature: simply select the “Prior blocking and asynchronous re-activation” checkbox above before copy and pasting the code snippet into the HEAD as mentioned in the preceding paragraph.
  17. Apr 2020
    1. Allows you to autodetect and limit prior-blocking and cookie consent requests only to users from the EU – where this is a legal requirement – while running cookies scripts normally in regions where you are still legally allowed to do so.
    2. Enables the blocking of scripts and their reactivation only after having collected user consent. If false, the blocked scripts are always reactivated regardless of whether or not consent has been provided (useful for testing purposes, or when you’re working on your project locally and don’t want pageviews to be counted). We strongly advise against setting "priorConsent":false if you need to comply with EU legislation. Please note that if the prior blocking setting has been disabled server side (via the checkbox on the flow page), this parameter will be ineffective whether it’s set to true or false.
    1. Strictly necessary (id 1). Purposes included: Backup saving and management; Hosting and backend infrastructure; Managing landing and invitation pages; Platform services and hosting; SPAM protection; Traffic optimization and distribution; Infrastructure monitoring; Handling payments
  18. Mar 2020
    1. If other third-party tools guarantee not to use cookies, perhaps by providing specific configuration options, they too can be considered to be exempt from prior blocking. This is the case namely with YouTube, which provides a specific feature to prevent the user from being tracked through cookies.
    2. This depends on the legal jurisdiction applicable to your site. In Europe, you’re legally required to block cookie scripts until user consent is obtained. All cookies must be blocked except for those that are exempt.
    3. Technical cookies, preference, session and optimization cookies
    1. stored in a first-party cookie, which means that users will be requested to give their consent again after deleting browser cookies or switching to another device or browser
    2. First-party cookies are the lifeblood of every website, enabling businesses to remember key pieces of information about users and to collect analytics data. Third-party cookies are the bread and butter of AdTech, allowing publishers to monetize their websites, and brands to run advertising and marketing campaigns.
    1. The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart.
    1. When you visit your favorite online store, you expect the items you add to your shopping cart to still be in your shopping cart when you check out. Cookies make that happen. If you opted out of those cookies, you would, in essence, be opting out of the very reason you went to that site in the first place. Asking a customer if they want to allow cookies to make their shopping cart work would be like asking them if they want the thread to keep their shirt together.
    2. In fact, some are essential for the proper functioning of a website. The EU understands this and makes an exception for cookies that are "strictly necessary" to fulfill the services requested by your site visitors.
    1. If you want to disable Google Analytics-tracking for this site, please click here: [delete_cookies]. The cookie which enabled tracking on Google Analytics is immediately removed.

      This is incomplete. The button is missing.

    1. You can also disable the use of cookies via your browser, but please note that our website may no longer work properly.

      And an example of a button to delete cookies

    1. This tool will allow you to create a customised cookieless Google Map that does not use privacy-invasive cookies.
    1. Google uses cookies like NID and SID to help customize ads on Google properties, like Google Search. For example, we use such cookies to remember your most recent searches, your previous interactions with an advertiser’s ads or search results, and your visits to an advertiser’s website. This helps us to show you customized ads on Google.
    2. Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.

      They seem to claim (or hope that their description will make you think) that ‘NID’ is only used for storing preferences, but if you read further down, you see that it's also used for targeting.

      These should be separate cookies since they have separate purposes, and since under GDPR we have to get separate consent for each purpose of cookie.

    1. Vimeo’s embeddable video player uses first-party cookies that we consider essential to the video player experience. We do not use third-party analytics or advertising cookies when our video player appears on a third-party website.
    1. YouTube’s privacy-enhanced mode basically means they do not store visitor’s information if you have a YouTube video on your website, unless they actually click on the video to view it.
    1. Many people see tracking cookies as an invasion of privacy since they allow a site to build up profiles on users without their consent.
    2. YouTube's default setting is to leave privacy-enhanced mode off. This allows them to place a tracking cookie on any computer that a viewer uses to visit your webpage.
    1. The problem is that even if the visitor is not watching the video or interacting with it, in any capacity, YouTube still collects and stores data on them. Not cool. This is done using cookies that are placed on the user’s browser the moment they load a webpage with a YouTube video embedded in it. These cookies are used to track users, serve targeted ads (Google’s bread and butter), and add info to the user’s profile. Yes, they have profiles on everyone.
    1. Default YouTube video embeds set cookies on user systems as soon as they open web pages with embedded YouTube videos. Google may use the cookie to deliver targeted advertisement, add information to the user's profile, or track the user.
    1. an additional reCAPTCHA-specific cookie will be added to the user's browser

      It appears to actually set a non-reCAPTCHA-specific cookie:

      NID — This cookie is set by DoubleClick (which is owned by Google) to help build a profile of your interests and show you relevant ads on other sites. The main purpose of this cookie is: Targeting/Advertising. (cookiepedia)

    1. While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
    1. select an origin

      It's interesting that under my site's origin it lists cookies for other domains. Are these considered 3rd-party cookies or 1st-party cookies written by a 3rd-party script? How is it allowed to set them on my site? Presumably because I loaded a script from their origin.

      Loading scripts from other origins allows them to set cookies on which domains? Only their origin? And which cookies can they read?

    1. Also note that the first two opt out tools are currently cookie-based and prevent Oracle from using, sharing, or selling your personal information for interest-based advertising on the browser on which they are installed. As a result, the opt out will only function if your browser is set to accept third-party cookies and may not function where cookies are sometimes automatically disabled or removed (e.g., certain mobile devices and operating systems). If you delete cookies, change your browser settings, switch browsers or computers, or use another operating system, you will need to opt out again. Oracle does not use persistent, unique identifiers to revive a previously opted-out profile or deleted cookie.
    1. Much like the cookies you eat are an asset to humankind, HTTP cookies are an asset to the internet. They help personalize the web experience and make things like online shopping and logging into accounts so much easier and more efficient.
    1. Cross-Domain Cookie Library: This library is intended for cases where you have scripts running on different domains (i.e. domain-a.com, domain-b.com) that need to be able to set/share a cookie value across those domains. A few example use cases would be a third-party script that wants to set/share a user identifier across both domains, or a company that wants to track if a user signed up for a newsletter across both their main website and blog that resides on a different TLD. This library also offers a way of writing data to a cookie from a third-party script
  19. Dec 2019
  20. Oct 2018
  21. May 2018
  22. Apr 2018
    1. A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.

      I see a lot of cookie notices that give vague reasons like "improving user experience". Specifically disallowed by GDPR?

  23. Oct 2017
    1. We use cookies to provide you with a better service. Carry on browsing if you’re happy with this, or find out how to manage cookies.’

      Could there be a format for declaring the permissions and data a cookie requires, similar to how mobile apps state which permissions they need from the user before being installed? How could this be extended to desktop applications?

    2. However, even when consensually installed, users rarely understand how spyware works and often forget about its presence.[50] Cookies are the most pervasive form. They are bits of data stored on devices and sent to browsers by websites that are visited or through techniques like ‘device fingerprinting’, which enables watching subjects who delete or do not store cookies.[51] They are used not only for monitoring digital actions but also for tracking preferred language, login, and other personal settings such as search preferences and for targeting advertising and tracking numbers of visits to sites.[52] Digital traces picked up by cookies have also been repurposed by security agencies, such as the NSA’s utilization of Google’s advertising cookies to track targets.
  24. Feb 2016
    1. When not setting an explicit domain for a cookie, the default in most browsers is to only send the cookie when the domain matches exactly. However, Internet Explorer violates the RFC, and will send it to all subdomains as well.
  25. Dec 2015
    1. It is important to note that the path attribute does not protect against unauthorized reading of the cookie from a different path. It can be easily bypassed using the DOM, for example by creating a hidden iframe element with the path of the cookie, then accessing this iframe's contentDocument.cookie property. The only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.