Hacker News new | more | comments | ask | show | jobs | submit login
Who Left Open The Cookie Jar? (wholeftopenthecookiejar.eu)
412 points by pmoriarty 6 months ago | hide | past | web | favorite | 138 comments



This WontFix made me sad [0]:

> Yes, this is accurate - extensions cannot intercept requests from PDFium. PDFium, in Chrome, is (partially) implemented as a component extension, and extension requests cannot be monitored or manipulated by other extensions. The behavior of protecting component extension requests is critical for security reasons, and we are unlikely to change it.

Ug, not exactly sure what triggers PDFium vs PDF download, but this is especially bad if I could load a PDF in an iframe and get around any of your ad blocking. I also question why it's considered an extension at the user level. Anything installed and enabled by default should be considered part of the core browser and not an extension (regardless of the mechanisms, such as the extension one, they are implemented with). I understand the levels of separation and implementation difficulty fixing this entails, I really do, but the practicalities of your on-by-default PDF renderer making web requests different than a web page is too bad to ignore.

This goes to show that you can not count on extensions to filter web requests in your browser. You must do it at the network level or have a dedicated browser for it (e.g. Tor Browser). Unfortunately it's often extensions that have all the contextual information needed to make the decisions you want.

0 - https://bugs.chromium.org/p/chromium/issues/detail?id=824705...


Reading that bug, it sounds like it was fixed in https://chromium.googlesource.com/chromium/src/+/51cd319fd6a... and the bug status is just incorrect?


That appears to be for blocking JS (and opt-in only via disabling JS on the site hosting the PDF). I am unfamiliar w/ the internals of PDFs (especially concerning JS invocation), but can you request an image from a third party site without scripting? Also, what if I want the PDF's features to work and I just want to filter web requests like I do every other page out there (e.g. to remove the referrer header)?

That web requests in PDF content types are not subject to the same approach as web requests in HTML content types is the problem. Disabling all JS is a blunt instrument akin to telling someone that being able to disable JS for other webpages is as good as more nuanced ad block extension.


You seem to be in favour of some JS running but not other JS - how can software tell the difference? What do you mean by "nuanced ad block extension"? Do they just have a massive blacklist of bad actors to block?


> You seem to be in favour of some JS running but not other JS

No, sorry if I was unclear. What I'm in favor of is my extensions being able to handle/filter web requests on PDFs the same as they do for webpages, irrespective of JS settings. JS is only under discussion here because of the linked commit and I'm saying that's not good enough.


Ok, anyway I agree with that completely, which is why I disabled PDFs opening automatically and have to click to open (via a standlone reader, not browser plugin). It's basically the same situation as the bad old days of having Flash load automatically and it making whatever requests it wants...


However, you probably don't want your Cloud-to-Butt extension reading/modifying requests made by your password-manager extension - which is how I understood the NOFIX comment.


The bug still seems to be present. You can use the testing on our website: navigate a Chrome browser with an ad-blocking extension to e.g. https://wholeftopenthecookiejar.eu/data/extensions/AdBlock/c... and click pdf-iframe-submitForm. If the result shows cookies, it has not been fixed.


That's not what the fix was. Disable JS on the site, that should prevent the pdf running JS as well. (although it might prevent the pdf loading in the first place...). As kodablah pointed out, it's not a useful fix.

edit to clarify: sorry I thought you thought that fix was trying to fix the bug, but you weren't, so this comment doesn't make much sense.


One can imagine building a hierarchy of permissions so some extensions can have higher privileges over others. One more step in the slow march of browsers taking on more functionality of an OS.


Not-so-tounge-in-cheek corollary: software with a sufficiently rich and desirable attack surface will evolve to become indistinguishable from an OS.


"Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can." -- jwz


I don’t get this quote. Why is mail reading considered an obvious forward step for a program? That fad seemed to die with the browser Mozilla (or SeaMonkey these days, if it still exists).


Heh - for the record, that quote is from the guy who's responsible for open-sourcing Netscape into Mozilla, and is from around about that time/era...

These days I wonder if the functional equivalent is expanding to include a Slack-bot?


Facebook expanded until it could send and receive facebook walled garden mail (fb messages).

iOS has iMessage.

Instagram and tinder and snapchat all support the basic concept of “mail”.

In fact, I wonder how many apps I have installed that don’t have some concept of an “inbox” or “messages”. Taskrabbit, Uber, GrubHub - all do “mail” in the modern, unfederated sense of the term.

(email started out unfederated, then we got uucp and smtp, now we are back to unfederated, centralized messaging.)


He also wrote an email client for Netscape.


Email and usenet client - which was the only client that ever got message threading right...


Consider firefox hello -- it died, but it was something they tried to implement/popularize.


I guess it's back from the days when "internet suites" (a huge monolithic app with browser, email, IRC, etc) were still a thing.

Seems like at least one of them is still going: https://www.seamonkey-project.org


This reminds me of super-topmost: https://blogs.msdn.microsoft.com/oldnewthing/20110310-00/?p=...

"What if two extensions did this?"


Sounds unnecessarily complicated. Allowing extensions to lower select requests of their own to "standard browsing context" would be sufficient. You're not trying to control extensions, just third party content they render.


A hierarchy is not sufficient.

As mentioned in the issue, only a subset of requests made by the component extension should be possible to intercept.


In Firefox, add-ons aren't allowed to modify built-in pages either, like settings pages. At least they do seem to work on PDFs.


The main reason why the issue isn't present in Firefox is because their PDF reader (PDF.js) does not have an API to trigger requests (it does execute JS included within the PDF though)


It depends. Extensions cannot modify or do anything with the content of a PDF tab (I wanted to make a PDF dark mode extension). I wish there were special permissions for that.


> Ug, not exactly sure what triggers PDFium vs PDF download, [..]

A combination of MIME types on the server and which application the browser is configured to use for a given extension.


It's determined by the "Content-Disposition" header in the response. If the header says it's an "attachment" then the browser will trigger a download, otherwise it's displayed inline.



Thanks for the correction !


I use Safari 11 as my primary browser. This is promising:

> Safari’s Intelligent Tracking Prevention managed to mitigate all third-party cookies to a tracking domain, apart from redirects. However, we found that future completeness can be undermined by having this option disabled for even a short interval. Third-party cookies set in this interval by tracking domains, which otherwise would have been prevented, will still be included in cross-site requests after enabling the option again, identical to the results when the option is disabled. Luckily, this option is enabled by default, so future completeness can only be affected through explicit disabling by the user.

I'd also like to know whether that applies to iOS, but the paper didn't perform any mobile browser testing.

That said, every so often I view my stored cookies and I'm always shocked at the number of domains that I've never heard of that have stashed cookies. :-(


I never wanted to "waste money" on a mac, but I feel like Apple takes user privacy seriously, and I'm genuinely considering making the switch from Windows just to support that practice. I dunno, maybe that's silly, but it seems like the whole world stopped caring about user security and privacy, and this is refreshing to see fairly consistently.


Warm feelings aside, security experts are typically more objective than Apple's keynote bullet points.

The key thing to remember is that there is no privacy without security. Factually speaking, ChromeOS is far more secure than either Windows or macOS. https://www.cnet.com/news/how-google-chromebooks-became-the-...


> there is no privacy without security

This is factually incorrect. You can have privacy without security, and you can have security without privacy. Security keeps things safe, privacy keeps things hidden.

Also, ChromeOS devices ship with a rootkit called the Play Store. There are also hundreds of apps on the play store that install malware on Android devices. You may not need to install an anti-virus, but you may also very easily install what looks like a fun game, and then find your funds being drained from your bank account.


> This is factually incorrect. You can have privacy without security, and you can have security without privacy. Security keeps things safe, privacy keeps things hidden.

Uh that's not factually incorrect. You can definitely have security without privacy, but not the other way around. Without security that means your privacy can't be protected.


The fact that your privacy isn't secured doesn't automatically mean that it is automatically compromised, does it? I mean, sure, maybe you assume it is for any real purpose, but that doesn't mean your privacy is actually compromised.

For example, my first iPhone, I didn't have a password (I think -- maybe that was my first ipad). It was insecure, but I'm reasonably sure that everything on there was private (in that more physical sense; I have no idea about internal security of those first generations of iphone/ipad).

A weaker claim that is probably true might be: you cannot guarantee your privacy without security. That you cannot have privacy seems like too strong of a claim?


I think it's bit of a nitpick, but the iPad was under physical security.

I do agree with you though. Privacy is having your information to yourself. You don't need security for that, just that everyone else keep their nose to them self. But if you want to guarantee your privacy, you need some form of security.


If you knew my kids, you might not say that my iDevices are always under the best of physical security.


"The domain of privacy partially overlaps security (confidentiality), which can include the concepts of appropriate use, as well as protection of information." [1] It does not, however, implicitly provide security.

If I send and receive e-mails with a reporter off the record, we are communicating privately. But the communication may not be strictly confidential, nor secure, unless I take additional steps to ensure it.

If I keep files in my home directory, on my own hard disk, with permissions so only my user can access the files, then my files are private. They are not, however, implicitly secure. Another example: an SSH private key. Without a password on the key, the key is private, but not secure.

[1] https://en.wikipedia.org/wiki/Privacy


A system that doesn’t collect certain kinds of data also doesn’t need to protect (i.e. secure) it.

(Of course it’s impossible to tell that a system hasn’t been manipulated if it’s insecure and that makes the argument bollocks.)


> Security keeps things safe, privacy keeps things hidden.

This seems like a false dichotomy. Safety and being hidden are utterly intertwined—is the act of preventing a request revealing my identity an act of security, or of privacy? It seems like both to me: privacy is effected via security of not performing the request without my consent.


You can have privacy and security, you just have no guarantee of one just because you have the other.

Cookie tracking is like wearing only a towel at the beach. Under the towel, you have privacy. But browsers suck at security, and so many websites can still walk up and yank off your towel, exposing you.

Security would be locking the towel to your body with a padlock. I'm not aware of browsers implementing strong security mechanisms for user data, so I'm pretty sure any privacy gains you get are just another towel.


ChromeOS devices don't ship with Play Store, you have to enable it.


Isn’t that as long as you keep all your data with a third party? Not sure how that works for real privacy.


>I never wanted to "waste money" on a mac

it's a pedantic point I'll make, but one that's important to articulate: Apple hardware has incredible build quality- and you pay for that. An equivelant build quality Windows laptop will cost roughly the same.

The Entry level Apple MacBook pro 15" is £2,349.00 with:

256GB Storage (m.2 SSD, high speed))

2.2GHz 6-core 8th-generation Intel Core i7 processor

Radeon Pro 555X with 4GB of GDDR5 memory

16GB 2400MHz DDR4 memory

Retina Display,

--

The same spec DELL Precision 5530 is: £2,481.49

256GB M.2 NVMe PCIe SSD Class 40 (Much slower)

Intel Core i7-8850H, Six Core 2.60GHz, 4.30GHz Turbo, 9MB 45W

nVidia P1k

16GB, 2 DIMMS, DDR4-2666MHz SDRAM, Non-ECC

15.6" Ultrasharp UHD IGZO4, 3840x2160, Touch, w/Prem Panel Guar 100% color gamut, Brushed Onyx

--

So, more powerful CPU, slower storage and less pixels with a touch screen. -- For the same price.

The issue when comparing price is that it's often Apples (heh) to Oranges, Apple only sell high quality hardware thus the cost to play is higher.

(FWIW they also charge too much for upgrades; but this is just smart business as those who need that much power are willing to pay)

(PS: I actually own a Precision 5520 and I love it; I don't buy into the Apple hype train but I don't buy into the anti-apple hype train either- all systems should be weighed on their merits but my point is that price is often an unfair metric when people talk about laptops due to the abhorrent build quality of most laptops)


It is about the same price or more expensive to get an equivalent windows machine, the Thinkpad P52 is similarly priced if you go for those specs.

I think part of the issue is that you don't have a choice of specs. If PCI-E SSD speeds are enough for you, you don't have a choice to save the money on it. If you want to go for a cheaper 4-core processor with higher clock speeds and put the money into more/better RAM, you can't make that trade-off.

I do agree that macbooks are pretty good value for the components you're getting, but I think unless your view on what you want in your computer matches what Apple will give you then you will end up "wasting" some money on your machine.


I bought a MacBook Pro for 2.2k in 2010 and 8 years later, everything still works. I highly doubt I could say that about a Dell or Toshiba of any price.


Why not Linux then? Apple can still change their minds in the future and sell previously gathered data.


Try developing for Safari and get back to us. Safari is easily the worst browser to develop for this year.


And this is the end users problem... how?


Lack of support for one.. Safari doesn't have the market share to force developers to support it when it's painful to work with..


If you can't make a web site work with Safari then you have no business calling yourself a web developer. Not even joking.


I am perfectly capable of making a website work in safari but I am not able to test it because I don't want to spend $xxxx buying a macbook for the purpose of refreshing a web page. Firefox and chrome run on my dev machine and Microsoft gives out a free VM image with edge.


I was under the impression the discussion was about developing extensions for Safari, not websites.


I'd say the majority of websites were never tested on safari because most small dev places can't afford to buy macbooks just to test one browser.


They could use Sauce labs or some similar very affordable solution.


Potentially. Although in my experience safari works 99% the same as chrome so I'd bet a bunch of devs just assume if it works on chrome it will work on safari.


Can you elaborate on that, why, what exactly makes is so bad?


On MacOS I use Cookie of https://sweetpproductions.com

On a regular timebase it removes all cookies and databases except my Favorites like HN, Docker, GitHub, Netflix, my newspaper, etc. Works like a charm, set-and-forget.


Blocking cookies is an OK first step, but I was expecting this to go into things like HSTS supercookies that exploit intended behavior and aren't really fixable.


I have to disagree with the statement, that those techniques are not being used in the wild. I‘ve observed a porn advertising network delivering some js once, which opened a third-party domain served pdf with cookies in the background and then closed the popup immediately again. I was wondering what that was about. Now it’s clear to me.


A friend of mine might have noticed something similar (on a news site, of course).


It would be very useful if you could point us to such examples! (I'm an author of the paper)


Pornhub. It could of course be a popup playing a different role (e.g. being part of a "you need to upgrade your vulnerable software naow!1"-scheme) that's only visible if no blockers at all are used.


Self destructing cookies will mostly defeat these problems unless trackers get clever about cross-correlating cookies from different sessions. Restricting JavaScript makes that even harder for them to accomplish.

For most purposes there's little benefit to keeping old cookies hanging around. Just whitelist the sites you want to stay logged in to.


That has been my strategy lately, but it keeps getting more annoying because of all those cookie banners that now can’t remember to not show up – quite absurd and probably not intended by regulators.


There is an extension called "I don't care about cookies" [1] that takes care of those.

[1] https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...


Or, if you already use ublock origin there is a blacklist in the setting that you can turn on to block all cookie banners.


Someone should make a GDPR notice blocker.

Edit, Haha, sibling comment links to it. Absurdity.


> Self destructing cookies

Is that what Safari has? Do any other browsers have plans for this? Or stated plans to NOT do this? I imagine Chrome falls in the latter camp.


Haven’t almost all browsers always had this feature in the form of “keep until browser is closed” or “delete local data after closing the browser”? At least Firefox and Chrome have it hidden somewhere in the settings.


right, right! forgot about that since (as sibling post says) I never close my browser. and since deleting all cookies on browser close is super aggressive and painful.

i'm referring to the latest safari which tracks 3rd-party cookies and deletes them automatically after 24 hours if you've never sent that cookie as a 1st-party one. thus effectively eliminating tracking, yet allowing sites to work normally without having to temporarily enable various trackers or determine which ones are "safe".

at the same time, google/chrome said they are taking a different approach which still allows tracking. i'm not sure that they said they would NOT CONSIDER implementing a feature like safari's though.


When was the last time you closed your browser?


On a desktop, every time I wonder why I am running out of RAM or why my CPU is max-ed up.


Do you close all the tabs that could have tracking elements? If not, session restore preserves the cookies.


I set the browser to flush all site data every time it closes.


I use an extension called the Great Suspender. It auto suspends pages on unused tabs. I REALLY like it.


Ich close it every few hours.


It’s a Firefox extension.


> unless trackers get clever about cross-correlating cookies from different sessions.

I thought some of them were already doing that by using HSTS flag as a super cookie. (but safari implemented a defense)


Is there a privacy-maximizing combination of browsers and extensions that keeps the web mostly usable?

I'm currently running chrome with uBlock Origin and uMatrix. uMatrix is a bit of a hassle, but I didn't realize the scope of the threat landscape until I saw the huge number of (potential) trackers called out by almost every site.


gorhill, the developer of uBlock Origin, has already fixed the issues affecting uBlock Origin (AppCache and SW).

"Regarding [who left open the cookie jar]

I was contacted in March by one of the researcher regarding the "behind-the-scene" issues (the "AppCache" and "SW" columns in the tables).

This was fixed in 1.15.20 [...]" https://twitter.com/gorhill/status/1030071494263615489

I believe the only proper step up from your setup would be to switch to browsing exclusively via Tor. Generally smaller browsers that advertise themselves as "privacy-maximizing" make basic mistakes like serving their own user agent - instead of using one of the extremely common user agents. Or at least that was the situation a few years ago.


Maybe swap from Chrome to Firefox?

If nothing else, Firefox isn’t built by a literal advertising company.


Is there a meaningful distinction between a browser built by an advertising company, and a browser built by another company that earns almost all of its revenue from the advertising company?


* Well, Firefox being fully open source is certainly a distinction that counts with me.

* Their built-in tracking protection is also another distinction [1].

* Ability to modify core settings to improve privacy is also really nice, but not viable for the average user [2].

* Firefox on android is the only mobile browser that allows you to install add-ons. I'm not talking special mobile-made add-ons. Any add-on that you can install on desktop, you can install on the mobile version. Although usability will definitely vary. uBlock Origin, Privay Badger, Decentraleyes, Cookie AutoDelete - all available on Firefox mobile for android

I'm not going to go as far as saying Firefox deserves your 100% trust. They have definitely made some missteps along the way. However, as far as meaningful distinction, yes I think that is well earned.

[1] https://support.mozilla.org/en-US/kb/tracking-protection

[2] https://www.privacytools.io/#about_config


Ublock0, umatrix, privacy badger, noscript (take your pick -- you can use any one of those, up to all 4). Decentraleyes. Self-destructing cookies.


It's funny this is posted on Boingboing.net - I stopped reading years ago because their monetization attempts made their site unusable...


I always wondered if it was possible to embed JavaScript in a PDF for tracking or other purposes.

The article suggests: "The techniques allowed them to track users across sites by means of Javascript in PDF tables"

Has anyone done this? Is there any literature about it (I didn't find any after a quick look).


Again a reason to block at least third party JavaScript.


I wish browsers had an option to make all cookies and site data local to the domain visited in the url of the browser. So if you are domain on “x”, and there is an iframe into domain “z”, the data would be local to domain “x.z”. When you would visit domain “y” which also has an iframe to domain “z”, its data would be local to “y.z” and therefore you couldn’t be tracked by “z” when going from “x” to “y”.

Of course that would probably break google analytics, so I don’t expect this on chrome.



Not really, it would break adwords but for google analytics you don't need to correlate the users between x.z and y.z, and if you need as you control both sites, you can do changing the link between both to include de google analytics session id (watch for gid parameter on urls).


But how can google analytics tell the demographics of a site if it can not identify its users and correlate it with what it knows on them?


I hope there could be more tests on Brave browser, too, which aims to improve privacy. But its most lovely feature imo is opening any kind of tab (normal, private, private on Tor network) on the same window. I wonder if this causes some backdoors, though. I support so that it can become better.


I worked for a web analytics company and they simply used reverse proxies.


Mind elaborating?


I'm not the parent poster, but I worked in ad tech.

With third party cookie policies getting more stringent, many websites now use either a reverse proxy within the first party domain that points to third party servers, or they use a first party subdomain that points to third party servers.

In either case, it allows the servers belonging to the data gatherer to appear as first party, thus getting around third party cookie restrictions.

Combine that with browser fingerprinting, and you now have a harder but very viable way to replace the functionality third party cookies previously had.


I guess he means something like all requests to www.yoursite.com/foo123/BAR proxies to www.soulsucking.com/BAR


A company has multiple websites and all of them use a reverse proxy for tracking. (a webserver that is between clients and the real webserver and just "proxies" requests and responses between them, logging all that happens)

This is completely transparent from the outside.


This is rather offtopic but it bothers me how most people in IT seem to use 'transparent' to mean 'opaque'.

When I hear PMs say "this change will be completely transparent to clients" what they mean is, the client will see no difference, which means really, the details are hidden in a black - opaque - box.


It should make sense if you realize "transparent" means "no visible difference".


Transparent has a unique meaning in the context of computing And a different one in design, business and physics.

Importantly however; Tech people can claim they are being 'transparent'. To them this can mean no visible difference to the user- and to everyone else means visible/public and available for scrutiny.

So yes, I am sure Zuckerberg is focused on 'transparency'.


Quite so. A less intentionally disingenuous word for the computing context would be "hidden".


Personally I could care less. There are literally billions of words that sometimes mean their own opposite.


Unclear whether this was an ingenious comment that points out the daft American multi-word expression "I could care less" also means it's own opposite.

But, I'ma guess probably not.


You could look at "literally billions" and try guessing one more time.


I don't understand.

Doesn't transparent mean that the interface stays the same and clients can interact with the system in the same way as before without the need to change their code?


And the glass on your mobile phone is opaque too? Because it is definitely hidden from you if you cannot see it.

But don't despair - all isn't lost! You can fix it with sandpaper, after that you'll be able to see the glass and it will become transparent.

Please don't sue me if you don't like the result, however.


This makes little sense. Unless their reverse proxy is in front of every website they provide analytics for (like CloudFlare!), Then I don't see how this is means anything.. most analytics companies don't do this - really it's just CloudFlare that I know of...


From the awkward grammar of the name, this project must have been named by a German.


Browsers don't automatically attach cookies to all HTTP requests by default.


If you don't want to visit BoingBoing,

https://wholeftopenthecookiejar.eu/static/tpc-paper.pdf



## Enabling the option to block third-party cookies in Edge has no effect ##

Third-party cookies are still included in all requests when enabling the option to block these in Edge.

Oh my God T_T


IE cursed Edge from beyond the grave. Its legacy must live on.


do we hate boingboing now?


There is a popup. Remember when browsers added popup blockers? They've worked around them now with JS & CSS...


umatrix with first-party scripts disabled had no problem.


I was running uMatrix with first-party scripts disabled by default for a while, but I found a lot of pages I needed 3 or 4 refreshes to get content. It opened my eyes to how much simple static stuff in dependent on Javascript; stuff that really shouldn't be.


I did the same, but instead decided most of those sites weren't worth my time. (For the few that I cared about, I whitelisted the bits needed to function).


My browser can also disable js (per site as well) with out any plugins, but doing it globally breaks too much and whitelisting those sites (and 3rd party they rely on) is way too much effort. Worst case that happened to me is a payment that went through but some bit of JS never ran so the order didn't make it to the shop.

Looking forward to a blocker that can detect if a script is going to pop up and block that (and it'd be ok to have to whitelist the few sites whose entire funtionality is popup based, like twitter), but I think that's equivalent to solving the halting problem.


It's pretty heavy on trackers, including canvas fingerprinting.


It's a place where journalists post.


Would it be possible to change the link from bb to the source:

https://wholeftopenthecookiejar.eu/



"Currently Unblockable"

Unless you don't allow jerberscript. Which blocks all of them.

Hyperbole, much?


Don't allow 'jerberscript' and don't expect the web to work properly. Simple as.


If it doesn't work w/o js, it's not actually the web, the de facto truth of your statement notwithstanding.

It's an eminently defensible descriptive statement; the trend is certainly away from building the web and towards treating the browser as the VM to rule them all. It is not a particularly well-defensible normative statement.


I don't know if I agree that. It's pretty standardized. Every user-agent includes it.

You can give people documents without scripts, but it's not mandatory for them to work. And it's not like Javascript is some obscure single-vendor extension, it's widely supported.


The web works perfectly well without JavaScript: HTML still displays text & images fine, links still work properly &c.. Now, a whole host of things which aren't the web will break, but honestly that's okay.


Do you honestly never buy anything online?


You can buy things online just fine without JavaScript. Forms have been around for ages, and require no client-side code (they do require server-side smarts, and for security they require encryption).


The only real way to do that is to store the session variable in the URL. And that comes with its own host of issues.

People are going to be pissed when they load up their cart and then follow some bookmark they created for a product on your site to add it to the cart, only to find the cart empty.


> The only real way to do that is to store the session variable in the URL. And that comes with its own host of issues.

There are also cookies, which have their own host of issues. As does JavaScript, as does anything else, really.


Wait, I’m confused. These all seem like basic unit testing bugs?

Unit testing cookie read/write permissions isn’t “a thing?”

I’m going to say something crazy; At least some of the major browser vendors are violating a warranty with this.

An entirely fake privacy crucial setting?! Obviously they knew and left it there deceptively, because the alternative is even worse.


Despite the title, they do not actually host the techniques.


The definition of “host”, in this case, just means “many”.


Collection


See also: array, assortment, bevy, collection, horde, legion, multitude, myriad, panoply, plethora...

Words often have multiple, independent meanings.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: