Blocking 3rd party cookies (iframe)


Ilkka Huotari

Jul 5, 2011, 10:20:31 PM
to Chromium-discuss
Hi,

I find it a little intrusive to privacy when I'm browsing around (say,
a news site), and Facebook suddenly pops up and cheerfully greets me.
What just happened? Oh, it must be an IFRAME. So I go and set "Block
third-party cookies from being set" but no help, Facebook still
sitting there as if nothing had happened.

So.. would it be possible to make Chrome block 3rd party cookies in an
iframe as well? I thought it would do that with that setting, but
maybe it applies only to non-iframe cookies (tracking images etc)? How
about iframes?

I understand that it would be a big change and probably break
something/cause a lot of trouble for other users, but maybe there are
ways..? (and as always, please correct if something above was wrong).

Thanks,
Ilkka

Adrian Scoica

Jul 6, 2011, 4:02:02 AM
to ilk...@gmail.com, Chromium-discuss
On Tue, Jul 5, 2011 at 7:20 PM, Ilkka Huotari <ilk...@gmail.com> wrote:
> Hi,
>
> I find it a little intrusive to privacy when I'm browsing around (say,
> a news site), and Facebook suddenly pops up and cheerfully greets me.
> What just happened? Oh, it must be an IFRAME. So I go and set "Block
> third-party cookies from being set" but no help, Facebook still
> sitting there as if nothing had happened.

I spent last summer working on an antivirus software, and more specifically on a product that offers browser security. One of the security holes that my team was tasked with researching was the leaking of private information through cookies to third party sites (either intentionally or unintentionally, as is the case with XSS attacks of all shapes and sizes). There is more than one approach in this case, but I will sum up by saying that basically, you cannot prevent private information from leaking away from a web page because you (read 'the browser') cannot judge whether the information that gets sent out to 3rd party sites is part of the infrastructure of the web page or is personal information used for serving custom content.

> So.. would it be possible to make Chrome block 3rd party cookies in an
> iframe as well? I thought it would do that with that setting, but
> maybe it applies only to non-iframe cookies (tracking images etc)? How
> about iframes?
>
> I understand that it would be a big change and probably break
> something/cause a lot of trouble for other users, but maybe there are
> ways..? (and as always, please correct if something above was wrong).

Facebook, as we discovered, was by far and large the worst leak of private information that we looked into. Basically, many apps that are running as part of it make use of external resources and/or forward personal information to 3rd party web sites. By blocking these cookies, one would make the web site unusable. Furthermore, many web pages store large resources on external locations. Blocking cookies between a web site and all 3rd party candidates would stop these resources from being loaded, and possibly break the functionality of the web site.

> Thanks,
> Ilkka

I hope this information was useful input to the issue :) (before you consider any specific solution to your problem).

Caleb Eggensperger

Jul 6, 2011, 11:01:38 AM
to ilk...@gmail.com, Chromium-discuss
There are a few Chrome extensions to block Facebook Connect. Here's a popular one:


--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
   http://groups.google.com/a/chromium.org/group/chromium-discuss



--
Caleb Eggensperger
www.calebegg.com

Ilkka Huotari

Jul 6, 2011, 4:41:29 PM
to Chromium-discuss
> There are a few Chrome extensions to block Facebook Connect. Here's a
> popular one:

Facebook was just an example. I would like to block all of them, for
the reasons Adrian Scoica outlined in his reply (thanks).

Also, I wouldn't really like to trust this to a plugin, I think the
browser should be able to do this (imo) - it's such a core behavior.

Ilkka Huotari

Jul 7, 2011, 4:52:16 PM
to Chromium-discuss
The answer was in about:flags.