/
cookies.html
120 lines (103 loc) · 4.83 KB
/
cookies.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>Cookies</title>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<link href="../faq.css" rel="stylesheet" type="text/css">
<link href="faq_notes.css" rel="stylesheet" type="text/css">
</head>
<body>
<h1><a name="cookies" id="cookies">Cookies</a></h1>
<ul>
<li><a href="#proxIs">Privacy filters on proxies</a></li>
</ul>
<h2><a name="proxIs" id="proxIs">Privacy filters on proxies</a></h2>
<p id="proxIs_1">
<a href="http://www.w3schools.com/js/js_cookies.asp">The page
referenced</a> from <a href="http://jibbering.com/faq/#FAQ4_4">section 4.4 of
the FAQ</a> describes a generally sound strategy for using cookies but suffers from
an additional issue relating to "privacy" filters employed by content
inserting/re-writing proxies.
</p>
<p id="proxIs_2">
The problem is that some of these filters identify the character sequence
"cookie" within Javascript source code and replace it with an
alternative string. <a href="http://groups.google.com/groups?threadm=41ebaba2.0306240406.1fdff5ef%40posting.google.com">
A c.l.j. thread describing an occurrence of this problem</a> had
"cookie" replaced by "ignore" by ZoneAlarm, and
Proximatron has a similar filter available (but not active) by default.
</p>
<p id="proxIs_3">
The effect of changing occurrences of <code>document.cookie</code>
into <code>document.ignore</code> within source code is that attempts
to write to the property just result in a new string property being
assigned to the document object, but no cookie is created. And reading
from the property returns the same string, or an undefined value
if nothing has yet been written to the property.
</p>
<p id="proxIs_4">
The problem with the irt.org code is that the <code>Get_Cookie</code>
and <code>Set_Cookie</code> functions are
not written with a consideration that <code>document.cookie</code> may
not refer to a string.
</p>
<p id="proxIs_5">
<code>Get_Cookie</code> will error if "cookie" has been replaced with
"ignore" because it treats the <code>document.cookie</code>
value as if it was a string. But changing that one function so that it
does not attempt to read <code>document.cookie</code> if the value is
not a string may prevent the error but would still undermine that strategy used.
</p>
<p id="proxIs_6">
However, the problem can be completely avoided by wrapping the content
of the <code>Get_Cookie</code> and <code>Set_Cookie</code> functions
in <code>typeof</code> tests and only executing the rest of the
function if <code>typeof</code> returns <code>"string"</code>.
</p>
<pre id="proxIs_ex1">
function Get_Cookie(name) {
if(typeof document.cookie == "string"){
var start = document.cookie.indexOf(name+"=");
var len = start+name.length+1;
if ((!start)&&
(name != document.cookie.substring(0,name.length))){
return null;
}
if (start == -1) return null;
var end = document.cookie.indexOf(";",len);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(len,end));
}else{
<span class="commentJS">/* document.cookie is not a string so return an
empty string. When tested this will type-convert to
boolean false (accurately) giving the impression that
client-side cookies are not available on this system:-
*/</span>
return "";
}
}
function Set_Cookie(name,value,expires,path,domain,secure) {
if(typeof document.cookie == "string"){
document.cookie = name + "=" +escape(value) +
( (expires) ? ";expires=" + expires.toGMTString() : "") +
( (path) ? ";path=" + path : "") +
( (domain) ? ";domain=" + domain : "") +
( (secure) ? ";secure" : "");
}<span class="commentJS">//else document.cookie is not a string so do not write to it.</span>
}
function Delete_Cookie(name,path,domain) {
if (Get_Cookie(name)) document.cookie = name + "=" +
( (path) ? ";path=" + path : "") +
( (domain) ? ";domain=" + domain : "") +
";expires=Thu, 01-Jan-70 00:00:01 GMT";
}
}
</pre>
<p id="proxIs_7">
Cookie reading and writing is unlikely to be done sufficiently often that
the extra overhead of the tests will impact on the performance of
the resulting script.
</p>
<p id="rToc">
<a href="faq_notes.html#toc">comp.lang.javascript FAQ notes T.O.C.</a>
</p>
</body>
</html>