1. 3

big up TorontoJS https://www.youtube.com/channel/UC1samyyfqiKmOT6fq3uVO1A

Here’s the poem, for the reading type.

Fishy Sneaky Sticky Cookies can make even the greatest devs feel like rookies disguised as something so delicious hiding something oh so malicious

do you ever wonder how that after googling for a cow you take look at the ‘ol book they’re trying to sell you steak knives now

what is this black magic, I do say? what if, my friends, I told you today That it’s all part of a cat & mouse game and a Fishy Sneaky Sticky Cookie could be to blame

__

When I build my full stack app I do use cookies and they’re not a trap! They help me know it’s really you, so realYou2 doesn’t have a clue

often cookies store some state you’d hate to wait for a new token to create but there are good cookies, there are amen so you don’t have to login all over again

Some cookies are great but Some cookies are bait These are not the cookies you’re lookin’ for, mate

Almost every site that you visit will, one way or another leave cookies in chrome

Some of these cookies look rather exquisite they look like they came from a long away from home

I like go to foodnetwork.com. I’m a chef! but look at these cookies!!! WTF?? what are they doing?? what stew is stewing?? Could it maybe be me that they’re screwing??

I need to find out what the H.. or F.. they’re about or else I’ll be dreadfully mad and I’ll yell.. i mean shout

You probably know what’s the main cookie setter That’s right.. it’s the set-cookie header Ya you know me, it’s HTTP when a server responds with a cookie it’s better

These are the cookies, easy to inspect from the network panel, right click and detect or in a browser extension’s, onHeadersReceived that cookie information, it’s a dream to retrieve

There is, of course, another way though You bet your ass it’s javascript yo, document.cookie = your shit you can’t see these cookies come in bit by bit

there is a restriction for this that you’ll see the cookie’s domain and site have to be the same document.cookie = EHH.. same origin policy

that and cross origin resource sharing the browser’s watching out for you, it’s caring cookies won’t be set where you did not intend to get but somehow these cookies just keep on appearing

I didn’t go to “gigya.com”. it was foodnetwork bro, it must’ve came from the dom any guesses as to who we should blame? that’s right folks… mr iframe

iframes do the thing that is sneaky their domain is their own, getting around SOP a whole site inserted, the policy averted they bring their own javascript which can be really freaky

and sometimes these iframes don’t seem to do shit but they DO load another iframe just down a little bit and that’s the culprit that’s leaving these crumbs these are the ones that make me feel dumb

so what’s the big deal they’re just cookies right? well if you work in advertising the cookies are tight these cookies are sticky, these cookies are icky they help advertisers sell you the perfect doohicky

cookies get sent along with your requests so the advertisers can sell you more gorilla vests every site and every byte from page 1 and page 2 through these crazy iframe nests

so what can we do of these nefarious things well we can blast them all, with all the destruction that brings or we can try to selectively remove but that’s easier said than to prove

remember that plenty of cookies are great we only want remove the ones that we hate

cookies are kind of like bacteria.. you can pour anitbiotics into the system but it’s an arms race eventually it makes that harder to resist ’em

browser extensions have more apis to cut the browser’s cookiestore down to size but there’s no guarantee that you’ll be totally free the best lesson here is to become more wise

rememeber that when you are browsing the net it’s not always gonna be a safe bet you have to be vigilent, do your due diligence our privacy’s at stake, recognize the threat

  1.  

  2. 1

    also I have no idea what’s the deal with Reddit anymore. I tried posting it there but it doesn’t show. gonna drop the link here in case anyone can educate me on what the deal with that is

    https://www.reddit.com/r/javascript/comments/an5nkl/torontojs_presentation_fishy_sneaky_sticky/