Skip to content

Cookie Revealer: One Reason Greasemonkey Should Allow Its Scripts Access to Cookies

Log off. That cookie s— makes me nervous.
–Tony Soprano

The malicious activity that can result from Greasemonkey scripts having the ability to access cookies has been a topic of discussion among Greasemonkey aficionados. Cookie-related Greasemonkey issues and the possible solutions to them were mentioned in the recent trilogy of entries on this blog about past and present security concerns with Greasemonkey. Possible solutions to these issues were mentioned in the third part of that series of entries. And one solution mentioned is one that would completely eliminate the possibility of Greasemonkey scripts performing malicious cookie-related activity. Such a solution would be implemented by having a future version of Greasemonkey deny its user scripts access to cookies. This solution may seem drastic, although it is one that has been given some consideration.

This simple solution’s drawbacks are about as obvious as its benefits. And if this solution were implemented, these drawbacks would be very similar to the ones that existed a few years ago when Greasemonkey 0.3.5 was released. The issues that Greasemonkey had with its API functions at the time necessitated that these API functions be disabled in version 0.3.5, and these changes caused many scripts to not work with this version. And Greasemonkey denying its scripts access to cookies would cause hundreds of Greasemonkey scripts to not work, as one can see by performing this Google search for scripts that use the document.cookie property. It should also be noted that the security issues prevented at the time Greasemonkey’s API functions were disabled were considered much more serious than the issue of cookie stealing scripts. In this case, the benefits of precluding a security risk do not outweigh the disadvantage of causing the number of scripts that would be affected to not work.

Many Greasemonkey scripts depend upon access to cookie data via the document.cookie property, and some of these scripts cannot exist at all without access to cookies. These scripts that would cease to be useful at all if Greasemonkey scripts could not access cookies are ones that perform what many users would like to have done with cookies. And in this entry, these scripts that completely depend on access to cookies are the topic. However, as the title of this entry suggests, much of the focus of this entry will be on one script in particular whose function is to work with cookies.

Greasemonkey scripts may be able to perform malicious cookie-related activity, although there are a few scripts that do what many users may want done with cookies. I considered writing a post here in which I would list a few of these scripts that are primarily for working with cookies. And I discovered a few scripts that require access to cookies in order to perform what they are intended to perform. One of these scripts is titled “Google Search Cookie Cleaner.” Much has been said about Google’s cookie policy, and how Google having its cookies expire after two years matters little to some of those concerned about privacy. And the Google Search Cookie Cleaner script removes much data from cookies that could possibly be used to track users. Another script, titled “Google Anonymizer” takes this prevention of possible tracking of user activity on Google’s part a few steps further. In addition to deleting more data that is in cookies from Google, it can disable JavaScript functions that appear to be used by Google to track users. And whereas the Google Search Cookie Cleaner script has a disadvantage in that it takes away the user’s ability to store preferences for Google searches, the Google Anonymizer script allows users to store these preferences by saving them in Firefox’s preferences.

There was one more script that I found was entirely dependent upon its ability to access cookies, as work with cookies was its primary function. This script, known as “Cookie Monster” was one that I found did not work at all when I tried to use it. It was quite unfortunate that it did not work, as its ability to give a quick way to reveal cookie data set by the page being viewed would be considered useful by some. A few modifications were needed in order to make it work, and so I decided to make those modifications, and I added a few of my own personal touches to it. And this modified version of the script, which I refer to as “Cookie Revealer,” is the primary topic of this blog post, as I explain how I went beyond simply making the script on which it was based work properly

There are a number of different ways that one can view the cookie data set by a page being viewed when Firefox is used. However, when using the option in Firefox for displaying cookies or a number of Firefox extensions made for working with cookies, there are no easy ways to get a quick overview of what is happening on a page cookie-wise. One might want information on cookies set by a page to be accessible through the page itself. Therefore, a script that adds elements to pages in which cookie data set by pages can be accessed could be one that some might want. And this script, which adds elements to web pages and frames within pages through which cookie data set by the page and its frames can be accessed, makes data in cookies easily accessible. And after I made adjustments to the script so that it would work as intended, I found the script useful. In fact, I used it to determine what data was removed from cookies set by Google by the two scripts previously mentioned. However, there were a few adjustments that I thought should be made to it.

Previously, the script would display cookie data only when leaving the mouse cursor over the elements the script would add. This may not be preferable to some, as in this case, the cursor would often be in the way of the cookie data being displayed. In addition, one would have more difficulty highlighting this cookie data when trying to copy and paste it, as the cookie data would disappear whenever the cursor is even slightly outside the area that would display this data. Therefore, I chose to modify it so that one could toggle whether or not cookie data is to be displayed by double-clicking the elements the script adds to pages. Also, I modified the CSS properties of the added elements so that scroll bars would added to the elements when necessary, so that all cookie data could be viewed when there is much cookie data to display. In addition, changes could be made to cookies while the pages that set them are displayed. And so I modified the script so that after these changes are made, they will appear when the cookie data is redisplayed. Also, the functionality for completely removing the elements for displaying cookie data was also removed, as one could simply disable the script and refresh the page when one does not want these elements to be displayed. Below are links to screen shots of a page on which this script is running. The first one simply displays the element added in the lower left corner of the page by the script, and the other displays cookie data after this element is double-clicked.

Free Image Hosting at www.ImageShack.usFree Image Hosting at www.ImageShack.us

If you have Greasemonkey installed, then you can click here to install this script. I already have some ideas in mind on how to improve upon this script. I was primarily interested in simply making this script work correctly, and there are some improvements that can be made to it to make cookie data more easily visible in some cases. This is only version 0.1.0 of this script, and new versions of it will almost certainly be released in the future. There might be those who will suggest improvements to it, and implementing requested improvements will be a priority for me. There may be interest in this script and in improvements to it, and that is why this script could be considered a reason Greasemonkey should not disallow its scripts access to cookies.

However, some ideas I have for improvements to this script are beyond Greasemonkey’s scope. Therefore, what could evolve from this script is another useful Firefox extension for handling cookies. I may need to take some time to see if there are Firefox extensions that perform anything similar to what I am thinking of writing, as I prefer not to waste my time writing redundant extensions. In any case, I will write software that could make some people less nervous about cookies.

[poll=4]

2 Comments