browseraudit.com: same issues for Opera and Chrome
-
MichaelRoss5 last edited by leocg
I have found with browseraudit.com that both Opera and Chrome have the same security issues. The issue below is critical; the other 23 are minor issues.
Problem - cookie set by JavaScript should not be sent over HTTP
This critical test executed in ≈834ms and failed for the following reason: The cookie was sent to the server.
Test function:
function() {
    var thisTest = this;
    $.cookie("sessionSecureCookie", "910", {
        secure: true,
        path: "/",
        domain: ".browseraudit.com"
    });
    $("<img>", {
        src: "http://browseraudit.com/set_session_secure_cookie"
    }).load(function() {
        $.get("/get_session_secure_cookie", function(data) {
            if (data === "nil") {
                thisTest.PASS("The cookie was not sent to the server.");
            } else {
                thisTest.CRITICAL("The cookie was sent to the server.");
            }
        });
    });
}
-
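Added example, not code from the original post or from browseraudit: a minimal model of the cookie-jar rules the test above relies on (RFC 6265: a cookie with the Secure attribute is only attached to requests over a secure scheme, after the usual Domain and Path matching). It replays the test twice: once with the image request really going out over http://, and once with a constructed "upgrade http:// to https://" rewrite of the kind an extension such as HTTPS Everywhere performs, which is the situation the thread later pins the CRITICAL result on. Hostnames and cookie values are taken from the test; the rewrite flag and the helper names are this example's own.

```javascript
// Minimal RFC 6265-style cookie jar: Secure, Domain and Path handling only.
class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Store a cookie the way document.cookie / $.cookie would. A leading dot on
  // the Domain attribute is ignored (RFC 6265 section 5.2.3).
  set(name, value, { secure = false, path = '/', domain } = {}) {
    if (!domain) throw new TypeError('domain is required in this model');
    const normDomain = domain.replace(/^\./, '').toLowerCase();
    // Replace an existing cookie with the same name/domain/path.
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.domain === normDomain && c.path === path)
    );
    this.cookies.push({ name, value, secure, path, domain: normDomain });
  }

  // Cookies a user agent attaches to a request for `url`: domain-match,
  // path-match, and (section 5.4) a Secure cookie only over https.
  cookiesFor(url) {
    const u = new URL(url);
    const secureChannel = u.protocol === 'https:';
    return this.cookies.filter(
      (c) =>
        (!c.secure || secureChannel) &&
        domainMatches(u.hostname, c.domain) &&
        pathMatches(u.pathname, c.path)
    );
  }
}

// RFC 6265 section 5.1.3: identical host, or a suffix on a label boundary.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  return h === cookieDomain || h.endsWith('.' + cookieDomain);
}

// RFC 6265 section 5.1.4: identical path, or a prefix ending at a '/'.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Replays the browseraudit test. `upgradeHttp` (constructed for this example)
// models an extension that rewrites http:// URLs to https:// before the
// request leaves the browser; the server then legitimately receives the
// Secure cookie and reports it as "sent", which is what the test calls CRITICAL.
function runSecureCookieTest({ upgradeHttp = false } = {}) {
  const jar = new CookieJar();
  jar.set('sessionSecureCookie', '910', {
    secure: true,
    path: '/',
    domain: '.browseraudit.com',
  });
  let imgUrl = 'http://browseraudit.com/set_session_secure_cookie';
  if (upgradeHttp) imgUrl = imgUrl.replace(/^http:/, 'https:');
  const sentWithImage = jar
    .cookiesFor(imgUrl)
    .some((c) => c.name === 'sessionSecureCookie');
  const sentWithGet = jar
    .cookiesFor('https://browseraudit.com/get_session_secure_cookie')
    .some((c) => c.name === 'sessionSecureCookie');
  return {
    requestedUrl: imgUrl,
    sentWithImage,
    sentWithGet,
    verdict: sentWithImage ? 'CRITICAL' : 'PASS',
  };
}

console.log(runSecureCookieTest());
console.log(runSecureCookieTest({ upgradeHttp: true }));
```

Without the rewrite the Secure cookie stays off the http:// image request and the verdict is PASS; with it the "HTTP" request is really HTTPS, the cookie is correctly attached, and the test reports CRITICAL even though the browser's Secure handling is sound.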
zalex108 last edited by
Hi,
Can't test it, but it seems related to this, from a year or more ago.
-
blackbird71 last edited by
@MichaelRoss5 It's also the case with Vivaldi, so I suspect it's a characteristic of the Chromium engine, common to all 3 browsers in one form or another. The real question is: how significant is that Chromium behavior in the real, practical world? In the first place, sensitive information should never be stored in a website's cookies. Second, there are better site-code mechanisms for protecting cookies (e.g. the SameSite attribute).
-
leocg Moderator Volunteer last edited by
@MichaelRoss5 Most probably all Chromium based browsers have those issues.
-
leocg Moderator Volunteer last edited by
@MichaelRoss5 Here with Opera developer 67, no critical issue was listed.
-
nvmjustagirl last edited by nvmjustagirl
64-bit Opera Dev 67.0.3564.0
Chromium 79.0.3945.117 (Official Build) (64-bit) - same score
Google Chrome 79.0.3945.117 (Official Build) (64-bit) - same score.
Note - flags had to be set to default; with a few flags enabled, the score was higher.
-
debianchrome last edited by
For me it happens specifically on Debian 10.2 with the latest apt version of Chromium, 78.0.3904.108-1, but only when the HTTPS Everywhere extension is being used, and only when "Encrypt All Sites Eligible" is ON; otherwise it's fine.
Do you happen to also use this extension?
uBlock is fine.
-
MichaelRoss5 last edited by
@nvmjustagirl I thought my Chrome and Opera were auto-updating on exit, so I manually updated to the latest versions (not Dev) and still get the same errors. What do you mean by setting flags to default?
-
MichaelRoss5 last edited by
@nvmjustagirl I tested Microsoft Edge, which is also Chromium-based, and it has a different critical issue, not the same as Opera and Chrome.
-
MichaelRoss5 last edited by
@MichaelRoss5 Yes, I have the HTTPS Everywhere extension with "Encrypt All Sites Eligible" ON. Will have to let HTTPS Everywhere know.
-
nvmjustagirl last edited by nvmjustagirl
@leocg That's a really good score!
Here is the score of Opera Stable 66.0.3515.36 (64-bit):
Passed - 370
Warning - 14
Critical - 0
Skipped - -20
@MichaelRoss5 Go here in the address bar: opera://flags
I had a few flags enabled in Opera Dev, so when I ran the 1st test the score was Warning - 11 / Critical - 6.
While you're in the flags settings (AKA Experiments), there is a button called "Reset all to default".
So the few flags I had enabled, I reset to default.
Ran the 2nd test (flags set to default): score - Warning - 11 / Critical - 0.
So to me, some of the flags were making the score worse, in my case.
I have a few extensions; if I disabled them, my score might have been even better.
-
MichaelRoss5 last edited by
@nvmjustagirl The HTTPS Everywhere extension is the cause of the problem; I have emailed them to look into it.
-
leocg Moderator Volunteer last edited by
@MichaelRoss5 I think it would be possible. Try disabling them.
Or maybe it's something fixed in the version of Chromium used in Opera developer.
-
MichaelRoss5 last edited by
@leocg Will wait and see what HTTPS Everywhere come back with. They prevent you from using unencrypted HTTP websites and try to turn HTTP into HTTPS; I assume they are using cookies to do this. It will depend on what level of security is needed for the information in the cookie.