A lot of you are probably aware of the new EU privacy law, but for those who are not, it basically means no site operated by a company resident in the EU can set cookies classed as 'non-essential to the operation of the website' on a visitor's machine unless given express permission to do so.
So, the question becomes how to best deal with this?
Browsers obviously have the ability to block cookies from a specific website built into them. My question is, is there a way of doing something similar using JS or PHP?
i.e. intercept any cookies that might be trying to be set (including 3rd party cookies like Analytics, or Facebook), and block them unless the user has given consent.
It's obviously possible to delete all cookies once they have been set, but although this amounts to the same thing as not allowing them to be set in the first place, I'm guessing that it's not good enough in this case because it doesn't adhere to the letter of the law.
Ideas?
To block third-party cookies, find the JavaScript code that sets them and: change its type attribute from text/javascript to text/plain (if the type attribute is missing, just add it); add a data-cookiescript attribute and set it to accepted.
JavaScript can also manipulate cookies using the cookie property of the Document object. JavaScript can read, create, modify, and delete the cookies that apply to the current web page.
An http-only cookie cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS).
I'm pretty interested in this answer too. I've accomplished what I need to accomplish in PHP, but the JavaScript component still eludes me.
Here's how I'm doing it in PHP:
    $dirty = false;
    foreach (headers_list() as $header) {
        // Header names are case-insensitive; stop at the first Set-Cookie header
        if (preg_match('/^Set-Cookie:/i', $header)) {
            $dirty = true;
            break; // I already know it needs to be cleaned
        }
    }
    if ($dirty) {
        // Compare the full version: checking only the minor number misreads e.g. 7.0
        if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
            header_remove('Set-Cookie'); // php 5.3
        } else {
            header('Set-Cookie:'); // php 5.2
        }
    }
Then I have some additional code that turns this off when the user accepts cookies.
The problem is that there are third-party plugins being used in my site that manipulate cookies via JavaScript and short of scanning through them to determine which ones access document.cookie - they can still set cookies.
It would be convenient if they all used the same framework, so I might be able to override a setCookie function - but they don't.
It would be nice if I could just delete or disable document.cookie so it becomes inaccessible...
EDIT: It is possible to prevent JavaScript access to get or set cookies.

    // Replace the cookie accessors: reads return an empty string, writes are dropped
    document.__defineGetter__("cookie", function() { return ''; });
    document.__defineSetter__("cookie", function() {});
EDIT 2: For this to work in IE:
    if (!document.__defineGetter__) {
        // No legacy __defineGetter__ (IE): use the standard property API
        Object.defineProperty(document, 'cookie', {
            get: function() { return ''; },
            set: function() { return true; } // no trailing comma: older IE rejects it
        });
    } else {
        document.__defineGetter__("cookie", function() { return ''; });
        document.__defineSetter__("cookie", function() {});
    }
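The override above is permanent, so the "turn this off when the user accepts cookies" step has no counterpart on the JavaScript side. The following added example (not part of the original answer) wraps the native accessor instead of discarding it, so writes are dropped only while consent is missing and the original behaviour can be restored; it covers script writes through document.cookie only, not Set-Cookie response headers. The names gateCookies, hasConsent and makeFakeDocument are hypothetical, and the fake document is a constructed stand-in so the block also runs outside a browser.

```javascript
// Gate document.cookie behind a consent check while keeping the native accessor.
// doc: the document object; hasConsent: function returning true once the user agreed.
function gateCookies(doc, hasConsent) {
  // The native accessor lives on a prototype of the document, so walk the chain.
  let native;
  for (let p = Object.getPrototypeOf(doc); p && !native; p = Object.getPrototypeOf(p)) {
    native = Object.getOwnPropertyDescriptor(p, 'cookie');
  }
  if (!native) throw new Error('no cookie accessor found on the prototype chain');

  const blocked = []; // names of cookies that scripts tried to set without consent
  Object.defineProperty(doc, 'cookie', {
    configurable: true, // lets restore() remove this override again
    get() { return hasConsent() ? native.get.call(doc) : ''; },
    set(value) {
      if (hasConsent()) native.set.call(doc, value);
      else blocked.push(String(value).split('=')[0].trim());
    }
  });
  return {
    blocked,
    // Deleting the own property exposes the prototype's native accessor again.
    restore() { delete doc.cookie; }
  };
}

// Constructed stand-in for a browser document: a prototype with a cookie
// accessor backed by an in-memory jar (attributes such as path are ignored).
function makeFakeDocument() {
  const jar = new Map();
  const proto = {
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
    set cookie(s) {
      const pair = String(s).split(';')[0];
      const i = pair.indexOf('=');
      jar.set(pair.slice(0, i).trim(), pair.slice(i + 1).trim());
    }
  };
  return Object.create(proto);
}
```

In a page, call gateCookies(document, ...) in an inline script ahead of any third-party script tags; the blocked list then shows which plugins attempted to write cookies before consent.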