Creating a Cookie Log
creating a cookie log is often necessary to troubleshoot problems with firefox's cookie handling.
...please follow the instructions below to run firefox with cookie logging enabled.
... enabling cookie logging windows open a command prompt (this is under programs or programs/accessories in normal installations of windows).
...And 6 more matches

Cookies Preferences in Mozilla
network.cookie.cookiebehavior default value: 0 0 = accept all cookies by default 1 = only accept from the originating site (block third party cookies) 2 = block all cookies by default 3 = use p3p settings (note: this is only applicable to older mozilla suite and seamonkey versions.) 4 = storage access policy: block cookies from trackers network.cookie.lifetimepolicy default value: 0 0 = accept cookies normally 1 = prompt for each cookie (prompting was removed in firefox 44) 2 = accept for current session only 3 = accept for n days network.cookie.lifetime.days default value...
...: 90 only used if network.cookie.lifetimepolicy is set to 3 sets the number of days that the lifetime of cookies should be limited to.
... network.cookie.alwaysacceptsessioncookies default value: false only used if network.cookie.lifetimepolicy is set to 1 true = accepts session cookies without prompting false = prompts for session cookies network.cookie.thirdparty.sessiononly default value: false true = restrict third party cookies to the session only false = no restrictions on third party cookies network.cookie.maxnumber default value: 1000 configures the maximum amount of cookies to be stored valid range is from 0-65535, rfc 2109 and 2965 require this to be at least 300 network.cookie.maxperhost default value: 50 configures the maximum amount of cookies to be stored per host valid range is from 0-65535, rfc 2109 and 2965 require this to be at least 20 network.cookie.disablecookieformailnews default value: tru...
...And 4 more matches

Navigator.cookieEnabled - Web APIs
navigator.cookieenabled returns a boolean value that indicates whether cookies are enabled or not.
... syntax var cookieenabled = navigator.cookieenabled; cookieenabled is a boolean: true or false.
... note: when the browser is configured to block third-party cookies, and navigator.cookieenabled is invoked inside a third-party iframe, it returns true in safari, edge spartan and ie (while trying to set a cookie in such scenario would fail).
...And 4 more matches

Cookie - MDN Web Docs Glossary: Definitions of Web-related terms
a cookie is a small piece of information left on a visitor's computer by a website, via a web browser.
... cookies are used to personalize a user’s web experience with a website.
...a user can customize their web browser to accept, reject, or delete cookies.
...And 2 more matches

nsICookieAcceptDialog
extensions/cookie/nsicookieacceptdialog.idlscriptable this interface holds some constants for the cookie accept dialog.
... inherits from: nsisupports last changed in gecko 1.7 constants constant value description accept_cookie 0 value for accepting a cookie object.
... cookiesfromhost 3 value for holding the cookie from the host.
...And 2 more matches

Set-Cookie2 - HTTP
the obsolete set-cookie2 http response header used to send cookies from the server to the user agent, but has been deprecated by the specification.
... use set-cookie instead.
... header type response header forbidden header name no syntax set-cookie2: <cookie-name>=<cookie-value> set-cookie2: <cookie-name>=<cookie-value>; comment=<value> set-cookie2: <cookie-name>=<cookie-value>; commenturl=<http-url> set-cookie2: <cookie-name>=<cookie-value>; discard set-cookie2: <cookie-name>=<cookie-value>; domain=<domain-value> set-cookie2: <cookie-name>=<cookie-value>; max-age=<non-zero-digit> set-cookie2: <cookie-name>=<cookie-value>; path=<path-value> set-cookie2: <cookie-name>=<cookie-value>; port=<port-number> set-cookie2: <cookie-name>=<cookie-value>; secure set-cookie2: <cookie-name>=<cookie-value>; version=<version-number> // multiple directives are also possible, for example: set-cookie2: <cookie-name>=<cookie-value>; domain=<domain-value>;...
...And 2 more matches

Cookie - HTTP
the cookie http request header contains stored http cookies previously sent by the server with the set-cookie header.
... the cookie header is optional and may be omitted if, for example, the browser's privacy settings block cookies.
... header type request header forbidden header name yes syntax cookie: <cookie-list> cookie: name=value cookie: name=value; name2=value2; name3=value3 <cookie-list> a list of name-value pairs in the form of <cookie-name>=<cookie-value>.
... examples cookie: phpsessid=298zf09hf012fh2; csrftoken=u32t4o3tb3gg43; _gat=1 specifications specification title rfc 6265, section 5.4: cookie http state management mechanism ...

Cookies - Archive of obsolete content
reading existing cookies cookies for a given host, represented as nsicookie2 objects, can be enumerated as such: let enum = services.cookies.getcookiesfromhost("example.com"); while (enum.hasmoreelements()) { var cookie = enum.getnext().queryinterface(ci.nsicookie2); dump(cookie.host + ";" + cookie.name + "=" + cookie.value + "\n"); } all cookies, regardless of host, can be enumerated using services.cookies.enumerator rather than getcookiesfromhost().
... setting a cookie the following code demonstrates how to set a cookie in firefox.
... services.cookies.add(".host.example.com", "/cookie-path", "cookie_name", "cookie_value", is_secure, is_http_only, is_session, expiry_date); see also document.cookie nsicookie nsicookie2 nsicookieservice nsicookiemanager nsicookiemanager2 http cookies ...

Blocked: Custom cookie permission
message firefox: cookieblockedbypermission=request to access cookies or storage on “x” was blocked because of custom cookie permission.
... a request to access cookies or storage was blocked because there's a custom user-defined permission set.
... the permission can be changed or removed by: going to preferences > content blocking > cookies and site data clicking on the manage permissions button and updating the listed exceptions ...

nsICookie2 MOZILLA 1 8 BRANCH
netwerk/cookie/public/nsicookie2.idlscriptable please add a summary to this article.
... last changed in gecko 1.9 (firefox 3) inherits from: nsicookie2 attributes attribute type description ishttponly boolean holds true if the cookie is an http only cookie.
... see also nsicookie2 ...

Cookies in Mozilla
creating a cookie log steps to create and attach a cookie log in order to aid in triaging a bug in cookies.
... cookies preferences in mozilla documentation on what the preferences used by the cookies code actually do.

Cookie2 - HTTP
the obsolete cookie2 http request header used to advise the server that the user agent understands "new-style" cookies, but nowadays user agents will use the cookie header instead, not this one.
... header type request header forbidden header name yes examples cookie2: $version="1" specifications specification title rfc 2965: cookie2 historic specification of http state management mechanism, obsoleted by rfc 6265 ...

Using XPCOM Components
in fact, virtually all of the functionality that you associate with a browser - navigation, window management, managing cookies, bookmarks, security, searching, rendering, and other features - is defined in xpcom components and accessed by means of those component interfaces.
... this chapter demonstrates how mozilla uses some of these xpcom objects, such as the cookiemanager, and shows how access to the weblock component will be defined.
... cookie manager cookie management is one of the many sets of functionality that is made available to the browser in the form of an xpcom component and that can be reused by developers who want similar functionality in their applications.
...And 31 more matches

Commenting IDL for better documentation
example this is an example of what the sample interface document idl would look like: /** * @brief a make-believe interface that eats and enjoys cookies.
... * * @note the article's name should be simply "nsicookiemonster" but is not in * order to make it more obvious this is an example.
... * * @see nsicookie * @see nsicookiemanager */ /* * take note that this is not a doxygen style comment, there is only one * on * the line above.
...And 20 more matches

Migrating from Firebug - Firefox Developer Tools
xhr, dom, cookie and error breakpoints are not supported yet (see bug 821610, bug 1004678, bug 895893 and bug 1165010).
...they contain a headers, params, response and cookies panel.
... storage inspector the cookies panel in firebug displays information related to the cookies created by a page and allows to manipulate the information they store.
...And 15 more matches

Types of attacks - Web security
the user's browser cannot detect the malicious script is untrustworthy, and so gives it access to any cookies, session tokens, or other sensitive site-specific information, or lets the malicious script rewrite the html content.
...the variety of attacks based on xss is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to a webpage controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
...in this situation, someone includes an image that isn’t really an image (for example in an unfiltered chat or forum), instead it really is a request to your bank’s server to withdraw money: <img src="https://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory"> now, if you are logged into your bank account and your cookies are still valid (and there is no other validation), you will transfer money as soon as you load the html that contains this image.
...And 13 more matches

XPCOM Examples - Archive of obsolete content
cookies next, we will get a list of cookies that have been saved in the browser.
... the cookie service can be used for such a purpose.
... it implements the nsicookiemanager interface which can be used to enumerate over all of the cookies.
...And 12 more matches

Index
in fact, virtually all of the functionality that you associate with a browser - navigation, window management, managing cookies, bookmarks, security, searching, rendering, and other features - is defined in xpcom components and accessed by means of those component interfaces.
...to create an instance, use: 448 nsicookie cookies, interfaces, interfaces:scriptable, xpcom, xpcom api reference, xpcom interface reference an optional interface for accessing the http or javascript cookie object.
... 449 nsicookie2 cookies, interfaces, interfaces:scriptable, xpcom, xpcom api reference, xpcom interface reference the nsicookie2 interface provides information about a cookie, and extends the nsicookie interface.
...And 12 more matches

Creating Sandboxed HTTP Connections
introduction starting with gecko 1.8.1 (firefox 2), it is possible to create sandboxed http connections which don't affect the user's cookies.
... since nsistreamlistener does not cover cookies, the current channel being used will need to be stored as a global, since another listener will be used for cookie notifications (covered in the next section).
... }) } handling cookies when sending a request, cookies that apply to the url are sent with the http request.
...And 10 more matches

Cross-Origin Resource Sharing (CORS) - HTTP
servers can also inform clients whether "credentials" (such as cookies and http authentication) should be sent with requests.
... requests with credentials the most interesting capability exposed by both xmlhttprequest or fetch and cors is the ability to make "credentialed" requests that are aware of http cookies and http authentication information.
... in this example, content originally loaded from http://foo.example makes a simple get request to a resource on http://bar.other which sets cookies.
...And 8 more matches

Index - Web APIs
876 document.cookie api, dom, document, html dom, js, needsmarkupwork, reference, storage, cookie the document property cookie lets you read and write cookies associated with the document.
... it serves as a getter and setter for the actual values of the cookies.
... 877 simple cookie framework cookies, cookie as cookies are just specially formatted strings it is sometimes difficult to manage them.
...And 7 more matches

Client-Server Overview - Learn web development
client-side cookies.
... cookies contain session data about the client, including keys that the server can use to determine their login status and permissions/accesses to resources.
...ade-insecure-requests: 1 user-agent: mozilla/5.0 (windows nt 10.0; wow64) applewebkit/537.36 (khtml, like gecko) chrome/52.0.2743.116 safari/537.36 accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 referer: https://developer.mozilla.org/ accept-encoding: gzip, deflate, sdch, br accept-charset: iso-8859-1,utf-8;q=0.7,*;q=0.7 accept-language: en-us,en;q=0.8,es;q=0.6 cookie: sessionid=6ynxs23n521lu21b1t136rhbv7ezngie; csrftoken=zipujsazv6pcgcbjscj1zu6pqzbfmuat; dwf_section_edit=false; dwf_sg_task_completion=false; _gat=1; _ga=ga1.2.1688886003.1471911953; ffo=true the first and second lines contain most of the information we talked about above: the type of request (get).
...And 6 more matches

Website security - Learn web development
because the injected code comes to the browser from the site, the code is trusted and can do things like send the user's site authorization cookie to the attacker.
... when the attacker has the cookie, they can log into a site as though they were the user and do anything the user can, such as access their credit card details, see contact details, or change passwords.
... while the data from post or get requests is the most common source of xss vulnerabilities, any data from the browser is potentially vulnerable, such as cookie data rendered by the browser, or user files that are uploaded and displayed.
...And 5 more matches

Storage Inspector - Firefox Developer Tools
cookies — all the cookies created by the page or any iframes inside of the page.
... cookies created as a part of response of network calls are also listed, but only for calls that happened while the tool is open.
...for cookies, the protocol does not differentiate the origin.
...And 5 more matches

Storage Access API - Web APIs
concepts and usage most browsers implement a number of storage access policies that restrict access to cookies and site data for embedded, cross-origin resources.
... the semantics around third-party cookie blocking policies in particular differ from browser to browser, but the core functionality is similar: cross-origin resources embedded in a third-party context are not given access to the same cookies and site storage that they would have access to when loaded in a first-party context.
... these cookie blocking policies are known to break embedded cross-origin content that requires access to its first-party storage.
...And 5 more matches

HTTP headers - HTTP
cookies, storage, cache) associated with the requesting website.
... max-forwards cookies cookie contains stored http cookies previously sent by the server with the set-cookie header.
... set-cookie send cookies from the server to the user-agent.
...And 4 more matches

HTTP Index - HTTP
45 http cookies advertising, browser, cookies, cookies article, guide, http, history, javascript, privacy, protocols, server, storage, web development, data, request, tracking an http cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser.
... 68 clear-site-data http, http header, reference, header the clear-site-data header clears browsing data (cookies, storage, cache) associated with the requesting website.
... 109 cookie cookies, http, reference, header, request the cookie http request header contains stored http cookies previously sent by the server with the set-cookie header.
...And 4 more matches

nsIAlertsService
implemented by: @mozilla.org/alerts-service;1 as a service: var alertsservice = components.classes["@mozilla.org/alerts-service;1"] .getservice(components.interfaces.nsialertsservice); method overview void showalertnotification(in astring imageurl, in astring title, in astring text, [optional] in boolean textclickable, [optional] in astring cookie, [optional] in nsiobserver alertlistener, [optional] in astring name, [optional] in astring dir, [optional] in astring lang, [optional] in astring data, [optional] in nsiprincipal principal,[optional] in boolean inprivatebrowsing); void closealert([optional] in astring name, [optional] in nsiprincipal principal); methods showalertnotification() displays a notification window.
... void showalertnotification( in astring imageurl, in astring title, in astring text, in boolean textclickable, optional in astring cookie, optional in nsiobserver alertlistener, optional in astring name, optional in astring dir, optional in astring lang, optional in astring data, optional in nsiprincipal principal, optional in boolean inprivatebrowsing, optional ); parameters imageurl a url identifying the image to display in the notification alert.
... cookie optional a blind cookie the alert passes back to the consumer during alert listener callbacks.
...And 3 more matches

nsIHttpChannel
void getoriginalresponseheader( in acstring aheader, in nsihttpheadervisitor avisitor ); parameters aheader the case-insensitive name of the response header to query (for example "set-cookie").
... acstring getresponseheader( in acstring header ); parameters header the case-insensitive name of the response header to query (for example "set-cookie").
... void setemptyrequestheader( in acstring aheader ); parameters aheader the case-insensitive name of the request header to set (for example "cookie").
...And 3 more matches

Network request list - Firefox Developer Tools
cookies: the number of request cookies associated to the request.
... set-cookies: the number of response cookies associated to the request.
... has-response-header:cache-control has-response-header:x-firefox-spdy set-cookie-domain shows the resources that have a set-cookie header with a domain attribute that matches the specified value.
...And 3 more matches

Clear-Site-Data - HTTP
the clear-site-data header clears browsing data (cookies, storage, cache) associated with the requesting website.
... // single directive clear-site-data: "cache" // multiple directives (comma separated) clear-site-data: "cache", "cookies" // wild card clear-site-data: "*" directives all directives must comply with the quoted-string grammar.
... "cookies" indicates that the server wishes to remove all cookies for the origin of the response url.
...And 3 more matches

Index - HTTP
20 clear-site-data http, http header, reference, header the clear-site-data header clears browsing data (cookies, storage, cache) associated with the requesting website.
... 54 cookie cookies, http, reference, header, request the cookie http request header contains stored http cookies previously sent by the server with the set-cookie header.
... 55 cookie2 http, obsolete, reference, header, request the obsolete cookie2 http request header used to advise the server that the user agent understands "new-style" cookies, but nowadays user agents will use the cookie header instead, not this one.
...And 3 more matches

Same-origin policy - Web security
cookies use a separate definition of origins.
... a page can set a cookie for its own domain or any parent domain, as long as the parent domain is not a public suffix.
...the browser will make a cookie available to the given domain including any sub-domains, no matter which protocol (http/https) or port is used.
...And 3 more matches

Index - Archive of obsolete content
177 cookies add-ons, code snippets, cookies, extensions no summary!
...the issue that is commonly overlooked here is that the rss feed could contain some malicious javascript code and it would then execute with the privileges of the extension — meaning that it would get full access to the browser (cookies, history etc) and to user’s files.
...this includes cookies, history information, download information, and so forth.
...And 2 more matches

MCD, Mission Control Desktop, AKA AutoConfig - Archive of obsolete content
[root@calaz firefox]# cat firefox.cfg //put everything in a try/catch try { //privacy & security defaultpref("signon.remembersignons", false); //proxy and cache, as it is on nfs volume, we don't want cache lockpref("browser.cache.disk.capacity", 0); lockpref("network.cookie.cookiebehavior", 0); defaultpref("network.proxy.autoconfig_url", "http://wpad.int-evry.fr/wpad.dat"); defaultpref("network.proxy.type", 2); lockpref("network.protocol-handler.app.mailto", "/usr/bin/thunderbird"); //firefox3 urlclassifier3.sqlite iowait/cpu pb //http://forums.mozillazine.org/viewtopic.php?p=3381133#3381133 defaultpref("browser.safebrowsing.enabled", false); defaultpref("browser.s...
...ter-arith -wcast-align -wno-long-long -pedantic -pthread -pipe c++ gcc version 3.4.3 20050227 (red hat 3.4.3-22.fc3) -fno-rtti -fno-exceptions -wall -wconversion -wpointer-arith -wcast-align -woverloaded-virtual -wsynth -wno-ctor-dtor-privacy -wno-non-virtual-dtor -wno-long-long -pedantic -fshort-wchar -pthread -pipe -i/usr/x11r6/include configure arguments --disable-mailnews --enable-extensions=cookie,xml-rpc,xmlextras,pref,transformiix,universalchardet,webservices,inspector,gnomevfs,negotiateauth --enable-crypto --disable-composer --enable-single-profile --disable-profilesharing --with-system-jpeg --with-system-zlib --with-system-png --with-pthreads --disable-tests --disable-jsd --disable-installer '--enable-optimize=-os -g -pipe -m32 -march=i386 -mtune=pentium4' --enable-xft --enable-xineram...
...shared ac_add_options --disable-crashreporter the option --disable-crashreporter is necessary if you get compile error at this stage of the build gmake[7]: entering directory `/usr/local/moz2/commsrc/mozilla/toolkit/crashreporter/google-breakpad/src/common/linux' dump_symbols.cc build then start building [root@b008-02 commsrc]# time make -f client.mk build rm -f ../../mozilla/dist/bin/testcookie if test -f ../../mozilla/dist/bin/testtarray; then cp ../../mozilla/dist/bin/testtarray ../../mozilla/dist/bin/testcookie; fi; gmake[5]: quittant le répertoire « /usr/local/moz/commsrc/mail/app » gmake[4]: quittant le répertoire « /usr/local/moz/commsrc/mail » gmake[3]: quittant le répertoire « /usr/local/moz/commsrc » gmake[2]: quittant le répertoire « /usr/local...
...And 2 more matches

Client-side storage - Learn web development
old school: cookies the concept of client-side storage has been around for a long time.
... since the early days of the web, sites have used cookies to store information to personalize user experience on websites.
... these days, there are easier mechanisms available for storing client-side data, therefore we won't be teaching you how to use cookies in this article.
...And 2 more matches

Network request details - Firefox Developer Tools
the tabs at the top of this pane enable you to switch between the following pages: headers messages (only for websocket items) cookies params response cache timings security (only for secure pages) stack trace (only when the request has a stack trace, e.g.
... { "name": "server", "value": "mw1316.eqiad.wmnet" }, { "name": "server-timing", "value": "cache;desc=\"pass\"" }, { "name": "strict-transport-security", "value": "max-age=106384710; includesubdomains; preload" }, { "name": "vary", "value": "accept-encoding,treat-as-untrusted,x-forwarded-proto,cookie,authorization,x-seven" }, { "name": "via", "value": "1.1 varnish (varnish/5.1), 1.1 varnish (varnish/5.1)" }, { "name": "x-analytics", "value": "ns=-1;special=badtitle;wmf-last-access=11-jun-2019;wmf-last-access-global=11-jun-2019;https=1" }, { "name": "x-cache", "value": "cp1075 pass, cp1075 pass" }, ...
... ] }, "request headers (665 b)": { "headers": [ { "name": "accept", "value": "*/*" }, { "name": "accept-encoding", "value": "gzip, deflate, br" }, { "name": "accept-language", "value": "en-us,en;q=0.5" }, { "name": "connection", "value": "keep-alive" }, { "name": "cookie", "value": "wmf-last-access=11-jun-2019; wmf-last-access-global=11-jun-2019; mwphp7seed=5c9; geoip=us:ny:port_jervis:41.38:-74.67:v4" }, { "name": "dnt", "value": "1" }, { "name": "host", "value": "en.wikipedia.org" }, { "name": "referer", "value": "https://www.wikipedia.org/" }, { "nam...
...And 2 more matches

Using Fetch - Web APIs
fetch() won't can receive cross-site cookies; you can’t can establish a cross site session using fetch.
... set-cookie headers from other sites are silently ignored.
... fetch won’t send cookies, unless you set the credentials init option.
...And 2 more matches

Request.credentials - Web APIs
the credentials read-only property of the request interface indicates whether the user agent should send cookies from the other domain in the case of cross-origin requests.
... syntax var mycred = request.credentials; value a requestcredentials dictionary value indicating whether the user agent should send cookies from the other domain in the case of cross-origin requests.
... possible values are: omit: never send or receive cookies.
...And 2 more matches

Using the Storage Access API - Web APIs
usage notes the storage access api is designed to allow embedded content to request access to storage that would otherwise be blocked when a user’s browser is set to block all third-party cookies.
...this is particularly true for document.cookie access, as browsers will often return an empty cookie jar when third-party cookies are blocked.
... accessing a user's cookies in an embedded cross-origin iframe in this example we show how an embedded cross-origin <iframe> can access a user’s cookies under a storage access policy that blocks third-party cookies.
...And 2 more matches

XMLHttpRequest.withCredentials - Web APIs
the xmlhttprequest.withcredentials property is a boolean that indicates whether or not cross-site access-control requests should be made using credentials such as cookies, authorization headers or tls client certificates.
... in addition, this flag is also used to indicate when cookies are to be ignored in the response.
...xmlhttprequest from a different domain cannot set cookie values for their own domain unless withcredentials is set to true before making the request.
...And 2 more matches

net/xhr - Archive of obsolete content
if transmission of cookies isn't prevented, malicious code could access sensitive data.
... finally, we need to also consider attenuating http/https requests such that they're "sandboxed" and don't communicate potentially sensitive cookie information.
... functions forceallowthirdpartycookie(xhr) force relevant cookies to be sent with this xmlhttprequest even if normally they would not be.
... parameters xhr: xmlhttprequest the xmlhttprequest to allow third-party cookies for.

Supporting private browsing mode - Archive of obsolete content
this includes cookies, history information, download information, and so forth.
... when private browsing mode is enabled, temporary, databases are created to be used for cookies and local storage; these databases are thrown away when private browsing mode is turned off, and the regular databases are re-activated.
... the temporary cookie and local storage databases start out empty.
... all data related to pages the user has visited, including cookies and form data.

NPN_GetValueForURL - Archive of obsolete content
« gecko plugin api reference « browser side plug-in api summary provides information to a plugin which is associated with a given url, for example the cookies or preferred proxy.
... syntax #include <npapi.h> typedef enum { npnurlvcookie = 501, npnurlvproxy } npnurlvariable; nperror npn_getvalueforurl(npp instance, npnurlvariable variable, const char *url, char **value, uint32_t *len); parameters this function has the following parameters: instance pointer to the current plug-in instance.
... variable selects the type of information to be retrieved (npnurlvcookie or npnurlvproxy) url the url for which to fetch information.
... when multiple cookies are returned for a given url, the format of the return value is: cookie1=value1;cookie2=value2;cookie3=value3 len out parameter.

NPN_SetValueForURL - Archive of obsolete content
« gecko plugin api reference « browser side plug-in api summary allows a plugin to change the stored information associated with a url, in particular its cookies.
... (while the api theoretically allows the preferred proxy for a given url to be changed, doing so does not have much meaning given how proxies are configured, and is not supported.) syntax #include <npapi.h> typedef enum { npnurlvcookie = 501, npnurlvproxy } npnurlvariable; nperror npn_setvalueforurl(npp instance, npnurlvariable variable, const char *url, const char *value, uint32_t len); parameters this function has the following parameters: instance pointer to the current plug-in instance.
...the only supported type is npnurlvcookie.
... description this entry point is designed to allow plugins to affect the cookies sent by the browser back to the server.

Writing JavaScript for XHTML - Archive of obsolete content
problem: my cookie isn't saved!
...in xml documents there is no document.cookie.
... that is, you can write something like document.cookie = "key=value"; in xml as well, but nothing is saved in cookie storage.
...although this feature is not free of critics, you can use it to bypass the non-existing cookie, if your document is of type xml.

Server-side web frameworks - Learn web development
the http request may also include information about the current session or user in a client-side cookie.
...an http get), get or post parameters, cookie and session data, etc.
...it contains a development server and debugger, and includes support for jinja2 templating, secure cookies, unit testing, and restful request dispatching.
... a full-stack http and websocket client/server implementation with ipv6, tls, sni, idna, http/socks5 proxy, unix domain socket, comet (long polling), keep-alive, connection pooling, timeout, cookie, multipart, and gzip compression support.

HTTP logging
press the enter key after each one.: for 64-bit windows: set moz_log=timestamp,rotate:200,nshttp:5,cache2:5,nssockettransport:5,nshostresolver:5,cookie:5 set moz_log_file=%temp%\log.txt "c:\program files\mozilla firefox\firefox.exe" for 32-bit windows: set moz_log=timestamp,rotate:200,nshttp:5,cache2:5,nssockettransport:5,nshostresolver:5,cookie:5 set moz_log_file=%temp%\log.txt "c:\program files (x86)\mozilla firefox\firefox.exe" (these instructions assume that you installed firefox to the default location, and that drive c: is your win...
... export moz_log=timestamp,rotate:200,nshttp:5,cache2:5,nssockettransport:5,nshostresolver:5,cookie:5 export moz_log_file=/tmp/log.txt cd /path/to/firefox ./firefox reproduce the problem you're debugging.
... export moz_log=timestamp,rotate:200,nshttp:5,cache2:5,nssockettransport:5,nshostresolver:5,cookie:5 export moz_log_file=~/desktop/log.txt cd /applications/firefox.app/contents/macos ./firefox-bin (the instructions assume that you've installed firefox directly into your startup disk's applications folder.
... copy and paste the following line into the "run" command window and then press enter: for 32-bit windows: "c:\program files (x86)\mozilla firefox\firefox.exe" -moz_log=timestamp,rotate:200,nshttp:5,cache2:5,nssockettransport:5,nshostresolver:5,cookie:5 -moz_log_file=%temp%\log.txt for 64-bit windows: "c:\program files\mozilla firefox\firefox.exe" -moz_log=timestamp,rotate:200,nshttp:5,cache2:5,nssockettransport:5,nshostresolver:5,cookie:5 -moz_log_file=%temp%\log.txt (these instructions assume that you installed firefox to the default location, and that drive c: is your windows startup disk.

nsIHttpChannelInternal
introduced gecko 1.0 inherits from: nsisupports last changed in gecko 6.0 (firefox 6.0 / thunderbird 6.0 / seamonkey 2.3) method overview void getrequestversion(out unsigned long major, out unsigned long minor); void getresponseversion(out unsigned long major, out unsigned long minor); void httpupgrade(in acstring aprotocolname, in nsihttpupgradelistener alistener); void setcookie(in string acookieheader); void setupfallbackchannel(in string afallbackkey); attributes attribute type description canceled boolean returns true if and only if the channel has been canceled.
... forceallowthirdpartycookie boolean force relevant cookies to be sent with this load even if normally they would not be.
...setcookie() helper method to set a cookie with a consumer-provided cookie header, but using the channel's other information (uri's, prompters, date headers and so on.).
... void setcookie( in string acookieheader ); parameters acookieheader the cookie header to be parsed.

Web Console remoting - Firefox Developer Tools
examples: { "from": "conn0.netevent14", "type": "networkeventupdate", "updatetype": "requestheaders", "headers": 10, "headerssize": 425 }, { "from": "conn0.netevent14", "type": "networkeventupdate", "updatetype": "requestcookies", "cookies": 0 }, { "from": "conn0.netevent14", "type": "networkeventupdate", "updatetype": "requestpostdata", "datasize": 1024, "discardrequestbody": false }, { "from": "conn0.netevent14", "type": "networkeventupdate", "updatetype": "responsestart", "response": { "httpversion": "http/1.1", "status": "304", "statustext": "not modified", "headerssize": 194, ...
... "discardresponsebody": true } }, { "from": "conn0.netevent14", "type": "networkeventupdate", "updatetype": "eventtimings", "totaltime": 1 }, { "from": "conn0.netevent14", "type": "networkeventupdate", "updatetype": "responseheaders", "headers": 6, "headerssize": 194 }, { "from": "conn0.netevent14", "type": "networkeventupdate", "updatetype": "responsecookies", "cookies": 0 }, { "from": "conn0.netevent14", "type": "networkeventupdate", "updatetype": "responsecontent", "mimetype": "text/css", "contentsize": 0, "discardresponsebody": true } actual headers, cookies, and bodies are not sent.
... ], "headerssize": 350 } the getrequestcookies packet: { "to": "conn0.netevent15", "type": "getrequestcookies" } { "from": "conn0.netevent15", "cookies": [] } the getresponseheaders packet: { "to": "conn0.netevent15", "type": "getresponseheaders" } { "from": "conn0.netevent15", "headers": [ { "name": "date", "value": "mon, 17 sep 2012 20:05:27 gmt" }, ...
... ], "headerssize": 320 } the getresponsecookies packet: { "to": "conn0.netevent15", "type": "getresponsecookies" } { "from": "conn0.netevent15", "cookies": [] } starting with firefox 19: for all of the header and cookie values in the above packets we use longstringactor grips when the value is very long.

Fetch API - Web APIs
fetch() won't can receive cross-site cookies; you can’t can establish a cross site session using fetch.
... set-cookie headers from other sites are silently ignored.
... fetch() won’t send cookies, unless you set credentials: 'same-origin'.
... if you are targetting older versions of these browsers, be sure to include credentials: 'same-origin' init option on all api requests that may be affected by cookies/user login state.

An overview of HTTP - HTTP
but while the core of http itself is stateless, http cookies allow the use of stateful sessions.
... using header extensibility, http cookies are added to the workflow, allowing session creation on each http request to share the same context, or the same state.
...basic authentication may be provided by http, either using the www-authenticate and similar headers, or by setting a specific session using http cookies.
... sessions using http cookies allows you to link requests with the state of the server.

HTTP
http cookies how cookies work is defined by rfc 6265.
... when serving an http request, a server can send a set-cookie http header with the response.
... the client then returns the cookie's value with every request to the same server in the form of a cookie request header.
... the cookie can also be set to expire on a certain date, or restricted to a specific domain and path.

Proxy - JavaScript
// [{ name: 'firefox', type: 'browser' }, { name: 'seamonkey', type: 'browser' }] console.log(products.types); // ['browser', 'mailer'] console.log(products.number); // 3 a complete traps list example now in order to create a complete sample traps list, for didactic purposes, we will try to proxify a non-native object that is particularly suited to this type of operation: the doccookies global object created by the "little framework" published on the document.cookie page.
... /* var doccookies = ...
... get the "doccookies" object here: https://developer.mozilla.org/docs/dom/document.cookie#a_little_framework.3a_a_complete_cookies_reader.2fwriter_with_full_unicode_support */ var doccookies = new proxy(doccookies, { get: function (otarget, skey) { return otarget[skey] || otarget.getitem(skey) || undefined; }, set: function (otarget, skey, vvalue) { if (skey in otarget) { return false; } return otarget.setitem(skey, vvalue); }, deleteproperty: function (otarget, skey) { if (skey in otarget) { return false; } return otarget.removeitem(skey); }, enumerate: function (otarget, skey) { return otarget.keys(); }, ownkeys: function (otarget, skey) { return otarget.keys(); }, has: function (otarget, skey) { return skey in otarget || otarget.hasitem...
...{ value: vvalue, writable: true, enumerable: true, configurable: false } : undefined; }, }); /* cookies test */ console.log(doccookies.my_cookie1 = 'first value'); console.log(doccookies.getitem('my_cookie1')); doccookies.setitem('my_cookie1', 'changed value'); console.log(doccookies.my_cookie1); specifications specification ecmascript (ecma-262)the definition of 'proxy' in that specification.

Index - MDN Web Docs Glossary: Definitions of Web-related terms
91 cookie glossary, webmechanics a cookie is a small piece of information left on a visitor's computer by a website, via a web browser.
... 158 forbidden response header name glossary, http, response, forbidden a forbidden response header name is an http header name (either `set-cookie` or `set-cookie2`) that cannot be modified programmatically.
...request headers, like accept, accept-*, or if-* allow to perform conditional requests; others like cookie, user-agent, or referer precise the context so that the server can tailor the answer.

Blocked: All storage access requests
message firefox: cookieblockedall=request to access cookies or storage on “x” was blocked because we are blocking all storage access requests.
... a request to access cookies or storage was blocked because the browser is blocking all storage access.
... the permission can be changed or removed by: going to preferences > content blocking in the custom content blocking section, selecting a value other than all cookies for the cookies item if the resource that is being blocked doesn't need authentication, you can fix the warning message by adding a crossorigin="anonymous" attribute to your element.

Blocked: All third-party storage access requests
message firefox: cookieblockedforeign=request to access cookies or storage on “x” was blocked because we are blocking all third-party storage access requests and content blocking is enabled.
... a request to access cookies or storage was blocked because it came from a third-party (a different origin) and content blocking is enabled.
... the permission can be changed or removed by: going to preferences > content blocking and either adding an exception with the manage exceptions… button choosing the custom content blocking and unchecking the cookies checkbox if the resource that is being blocked doesn't need authentication, you can fix the warning message by adding a crossorigin="anonymous" attribute to the relevant element.

Observer Notifications
cookies these topics indicate whenever a cookie has been changed (added, changed, cleared, or deleted) or its setting rejected by the browser.
... see nsicookieservice for details.
... topic description cookie-changed called upon a cookie change (added, changed, cleared, or deleted) cookie-rejected called when the setting of a cookie was rejected by the browser (per the user's preferences) http-on-response-set-cookie this is fired only when a cookie is created due to the presence of set-cookie header in the response header of any network request.

Mozilla
cookies in mozilla suggestions as to needed documentation can be directed to mike connor.
... cookies preferences in mozilla these preferences apply to most mozilla products (including firefox and seamonkey), however they are application-specific, so not all of them may apply to you.
... creating sandboxed http connections starting with gecko 1.8.1 (firefox 2), it is possible to create sandboxed http connections which don't affect the user's cookies.

Index - Firefox Developer Tools
105 storage inspector cookies, dev tools, firefox, guide, indexeddb, local storage, session storage, storage, tools the storage inspector enables you to inspect various types of storage that a web page can use.
...for each resource, you'll see: 107 cookies cookies, dev tools, firefox, guide, storage, storage inspector, tools, l10n:priority when you select an origin inside the cookies storage type from the storage tree, all the cookies present for that origin will be listed in a table.
... the cookies table has the following columns: 108 extension storage dev tools, extension storage, firefox, guide, storage, storage inspector, tools, l10n:priority this storage type is only shown when debugging extensions.

Browser storage limits and eviction criteria - Web APIs
we term them "quota clients" in this context: indexeddb asm.js caching cache api cookies note: in firefox, web storage will soon start to use the same storage management tools too, as described in this document.
...local storage data and cookies are still stored, but they are ephemeral — the data is deleted when you close the last private browsing window.
...this will only be evicted if the user chooses to (for example, in firefox you can choose to delete all stored data or only stored data from selected origins by going to preferences and using the options under privacy & security > cookies & site data).

Writing WebSocket servers - Web APIs
this means that you don't have to bloat your server code with cookie and authentication handlers (for example).
...also, common headers like user-agent, referer, cookie, or authentication headers might be there as well.
... note: the server can send other headers like set-cookie, or ask for authentication or redirects via other status codes, before sending the reply handshake.

Web Storage API - Web APIs
the web storage api provides mechanisms by which browsers can store key/value pairs, in a much more intuitive fashion than using cookies.
... storage limit is larger than a cookie (at most 5mb).
... note: access to web storage from third-party iframes is denied if the user has disabled third-party cookies (firefox implements this behaviour from version 43 onwards.) note: web storage is not the same as mozstorage (mozilla's xpcom interfaces to sqlite) or the session store api (an xpcom storage utility for use by extensions).

Link prefetching FAQ - HTTP
privacy implications along with the referral and url-following implications already mentioned above, prefetching will generally cause the cookies of the prefetched site to be accessed.
... (for example, if you google amazon, the google results page will prefetch www.amazon.com, causing amazon cookies to be sent back and forth.
... you can block 3rd party cookies in firefox, see disabling third party cookies.) what about...?

Source code directories overview - Archive of obsolete content
these include: cookies, irc, wallet, dom inspector, p3p, schema validation, spellchecker, transformiix, typeaheadfind, javascript debugger, xforms, etc.
... components contains the alerts, autocomplete, command line interface, console, cookies, download manager, filepicker, history, password manager, typeaheadfind, view source, etc.

jspage - Archive of obsolete content
urn string(b); case false:return"null";}return null;},decode:function(string,secure){if($type(string)!="string"||!string.length){return null;}if(secure&&!(/^[,:{}\[\]0-9.\-+eaeflnr-u \n\r\t]*$/).test(string.replace(/\\./g,"@").replace(/"[^"\\\n\r]*"/g,""))){return null; }return eval("("+string+")");}});native.implement([hash,array,string,number],{tojson:function(){return json.encode(this);}});var cookie=new class({implements:options,options:{path:false,domain:false,duration:false,secure:false,document:document},initialize:function(b,a){this.key=b; this.setoptions(a);},write:function(b){b=encodeuricomponent(b);if(this.options.domain){b+="; domain="+this.options.domain;}if(this.options.path){b+="; path="+this.options.path; }if(this.options.duration){var a=new date();a.settime(a.gettime()+this.opti...
...ons.duration*24*60*60*1000);b+="; expires="+a.togmtstring();}if(this.options.secure){b+="; secure"; }this.options.document.cookie=this.key+"="+b;return this;},read:function(){var a=this.options.document.cookie.match("(?:^|;)\\s*"+this.key.escaperegexp()+"=([^;]*)"); return(a)?decodeuricomponent(a[1]):null;},dispose:function(){new cookie(this.key,$merge(this.options,{duration:-1})).write("");return this;}});cookie.write=function(b,c,a){return new cookie(b,a).write(c); };cookie.read=function(a){return new cookie(a).read();};cookie.dispose=function(b,a){return new cookie(b,a).dispose();};var swiff=new class({implements:[options],options:{id:null,height:1,width:1,container:null,properties:{},params:{quality:"high",allowscriptaccess:"always",wmode:"transparent",swliveconnect:true},callbacks:{},vars:{...

XUL accessibility guidelines - Archive of obsolete content
for example, under the privacy section of preferences there are three groupboxes captioned: history, cookies, and private data.
... if the user were to tab to the "exceptions..." button they would hear "cookies {pause} exceptions {pause} button." the next tab would read "cookies {pause} keep until {pause} they expire {pause} one of three {pause} combobox." if the screen reader only read the label, then the user would have to guess what the "exceptions" button or the "keep until" combobox was referring to.

NPAPI plugin reference - Archive of obsolete content
npn_getvalueforurl provides information to a plugin which is associated with a given url, for example the cookies or preferred proxy.
... npn_setvalueforurl allows a plugin to change the stored information associated with a url, in particular its cookies.

Browser Feature Detection - Archive of obsolete content
document.domain true true true document.url true true true document.body true true true document.images true true true document.applets true true true document.links true true true document.forms true true true document.anchors true true true document.cookie true true true document.open() true true true document.close() true true true document.write() true true true document.writeln() true true true document.getelementbyid() true true true document.getelementsbyname() true true true dom css 1 support for properties/methods in d...
...e: 'title', 'supported': false}, {name: 'referrer', 'supported': false}, {name: 'domain', 'supported': false}, {name: 'url', 'supported': false}, {name: 'body', 'supported': false}, {name: 'images', 'supported': false}, {name: 'applets', 'supported': false}, {name: 'links', 'supported': false}, {name: 'forms', 'supported': false}, {name: 'anchors', 'supported': false}, {name: 'cookie', 'supported': false}, {name: 'open', 'supported': false}, {name: 'close', 'supported': false}, {name: 'write', 'supported': false}, {name: 'writeln', 'supported': false}, {name: 'getelementbyid', 'supported': false}, {name: 'getelementsbyname', 'supported': false} ], 'domcore2': [ {name: 'doctype', 'supported': false}, {name: 'implementation', 'supported': false}, {name: 'do...

Making decisions in your code — conditionals - Learn web development
human beings (and other animals) make decisions all the time that affect their lives, from small ("should i eat one cookie or two?") to large ("should i stay in my home country and work on my father's farm, or should i move to america and study astrophysics?") conditional statements allow us to represent such decision making in javascript, from the choice that must be made (for example, "one cookie or two"), to the resulting outcome of those choices (perhaps the outcome of "ate one cookie" might be "still felt hungr...
...y", and the outcome of "ate two cookies" might be "felt full, but mom scolded me for eating all the cookies".) if...else statements let's look at by far the most common type of conditional statement you'll use in javascript — the humble if...else statement.

Introduction to the server side - Learn web development
the request includes a url identifying the affected resource, a method that defines the required action (for example to get, delete, or post the resource), and may include additional information encoded in url parameters (the field-value pairs sent via a query string), as post data (data sent by the http post method), or in associated cookies.
...this information is an example of session information stored in cookies.

Embedding API for Accessibility
us (or will give us), for accessibility: functionality implementation works as of images setintpref("network.image.imagebehavior", behavior); /* behavior: 0=accept, 1=accept images from originating server only, 2=no images */ moz 0.8 cookies setintpref("network.cookie.cookiebehavior", behavior); /* behavior: 0=accept, 1=accept cookies from originating server only, 2=no cookies */ setboolpref("network.cookie.warnaboutcookies", boolwarn); moz 0.8 fonts setcharpref("font.name.monospace.x-w...
... we have a permissions system for cookies and images based on url's.

Index
170 storage access policy: block cookies from trackers privacy, storage access policy, tracking protection firefox includes a new storage access policy that blocks cookies and other site data from third-party tracking resources.
...the new policy protects against cross-site tracking while minimizing the site breakage associated with traditional cookie blocking.

Blocked: Storage access requests from trackers
message firefox: cookieblockedtracker=request to access cookies or storage on “x” was blocked because it came from a tracker and content blocking is enabled.
... a request to access cookies or storage was blocked because the browser identified it as coming from a tracker and content blocking is enabled.

Partitioned: All third-party storage access requests
message firefox: cookiepartitionedforeign=partitioned cookie or storage access was provided to “<url>” because it is loaded in the third-party context and storage partitioning is enabled.
... a request to access cookies or storage was partitioned because it came from a third-party (a different origin) and dynamic first-party isolation is enabled.

HTMLIFrameElement.purgeHistory()
it only deletes history, not cookies or other stored information.
... note: to delete cookies for a firefox os app, you could call clearbrowserdata() on the actual app itself.

Localization content best practices
as a native english speaker, you might find it natural to use delete-cookie = delete cookie delete-cookies = delete cookies in firefox this should be # localization note (delete-cookies): semi-colon list of plural forms.
... # see: http://developer.mozilla.org/en/docs/localization_and_plurals # #1 is the number of cookies to delete # example: delete-cookies = delete #1 cookie;delete #1 cookies important: always include the localization note with this format if you use a plural form in firefox.

Localizing with Mozilla Translator
|-- browser-region | `-- region.properties `-- ab-cd |-- alerts | `-- notificationnames.properties |-- autoconfig | `-- autoconfig.properties |-- cookie | |-- cookieacceptdialog.dtd | `-- cookieacceptdialog.properties |-- global | |-- about.dtd | |-- apppicker.dtd .
... but in the cvs and mozilla-central repositories the locale part looks like this: toolkit |-- locales | |-- en-us | | |-- chrome | | | |-- alerts | | | | `-- notificationnames.properties | | | |-- autoconfig | | | | `-- autoconfig.properties | | | |-- cookie | | | | |-- cookieacceptdialog.dtd | | | | `-- cookieacceptdialog.properties | | | |-- global | | | | |-- about.dtd | | | | |-- apppicker.dtd .

Mozilla Web Services Security Model
please do not depend on anything in it being correct for security.) to prevent the browser from being used as a tool for web sites to obtain priveleges that belong to the browser's user (such as being behind a firewall or getting the benefits of the user's cookies), web browsers restrict what web pages can do when accessing things in other domains.
... allow all services on a site to be accessed from any web page note that this is only a sensible thing to do if nothing on the site serves content based on cookies, http authentication, ip address / domain origin, or any other method of authentication.

NSS 3.35 release notes
the application is then able to examine application-chosen content from the session tickets, or helloretryrequest cookie, and decide whether to proceed with the connection.
... for an initial clienthello, an application can control whether nss sends a helloretryrequest, and include application-chosen content in the cookie.

nsIPermission
the nsipermission interface defines a "permission" object, which is used to allow or block objects (for example cookies, images) from certain sites based on user preferences.
... type acstring the type of permission: cookie, image, and so on.

nsIPrivateBrowsingService
in addition, temporary, databases are created to be used for cookies and local storage; these databases are thrown away when private browsing mode is turned off, and the regular databases are re-activated.
... the temporary cookie and local storage databases start out empty.

nsISessionStore
note: the returned string does not include cookies.
... if you need to retrieve cookies as well, you should use getwindowstate() instead.

nsIWebBrowserPersist
persist_flags_force_allow_cookies 65536 force relevant cookies to be sent with this load even if normally they wouldn't be.
...cookies, permanent cache, etc.) null must only be passed in the event that no such relevant context exists (ie.

Address book sync client design
* acookie - hmmm...cooookies!
... */ void onstopauthoperation(in nsresult astatus, in wstring amsg, in string acookie); /** * notify the observer that the ab sync operation has begun.

Index
18 cookies in thunderbird cookies, guide, thunderbird in versions of thunderbird prior to 3 the cookie policy was very restrictive (to rss only).
... thunderbird 3 uses the gecko cookie policy with some changes.

Browser Side Plug-in API - Plugins
npn_getvalueforurl provides information to a plug-in which is associated with a given url, for example the cookies or preferred proxy.
... npn_setvalueforurl allows a plug-in to change the stored information associated with a url, in particular its cookies.

Gecko Plugin API Reference - Plugins
npn_getvalueforurl provides information to a plug-in which is associated with a given url, for example the cookies or preferred proxy.
... npn_setvalueforurl allows a plug-in to change the stored information associated with a url, in particular its cookies.

Document.lastModified - Web APIs
here is a possible example of how to show an alert message when the page changes (see also: javascript cookies api): if (date.parse(document.lastmodified) > parsefloat(document.cookie.replace(/(?:(?:^|.*;)\s*last_modif\s*\=\s*([^;]*).*$)|^.*$/, "$1") || "0")) { document.cookie = "last_modif=" + date.now() + "; expires=fri, 31 dec 9999 23:59:59 gmt; path=" + location.pathname; alert("this page has changed!"); } …the same example, but skipping the first visit: var nlastvisit = parsefloat(documen...
...t.cookie.replace(/(?:(?:^|.*;)\s*last_modif\s*\=\s*([^;]*).*$)|^.*$/, "$1")), nlastmodif = date.parse(document.lastmodified); if (isnan(nlastvisit) || nlastmodif > nlastvisit) { document.cookie = "last_modif=" + date.now() + "; expires=fri, 31 dec 9999 23:59:59 gmt; path=" + location.pathname; if (isfinite(nlastvisit)) { alert("this page has been changed!"); } } note: webkit returns the time string in utc; gecko and internet explorer return a time in the local timezone.

Basic concepts - Web APIs
<iframe> content) can access the indexeddb store for the origin it is embedded into, unless the browser is set to never accept third party cookies (see bug 1147821.) definitions this section defines and explains terms used in the indexeddb api.
...many browsers have settings that let users wipe all data stored for a given website, including cookies, bookmarks, stored passwords, and indexeddb data.

XMLHttpRequest() - Web APIs
most important, this means that cookies will not be sent unless explicitly added using setrequestheader.
...this can't be combined with sending cookies or other user credentials.

XMLHttpRequest.getAllResponseHeaders() - Web APIs
return value a bytestring representing all of the response's headers (except those whose field name is set-cookie or set-cookie2) separated by crlf, or null if no response has been received.
... an example of what a raw header string looks like: date: fri, 08 dec 2017 21:04:30 gmt\r\n content-encoding: gzip\r\n x-content-type-options: nosniff\r\n server: meinheld/0.6.1\r\n x-frame-options: deny\r\n content-type: text/html; charset=utf-8\r\n connection: keep-alive\r\n strict-transport-security: max-age=63072000\r\n vary: cookie, accept-encoding\r\n content-length: 6502\r\n x-xss-protection: 1; mode=block\r\n each line is terminated by both carriage return and line feed characters (\r\n).

XMLHttpRequest - Web APIs
xmlhttprequest.withcredentials is a boolean that indicates whether or not cross-site access-control requests should be made using credentials such as cookies or authorization headers.
...if true, the request will be sent without cookie and authentication headers.

<audio>: The Embed Audio element - HTML: Hypertext Markup Language
in other words, it sends the origin: http header without a cookie, x.509 certificate, or performing http basic authentication.
...in other words, it sends the origin: http header with a cookie, a certificate, or performing http basic authentication.

<img>: The Image Embed element - HTML: Hypertext Markup Language
allowed values: anonymous a cors request is sent with credentials omitted (that is, no cookies, x.509 certificates, or authorization request header).
... use-credentials the cors request is sent with any credentials included (that is, cookies, x.509 certificates, and the authorization request header).

<link>: The External Resource Link element - HTML: Hypertext Markup Language
no cookie, x.509 certificate, or http basic authentication).
...a cookie, certificate, and/or http basic authentication is performed).

<video>: The Video Embed element - HTML: Hypertext Markup Language
in other words, it sends the origin: http header without a cookie, x.509 certificate, or performing http basic authentication.
...in other words, it sends the origin: http header with a cookie, a certificate, or performing http basic authentication.

Evolution of HTTP - HTTP
t-encoding: gzip, deflate, br referer: https://developer.mozilla.org/docs/glossary/simple_header 200 ok connection: keep-alive content-encoding: gzip content-type: text/html; charset=utf-8 date: wed, 20 jul 2016 10:55:30 gmt etag: "547fa7e369ef56031dd3bff2ace9fc0832eb251a" keep-alive: timeout=5, max=1000 last-modified: tue, 19 jul 2016 00:59:33 gmt server: apache transfer-encoding: chunked vary: cookie, accept-encoding (content) get /static/img/header-background.png http/1.1 host: developer.cdn.mozilla.net user-agent: mozilla/5.0 (macintosh; intel mac os x 10.9; rv:50.0) gecko/20100101 firefox/50.0 accept: */* accept-language: en-us,en;q=0.5 accept-encoding: gzip, deflate, br referer: https://developer.mozilla.org/docs/glossary/simple_header 200 ok age: 9578461 cache-control: public, max-ag...
... the introduction of security-related prefixes in the cookie header, now helps guarantee a secure cookie has not been altered.

A typical HTTP session - HTTP
-type: text/html; charset=utf-8 content-length: 55743 connection: keep-alive cache-control: s-maxage=300, public, max-age=0 content-language: en-us date: thu, 06 dec 2018 17:37:18 gmt etag: "2e77ad1dc6ab0b53a2996dfd4653c1c3" server: meinheld/0.6.1 strict-transport-security: max-age=63072000 x-content-type-options: nosniff x-frame-options: deny x-xss-protection: 1; mode=block vary: accept-encoding,cookie age: 7 <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>a simple webpage</title> </head> <body> <h1>simple html5 webpage</h1> <p>hello, world!</p> </body> </html> notification that the requested resource has permanently moved: http/1.1 301 moved permanently server: apache/2.4.37 (red hat) content-type: text/html; charset=utf-8 date: thu, 06 dec 2018 17:33:08 gmt ...
...tml; charset=utf-8 content-length: 38217 connection: keep-alive cache-control: no-cache, no-store, must-revalidate, max-age=0 content-language: en-us date: thu, 06 dec 2018 17:35:13 gmt expires: thu, 06 dec 2018 17:35:13 gmt server: meinheld/0.6.1 strict-transport-security: max-age=63072000 x-content-type-options: nosniff x-frame-options: deny x-xss-protection: 1; mode=block vary: accept-encoding,cookie x-cache: error from cloudfront <!doctype html...

431 Request Header Fields Too Large - HTTP
this lets users attempt to fix the problem, such as by clearing their cookies.
... servers will often produce this status if: the referer url is too long there are too many cookies sent in the request status 431 request header fields too large specifications specification title rfc 6585, section 5: 431 request header fields too large additional http status codes ...

Mixed content - Web security
in the case of passive content, the threat is lower (the page may contain misleading content, or the user's cookies may be stolen).
...if the webpage is public and has no sensitive data about the user, using mixed active content still provides the attacker with the opportunity to redirect the user to other http pages and steal http cookies from those sites.

request - Archive of obsolete content
se to be interpreted as latin-1, use overridemimetype: var request = require("sdk/request").request; var quijote = request({ url: "http://www.latin1files.org/quijote.txt", overridemimetype: "text/plain; charset=latin1", oncomplete: function (response) { console.log(response.text); } }); quijote.get(); anonymous boolean if true, the request will be sent without cookies or authentication headers.

Examples and demos from articles - Archive of obsolete content
[article] code snippets and tutorials javascript complete cookies reader/writer with full unicode support this little framework consists of a complete cookies reader/writer with unicode support.

Code snippets - Archive of obsolete content
browser-oriented code tabbed browser code (firefox/seamonkey) basic operations, such as page loading, with the tabbed browser, which is the heart of mozilla's browser applications cookies reading, writing, modifying, and removing cookies page loading code used to load pages, reload pages, and listen for page loads interaction between privileged and non-privileged code how to communicate from extensions to websites and vice-versa.

Displaying web content in an extension without security issues - Archive of obsolete content
the issue that is commonly overlooked here is that the rss feed could contain some malicious javascript code and it would then execute with the privileges of the extension — meaning that it would get full access to the browser (cookies, history etc) and to user’s files.

Extension Etiquette - Archive of obsolete content
status bar items should only be added for extensions that need constant monitoring, such as ad blocking, page ranking, or cookie management.

Local Storage - Archive of obsolete content
it's also used for storing cookies, form inputs, and others.

Security best practices in extensions - Archive of obsolete content
sandboxed http connections the main purpose of sandboxed http connections is to interact with a web service, without interfering with the cookies set in the browser by that service/site.

Session store API - Archive of obsolete content
new windows are opened as required (one for each window that was saved in the session store), and cookies and the list of recently closed tabs are restored.

Index of archived content - Archive of obsolete content
ooting unit testing using xpcom without chrome using third-party modules (jpm) bootstrapped extensions code snippets alerts and notifications autocomplete bookmarks boxes canvas code snippets cookies customizing the download progress bar delayed execution dialogs and prompts downloading files drag & drop embedding svg examples and demos from articles file i/o finding window handles forms related code snippets html in xul for rich tooltips html to dom...

Merging TraceMonkey Repo - Archive of obsolete content
there's no cookie cutter way to handle it.

MenuButtons - Archive of obsolete content
<toolbarbutton type="menu" image="cookies.png"> <menupopup> <menuitem label="block cookies" type="checkbox"/> <menuitem label="clear cookies"/> </menupopup> </toolbarbutton> the 'menu-button' button the 'menu-button' type of button is used when you want to attach a menu to a button but want to have a default action carried out when the button is pressed by itself.

Creating a Skin - Archive of obsolete content
(the cookie viewer is a good example.) you will notice that it has adopted the rules that we have added.

Archived Mozilla and build documentation - Archive of obsolete content
this includes cookies, history information, download information, and so forth.

Extentsions FAQ - Archive of obsolete content
could someone write an extension that zaps the google analytics cookie, the urchin cookie, switches gmail and google calender to https?

Adobe Flash - Archive of obsolete content
these block-listed modules include various fingerprinting and http_cookie#supercookie modules.

Cross-site scripting - MDN Web Docs Glossary: Definitions of Web-related terms
the user's browser cannot detect the malicious script is untrustworthy, and so gives it access to any cookies, session tokens, or other sensitive site-specific information, or lets the malicious script rewrite the html content.

Forbidden header name - MDN Web Docs Glossary: Definitions of Web-related terms
forbidden header names start with proxy- or sec-, or are one of the following names: accept-charset accept-encoding access-control-request-headers access-control-request-method connection content-length cookie cookie2 date dnt expect feature-policy host keep-alive origin proxy- sec- referer te trailer transfer-encoding upgrade via note: the user-agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in firefox 43) — it can now be set in a fetch headers object, or via xhr setrequestheader().

Forbidden response header name - MDN Web Docs Glossary: Definitions of Web-related terms
a forbidden response header name is an http header name (either `set-cookie` or `set-cookie2`) that cannot be modified programmatically.

Netscape Navigator - MDN Web Docs Glossary: Definitions of Web-related terms
netscape could display a webpage while loading, used javascript for forms and interactive content, and stored session information in cookies.

Page prediction - MDN Web Docs Glossary: Definitions of Web-related terms
also, pre-loaded websites and embedded content can set and read their cookies as if they were visited even if they weren't.

Request header - MDN Web Docs Glossary: Definitions of Web-related terms
request headers, like accept, accept-*, or if-* allow to perform conditional requests; others like cookie, user-agent, or referer precise the context so that the server can tailor the answer.

Response header - MDN Web Docs Glossary: Definitions of Web-related terms
note that strictly speaking, the content-encoding and content-type headers are entity header: 200 ok access-control-allow-origin: * connection: keep-alive content-encoding: gzip content-type: text/html; charset=utf-8 date: mon, 18 jul 2016 16:06:00 gmt etag: "c561c68d0ba92bbeb8b0f612a9199f722e3a621a" keep-alive: timeout=5, max=997 last-modified: mon, 18 jul 2016 02:36:04 gmt server: apache set-cookie: mykey=myvalue; expires=mon, 17-jul-2017 16:06:00 gmt; max-age=31449600; path=/; secure transfer-encoding: chunked vary: cookie, accept-encoding x-backend-server: developer2.webapp.scl3.mozilla.com x-cache-info: not cacheable; meta data too large x-kuma-revision: 1085259 x-frame-options: deny ...

Session Hijacking - MDN Web Docs Glossary: Definitions of Web-related terms
protection against session hijacking create a secure communication channel with ssh (secure shell) pass authentication cookies over https connection implement logout functionality so the user can end the session generate the session id after successful login pass encrypted data between the users and the web server use a string or long random number as a session key learn more general knowledge session hijacking on wikipedia ...

Site - MDN Web Docs Glossary: Definitions of Web-related terms
the concept of a site is used in samesite cookies, as well as a web application's cross-origin resource policy.

MDN Web Docs Glossary: Definitions of Web-related terms
character set chrome cia cipher cipher suite ciphertext class client hints closure cms code splitting codec compile compile time computer programming conditional constant constructor continuous media control flow cookie copyleft cors cors-safelisted request header cors-safelisted response header crawler crlf cross axis cross-site scripting crud cryptanalysis cryptographic hash function cryptography csp csrf css css object model (cssom) css pixel css pre...

Implementing feature detection - Learn web development
if you look at the dom inspector of your browser's developer tools, you'll see that modernizr has updated your <html> class value like so: <html class="js no-htmlimports sizes flash transferables applicationcache blobconstructor blob-constructor cookies cors ...and loads more values!> it now contains a large number of classes that indicate the support status of different technology features.

Strategies for carrying out testing - Learn web development
private browsing in firefox, incognito mode in chrome) so things like cookies and temp files are not saved.

Configuring Build Options
some extensions are not compatible with all apps, for example: cookie is not compatible with thunderbird typeaheadfind is not compatible with any toolkit app (firefox, thunderbird) unless you know which extensions are compatible with which apps, do not use the --enable-extensions option; the build system will automatically select the proper default set of extensions.

Errors
you can find further information about them by clicking on the links below: a request to access cookies or storage was blocked because of a custom cookie permission blocked because it came from a tracker and content blocking is enabled blocked because we are blocking all storage access requests blocked because we are blocking all third-party storage access requests and content blocking is enabled granted partitioned access because it came from a third-party and dynamic first-party isolation is enabled ...

Tracking Protection
if tracking cookies were present, you would be able to view the list by clicking on "blocking tracking cookies" in the above image to view the following popup: you can click "manage content blocking" to change the blocking settings: how does firefox choose what to block?

Privacy
storage access policy: block cookies from trackerstracking protection ...

Firefox Operational Information Database: SQLite
in the manager, select the database you want to explore in the '(select profile database)' pulldown, click 'go', select one of the tables listed in the left column and see the current contents of the database in the 'browse & search' tab.) some databases are used by the browser itself, others are used by applications that you have installed or used; for example: content-prefs.sqlite cookies.sqlite download.sqlite formhistory.sqlite persmissions.sqlite places.sqlite search.sqlite signons.sqlite webappstore.sqlite ...

Browser API
htmliframeelement.purgehistory() clears all the resources (cookies, localstorage, cache, etc.) associated with the browser <iframe>.

How to add a build-time test
(example to run the testcookie program) in the test program: if the test fails, exit with a non-zero status and/or print the string "fail" to stdout if the test passes, exit with a zero status and don't print the string "fail" (bonus points for printing "pass" :) ) write the test so that you expect it to pass on all platforms, since if the test fails, the tree will go orange (once we've set this up - see...

Services.jsm
ation shell service blocklist nsiblocklistservice blocklist service cache nsicacheservice cache service cache2 nsicachestorageservice cache storage service clipboard nsiclipboard clipboard console nsiconsoleservice error console service contentprefs nsicontentprefservice content preferences service cookies nsicookiemanager2 cookie manager 2 service cpmm nsimessagesender child process message manager4 crashmanager crashmanager.jsm dirsvc nsidirectoryservice nsiproperties directory service domstoragemanager nsidomstoragemanager dom storage manager domrequest nsidomrequestservice domrequest service downloa...

Patching a Localization
if you do not have these tools, take a few steps back, grab a cookie (because, let's face it, you deserve it for all of your work), and visit the l10n prerequisites page.

Creating localizable web applications
you can achieve this by setting a cookie when the user changes the locale with the language dropdown, or by looking for locale code in the url.

JS::CompileOptions
this allows an attack by which a malicious website loads a sensitive file (say, a bank statement) cross-origin (using the user's cookies), and sniffs the generated syntax errors (via a window.onerror handler) for juicy morsels of its contents.

JSErrorReport
this allows an attack by which a malicious website loads a sensitive file (say, a bank statement) cross-origin (using the user's cookies), and sniffs the generated syntax errors (via a window.onerror handler) for juicy morsels of its contents.

JS_NewGlobalObject
it's unfortunately on the clunky side, but that's the way the cookie crumbles.

Creating XPCOM components
om the xpcom solution gecko components interfaces interfaces and encapsulation the nsisupports base interface xpcom identifiers cid contract id factories xpidl and type libraries xpcom services xpcom types method types reference counting status codes variable mappings common xpcom error codes using xpcom components component examples cookie manager the webbrowserfind component the weblock component component use in mozilla finding mozilla components using xpcom components in your cpp xpconnect: using xpcom components from script component internals creating components in cpp xpcom initialization xpcom registry manifests registration methods in xpcom autoregistration the shutdown process three p...

mozIThirdPartyUtil
this is done as follows: if achannel is an nsihttpchannel and has the 'forceallowthirdpartycookie' property set, then: if auri is null, return false.

getFile
dir "tmpls" ns_win_common_startmenu_dir "cmstrt" ns_win_common_programs_dir "cmprgs" ns_win_common_startup_dir "cmstrt" ns_win_common_desktop_directory "cmdeskp" ns_win_appdata_dir "appdata" ns_win_local_appdata_dir "localappdata" ns_win_printhood "prnthd" ns_win_cookies_dir "cookd" available on unix only these locations are supported only on unix builds of firefox os.

nsIDocShell
internal_load_flags_force_allow_cookies 0x20 used to indicate that load_flags_force_allow_cookies was passed as one of the flags to loaduri().

nsIEffectiveTLDService
cookie setting and domain highlighting, but you should check whether it's the right answer for your application.

nsIMacDockSupport
1.0 66 introduced gecko 2.0 inherits from: nsimacdocksupport last changed in gecko 11.0 (firefox 11.0 / thunderbird 11.0 / seamonkey 2.8) implemented by: @mozilla.org/cookie-monster;1.

nsIPermissionManager
the nsipermissionmanager interface is used to persistently store permissions for different object types (cookies, images, and so on) on a site-by-site basis.

nsIPropertyBag
goodies obtained from window.navigator are: appcodename:"mozilla" appname:"netscape" appversion:"5.0 (windows)" battery:batterymanager buildid:"20140529161749" cookieenabled:true donottrack:"yes" geolocation:geolocation language:"en-us" mimetypes:mimetypearray mozalarms:null mozapps:xpcwrappednative_nohelper mozcameras:cameramanager mozconnection:mozconnection mozcontacts:contactmanager mozid:null mozkeyboard:xpcwrappednative_nohelper mozpay:null mozpermissionsettings:null mozphonenumberservice:phonenumberservice mozpower:mozpowermanager moztcpsocket:null onli...

nsIRequest
this means that things like authorization tokens or cookie headers should not be added.

nsIScriptableIO
for example: io.getfile("profile", "cookies.txt"); from an xpcom component, however, you will need to get a reference as with other components: var scriptableio = components.classes["@mozilla.org/io/scriptable-io;1"] .getservice(); scriptableio.getfile("profile", "cookies.txt"); method overview nsifile getfile(in astring alocation, in astring afilename); nsifile getfilewithpath...

nsIXMLHttpRequest
for instance, as done in example 2, the flag of load_anonymous is added, this strips all user data (cookies, tokens, etc).

XPCOM Interface Reference
ompositionstringsynthesizernsiconsolelistenernsiconsolemessagensiconsoleservicensicontainerboxobjectnsicontentframemessagemanagernsicontentprefnsicontentprefcallback2nsicontentprefobservernsicontentprefservicensicontentprefservice2nsicontentsecuritypolicynsicontentsniffernsicontentviewnsicontentviewmanagernsicontentviewernsicontrollernsicontrollersnsiconverterinputstreamnsiconverteroutputstreamnsicookiensicookie2nsicookieacceptdialognsicookieconsentnsicookiemanagernsicookiemanager2nsicookiepermissionnsicookiepromptservicensicookieservicensicookiestoragensicrashreporternsicryptohmacnsicryptohashnsicurrentcharsetlistenernsicyclecollectorlistenernsidbchangelistenernsidbfolderinfonsidnslistenernsidnsrecordnsidnsrequestnsidnsservicensidomcanvasrenderingcontext2dnsidomchromewindownsidomclientrectnsido...

XPCOM Interface Reference by grouping
nsiprotocolproxycallback nsiprotocolproxyfilter nsiprotocolproxyservice nsiproxyinfo preferences nsiiniparser nsiiniparserfactory nsiprefbranch nsiprefbranch2 nsipreflocalizedstring nsiprefservice nsistringbundle nsistringbundleservice security cookies nsicookie nsicookie2 nsicookieacceptdialog nsicookieconsent nsicookiemanager nsicookiemanager2 nsicookiepermission nsicookiepromptservice nsicookieservice nsicookiestorage nsisessionstore crypto nsicryptohash ...

XPCOM reference
in a big change from the original nsiabcard, properties are now stored in a hash table instead of as attributes on the interface, allowing it to be more flexible.nsicookie2 mozilla 1 8 branchnsimsgsearchvaluedefined in comm-central/ mailnews/ base/ search/ public/ nsimsgsearchvalue.idl nsmsgmessageflagsthe nsmsgmessageflags interface describes possible flags for messages.

Firefox Developer Tools
storage inspector inspect cookies, local storage, indexeddb, and session storage present in a page.

Cache - Web APIs
console.error(' error in fetch handler:', error); throw error; }); }) ); }); storing cookies in caches the fetch api requires set-cookie headers to be stripped before returning a response object from fetch().

Document.requestStorageAccess() - Web APIs
grant the document access to cookies and other site storage and store that fact for the purposes of future calls to document.hasstorageaccess() and requeststorageaccess().

Document - Web APIs
document.cookie returns a semicolon-separated list of the cookies for that document or sets a single cookie.

The HTML DOM API - Web APIs
among the things added to document by the html standard are: support for accessing various information provided by the http headers when loading the page, such as the location from which the document was loaded, cookies, modification date, referring site, and so forth.

Using IndexedDB - Web APIs
<iframe> content) cannot access indexeddb if the browser is set to never accept third party cookies (see bug 1147821.) warning about browser shutdown when the browser shuts down (because the user chose the quit or exit option), the disk containing the database is removed unexpectedly, or permissions are lost to the database store, the following things happen: each transaction on every affected database (or all open databases, in the case of browser shutdown) is aborted with an aborterror.

MediaDeviceInfo.deviceId - Web APIs
it is reset when the user clears cookies.

MediaDeviceInfo - Web APIs
it is reset when the user clears cookies (for private browsing, a different identifier is used that is not persisted across sessions).

Navigator.sendBeacon() - Web APIs
window.addeventlistener("unload", function logdata() { navigator.sendbeacon("/log", analyticsdata); }); the beacon sends an http request via the post method, with all relevant cookies available when called.

Navigator - Web APIs
navigator.cookieenabled read only returns false if setting a cookie will be ignored and true otherwise.

NavigatorStorage - Web APIs
there are many apis which provide ways for web content to store data on a user's computer, including cookies, the web storage api (window.localstorage and window.sessionstorage), and indexeddb.

ParentNode.replaceChildren() - Web APIs
this html might look something like this: <h2>party food option list</h2> <main> <div> <label for="no">no thanks!</label> <select id="no" multiple size="10"> <option>apples</option> <option>oranges</option> <option>grapes</option> <option>bananas</option> <option>kiwi fruits</option> <option>chocolate cookies</option> <option>peanut cookies</option> <option>chocolate bars</option> <option>ham sandwiches</option> <option>cheese sandwiches</option> <option>falafel sandwiches</option> <option>ice cream</option> <option>jelly</option> <option>carrot sticks and houmous</option> <option>margherita pizza</option> <option>pepperoni pizza</option> ...

RTCDataChannel: error event - Web APIs
examples // strings for each of the sctp cause codes found in rfc // 4960, section 3.3.10: // https://tools.ietf.org/html/rfc4960#section-3.3.10 const sctpcausecodes = [ "no sctp error", "invalid stream identifier", "missing mandatory parameter", "stale cookie error", "sender is out of resource (i.e., memory)", "unable to resolve address", "unrecognized sctp chunk type received", "invalid mandatory parameter", "unrecognized parameters", "no user data (sctp data chunk has no data)", "cookie received while shutting down", "restart of an association with new addresses", "user-initiated abort", "protocol violation" ]; dc.addeventlisten...

Response.type - Web APIs
it can be one of the following: basic: normal, same origin response, with all headers exposed except “set-cookie” and “set-cookie2″.

Web Authentication API - Web APIs
this is outside the scope of the web authentication api specification, but one option would be to drop a new cookie for the user session.

Window.open() - Web APIs
this function is the lonely key to get back the handle on a window if the developer has access only to its name (the name can be saved with cookies or local storage but not the window object handle).

Window.sessionStorage - Web APIs
opening a page in a new tab or window creates a new session with the value of the top-level browsing context, which differs from how session cookies work.

WindowOrWorkerGlobalScope.fetch() - Web APIs
to automatically send cookies for the current domain, this option must be provided.

Worklet.addModule() - Web APIs
cookies and http authentification) when loading the module.

XMLHttpRequest.mozAnon - Web APIs
if true, the request will be sent without cookies or authentication headers.

HTML attribute: crossorigin - HTML: Hypertext Markup Language
the "anonymous" keyword means that there will be no exchange of user credentials via cookies, client-side ssl certificates or http authentication as described in the terminology section of the cors specification, unless it is in the same origin.

<figure>: The Figure with Optional Caption element - HTML: Hypertext Markup Language
iful mdn logo."> <figcaption>mdn logo</figcaption> </figure> code snippets <figure> <figcaption>get browser details using <code>navigator</code>.</figcaption> <pre> function navigatorexample() { var txt; txt = "browser codename: " + navigator.appcodename + "; "; txt+= "browser name: " + navigator.appname + "; "; txt+= "browser version: " + navigator.appversion + "; "; txt+= "cookies enabled: " + navigator.cookieenabled + "; "; txt+= "platform: " + navigator.platform + "; "; txt+= "user-agent header: " + navigator.useragent + "; "; console.log("navigatorexample", txt); } </pre> </figure> quotations <figure> <figcaption><cite>edsger dijkstra:</cite></figcaption> <blockquote>if debugging is the process of removing software bugs, then programming must be th...

Reason: CORS header 'Access-Control-Allow-Origin' missing - HTTP
in addition, the wildcard only works for requests made with the crossorigin attribute set to anonymous, and it prevents sending credentials like cookies in requests.

Content Security Policy (CSP) - HTTP
a complete data transmission security strategy includes not only enforcing https for data transfer, but also marking all cookies with the secure attribute and providing automatic redirects from http pages to their https counterparts.

Access-Control-Allow-Credentials - HTTP
credentials are cookies, authorization headers or tls client certificates.

Access-Control-Allow-Headers - HTTP
* (wildcard) the value "*" only counts as a special wildcard value for requests without credentials (requests without http cookies or http authentication information).

Access-Control-Allow-Methods - HTTP
* (wildcard) the value "*" only counts as a special wildcard value for requests without credentials (requests without http cookies or http authentication information).

Access-Control-Expose-Headers - HTTP
* (wildcard) the value "*" only counts as a special wildcard value for requests without credentials (requests without http cookies or http authentication information).

Trailer - HTTP
these header fields are disallowed: message framing headers (e.g., transfer-encoding and content-length), routing headers (e.g., host), request modifiers (e.g., controls and conditionals, like cache-control, max-forwards, or te), authentication headers (e.g., authorization or set-cookie), or content-encoding, content-type, content-range, and trailer itself.

Redirections in HTTP - HTTP
…while chrome displays: this webpage has a redirect loop in both cases, the user can't do much (unless a corruption is happening on their side, like a mismatch of cache or cookies).

HTTP resources and specifications - HTTP
rfc 7234 hypertext transfer protocol (http/1.1): caching proposed standard rfc 5861 http cache-control extensions for stale content informational rfc 8246 http immutable responses proposed standard rfc 7235 hypertext transfer protocol (http/1.1): authentication proposed standard rfc 6265 http state management mechanism defines cookies proposed standard draft spec cookie prefixes ietf draft draft spec same-site cookies ietf draft draft spec deprecate modification of 'secure' cookies from non-secure origins ietf draft rfc 2145 use and interpretation of http version numbers informational rfc 6585 additional http status codes proposed standard ...

Privacy, permissions, and information security
ocument in the frame should be allowed to access http public key pinning (hpkp) hpkp is used by servers to instruct a client to associate a specific public key with the server going forward in order to decrease the likelihood of man-in-the-middle attacks http strict transport security (hsts) hsts is used by servers to let them protect themselves from protocol downgrade and cookie hijack attacks by letting sites tell clients that they can only use https to communicate with the server http/2 while http/2 technically does not have to use encryption, most browser developers are only supporting it when used with https, so it can be thought of in that regard as being security-related permissions api provides a way to determine the status of permissions f...

The building blocks of responsive design - Progressive web apps (PWAs)
adaptive images a server-side solution, which records the viewport size in a cookie, then resizes images via a combination of php and .htaccess to a more appropriate size, if appropriate.

Subdomain takeovers - Web security
if an attacker can do this, they can potentially read cookies set from the main domain, perform cross-site scripting, or circumvent content security policies, thereby enabling them to capture protected information (including logins) or send malicious content to unsuspecting users.

Web security
redirection with 301 and 302 response codes to be written data security using http cookies an http cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser.