Quote:
Originally Posted by gnilddif
That's very helpful, thanks warescouse.
Can someone explain how such shenanigans can break HTTP apps please? And why HTTP is particularly significant. Not just for me, a techno-semi-literate, but it would be useful detail to add in my enlightening letters to John Hutton and Shriti Vadera at BERR and my MP, and I don't wish to misinform, or only partially inform.
Is it possible to put clear links to, or the actual technical information of this nature, on a webpage that is easily accessed? Useful links on this thread easily get lost because it moves fast.
gnilddif
One notable issue was discovered by a poster on Badphorm. It was pointed out that because phorm's system redirects the browser to a third party domain (webwise.net), the webwise.net cookie is in fact a third party cookie (see rfc2965).
Now Safari, Internet Explorer and Firefox do not treat such cookies as third party.
Opera however will block (neither send nor accept) all cookies after a redirect to a third party domain occurs if the "accept only cookies from the site I visit" option has been enabled by the user. It will continue to block cookies until a user action occurs where the user can verify the domain requested - such as clicking on a link on the page (even if subsequently redirected back to the original URL).
This will result in the genuine website not being sent its cookies after a Phorm redirect, which will cause problems for users of Opera who block third party cookies. As Phorm's system would not be able to set its cookie it would blacklist such users for 30 minutes after each webwise redirect, but this would only serve to make the problem intermittent.
Another potential issue with some websites:-
Phorm will strip its forged cookies from http requests, but where a site also uses https it will receive these forged cookies. While this usually won't cause a problem, it would not be unreasonable for a web developer to expect only cookies set by his site to be present and write his code accordingly, so it is likely that some sites will not function correctly.
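As an added illustration (not code from the thread or from Phorm/Opera), here is a small Python model of the redirect chain example.com -> webwise.net -> example.com described above, with a lax cookie jar beside one that mimics Opera's "accept only cookies from the site I visit" option. Hostnames, cookie names and values are constructed for the example.

```python
# Added example: toy model of third-party cookie handling across a redirect.
from dataclasses import dataclass, field


@dataclass
class CookieJar:
    # strict=True models Opera's "accept only cookies from the site I visit":
    # after a redirect to a domain other than the one the user asked for
    # (an "unverifiable transaction" in RFC 2965 terms) the jar neither
    # sends nor accepts any cookies until the user navigates explicitly.
    strict: bool
    cookies: dict = field(default_factory=dict)  # (host, name) -> value
    blocked: bool = False

    def request(self, host: str, origin: str, user_action: bool = False) -> list:
        """Cookie names that would be sent to `host`.

        origin is the site the user actually asked for (address-bar host);
        user_action marks a navigation the user initiated, which lets the
        user verify the domain and lifts the block."""
        if user_action:
            self.blocked = False
        if self.strict and host != origin:  # third-party hop via redirect
            self.blocked = True
        if self.blocked:
            return []
        return sorted(name for (h, name) in self.cookies if h == host)

    def set_cookie(self, host: str, name: str, value: str) -> bool:
        """Accept a Set-Cookie from `host`; False if the policy drops it."""
        if self.blocked:
            return False
        self.cookies[(host, name)] = value
        return True


def phorm_redirect_chain(strict: bool) -> dict:
    """Replay the chain from the post and report what each side sees."""
    jar = CookieJar(strict)
    jar.set_cookie("example.com", "session", "s1")  # set on an earlier, ordinary visit
    jar.request("example.com", "example.com", user_action=True)  # user types the URL
    jar.request("webwise.net", "example.com")                    # interception redirect
    webwise_ok = jar.set_cookie("webwise.net", "webwise", "uid")  # third-party cookie attempt
    after_redirect = jar.request("example.com", "example.com")   # redirected back to the site
    after_click = jar.request("example.com", "example.com", user_action=True)  # user clicks a link
    return {"webwise_cookie_set": webwise_ok,
            "sent_after_redirect": after_redirect,
            "sent_after_click": after_click}
```

With the strict jar the genuine site receives no cookies on the redirected-back request, exactly the intermittent breakage the post describes; the lax jar accepts the webwise.net cookie and keeps sending the session cookie throughout.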