Chrome's custom exceptions can be used to broadly block content on non-secure origins, neat! pic.twitter.com/KibrK4ZMlV— Aidan Woods (@aidantwoods) March 25, 2017
To set this up, just navigate to
+ Show advanced settings then
manage exceptions and add
Why do this?
PoisonTap and attacks like it that can occur on untrusted networks (e.g. hotel, or coffee shop wifi) can be severely handicapped by these settings.
While I can't stop a website sending me cookies while on HTTP, this does prevent me sending them back.
This means that if I log in to https://example.com and receive cookies securely, my browser will then make sure it does not send any of those cookies back to http://example.com, even if the cookies were not sent to me with the Secure flag. I.e. this works as if https://example.com had set every cookie with the Secure flag, even when it did not.
Let's see this in action:
Setting a cookie on HTTPS
Cookie is sent back over HTTPS
Cookie is not sent over HTTP
In addition to this, if a website sends me cookies over HTTP, Chrome will simply ignore them (this prevents poisoning of cookies via dirty HTTP traffic).
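To make the two behaviours above concrete (cookies received over HTTPS never going back over HTTP, and Set-Cookie over HTTP being ignored), here is a small model of a browser cookie jar, added as an example here and not code from the original post or from Chrome. It compares the standard Secure-flag rule (including the "Leave Secure Cookies Alone" rule that an http:// origin cannot set or overwrite a Secure cookie, which is assumed here as current browser behaviour) with the "block HTTP origins" policy described in the post. The hostnames, cookie names and values are constructed sample data.

```javascript
// Added example, not code from the original post: a model of a browser cookie
// jar deciding (a) whether to store a Set-Cookie it received and (b) which
// cookies to attach to a request, under two policies. It is a simulation of
// the policy, not Chrome's implementation.

const SECURE_FLAG_ONLY = 'secure-flag-only';      // default browser behaviour
const BLOCK_HTTP_ORIGINS = 'block-http-origins';  // the post's custom exception

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: attrs.some((a) => a.toLowerCase() === 'secure'),
  };
}

class CookieJar {
  constructor(policy) {
    this.policy = policy;
    this.store = new Map(); // key: "host|name" (constructed, no path/domain scoping)
  }

  // Returns true if the cookie was stored, false if the browser ignored it.
  receive(url, setCookieHeader) {
    const { protocol, hostname } = new URL(url);
    const cookie = parseSetCookie(setCookieHeader);
    const key = `${hostname}|${cookie.name}`;
    const isHttps = protocol === 'https:';

    if (!isHttps) {
      // Strict policy: Set-Cookie from a non-secure origin is ignored outright.
      if (this.policy === BLOCK_HTTP_ORIGINS) return false;
      // Standard rule (assumed, "Leave Secure Cookies Alone"): an http:// origin
      // cannot set a Secure cookie or overwrite an existing Secure one, but it
      // CAN still overwrite a cookie that lacks the Secure flag.
      const existing = this.store.get(key);
      if (cookie.secure || (existing && existing.secure)) return false;
    }
    this.store.set(key, { ...cookie, host: hostname });
    return true;
  }

  // Builds the Cookie request header the browser would attach to `url`.
  cookieHeader(url) {
    const { protocol, hostname } = new URL(url);
    const isHttps = protocol === 'https:';
    // Strict policy: nothing at all is sent to a non-secure origin.
    if (!isHttps && this.policy === BLOCK_HTTP_ORIGINS) return '';
    return [...this.store.values()]
      .filter((c) => c.host === hostname && (isHttps || !c.secure))
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Replays the scenario in the post: log in over HTTPS and receive a session
// cookie WITHOUT the Secure flag, then visit the same host over plain HTTP,
// where an on-path attacker (PoisonTap-style) tries to plant its own cookie.
function scenario(policy) {
  const jar = new CookieJar(policy);
  jar.receive('https://example.com/login', 'session=abc123; HttpOnly; Path=/');
  return {
    sentOverHttps: jar.cookieHeader('https://example.com/account'),
    sentOverHttp: jar.cookieHeader('http://example.com/'),
    attackerCookieStored: jar.receive('http://example.com/', 'session=evil; Path=/'),
    sentOverHttpsAfter: jar.cookieHeader('https://example.com/account'),
  };
}

console.log('default:', scenario(SECURE_FLAG_ONLY));
console.log('strict :', scenario(BLOCK_HTTP_ORIGINS));
```

Run with `node`: under the default policy the non-Secure session cookie leaks over HTTP and the attacker's `session=evil` overwrites it for the HTTPS site too; under the strict policy nothing is sent to http://example.com and the HTTP Set-Cookie is dropped, so the HTTPS session survives exactly as if the Secure flag had been set.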
While enabling these things again as soon as a site tells you it needs them really just thwarts the protection, there will certainly be situations where you have no choice 😢. So the next best bet is adding a temporary exception if we don't feel like we're on a hostile network (at your own risk etc, etc...). Regardless, having a temporary exception is much better than a permanent one.
Let's look at our options:
Hmm... not looking so good. I might forget to delete that later. This might be a better solution though...
If you add the exception in an incognito window, you get a fresh browsing session (JS and cookies don't have access to already existing ones), your session will be cleared on exit (any poisoned cookies, local storage, or cached scripts will be deleted on exit), and the exception will be cleared on exit too:
It would be great to see a major browser hint at defaulting to similar settings after a warning period. If websites enjoy using features like scripts, cookies, and local data storage then they should make sure they're using them securely and responsibly.