RE: Microsoft IE cookies readable via about: URLS
From: "Per Arne Johansson" <perarne () johansson com>
Date: Mon, 12 Nov 2001 14:06:35 +0100
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Friday, November 09, 2001 3:51 PM
To: bugtraq () securityfocus com
Cc: Jouko Pynnonen
Subject: Re: Microsoft IE cookies readable via about: URLS
A better workaround (assuming that you feel cookies are "relatively
useful" and would rather not turn them off) is to put about: URLs
into the Restricted Sites zone, as detailed in Andrew Clover's
followup to his own post:
In short, create a DWORD value named "about" under:
and set it to 4.
I just tested this against your test page and with the above value set,
the test tells me "No cookies found for site...".
Interestingly, this registry change seems to have almost immediate
effect -- i.e. it did not require a restart or logout/login or even
an IE exit/restart (I did this on Win2K) but occasionally, when
running the test page over and over alternating back and forward
between having the above value set and not present (the default), the
page would work as if the registry value had not yet been changed.
I have tried this workaround; it works as described and without a reboot.
However, it breaks certain applications that use the "Internet Explorer
Server Window", most notably Yahoo Instant Messenger 5. It does not affect
versions 3 or 4. My version of YAIM is 5,0,0,1036.
The effect, in short: the "Internet Explorer Server Window" remains blank,
not showing the IM texts.
This might be due to poor design on Yahoo's part, but I am posting it as
it may affect other applications as well and might not be a good
workaround for all.
Per Arne Johansson