Bug#649384: [Gnash-dev] Bug#649384: gnash creates world-readable cookies under /tmp

Rob Savoye rob at welcomehome.org
Mon Nov 21 00:16:22 UTC 2011


On 11/20/11 16:56, Gabriele Giacone wrote:

> 22:19 < gg0> what's the difference between /tmp/gnash-cookies* and stuff
> under ~/.gnash/SharedObjects?
> 22:20 < strk> SharedObjects are flash-specific "cookies" while
> /tmp/gnash-cookies* are common HTTP ones

  Correct. The /tmp/gnash-cookies* are standard HTTP cookies, which are
required to make many sites work, including YouTube. SharedObjects are
often called Flash Cookies, and a potential privacy issue. Gnash has a
utility called soldumper that'll dump all the SharedObject data to the
terminal so you can see what's being stored.

> IIRC they contain essential info to make yt working. So we can't move
> them under SOLSafeDir because if you set it to /dev/null or make it
> read-only, it'll break yt.

  YouTube needs the HTTP cookies, so it can get the redirect to a
geographically closer server. It should work without the SharedObjects,
if not, it's a bug. Here's what's in the three SharedObjects used by
YouTube:

Dumping SOL file
The file name is: ./videostats.sol
The size of the file is: 199
The name of the object is: videostats
perf:

Dumping SOL file
The file name is: ./soundData.sol
The size of the file is: 49
The name of the object is: soundData
volume: 1.01501e-319

Dumping SOL file
The file name is: ./hdTooltipClue2.sol
The size of the file is: 53
The name of the object is: hdTooltipClue2
count: 4.33197e-320

There's a little more info on SharedObjects on our web site:
http://www.gnashdev.org/?q=node/62

	- rob -





More information about the pkg-flash-devel mailing list