Computer Security and Privacy: Javascript and Cookies

How Javascript and cookies can compromise your security and privacy on the web.

The main thing about a computer, the thing that really defines it and makes it a computer, is that it's programmable. Not programmable in the limited sense that it will remember which TV programs to record while you're out, but in the true sense of programmable – your computer is constantly following a list of instructions, and it will absolutely follow them.

This is the great strength of true computers. Unfortunately, in the modern interconnected world, it is sometimes their great weakness.


The internet , as you know, is made up of websites and webpages. The pages you browse to are displayed on your screen by a web browser, such as Internet Explorer, Firefox, Chrome or Safari. Generally speaking, the information sent to your browser from the web is quite simple – it's just text and pictures, and some simple instructions* on where to put them. That's basic HTML, the language the web is written in. Basic HTML can't do calculations, it can't run computer games in your browser, it can't really command your computer to do something in the way a programming language can. It just tells your browser what text and pictures to display, and where to put them, and nothing much more than that.

The nice thing about this way of doing things is that it's relatively safe from a security point of view*. If your web browser can only display things or play sounds, then it's not so likely that information sent from the internet can take over your computer.

As the internet evolved, it quickly became desirable to add a bit more cleverness to the way web pages worked. It's impossible to run a shopping or banking website without a program being run somewhere to keep track of things and provide the 'brains' needed for dynamic content. It's at this point that programming languages have to be used, because basic HTML can't do that sort of thing. So the web very quickly evolved to make use of programming languages.

It was at this point that something interesting happened. In a situation where a program needs to be run to handle something complicated on the web, then the obvious solution is to have the webserver (the computer responsible for sending the web page) run the program itself, and send the finished result in the normal way, via dumb old HTML. After all, it's already running programs responsible for making the webpages. But along came webscripting, and Javascript. Javascript works in a very different way. Instead of running programs on the webserver, a web page that uses Javascript sends the program instructions to your computer, and your computer is forced to run them. It removes a huge burden from the webserver, because it doesn't have to run the program, it just has to send the program instructions to every machine that connects to the webpage. (It's generally quicker, from the webserver's point of view, to send instructions rather than follow them – to understand why, consider that it's less time- consuming to tell someone else to count to 100 than it is to do it yourself).

The wide acceptance of Javascript means that the default way of working for any web-enabled computer is that Javascript is enabled for every website you visit, meaning that every website can run whatever program they like on your computer. It could be a program to keep track of what's in your shopping basket on a shopping website. It might just as easily be a malicious program. Of course Javascript has safeguards built-in to help prevent programs from overstepping the bounds of privacy or rampaging across your machine. But hackers can and do find ways around these restrictions.

Ideally websites would run their programs on their own webserver and not trouble our machines with having to do their job for them. If you're using a highly interactive or secure website – for example, shopping, banking or commenting on a forum or social networking site – then it's almost impossible to do without some programs being run on your machine. But as time goes on, Javascript is being used more and more where it's not really needed, simply because it's convenient to the people who make the websites.

The more it's used, the more people will tend to run less secure browsers allowing everything that's thrown at them. The more this happen, the less secure we all are.

The use of Javascript on websites should be discouraged, in my opinion – it should only be used when it really has to be. For example, I should be able to browse a newspaper website with Javascript disabled and still be able to access everything, including the comments left by other people. If I wish to make a comment myself, then fair enough if I have to enable Javascript (and cookies) to do it. I particularly dislike browsing to a website and then being immediately confronted with a big message box that says “We notice you don't have Javascript enabled. Is there something wrong with you? Get with the programme! This is the 21st Century and we expect everyone to completely disregard the concept of IT security and privacy at all times!”. Or words to that effect.

And Javascript does have privacy implications. Visiting a site with a Javascript-enabled browser can allow the website owner to find out much more about your computer than he or she would be able to otherwise. For example, if you visit this site with Javascript enabled, the dimensions of the screen you're using will be recorded by the Google statistics package I use.** There's nothing unusual about that – it's a standard bit of data collection for Google Stats, and most websites use the same facilities (or something similar – perhaps something even more intrusive). To see just how bad it can be, try out the Electronic Frontier Foundation's Panopticlick website, which attempts to 'fingerprint' your computer using Javascript. (Though their 'uniqueness rating' feels a little exagerated to me. The site probably doesn't get as many visitors as it used to when it first launched, so newer operating systems and browser versions probably tend to look more unique to the site than they really are.)

As a general piece of advice, you should block Javascript from running by default, and only enable it when you trust the website in question. The best and most convenient way of doing this that I know of is to use Firefox and the NoScript add-on.

*And by 'simple', I mean relatively simple, yet needlessly complicated. But that's a topic for another time, perhaps.
**As of October 2013, this no longer applies here - Google Analytics removed from website.


Most websites these days will plant cookies on your computer if you let them – including this one.

They're usually essential on websites that involve interaction, but should be disabled otherwise, and deleted when you've finished using the website in question.

Cookies are actually just harmless text files sent by a webserver to your machine. They generally contain a short code that identifies you to the website, so it can tell you apart from other people currently browsing the website. This is important when you need to stay logged in to a site for something. By way of privacy, only the website that sets the cookie can read it.

So far so good. However, cookies aren't just employed for useful things, and it's often not only the website you're visiting that plants the cookies. Modern websites often pull in feeds and content from other places to build up what you see on the screen. For example, adverts on websites are often served up from another internet location – effectively from another website. In this case, not only can the website you're visiting set a cookie (lets call this website A), but so can the advert server too (website Z). Once you leave website A, other websites can't read the cookies set by website A and can't identify you from them. But if you then visit website B, which also carries adverts from the same supplier (Z) as website A, then the cookies that were set by website Z may be read again by the advert server working via website B. In this way, advertisers (and any web service provider that works in this way) might be able to track you from site to site and build up a picture of who you are.

Take this website as an example. You'll notice I don't have any adverts (apart from the Google ones in the search facility). I also don't set any cookies from the website itself. But you may still get cookies from visiting. They come from Google, who provide the search bar, and also from IntenseDebate, who provide the comment system. Theoretically, those cookies could be used to track you on other sites that also use Google's or IntenseDebate's facilities. If you happen to see the posting where I've embedded a Youtube video, then you'll also get cookies from Youtube. Which is owned by Google. So if you've got cookies enabled, it's quite possible that Google is tracking you wherever you Google-search to, and any website you visit that carries a Youtube link.

So the message is: stop your computer from collecting cookies unless you need them to make a website work. Delete collected cookies once you're finished using the site. Firefox and the CookieMonster add-on will take care of standard cookies, though you also need the BetterPrivacy extension to delete any cookies left by programs that use Adobe Flash, which sets its own cookies outside of the standard web browser way of doing things.

Remember that whichever web browser you use, they are all privacy-lax by default, and that the private browsing modes they provide have no effect on Javascript and generally don't properly handle Flash cookies.

22.12.12: Updated to clarify Google Analytics' cookie domain.
05.10.13: Updated to reflect removal of Google Analytics.