Simon Willison’s Weblog

Django snippets: Sign a string using SHA1, then shrink it using url-safe base65. I needed a way to create tamper-proof URLs and cookies by signing them, but didn’t want the overhead of a full 40 character SHA1 hash. After some experimentation, it turns out you can knock a 40 char hash down to 27 characters by encoding it using a custom base65 encoding which only uses URL-safe characters. 27th August 2008, 10:18 pm

Major Update to Prism (via) Mozilla’s site-specific browser tool can now use separate profiles (and hence separate cookie jars) for each instance, making it an excellent tool for protecting yourself against CSRF vulnerabilities in the web applications you rely on. 10th March 2008, 2:03 pm

Fluid. Another site-specific browser toolkit for OS X (Leopard only), from Todd Ditchendorf. Again, it’s not clear if this does the Right Thing and creates separate cookie jars for every application. 28th December 2007, 11:42 pm

Site-specific browsers and GreaseKit. New site-specific browser tool which lets you include a bunch of Greasemonkey scripts. For me, the killer feature of site-specific browsers is still cookie isolation (to minimise the impact of XSS and CSRF holes) but none of the current batch of tools advertise this as a feature, and most seem to want to share the system-wide cookie jar. 25th October 2007, 7:56 am

IE vulnerability allows cookie stealing. Full exploit against the same-domain cookie origin policy, so malicious sites can steal cookies from elsewhere. Avoid using IE until this is patched. 6th June 2007, 9:53 am

IE and 2-letter domain-names (via) IE won’t let you set a cookie on XX.YY, where YY is anything other than .pl or .gr. Other browsers have better exception lists. 15th February 2007, 12:33 am

Ubuntu sugar cookies (via) Different coloured dough is used to bake the Ubuntu logo in to the cookies themselves, kind of like making sushi rolls. 11th January 2007, 2:49 pm