I'd get myself another machine (or a VMWare image), delete all cookies, allow all cookies from all sites, then go to your site and log in (which sounds similar to what you've already tried).
Then, after your banking session is finished (or during, if they create a short-lived cookie just for testing you have them enabled), have a look at your cookie jar to see what the bank added. That should tell you the domains you need to add to your real machine.
If that doesn't work, contact the bank and explain your issues. They'll either tell you which ones you need to allow or they'll tell you to allow them all. If the latter, you need to decide if they're still worth keeping as your bank.
Alternatively, you can either:
- use that VM you set up as a sandbox for accessing the bank if you don't want all cookies appearing on your main box.
- set up a script to delete all non-whitelisted cookies after FF shuts down.
- stop worrying about cookies altogether and just allow them (I don't think I've ever heard of cookies being used as an attack vector).
If you'd like, send me your account details (user/password) and I'll see if I can debug it from here :-) Just kidding (in case it wasn't immediately obvious).
Update:
Your bank has a particularly nefarious way of checking requirements. They check to see if you're accepting ALL cookies, something they have no business doing at all. They should just see if they can create a cookie and read it back, which would make them compatible with cookie managers.
The code they have is:
function testCookie() {
    if (typeof navigator.cookieEnabled !== "undefined") {
        return !!navigator.cookieEnabled;
    } else {
        document.cookie = "testcookie";
        return document.cookie.indexOf("testcookie") != -1;
    }
}
if (!testCookie()) {
    var browserWarningString = '';
    browserWarningString += '<div class="warning">';
    browserWarningString += '<p>To login to online banking, you must have JavaScript and cookies enabled.</p>';
    browserWarningString += '</div>\n';
    document.getElementById("loginAuth").innerHTML = browserWarningString;
}
It's that first bit of testCookie(), the return !!navigator.cookieEnabled bit, which is problematic. No amount of whitelisting URLs is going to help you here since that would only be checked once the global cookieEnabled is set to true (which it isn't for you, and rightly so).
Ideally, you'd just be able to replace that testCookie() function in the HTML that comes down.
I've found a similar site that talks about the same problem from a different bank (I guess banks are where all the brain-dead Javascript kiddies end up :-) here, along with two proposed solutions.
The first was to install GreaseMonkey and use this script here. Obviously this would need to be changed for your bank (URLs, function name and so on).
The last post on that first link above (at the moment, look for the "afternoonnap, February 15th, 2009, 10:10 am" post) also shows how to achieve the same result using NoScript. This involves replacing the cookieEnabled script (for that specific page) with a more rational one, although I'd probably just opt for replacing it with "return true" and hang the consequences :-).
Hope that helps somewhat.
For completeness (in case the links ever disappear), I'll include the two scripts here. The GreaseMonkey one boils down to:
// ==UserScript==
// @name TD Canada Trust EasyWeb Repair
// @namespace tag:GossamerGremlin,2007-04-28:Repair
// @description Repair TD Canada Trust EasyWeb website.
// @include https://easyweb*.tdcanadatrust.com/*
// @exclude
// ==/UserScript==
var scriptName = "TD Canada Trust EasyWeb Repair";

// The above @include pattern is overbroad because it exposes this
// user script to potential attacks from URLs such as this:
// https://easyweb.evil.example.com/not.tdcanadatrust.com/bad.html
// The following check eliminates such possibilities (the dots in the
// host name are escaped so they match literal dots only):
if (location.href.match(/^https:\/\/easyweb\d\d[a-z]\.tdcanadatrust\.com\//))
{
    // Visibly mark page to remind that this script is in use.
    if (document.body)
    {
        var host = document.location.host;
        var dummyDiv = document.createElement('div');
        dummyDiv.innerHTML = '<div><span style="color: red">Greased by: ' +
            scriptName + ' (' + host + ')</span></div>';
        document.body.insertBefore(dummyDiv.firstChild,
                                   document.body.firstChild);
    }
    // Replace the global flag with a getter that really tests cookie storage.
    unsafeWindow.navigator.__defineGetter__("cookieEnabled",
                                            canStoreCookieFixed);
}

// canStoreCookieFixed()
// TD's version relies on navigator.cookieEnabled, which is not set
// if customer has cookie manager, even when cookies are allowed for
// EasyWeb. The only reliable check for enabled cookies is to actually
// test if session cookie settings succeed, as done in this function
// replacement.
function canStoreCookieFixed()
{
    var testSessionCookie = "testSessionCookie=Enabled";
    document.cookie = testSessionCookie;
    return (document.cookie.indexOf(testSessionCookie) != -1);
}
The NoScript version boils down to "add the following to about:config":
noscript.surrogate.nce.sources=@easyweb*.tdcanadatrust.com
noscript.surrogate.nce.replacement=navigator.__defineGetter__(
    "cookieEnabled", function() {
        var ed = new Date;
        ed.setTime(0);
        var tc = "__noscriptTestCookie_" + Math.round((Math.random() * 99999))
            .toString(16) + "=1";
        document.cookie = tc;
        var ok = document.cookie.indexOf(tc) > -1;
        document.cookie = tc + ";expires=" + ed.toGMTString();
        return ok
    }
);
Test and update:
When I install NoScript and turn off cookies altogether in FF3, then add the following about:config items, the login prompt shows up for your bank, so I think this is probably the way to go:
noscript.surrogate.nce.sources = *.citizensbank.ca
noscript.surrogate.nce.replacement = navigator.__defineGetter__("cookieEnabled", function(){ return true });
I suggest you do this and test it to make sure you still have all your functionality.
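To make the difference between the two checks concrete without a browser, here is an added example (not the bank's code, the Greasemonkey script, or the NoScript surrogate above) that simulates a cookie manager which blocks cookies globally but whitelists one host. It runs under Node. The names makeBrowser, naiveCookieCheck and probeCookieCheck are hypothetical, and the cookie jar is a constructed stand-in for document.cookie that honours the expires attribute so the probe can clean up after itself.

```javascript
// Constructed simulation of a browser with a per-site cookie manager.
// policy.globalEnabled mirrors navigator.cookieEnabled; allowedHosts is
// the manager's whitelist; host is the site being visited.
function makeBrowser(policy) {
  const jar = new Map();
  const allowed = policy.globalEnabled || policy.allowedHosts.includes(policy.host);
  const document = {
    location: { host: policy.host },
    // Setter mimics document.cookie: one "name=value; attr=..." string per write.
    set cookie(str) {
      if (!allowed) return; // cookie manager silently drops the write
      const parts = str.split(';').map(s => s.trim());
      const [name, value = ''] = parts[0].split('=');
      let expired = false;
      for (const attr of parts.slice(1)) {
        const [k, v] = attr.split('=');
        if (k.toLowerCase() === 'expires' && new Date(v).getTime() <= Date.now()) {
          expired = true;
        }
      }
      if (expired) jar.delete(name); else jar.set(name, value);
    },
    // Getter mimics document.cookie: "a=1; b=2" for the stored cookies.
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
  };
  const navigator = { cookieEnabled: policy.globalEnabled };
  return { document, navigator, jar };
}

// The bank's approach: trust the global flag whenever the browser exposes it.
// With a cookie manager the flag is false even though this site is allowed.
function naiveCookieCheck(browser) {
  const { navigator, document } = browser;
  if (typeof navigator.cookieEnabled !== 'undefined') {
    return !!navigator.cookieEnabled;
  }
  document.cookie = 'testcookie';
  return document.cookie.indexOf('testcookie') !== -1;
}

// The fix: try to store a throwaway cookie, read it back, then expire it so
// nothing is left behind in the jar.
function probeCookieCheck(browser) {
  const { document } = browser;
  const name = '__probe_' + Math.floor(Math.random() * 0xffff).toString(16);
  document.cookie = name + '=1';
  const ok = document.cookie.indexOf(name + '=1') !== -1;
  document.cookie = name + '=; expires=' + new Date(0).toUTCString();
  return ok;
}

// Stand-alone demonstration: global cookies off, bank host whitelisted.
const demo = makeBrowser({
  globalEnabled: false,
  allowedHosts: ['easyweb.example'],
  host: 'easyweb.example',
});
console.log('naive check  :', naiveCookieCheck(demo)); // false: login refused
console.log('probe check  :', probeCookieCheck(demo)); // true: cookies do work here
console.log('jar after probe:', demo.jar.size);        // 0: probe cleaned up
```

The simulation shows the exact situation described in the answer: the global flag says "no", so the bank's page refuses to show the login form, while a real set-and-read-back probe (what the Greasemonkey and NoScript replacements do) correctly reports that cookies work for the whitelisted site.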