Local shared object
A local shared object (LSO), commonly called a Flash cookie (due to its similarity with an
Flash cookies, which can be stored or retrieved whenever a user accesses a page containing a Flash application, are a form of local storage. Similar to cookies, they can be used to store user preferences, save data from
Storage
Local shared objects contain data stored by individual websites. Data is stored in the Action Message Format. With the default settings, the Flash Player does not seek the user's permission to store local shared objects on the hard disk. By default, an SWF application running in Flash Player from version 9 to 11 (as of Sept 1, 2011) may store up to 100 kB of data to the user's hard drive. If the application attempts to store more, a dialog asks the user whether to allow or deny the request.[3]
Adobe Flash Player does not allow third-party local shared objects to be shared across domains. For example, a local shared object from "www.example.com" cannot be read by the domain "www.example.net".[1] However, the first-party website can always pass data to a third-party via some settings found in the dedicated XML file and passing the data in the request to the third party. Also, third-party LSOs are allowed to store data by default.[4][5] By default, LSO data is shared across browsers on the same machine. As an example:
- A visitor accesses a site using their Firefox browser, then views a page displaying a specific product, then closes the Firefox browser, the information about that product can be stored in the LSO.
- If that same visitor, using the same machine now opens an Internet Explorer browser and visits any page from the site viewed in Firefox, the site can read the LSO value(s) in the Internet Explorer browser, and display dynamic content or otherwise target the visitor.
This is distinct from cookies which have directory isolated storage paths for saved cookies while LSOs use a common directory path for all browsers on a single machine.
Application to games
To prevent cheating, games may be designed to render LSO files unusable if acquired from another location.
Privacy concerns
As with HTTP cookies, local shared objects can be used by websites to collect information on how people navigate them, although users have taken steps to restrict data collection.[6] Online banks, merchants, or advertisers may use local shared objects for tracking purposes.[7]
On 10 August 2009, Wired magazine reported that more than half of the top websites used local shared objects to track users and store information about them, but only four of them mentioned it in their privacy policy. "Flash cookies are relatively unknown to web users," the article said, "even if a user thinks they have cleared their computer of tracking objects, they most likely have not." The article further says that some websites use Flash cookies as hidden backups so that they can restore HTTP cookies deleted by users.[8]
According to the
In certain countries, it is illegal to track users without their knowledge and consent. For example, in the United Kingdom, customers must consent to the use of cookies/local shared objects:[10][11]
Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
- is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
- is given the opportunity to refuse the storage of, or access to, that information.
— Information Commissioner's Office
Local shared objects were the first subject to be discussed in the Federal Trade Commission (FTC) roundtable in January 2010.[12] FTC Chairman Jon Leibowitz has been talking with Adobe about what it describes as "the Flash problem." [13]
User control
Users can disable local shared objects using the Global Storage Settings panel of the online Settings Manager at Adobe's website.[14] However, this places a permanent flash cookie on the computer, informing all other websites that the user does not want flash cookies stored on their computer. Users can opt out of LSOs from specified sites from Flash Player's "Settings", accessed by right-clicking the Player, or using the Website Storage Settings panel; the latter also allows users to delete local shared objects.[15]
Users may also delete local shared objects either manually or using third-party software. For instance, CCleaner, a standalone computer program for Microsoft Windows and Mac OS X, allows users to delete local shared objects on demand. There is also a Firefox add-on, Clear Flash Cookies, which will automatically clear out all LSOs each time the browser is restarted.[16]
Since version 10.3 of Flash, the Online Settings Manager (letting users configure privacy and security permissions via Adobe's website) is superseded by the Local Settings Manager on Windows, Mac, and Linux platforms. It can be accessed via the
Browser control
Browser control refers to the web browser's ability to delete local shared objects and to prevent the creation of persistent local shared objects when
Also on January 5, 2011, Adobe Systems,
As for the behavior in browser's privacy mode, Adobe Flash Player 10.1, released on June 10, 2010, supports the privacy modes of Internet Explorer, Mozilla Firefox, Google Chrome, and Safari. Local shared objects created in privacy are discarded at the end of the session. Those created in a regular session are also not accessible in privacy mode.[28][29]
Third-party software
Viewers and editors
Software | Developer | Platform | Abilities | First public release | Latest stable version | License | ||
---|---|---|---|---|---|---|---|---|
Read | Write | Format | ||||||
.minerva (GitHub) | Gabriel Mariani | Web platform | Yes | Yes | AMF0/AMF3, JSON | ~2008-07-15 (1.5.1) | 4.1.1 (2015-01-10) | BSD
|
.sol Editor | Alexis Isaac | Windows
|
Yes | Yes | AMF0 | Feb. 2005 | 1.1.0.1 (2005-02-21) | MPL
|
SOLReader | Alessandro Crugnola | Windows
|
Yes | No | AMF0/AMF3 | 2007-10-25 | 1.0.0 (2007-10-25) | ? |
FlashDevelop | Mika Palmu, Philippe Elsass | Windows
|
Yes | No | AMF0/AMF3 | 2009-06-14 (3.0.0) | 4.4.0 (2013-04-18) | MIT |
SolVE | Darron Schall | Windows, macOS
|
Yes | Yes | AMF0 | Nov. 2004 | 0.2 (2004-10-15) | CPL |
Libraries and frameworks
Software | Developer | Abilities | First public release | Latest stable version | License | ||
---|---|---|---|---|---|---|---|
Read | Write | Format | |||||
Dojo Toolkit | Dojo Foundation
|
No | Yes | AMF0/AMF3 (in browser via Flash) | 2004 | 1.9.0 (2013-05-01) | BSD, AFL
|
PyAMF (GitHub/PyPI) | Nick Joyce | Yes | Yes | AMF0/AMF3 | 2007-10-07 | 0.8.0 (2015-12-17) | MIT |
s2x Open Source Flash | Aral Balkan | Yes | Yes | AMF0, XML | Dec. 2003 | 0.75 (Dec. 2003) | Freeware |
Cleaners
Software | Developer | Platform | First public release | Latest stable version | License |
---|---|---|---|---|---|
PrivacyScan | SecureMac.com, Inc. | macOS 10.6 - 10.10
|
2012-01-30 | 1.5 | Shareware |
Cookie Stumbler | WriteIt! Studios Ltd. | macOS 10.8 - 10.9
|
2011-04-01 | 2.1.2 | Shareware |
Cookie | SweetP Productions | macOS 10.6 - 10.10
|
2011 | 4.3.2 | Shareware |
Safari Cookies | SweetP Productions | macOS 10.5 - 10.10
|
2009-04-12 | 2.0 (2014-10-27) | Freeware |
MAXA Cookie Manager | Maxa Research | Windows
|
? | 5.3 (2011-12-11) | Shareware |
Click&Clean | Vlad & Serge Strukoff | Firefox add-on
|
2010-01-23 (3.6.5.0) | 4.1 (2013-03-16) | MIT |
CCleaner | Piriform (company)
|
Windows
|
? | ? | Freemium |
See also
- HTTP cookie
- Evercookie
- Web storage
- Indexed Database API
- Web SQL Database
- Google Gears
- Device fingerprint
- Canvas fingerprinting
References
- ^ Adobe Systems. Archived from the originalon 2010-05-29. Retrieved 2007-12-05.
- ^ "When the cookies crumbled, so did your web anonymity". The Guardian. 2014-10-04. Archived from the original on 2023-06-05. Retrieved 2023-12-28.
- Adobe Systems. 2011-08-22. Retrieved 2011-09-02.
- ^ "What Are Third-Party Local Shared Objects?". Security and privacy. Adobe Systems. Archived from the original on 2010-05-29. Retrieved 2011-08-15.
- ^ "How to disable third-party local shared objects". Support. Adobe Systems. Retrieved 2011-08-15.
- Network World. Network World, Inc. IDG News Service. Archived from the originalon 2014-04-04. Retrieved 2009-04-10.
- ^ Cohn, Michael (2005-03-15). "Flash Player Worries Privacy Advocates". InformationWeek. UBM Techweb. Retrieved 2007-12-05.
- New York Times. Retrieved 2011-05-05.
- ^ "Part 2: Security, confidentiality, traffic and location data, itemised billing, CLI and directories" (PDF). Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003 (3.4 ed.). United Kingdom: Information Commissioner’s Office. 2006-11-30. Retrieved 2011-05-05.
- ^ "Confidentiality of communications". Guide to the Privacy and Electronic Communications Regulations. United Kingdom: Information Commissioner’s Office. Archived from the original on 2011-02-24. Retrieved 2011-05-05.
- ^ James Temple (2010-01-29). "All eyes on online privacy". San Francisco Chronicle. Retrieved 11 February 2011.
- ^ Donald Melanson (2010-12-04). "FTC says it's talking to Adobe about the problem with 'Flash cookies'". Engadget. Retrieved 11 February 2011.
- ^ "Global Storage Settings panel". Flash Player Help. Adobe Systems. 2009-07-14. Retrieved 2011-05-05.
- ^ "Website Storage Settings panel". Flash Player Help. Adobe Systems. 2009-07-14. Retrieved 2011-05-05.
- ^ "Clear Flash Cookies – Add-ons for Firefox". Firefox Add-ons. Mozilla. November 20, 2017. Retrieved 2018-09-29.
- ^ "Adobe - Flash Player : Settings Manager". Flash Player Help. Adobe Systems. 2012-04-14. Retrieved 2012-04-14.
- ^ "Microsoft Announces Availability of Internet Explorer 8". PR Newswire. Redmond, Washington: PR Newswire Association LLC. 2009-03-19. Archived from the original on 2009-03-23. Retrieved 2011-05-05.
- ^ "Deleting "Flash Cookies" Made Easier". IEBlog. Microsoft Corporation. TechNet Blogs. 2011-05-03. Retrieved 2011-05-05.
- ^ Adobe Systems. Adobe Blogs. Retrieved 2011-05-05.
Integration with browser privacy controls for managing local storage – Users will have a simpler way to clear local storage from the browser settings interface – similar to how users clear their browser cookies today.
- ^ Huang, Emmy (2011-01-12). "On Improving Privacy: Managing Local Storage in Flash Player". Adobe Flash Platform Blog. Adobe Systems. Adobe Blogs. Retrieved 2011-05-05.
Representatives from several key companies, including Adobe, Mozilla and Google have been working together to define a new browser API (NPAPI ClearSiteData) for clearing local data, which was approved for implementation on January 5th, 2011. Any browser that implements the API will be able to clear local storage for any plugin that also implements the API.
- ^ a b Mike Beltzner (2011-01-13). "Bugzilla entry 625495 - Clear Adobe Flash Cookies (LSOs) when Clear Cookies is selected in the Privacy > Custom > Clear History". Retrieved 2011-09-28.
Change to the "on close" firefox behavior to use the new NPAPI ClearSiteData API.
- ^ a b Mike Beltzner (2011-01-13). "Bugzilla entry 625496 - Clear Adobe Flash Cookies (LSOs) when Cookies is selected in Clear Recent History". Retrieved 2011-09-28.
Change to the "clear recent history" firefox behavior to use the new NPAPI ClearSiteData API.
- HTTP Cookiesand Flash Local Shared Objects differently.
- ^ "All my saved games are gone". 2011-06-30. Retrieved 2011-09-28.
Kongregate discussion about users losing data as a result of the new browser behavior.
- ^ "Mozilla support question: How do I stop "delete cookies" from deleting saved games of a flash based game?". June 2011. Retrieved 2011-09-28.
Mozilla support question and follow-ups: How do I stop "delete cookies" from deleting saved games of a flash based game?
- ^ Claudio Fontana (2011-07-11). "firefox flash LSO revert patch". Retrieved 2011-09-28.
Third party patch to revert the firefox cookie semantic change
- ^ Huang, Emmy (2011-01-12). "On Improving Privacy: Managing Local Storage in Flash Player". Adobe Flash Platform Blog. Adobe Systems. Adobe Blogs. Retrieved 2011-05-05.
The ability to clear local storage from the browser extends the work we did in Flash Player 10.1, which launched with a new private browsing feature integrated with the private browsing mode in major browsers, including Google Chrome, Mozilla's Firefox, Microsoft's Internet Explorer, and Apple's Safari.
- ^ Betlem, Paul (2010-06-10). "Flash Player 10.1 Now Available for Windows, Mac, and Linux". Adobe AIR and Adobe Flash Player Team Blog. Adobe Systems. Adobe Blogs. Archived from the original on 2011-05-11. Retrieved 2011-05-07.
External links
- Adobe's online tool on its Web site to erase Flash cookies and manage Flash player settings
- What are local shared objects?, Adobe Flash Player security and privacy help
- "New Technique for Tracking Web Site Visitors". Slashdot. 2005-04-04. Retrieved 2007-12-05.
- "Tracking with Flash Cookies". InformIT. 2007-10-05. Archived from the originalon 2007-12-14. Retrieved 2007-12-05.
- How to block Flash cookies
- Electronic Privacy Information Center on "Local Shared Objects"
- Legal action on 'zombie cookies' filed in US court