Cookie Settings for Opera 9.61+

The global cookie settings have been simplified a little and Opera now supports Site-specific Preferences, which allow you to change the cookie settings on a per-site basis.

The cookie settings under "tools -> preferences -> advanced -> cookies" are referred to as the "global cookie settings" (as opposed to the ones for a site preference).

The cookie settings for a site preference are under "tools -> preferences -> advanced -> content -> manage site preferences -> the site -> edit -> cookies tab".

When you create a site preference, you create it for a certain domain. The domain can be a top-level domain (com), a second-level domain (test.com), or a third-level domain (sub.test.com) etc.

'domain' will be used below to refer to the domain the site preference is for. 'subdomains' will be used below to refer to nth-level domains that are automatically inherited under the site preference domain. 'remote domains' will refer to totally different domains that are considered cross-site.

Like Opera 8.x, you have awesome control of the rules Opera follows. You have default rules, and just like the server manager in 8.x, you can use Site preferences to add exceptions and even exceptions to those exceptions. You can do whitelisting, blacklisting, inheritance and anything in between.

Inherited cookie settings

If you add test.com as a site preference, as far as the cookie settings go, sub.test.com is automatically implied and if you have a sub.test.com site preference, its cookie setting doesn't do anything, so you can ignore it. You need to edit the cookie setting in the site preference for test.com instead.

Now, if you want sub1.test.com and sub2.test.com to have different cookie settings, you should not create a test.com site preference. You should create sub1.test.com and sub2.test.com site preferences and set their cookie settings to what you want.

This way, you have control over the inheritance.

An example of this:

1. Set google.com to "Accept cookies" or "Accept only cookies from the site I visit".
2. Set mail.google.com to "Never accept cookies".

In this case, the mail.google.com setting doesn't do anything because it's controlled by google.com's.

That way, you can cover all google services at once if you want.

It is important that you keep inheritance in mind when editing domains in Site preferences, so you get the desired result. This is especially important when you right-click on a page and edit site preferences. You need to take note of the exact domain you're editing. If it's not the exact domain you want to edit, use "manage site preferences" in Opera's preferences to manually add/edit the exact domain you want.

Block all cookies for all domains by default, but add exceptions

1. Set the global to "Never accept cookies".

2. To add an exception, create a site preference for the domain you want and set it to "Accept cookies" or "Accept only cookies from the site I visit".

If you set the site preference to "Accept only cookies from the site I visit", while visiting this domain, only content that resides on this domain can set cookies. Also, automatic redirects from this domain to another will cause the redirected-to domain to not be able to set cookies.

If you set the site preference to "Accept cookies", while visiting this domain, in addition to the cookies allowed by the "Accept only cookies from the site I visit" rule, content coming from a remote domain can set cookies for its corresponding domain and subdomains IF AND ONLY IF the remote domain also has a site preference that allows cookies for itself. This means that if you want to allow remote domains while visiting this domain, you need to manually add a site preference for each remote domain and set it to "Accept only cookies from the site I visit" or "Accept cookies". In addition, if you have a site that supports OpenID, you need to add both the site and the OpenID site to Site Preferences and set both of them to "Accept cookies".

In this case, "Accept cookies" for a site preference DOES NOT cause Opera to behave as if the global is set to "Accept cookies". It's more like, "Accept only cookies that are allowed by Site Preferences". This way you're not automatically getting opted in to remote domains. You have to explicitly add a preference for domains you want to allow.
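The inheritance rule and the "block by default, add exceptions" rules described above can be written down as a small decision model. This is an added example, not Opera's code: the policy constants, function names and the treatment of first-party content as "any host under the governing site preference domain" are assumptions made for illustration.

```javascript
// Model of the rules described above (global set to "Never accept cookies").
// Policy names are hypothetical shorthand for the three UI choices.
const NEVER = "never";          // "Never accept cookies"
const SITE_ONLY = "site-only";  // "Accept only cookies from the site I visit"
const ACCEPT = "accept";        // "Accept cookies"

// True when host is the domain itself or one of its subdomains.
function isWithin(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Inheritance: the highest-level matching site preference governs;
// more specific entries beneath it are ignored.
function governingPref(host, prefs) {
  const matches = Object.keys(prefs).filter((d) => isWithin(host, d));
  if (matches.length === 0) return null;
  matches.sort((a, b) => a.split(".").length - b.split(".").length);
  return { domain: matches[0], policy: prefs[matches[0]] };
}

// Decide whether content from contentHost may set a cookie while the user
// is visiting visitedHost. prefs holds the exceptions to the global "never".
function maySetCookie(visitedHost, contentHost, prefs) {
  const site = governingPref(visitedHost, prefs);
  if (!site || site.policy === NEVER) return false;    // no exception applies
  if (isWithin(contentHost, site.domain)) return true; // first-party content
  if (site.policy === SITE_ONLY) return false;         // remote content blocked
  // "Accept cookies": remote content needs its own allowing preference.
  const remote = governingPref(contentHost, prefs);
  return remote !== null && remote.policy !== NEVER;
}

// Constructed sample preferences (not read from a real override.ini).
const samplePrefs = {
  "stackoverflow.com": ACCEPT,
  "myopenid.com": ACCEPT,
  "google.com": SITE_ONLY,
  "mail.google.com": NEVER, // ignored: google.com governs it
};
```

With these sample preferences, a remote domain that has no site preference of its own is never opted in, even while visiting a domain set to "Accept cookies".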

Accept all cookies for all domains by default, but add exceptions

Set the global to "Accept cookies".

While visiting a domain, if you want to block remote content from setting cookies for its relative domain, add the site you're visiting to Site preferences and set its cookie setting to "Accept only cookies from the site I visit".

While visiting a domain, if you want to block all content on the domain and all content from remote domains from setting cookies, add the domain you're visiting to Site preferences and set its cookie setting to "Never accept cookies".

Block remote content from setting cookies by default, but add exceptions

Set the global to "Accept only cookies from the site I visit".

With this setting, while visiting a domain, only content coming from the domain can set cookies.

Also, if you are automatically redirected from one domain to another, the redirected-to domain will not be able to set cookies (this has changed somewhat in the 10.5 pre-alphas). See 3.3.6 in RFC2965. If you don't like this rule, you can uncheck "Enable automatic redirection" in Opera's network preferences and click through all the redirects. Then, the redirected-to domain will be allowed to set cookies. Also note that when turning off 3rd party cookies in other browsers, they violate this RFC rule and still allow some 3rd party cookies.

However, like the other settings, this can be overridden with a Site preference.

While visiting the domain, if you want to allow remote content to set cookies for the remote content's domain, add the domain you're visiting (not the remote domain) to site preferences and set its cookie setting to "Accept cookies". (This is currently broken in Opera. "Accept cookies" doesn't do anything in this case.)

If you want to block a domain from setting cookies, set its cookie setting to "Never accept cookies".

localhost

localhost cookies will be stored under localhost.$localfile$ in the cookie manager. If you want a Site Preference to control localhost cookies, add a site preference for localhost.

If you have a local Apache server running for example and visit an http://localhost/ page that sets cookies, the cookies should appear under 'localhost' in the cookie manager. The localhost site preference should control the cookie permissions for it. However, for local servers, it's better to use http://127.0.0.1/ so that its cookies appear under 127.0.0.1 and are controlled by a 127.0.0.1 Site Preference.

Dealing with Corruption

If Opera starts acting up with how it follows the cookie settings (like rejecting all cookies even though you have the global set to "Accept cookies" and have no site preferences), something might be corrupted.

To fix this:

1. Close Opera.

2. Delete cookies4.dat in your profile directory.

3. Delete override.ini in your profile directory.

That should fix things by really wiping out cookies and site preferences.

Disabling Automatic Redirection

In Opera, under tools -> preferences -> advanced -> network, you can uncheck "Enable automatic redirection". This causes Opera to not automatically follow redirects and forces you to verify each redirect by manually clicking on the redirect link.

Manually verifying redirects can be useful when the global cookie setting is set to "Accept only cookies from the site I visit". Since that cookie setting blocks cookies for unverified cross-domain redirects, turning off automatic redirection and clicking on the links will make them verified so the cookies are not blocked.

However, if you disable automatic redirection, Opera will only show a redirect link in one condition:

1. The server sends a Location header and the server sends 0 bytes in the body of the response.

If the body is not 0 bytes, it'll force Opera to try and render the page instead of showing you the redirect link.

Now, if the server doesn't send a 0 byte body in the response, the page must be served as text/html and provide an html anchor element that represents the redirect link for you to click on.

Here are some ways to redirect that don't break things when automatic redirection is disabled:

Example 1 (.htaccess):

Redirect 301 /foo.html http://example.com/

Example 2:

<?php
	header("Content-Type: text/html; charset=utf-8");
	$uri = "http://www.google.com/";
	header("Location: $uri");

Example 3:

<?php
	header("Content-Type: text/html; charset=utf-8");
	$uri = "http://www.google.com/";
	header("Location: $uri");
?><!DOCTYPE html>
<html lang="en-US">
	<head>
	    <meta charset="utf-8">
	    <title>302 Moved</title>
	</head>
	<body>
	    <h1>302 Moved</h1>
	    <p>The document has moved <a href="<?php echo $uri;?>">here</a>.</p>
	</body>
</html>

Now, some sites like Yahoo do not follow these guidelines on a lot of their pages, which will break this use case (You just see a blank page with no possibility to redirect).
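For site operators who want to check their own redirect responses against the conditions above, here is an added example (not Opera's code) that classifies a response. The response object shape, the result labels and the requirement that the anchor's href equal the Location value are assumptions made for illustration.

```javascript
// Classify a redirect response by how it behaves when automatic
// redirection is disabled, following the conditions described above.
function classifyRedirect(res) {
  // Header names are case-insensitive, so normalise them first.
  const headers = {};
  for (const [k, v] of Object.entries(res.headers || {})) {
    headers[k.toLowerCase()] = String(v);
  }
  const location = headers["location"];
  if (!location) return "not-a-redirect";

  const body = res.body || "";
  // Location header plus a 0-byte body: the redirect link is shown.
  if (body.length === 0) return "redirect-link-shown";

  // A non-empty body is rendered instead, so it has to be text/html and
  // contain an anchor the user can click (simple check, no entity decoding).
  const type = (headers["content-type"] || "")
    .split(";")[0].trim().toLowerCase();
  if (type !== "text/html") return "broken";
  const hrefs = [...body.matchAll(/<a\b[^>]*\bhref\s*=\s*["']([^"']*)["']/gi)]
    .map((m) => m[1]);
  return hrefs.includes(location) ? "clickable-anchor" : "broken";
}

// Constructed sample responses, modelled on Examples 1 and 3 above plus a
// redirect whose body is non-empty but carries no link.
const sampleResponses = {
  emptyBody: { headers: { Location: "http://example.com/" }, body: "" },
  withAnchor: {
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      Location: "http://www.google.com/",
    },
    body: '<p>The document has moved <a href="http://www.google.com/">here</a>.</p>',
  },
  blankPage: {
    headers: { "Content-Type": "text/html", Location: "http://example.com/" },
    body: "\n",
  },
};
```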

Turning off automatic redirection seems to break video playback on youtube. This is most likely because it also disables automatic redirection for XMLHttpRequest.

Warning: Unchecking "Enable automatic redirection" for a site preference may cause cookies4.dat to get corrupted. See the Dealing with Corruption section.

Bookmarklets

When you have the global cookie setting set to "Accept only cookies from the site I visit", using a bookmarklet on a page that redirects you to another domain (like delicious bookmarklets) will fail. This is because of an Opera bug where the bookmarklet action isn't treated as verified.

See this bookmarklet for an example of a workaround.

Examples

Log in to flickr:

Global: Never accept cookies
yahoo.com: Accept cookies 
flickr.com: Accept only cookies from the site I visit

Global: Accept only cookies from the site I visit
yahoo.com: Uncheck "Enable automatic redirection"
(Won't work. See Disabling Automatic Redirection above.)

Log in to stackoverflow:

Global: Never accept cookies
stackoverflow.com: Accept cookies
myopenid.com: Accept cookies

Global: Accept only cookies from the site I visit
myopenid.com: Uncheck "Enable automatic redirection"
stackoverflow.com: Uncheck "Enable automatic redirection"

(After manually redirecting yourself back to stackoverflow.com, you'll be logged in, but part of the page will say you're not. It's just a bug on the site.)

Log in to youtube:

Global: Never accept cookies
google.com: Accept cookies
youtube.com: Accept only cookies from the site I visit

Global: Accept only cookies from the site I visit
google.com: Uncheck "Enable automatic redirection"

Log in to delicious when bookmarking arbitrary site with bookmarklet:

http://delicious.com/help/bookmarklets Firefox Bookmarklet

Non-working:
Global: Accept only cookies from the site I visit
delicious.com: Uncheck "Enable automatic redirection"
(Fails because delicious is a yahoo-based site. See Disabling Automatic Redirection above.)

See Bookmarklets section above for a workaround that doesn't require a site preference.

Workaround for youtube.com when using "Accept only cookies from the site I visit"

(This is no longer needed in the 10.5 pre-alphas)

1. Enable User Javascript for HTTPS via opera:config#User%20JavaScript%20on%20HTTPS

2. Save the following as youtube_cookie_fix.js in the folder you set as your User Javascript folder in "tools -> preferences -> advanced -> content -> Javascript options".

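(function() {
	var loc = document.location.href;
	// Only act on Google's login page that redirects back to youtube.
	if (loc === "https://www.google.com/accounts/ServiceLoginAuth?service=youtube") {
	    // The first <meta> holds the refresh target as "0; url='...'";
	    // strip the prefix and the trailing quote to get the bare URL.
	    var uri = document.getElementsByTagName("meta")[0].content.replace(/^0; url='|'$/gi, "");
	    // Empty the page, then follow the target as a link click
	    // instead of the automatic meta refresh.
	    document.documentElement.innerHTML = "<body></body>";
	    var a = document.createElement("a");
	    a.href = uri;
	    a.click();
	}
})();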

Of course, the downside to this is that Opera will bug you with a dialog whenever you visit an HTTPS site.

As an alternative, you can go to "tools -> preferences -> advanced -> network" and temporarily uncheck "Enable automatic redirection". Then, when you try to sign into youtube and hit the "The URL was redirected to http://www.youtube.com/index." redirection status page, refresh that page and click the http://www.youtube.com/index link. Then, you'll be logged in. Also, if you use the above script anyway, you won't have to refresh the redirection status page.

Do note of course that if Google changes something, these workarounds could break.

Note

This documentation is unofficial. It is developed from messing with the different configs. It should be accurate, but there could be mistakes. If so, please leave a comment or PM http://my.opera.com/burnout426/

Last edited on October 15th, 2009.
