5 Replies Latest reply: Jan 12, 2009 1:00 AM by iBod
Michael Kunde Level 1 (105 points)
Would someone with some advanced web knowledge please try this and explain to me what is going on here:

Launch Safari. Close all Safari windows, but don't quit the app.
Go into Safari > Preferences.
Click on advanced.
Click on "Show Cookies."
Click the "Remove All" button, then confirm by clicking "Remove All" again.
Leave the cookies window OPEN. Do not open any new Safari windows or navigate to any web pages. Just let Safari sit idle like this for 10-30 minutes.
...OK... wait for it...
Eventually, a cookie called "PREF" will spontaneously appear in your cookies window! It points to ".google.com" and expires in 2 years.

I thought cookies were only set by web pages that *I request*. How can Google just decide to send me a cookie when I have not requested any web pages at all? Isn't that a little... um, intrusive?

Also, my Safari preferences are set to "ONLY ACCEPT COOKIES ONLY FROM SITES I NAVIGATE TO." I haven't navigated to google.com, or anywhere else for that matter, but Safari is accepting this cookie. Why?

Any input would be appreciated.

Message was edited by: mwkdesign

MacBook Pro 15" - 2.5 GHz Intel Core 2 Duo - 2GB RAM, Mac OS X (10.5.3)
  • iBod Level 7 (29,340 points)

    Cookies can't be 'pushed' so something must be requesting a page from Google. Note that the cookie file is a shared resource and other internet-facing resources may be using Google.

    Do you have any widgets, etc, that might be using Google? It may also be the 'Fraudulent sites' feature that is the source of the cookie. The black-listed sites Safari get are retrieved from Google.

    I would test this myself, but I'm not on my Mac at present, sorry
  • Michael Kunde Level 1 (105 points)
    Thanks. Do you have any suggestions on how I can track down the app/widget/whatever that is requesting the cookie? I've tried watching Activity Monitor, but it won't show what processes are sending outbound network requests.
  • iBod Level 7 (29,340 points)

    You could try using [Little Snitch|http://www.obdev.at/products/littlesnitch/index.html] to keep an eye on what is making outgoing connections.
  • Michael Kunde Level 1 (105 points)
    Thank you for the tip!

    According to Little Snitch, *Safari is automatically requesting the PREF cookie from Google*. Even if I am not browsing the web at all.

    Specifically, Safari sends 2 requests. First to "safebrowsing.clients.google.com" on Port 80. The Google PREF cookie gets set immediately following this request. A couple seconds later, Safari sends a request to "static.cache.l.google.com"

    Hmmmm... interesting.
  • iBod Level 7 (29,340 points)
    No probs.

    The 'safebrowsing' request will be the one for the 'Fraudulent sites' data for that Safari uses to check for phishing attempts. If you think you don't need it, disable that option and see if the cookie setting stops.