Cookie Scanning with Fiddler

With the recent kerfuffle about sites providing misleading P3P statements, I decided to throw together a quick Fiddler add-on that displays privacy information simply in the Fiddler UI.

Install the new Privacy Scanner add-on and Fiddler will gain a new top-level menu named Privacy.


The menu has two options. The Enabled option controls whether the add-on does anything at all; it’s a good practice for Add-ons to offer a simple way to turn them off when they’re not wanted.

When the add-on is enabled, it will add a Privacy Info column to the session list and will flag HTTP/HTTPS responses which set cookies. Evaluation of any P3P statements that come along with those cookies will change the session’s background color:


Sessions that send a satisfactory P3P policy are shown in green. Sessions that set a cookie without a P3P policy are yellow; in the default IE settings, these cookies will not be sent to a 3rd party context. Sessions that send a P3P policy that does not permit use of the cookie in a 3rd party context are rendered in orange. Sessions that send invalid P3P header tokens will have a red background.

When the menu option Rename P3P header if invalid is checked, if a session presents a P3P statement that is malformed, that P3P header will be renamed to Malformed-P3P to prevent the browser from interpreting it as the P3P 1.0 specification suggested (e.g. ignoring the unknown tokens). You can see the difference when you load this test page; the cookies with bogus compact policies will be dropped in a 3rd party context.

For folks looking to build their own Fiddler extension, the code is provided below.




using System;
using System.Collections;
using System.Globalization;
using System.Collections.Generic;
using System.Windows.Forms;
using System.Text;
using Fiddler;
using System.IO;
using System.Diagnostics;
using Microsoft.Win32;
using System.Reflection;
using System.Text.RegularExpressions;
[assembly: Fiddler.RequiredVersion("")]
[assembly: AssemblyVersion("")]
[assembly: AssemblyTitle("PrivacyScanner")]
[assembly: AssemblyDescription("Scans for Cookies and P3P")]
[assembly: AssemblyCompany("Eric Lawrence")]
[assembly: AssemblyProduct("PrivacyScanner")]
public class TagCookies : IAutoTamper2
    private bool bEnabled = false;
    private bool bEnforceP3PValidity = false;
    private bool bCreatedColumn = false;
    private System.Windows.Forms.MenuItem miEnabled;
    private System.Windows.Forms.MenuItem miEnforceP3PValidity;
    private System.Windows.Forms.MenuItem mnuCookieTag;
    public void OnLoad()
 * NB: You might not get called here until ~after~ one of the AutoTamper methods was called.
 * This is okay for us, because we created our mnuContentBlock in the constructor and its simply not
 * visible anywhere until this method is called and we merge it onto the Fiddler Main menu.
    public void OnBeforeUnload() {  /*noop*/   }
    private void InitializeMenu()
        this.miEnabled = new System.Windows.Forms.MenuItem("&Enabled");
        this.miEnforceP3PValidity = new System.Windows.Forms.MenuItem("&Rename P3P header if invalid");
        this.miEnabled.Index = 0;
        this.miEnforceP3PValidity.Index = 1;
        this.mnuCookieTag = new System.Windows.Forms.MenuItem();
        this.mnuCookieTag.MenuItems.AddRange(new System.Windows.Forms.MenuItem[] { this.miEnabled, this.miEnforceP3PValidity });
        this.mnuCookieTag.Text = "Privacy";
        this.miEnabled.Click += new System.EventHandler(this.miEnabled_Click);
        this.miEnabled.Checked = bEnabled;
        this.miEnforceP3PValidity.Click += new System.EventHandler(this.miEnforceP3PValidity_Click);
        this.miEnforceP3PValidity.Checked = bEnforceP3PValidity;
    public void miEnabled_Click(object sender, EventArgs e)
        miEnabled.Checked = !miEnabled.Checked;
        bEnabled = miEnabled.Checked;
        this.miEnforceP3PValidity.Enabled = bEnabled;
        if (bEnabled) { EnsureColumn(); }
        FiddlerApplication.Prefs.SetBoolPref("extensions.tagcookies.enabled", bEnabled);
    public void miEnforceP3PValidity_Click(object sender, EventArgs e)
        miEnforceP3PValidity.Checked = !miEnforceP3PValidity.Checked;
        bEnforceP3PValidity = miEnforceP3PValidity.Checked;
        FiddlerApplication.Prefs.SetBoolPref("extensions.tagcookies.EnforceP3PValidity", bEnforceP3PValidity);
    private void EnsureColumn()
        if (bCreatedColumn) return;
        FiddlerApplication.UI.lvSessions.AddBoundColumn("Privacy Info", 1, 120, "X-Privacy");
        bCreatedColumn = true;
    public TagCookies()
        this.bEnabled = FiddlerApplication.Prefs.GetBoolPref("extensions.tagcookies.enabled", false);
        this.bEnforceP3PValidity = FiddlerApplication.Prefs.GetBoolPref("extensions.tagcookies.EnforceP3PValidity", true);
        if (bEnabled) { EnsureColumn(); } else { this.miEnforceP3PValidity.Enabled = false; }
    private void SetP3PStateFromHeader(string sValue, ref P3PState oP3PState)
        if (string.IsNullOrEmpty(sValue))
        string sUnsatCat = String.Empty;
        string sUnsatPurpose = String.Empty;
        sValue = sValue.Replace('\'', '"');
        string sCP = null;
        Regex r = new Regex("CP\\s?=\\s?[\"]?(?<TokenValue>[^\";]*)");
        Match m = r.Match(sValue);
        if (m.Success && (null != m.Groups["TokenValue"]))
            sCP = m.Groups["TokenValue"].Value;
        if (String.IsNullOrEmpty(sCP))
        // Okay, we've got a compact policy token.
        oP3PState = P3PState.P3POk;
        string[] sTokens = sCP.Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string sToken in sTokens)
            // Reject clearly invalid tokens...
            if ((sToken.Length < 3) || (sToken.Length > 4))
                oP3PState = P3PState.P3PMalformed;
            if (",PHY,ONL,GOV,FIN,".IndexOf("," + sToken + ",", StringComparison.OrdinalIgnoreCase) > -1)
                sUnsatCat += (sToken + " ");
            if (",SAM,OTR,UNR,PUB,IVA,IVD,CON,TEL,OTP,".IndexOf("," + sToken + ",", StringComparison.OrdinalIgnoreCase) > -1)
                sUnsatPurpose += (sToken + " ");
            // TODO: Look up the token in the complete collection and check validity
        // If a cookie contains an unsatisfactory purpose and an unsatisfactory category, mark it
        if ((sUnsatCat.Length > 0) && (sUnsatPurpose.Length > 0))
            if (oP3PState == P3PState.P3POk)
                oP3PState = P3PState.P3PUnsatisfactory;
    private enum P3PState
    public void OnPeekAtResponseHeaders(Session oSession) 
        if (!bEnabled) return;
        P3PState oP3PState = P3PState.NoCookies;
        if (!oSession.oResponse.headers.Exists("Set-Cookie"))
        oP3PState = P3PState.NoP3PAndSetsCookies;
        if (oSession.oResponse.headers.Exists("P3P"))
            SetP3PStateFromHeader(oSession.oResponse.headers["P3P"], ref oP3PState);
        switch (oP3PState)
            case P3PState.P3POk:
                oSession["ui-backcolor"] = "#ACDC85";
                oSession["X-Privacy"] = "Sets cookies & P3P";
            case P3PState.NoP3PAndSetsCookies:
                oSession["ui-backcolor"] = "#FAFDA4";
                oSession["X-Privacy"] = "Sets cookies without P3P";
            case P3PState.P3PUnsatisfactory:
                oSession["ui-backcolor"] = "#EC921A";
                oSession["X-Privacy"] = "Sets cookies; P3P unsatisfactory for 3rd-party use";
            case P3PState.P3PMalformed:
                oSession["ui-backcolor"] = "#E90A05";
                if (bEnforceP3PValidity)
                    oSession.oResponse.headers["MALFORMED-P3P"] = oSession.oResponse.headers["P3P"];
                    oSession["X-Privacy"] = "MALFORMED P3P: " + oSession.oResponse.headers["P3P"];
    public void AutoTamperRequestBefore(Session oSession) { }
    public void AutoTamperRequestAfter(Session oSession){ /*noop*/ }
    public void AutoTamperResponseAfter(Session oSession) {/*noop*/}
    public void AutoTamperResponseBefore(Session oSession) { /*noop*/ }
    public void OnBeforeReturningError(Session oSession) {/*noop*/}
Comments (0)