Cookie Check!

WHAT IT DOES: Manifest V3 Structure: Uses a background service worker, proper permissions (cookies), and host permissions. Cookie Table Display: Presents a sortable table with key details: Cookie Name Domain Secure flag HttpOnly flag SameSite attribute Expiration/Session status Calculated Risk (0–10) with a color-coded visual gauge A Remove button for each cookie Risk Calculation: Computes a risk score based solely on cookie attributes: Missing Secure flag (+2) Missing HttpOnly flag (+2) SameSite setting (“none” or undefined adds more risk, “lax” adds less) Expiration details (session cookies get a higher risk score) Cookiepedia Integration: Provides a clearly visible “View Details” link (styled as a button) next to each cookie name that opens a Cookiepedia page for that cookie. Sorting Functionality: Allows users to sort by cookie name, risk, domain, and other attributes by clicking on the table headers. Cookie Management: Users can manually remove cookies directly from the popup. Security Goals Achieved: Visibility of Cookie Security Posture: Clearly shows which cookies are at higher risk due to missing security attributes. Actionable Insights: Enables users to quickly identify and remove insecure cookies. User Education: Integrates external context through Cookiepedia, helping users understand cookie functions. Organized Analysis: Sorting and a visual risk gauge help prioritize which cookies might need attention. WHAT IT DOES NOT DO: Real-Time Notifications: No built-in pop-ups or notifications alert users immediately when a high-risk cookie is added or modified. Inline Cookie Usage Monitoring: The extension does not track or display how frequently cookies are accessed by pages (e.g., via JavaScript), which could be critical for session hijack prevention. Dynamic Behavioral Analysis: It doesn’t integrate history or runtime usage patterns to factor into the risk assessment. Prevention Mechanisms: The tool is diagnostic—it doesn’t actively block or prevent insecure cookie usage, only alerts the user for manual intervention. Inline JavaScript Access Monitoring: There is no injection or override mechanism to detect when document.cookie is accessed by page scripts.