
I am running a Netsparker scan on my site and it has raised an issue regarding the _fbp (Facebook) cookie - not being Secure and not marked as HttpOnly.

The code that Facebook has supplied which needs to go in the HEAD is:

<script>
!function (f, b, e, v, n, t, s) {
    if (f.fbq) return; n = f.fbq = function () {
        n.callMethod ?
            n.callMethod.apply(n, arguments) : n.queue.push(arguments)
    }; if (!f._fbq) f._fbq = n;
    n.push = n; n.loaded = !0; n.version = '2.0'; n.queue = []; t = b.createElement(e); t.async = !0;
    t.src = v; s = b.getElementsByTagName(e)[0]; s.parentNode.insertBefore(t, s)
}(window,
    document, 'script', 'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'XXXXXXXXXXXXX'); // Insert your pixel ID here.
fbq('track', 'PageView');
</script>


<noscript>
    <img style="width: 1px; height: 1px; display: none"
    src="https://www.facebook.com/tr?id=XXXXXXXXXX&ev=PageView&noscript=1" />
</noscript>

I would like this to be Secure and marked as HttpOnly if possible.

Plus, TotalValidator which is validating the site for WCAG2 AA is flagging an issue with the Image in the NoScript tag as Invalid.

Do we have to live with both these issues or is there a way to fix these issues?

Jonathan
    No, you can’t. If anything, Facebook would have to do that - but they have probably rather little interest in doing so. I would imagine that not setting it as secure probably helps in tracking the user when they cross between HTTPS and HTTP sites. And they are probably not setting it as HttpOnly, because the JS needs to be able to operate with that cookie on the client side as well. – 04FS Feb 19 '19 at 14:39
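As an added illustration (not part of the question, the comment, or Facebook's snippet): a small Set-Cookie attribute check of the kind a scanner such as Netsparker performs against the site's own response headers. The sample headers are constructed; it also notes why a cookie written on the client, as the pixel's _fbp cookie is, never shows up in this server-side audit at all.

```python
# Added example: audit Set-Cookie headers for Secure / HttpOnly / SameSite.
# All headers below are constructed samples, not taken from any real site.
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or True  # flag attrs have no value
    return name, attrs


def audit_set_cookie(headers: list[str]) -> list[CookieFinding]:
    """Return one finding per cookie that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for h in headers:
        name, attrs = parse_set_cookie(h)
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample of what the site's own responses might carry. The
# pixel's _fbp cookie is absent on purpose: it is written on the client by
# the fbevents.js script via document.cookie, so it never appears in the
# server's Set-Cookie headers, and a cookie the script must read cannot be
# HttpOnly. Only the cookies the site itself sets can be fixed here.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrftoken=xyz; Path=/; Secure; SameSite=Strict",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{f.name}: missing {', '.join(f.missing)}")
```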
