Opened 4 years ago

Last modified 2 years ago

#14085 new enhancement

HTTP redirects can leak third-party state (cookies, etc)

Reported by: michael Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: gk, arthuredelstein, ctang@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arthuredelstein)

HTTP double redirects (301, 302, etc.) can result in third-party cookies being read without the consent of the user.

See discussion by Dan Witte.

Child Tickets

Change History (9)

comment:1 Changed 4 years ago by gk

Cc: gk added

comment:2 Changed 4 years ago by michael

Status: new → needs_information

The topic was considered in the 5 January 2015 TBB meeting but shelved after encountering positive opinions but nevertheless neither (rough) consensus nor a concrete plan or starting design. It may be revisited once progress is made on other children of #3246.

comment:3 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201503 removed

comment:4 Changed 3 years ago by arthuredelstein

Description: modified (diff)
Severity: Normal
Summary: Redefine HTTP redirect responses to match 3rd party context → HTTP redirects can leak third-party state (cookies, etc)

Here's a summary of how double-redirects can violate the ban on third-party cookies:

  1. Visit A.com in Tab 1:
    • A.com sets a cookie ("data=A1") with A.com first party
  2. Visit B.com in Tab 2:
    • B.com/ redirects to A.com/trac?from=B.com
    • A.com receives the previously-set cookie "data=A1" in GET request
    • A.com/trac?from=B.com redirects to B.com/home?data=A1

Such a double redirect is invisible to the user, because A.com is never visible in Tab 2's URL bar. But now A.com has linked the activities in Tab 1 and Tab 2.

I observed an example of this behavior while using Tor Browser. (google.com was A.com, and persona.org was B.com)

So I think the idea of considering redirects to have third-party rights is a good idea. HTTP request headers that would seem to leak state include

  • Cookie
  • Authorization

Also OCSP requests might be revealing. What else do we need to worry about?

(I edited the title and description to try to clarify what this ticket is about.)
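The double redirect described in comment 4, modelled as an added example (not code from the ticket or from Tor Browser): a toy browser that blocks third-party cookies follows the chain twice, once with redirect hops counted as first party (the behaviour the ticket reports) and once with hops to a site other than the one the user navigated to treated as third party, as proposed. The hosts a.com and b.com, the server handlers, the cookie name and the `run` helper are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed toy servers standing in for A.com and B.com from the ticket.
# A handler takes (path, cookies_received) and returns
# (status, location, set_cookie).
def serve_a(path, cookies):
    if path.startswith("/trac"):
        # A.com bounces the visitor back to B.com and copies the cookie it
        # just received into the query string: this is the linkage step.
        return 302, f"https://b.com/home?data={cookies.get('data', 'none')}", None
    return 200, None, ("data", "A1")      # a plain visit sets data=A1

def serve_b(path, cookies):
    if path == "/":
        return 302, "https://a.com/trac?from=b.com", None
    return 200, None, None

SERVERS = {"a.com": serve_a, "b.com": serve_b}

class Browser:
    def __init__(self, redirects_are_third_party):
        self.jar = {}                         # host -> {name: value}
        self.redirects_are_third_party = redirects_are_third_party

    def navigate(self, url, max_hops=10):
        first_party = urlsplit(url).hostname  # the site the user actually typed
        trace = []                            # (host, cookies sent) per hop
        for _ in range(max_hops):
            parts = urlsplit(url)
            host = parts.hostname
            path = parts.path + ("?" + parts.query if parts.query else "")
            # Under the proposed rule a hop to another site is third party:
            # no Cookie header is sent and Set-Cookie is not honoured.
            third_party = self.redirects_are_third_party and host != first_party
            sent = {} if third_party else dict(self.jar.get(host, {}))
            status, location, set_cookie = SERVERS[host](path, sent)
            trace.append((host, sent))
            if set_cookie and not third_party:
                self.jar.setdefault(host, {})[set_cookie[0]] = set_cookie[1]
            if status != 302 or not location:
                return url, trace
            url = location
        raise RuntimeError("too many redirects")

def run(redirects_are_third_party):
    """Tab 1 visits A.com, tab 2 visits B.com; return tab 2's final URL and hops."""
    browser = Browser(redirects_are_third_party)
    browser.navigate("https://a.com/")         # tab 1: A.com sets data=A1
    return browser.navigate("https://b.com/")  # tab 2: the double redirect
```

With redirect hops treated as first party, `run(False)` ends at `https://b.com/home?data=A1`, so B.com now learns A.com's identifier for the user; with the proposed rule, `run(True)` ends at `https://b.com/home?data=none` because the hop through a.com carried no Cookie header.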

comment:5 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein added
Status: needs_information → new

comment:6 Changed 2 years ago by arthuredelstein

An example in Firefox with first-party isolation on:
https://bugzilla.mozilla.org/show_bug.cgi?id=1309800

comment:7 Changed 2 years ago by gk

And https://bugzilla.mozilla.org/show_bug.cgi?id=1319839 is another one. #20754 is a duplicate of this bug.

comment:8 Changed 2 years ago by gk

Cc: ctang@… added

comment:9 Changed 2 years ago by gk

Parent ID: #3246