Changes between Initial Version and Version 4 of Ticket #14085


Timestamp: Jul 1, 2016, 5:47:18 AM (3 years ago)
Author: arthuredelstein
Comment:

Here's a summary of how double-redirects can violate the ban on third-party cookies:

  1. Visit A.com in Tab 1:
    • A.com sets a cookie ("data=A1") with A.com first party
  2. Visit B.com in Tab 2:
    • B.com/ redirects to A.com/trac?from=B.com
    • A.com receives the previously-set cookie "data=A1" in GET request
    • A.com/trac?from=B.com redirects to B.com/home?data=A1

Such a double redirect is invisible to the user, because A.com is never visible in Tab 2's URL bar. But now A.com has linked the activities in Tab 1 and Tab 2.

I observed an example of this behavior while using Tor Browser. (google.com was A.com, and persona.org was B.com)

So I think the idea of considering redirects to have third-party rights is a good idea. HTTP request headers that would seem to leak state include

  • Cookie
  • Authorization

Also OCSP requests might be revealing. What else do we need to worry about?

(I edited the title and description to try to clarify what this ticket is about.)
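
The double redirect summarised in the comment above, as a small offline model; this is an added example, not code from the ticket or from Tor Browser. It assumes an https scheme, plain host equality as the first-party test, and a hypothetical policy flag `redirectsAreThirdParty` standing in for the "redirects have third-party rights" idea.

```javascript
// Constructed model: A.com and B.com are the placeholder sites from the
// ticket (hosts are lowercased by URL parsing). Nothing touches the network.
const servers = {
  "a.com": (path, cookie) =>
    path.startsWith("/trac")
      // A.com bounces back to B.com, appending whatever cookie it received.
      ? { status: 302, location: "https://B.com/home" + (cookie ? "?" + cookie : "") }
      : { status: 200, setCookie: "data=A1" },
  "b.com": (path) =>
    path === "/"
      ? { status: 302, location: "https://A.com/trac?from=B.com" }
      : { status: 200 },
};

// Minimal browser with one cookie jar. With redirectsAreThirdParty set
// (hypothetical flag), a redirect hop whose host differs from the host the
// user navigated to is a third-party context: no Cookie is sent or stored.
function makeBrowser({ redirectsAreThirdParty }) {
  const jar = new Map(); // host -> cookie string
  return function visit(url) {
    const typedHost = new URL(url).host;
    const hops = [];
    for (let i = 0; i < 10; i++) {
      const u = new URL(url);
      const thirdParty = redirectsAreThirdParty && u.host !== typedHost;
      const cookie = thirdParty ? null : jar.get(u.host) || null;
      const res = servers[u.host](u.pathname, cookie);
      if (res.setCookie && !thirdParty) jar.set(u.host, res.setCookie);
      hops.push({ host: u.host, cookieSent: cookie });
      if (res.status !== 302) return { finalUrl: u.href, hops };
      url = new URL(res.location, u).href;
    }
    throw new Error("redirect loop");
  };
}

// Tab 1 visits A.com, then Tab 2 visits B.com; returns Tab 2's result.
function runScenario(policy) {
  const visit = makeBrowser(policy);
  visit("https://A.com/");
  return visit("https://B.com/");
}

console.log("legacy:  ", runScenario({ redirectsAreThirdParty: false }).finalUrl);
console.log("proposed:", runScenario({ redirectsAreThirdParty: true }).finalUrl);
```

In the legacy run the URL bar only ever shows B.com, yet the middle hop carries A.com's cookie; under the proposed policy that hop is sent without it.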

  • Ticket #14085

    • Property Status changed from new to needs_information
    • Property Cc gk added
    • Property Summary changed from "Redefine HTTP redirect responses to match 3rd party context" to "HTTP redirects can leak third-party state (cookies, etc)"
    • Property Keywords TorBrowserTeam201503 removed
    • Property Severity changed from to Normal
  • Ticket #14085 – Description

    initial v4  
    1 Pending consensus by the TBB team, reimplement all ''HTTP redirect'' (301, 302, 303, 307, 308) responses in ''3rd party DOM contexts.'' Rationale of this is to '''support popup and new window''' crossdomain cookie conditions as [https://bugzilla.mozilla.org/show_bug.cgi?id=565965#c3 as suggested by Dan Witte].
     1HTTP double redirects (301, 302, etc.) can result in third-party cookies being read without the consent of the user.
     2
     3See discussion [https://bugzilla.mozilla.org/show_bug.cgi?id=565965#c3 by Dan Witte].