Changes between Initial Version and Version 4 of Ticket #14085

Jul 1, 2016, 5:47:18 AM (3 years ago)

Here's a summary of how double-redirects can violate the ban on third-party cookies:

  1. Visit in Tab 1:
    • sets a cookie ("data=A1") with first party
  2. Visit in Tab 2:
    • redirects to
    • receives the previously-set cookie "data=A1" in GET request
    • redirects to

Such a double redirect is invisible to the user, because is never visible in Tab 2's URL bar. But now has linked the activities in Tab 1 and Tab 2.

I observed an example of this behavior while using Tor Browser. ( was, and was

So I think the idea of considering redirects to have third-party rights is a good idea. HTTP request headers that would seem to leak state include

  • Cookie
  • Authorization

Also OCSP requests might be revealing. What else do we need to worry about?

(I edited the title and description to try to clarify what this ticket is about.)

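The two-tab sequence described above, as an added example that is neither Tor Browser code nor part of the ticket: a toy browser with a naive host-keyed cookie jar beside one that keys every redirect hop's cookies by the tab's top-level site, which is the "redirects get third-party rights" idea the ticket proposes. The hostnames `tracker.example` and `siteb.example` and the `/bounce` and `/landing` paths are placeholders, since the real hostnames are elided from the ticket.

```python
from collections import defaultdict

TRACKER = "tracker.example"   # placeholder for the site redirected through
SITE_B = "siteb.example"      # placeholder for the site opened in Tab 2

def serve(host, path, cookies):
    """Toy origin servers. Returns (cookie to set or None, redirect target or None)."""
    if host == TRACKER:
        set_cookie = None if "data" in cookies else ("data", "A1")
        # Reached as a redirect hop, the tracker bounces straight on (assumed target)
        redirect = (SITE_B, "/landing") if path == "/bounce" else None
        return set_cookie, redirect
    if host == SITE_B and path == "/":
        return None, (TRACKER, "/bounce")   # first hop of the double redirect
    return None, None

class Browser:
    def __init__(self, isolate_redirects):
        self.isolate = isolate_redirects
        self.jar = defaultdict(dict)   # jar key -> {cookie name: value}
        self.log = []                  # (top-level site, host, cookies sent)

    def _key(self, top_level, host):
        # Naive: cookies keyed by host only, so any redirect hop reads them.
        # Isolated: keyed by (top-level site, host), treating hops as third-party.
        return (top_level, host) if self.isolate else host

    def navigate(self, host, path, max_hops=5):
        top_level = host   # the URL-bar site stays fixed across the redirect chain
        for _ in range(max_hops):
            key = self._key(top_level, host)
            sent = dict(self.jar[key])
            self.log.append((top_level, host, sent))
            set_cookie, redirect = serve(host, path, sent)
            if set_cookie:
                self.jar[key][set_cookie[0]] = set_cookie[1]
            if redirect is None:
                return host, path
            host, path = redirect
        raise RuntimeError("too many redirects")

def tracker_saw_in_tab2(isolate_redirects):
    """Replay both tabs; return the cookies the tracker received while Tab 2 loaded."""
    b = Browser(isolate_redirects)
    b.navigate(TRACKER, "/")   # Tab 1: tracker visited first-party, sets data=A1
    b.navigate(SITE_B, "/")    # Tab 2: SITE_B -> tracker -> SITE_B/landing
    return [sent for top, host, sent in b.log if top == SITE_B and host == TRACKER]
```

With the naive jar the tracker hop in Tab 2 receives `data=A1` and can link the two tabs; with the isolated jar it receives nothing, and the cookie it sets during the hop stays partitioned under `siteb.example`.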

  • Ticket #14085

    • Property Status changed from new to needs_information
    • Property Cc gk added
    • Property Summary changed from Redefine HTTP redirect responses to match 3rd party context to HTTP redirects can leak third-party state (cookies, etc)
    • Property Keywords TorBrowserTeam201503 removed
    • Property Severity changed from to Normal
  • Ticket #14085 – Description

    initial:
      Pending consensus by the TBB team, reimplement all ''HTTP redirect'' (301, 302, 303, 307, 308) responses in ''3rd party DOM contexts.'' Rationale of this is to '''support popup and new window''' crossdomain cookie conditions as [ as suggested by Dan Witte].

    v4:
      HTTP double redirects (301, 302, etc.) can result in third-party cookies being read without the consent of the user.

      See discussion [ by Dan Witte].