Opened 2 years ago

Closed 9 months ago

#16450 closed defect (duplicate)

Tor browser removes Authorization header on subdomains

Reported by: justuser
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability-website
Cc: gk, jamesbroadhead, fdsfgs@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I couldn't use epayments.com from tor-browser.

Their JavaScript makes queries from https://my.epayments.com/ to https://api.epayments.com.
api.epayments.com sends Access-Control-Allow-Origin: https://my.epayments.com, allowing my.epayments.com to make cross-domain requests.

JavaScript on my.epayments.com adds Authorization: Basic <some token> while making the request.
But Tor Browser removes this header, breaking the authorization process. I googled and found that this is for better privacy, but could you make this feature disableable?
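As an added illustration (not part of the ticket, and not Tor Browser's or epayments.com's code), the JavaScript below models the two decisions that determine whether the call described above succeeds: the browser-side "third party" decision that decides whether Authorization is kept on a request from my.epayments.com to api.epayments.com, compared under a per-host policy and a per-registrable-domain (eTLD+1) policy, and the server-side CORS preflight check that must list Authorization explicitly because it is not a CORS-safelisted request header. The suffix list, header values and token are constructed for the example.

```javascript
// Added example, not from the Trac ticket. Hosts and headers are constructed.

// Stand-in for the Public Suffix List (assumption: a handful of suffixes is enough here).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net"]);

// Registrable domain (eTLD+1) of a host, e.g. "my.epayments.com" -> "epayments.com".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return hostname.toLowerCase();
}

// Is requestUrl third-party relative to the top-level document?
//  - "host": any differing hostname is third party (subdomains lose Authorization)
//  - "site": only a differing registrable domain is third party
function isThirdParty(topLevelUrl, requestUrl, policy) {
  const top = new URL(topLevelUrl);
  const req = new URL(requestUrl);
  if (policy === "host") return top.hostname !== req.hostname;
  if (policy === "site") {
    return registrableDomain(top.hostname) !== registrableDomain(req.hostname);
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Apply a "restrict third-party credentials" rule: drop Authorization and Cookie
// from any request the policy classifies as third party. Returns a new header object.
function applyThirdPartyRestriction(topLevelUrl, requestUrl, headers, policy) {
  const out = { ...headers };
  if (isThirdParty(topLevelUrl, requestUrl, policy)) {
    delete out["Authorization"];
    delete out["Cookie"];
  }
  return out;
}

// Server side: would a CORS preflight response let the page send Authorization?
// The origin must be allowed, and Authorization must be listed by name, since the
// Access-Control-Allow-Headers wildcard "*" does not cover it.
function corsPermits(requestOrigin, preflightResponseHeaders) {
  const allowOrigin = preflightResponseHeaders["Access-Control-Allow-Origin"];
  const allowHeaders = (preflightResponseHeaders["Access-Control-Allow-Headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase());
  const originOk = allowOrigin === requestOrigin || allowOrigin === "*";
  return originOk && allowHeaders.includes("authorization");
}

// Walk through the scenario from the ticket with a constructed token.
function demo() {
  const top = "https://my.epayments.com/";
  const api = "https://api.epayments.com/account";
  const headers = {
    Authorization: "Basic Q09OU1RSVUNURUQ=", // constructed placeholder, base64 of "CONSTRUCTED"
    Accept: "application/json",
  };
  return {
    hostPolicy: applyThirdPartyRestriction(top, api, headers, "host"), // Authorization removed
    sitePolicy: applyThirdPartyRestriction(top, api, headers, "site"), // Authorization kept
    cors: corsPermits("https://my.epayments.com", {
      "Access-Control-Allow-Origin": "https://my.epayments.com",
      "Access-Control-Allow-Headers": "Authorization, Content-Type",
    }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the per-host policy the Authorization header is gone before the request leaves the browser, which matches the failure the reporter sees even though the server's CORS configuration is correct; under the per-site policy the subdomain call keeps the header.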

Child Tickets

Change History (10)

comment:1 Changed 2 years ago by justuser

Oh, it's disableable already, sorry for this ticket. It's in Torbutton's preferences: "Restrict third party cookies ...".
But I'm using my own proxy server instead of Tor, so Tor Browser asks me to disable Torbutton to use my own proxy. To change this setting when using a custom proxy I need to enable Torbutton (restart Firefox), change the setting, and disable Torbutton (restart Firefox). Then it works.
Please allow changing Tor Browser privacy settings when using a custom proxy without all of these manipulations (switching Torbutton and restarting the browser twice). It's unobvious, because when a proxy is enabled Torbutton is disabled and hidden, so I couldn't find this setting and created this ticket; it's also annoying to restart the browser twice to change a setting.

Last edited 2 years ago by justuser

comment:2 Changed 2 years ago by gk

Cc: gk added
Keywords: tbb-usability-website added

Fixing #15954 should help with this one, too.

comment:3 Changed 21 months ago by jamesbroadhead

Priority: Medium → High
Severity: Normal

This also breaks TweetDeck (tweetdeck.twitter.com), cf. #18289.

Ideally, "Restrict third party cookies" would be more granular, perhaps per-domain.

comment:4 Changed 21 months ago by jamesbroadhead

Cc: jamesbroadhead added

comment:5 Changed 12 months ago by gk

The TweetDeck problem is still an issue in 6.0.6, see: https://blog.torproject.org/blog/tor-browser-606-released#comment-218819.

comment:6 Changed 12 months ago by cypherpunks

Summary: Tor browser removes Authorization header → Tor browser removes third-party cookies

comment:7 Changed 11 months ago by vynX

Apparently firefox.com has this same architecture, therefore logging into addons.mozilla.org doesn't work because it is done via accounts.firefox.com. The problem was acknowledged by Firefox developers, but for me even the suggested workaround doesn't help.

Specifically this coding technique is not permitted by torbrowser – which in most cases is good, but sometimes it would be nice to allow same-domain or from-visited policies. Even better if these methods were scrapped from the HTTP standard and all browsers stopped permitting them, but currently the web is optimized for citizen surveillance and manipulation.

Sorry, folks. When we released HTTP/1.1 we didn't think it was going to challenge democracy.

Last edited 11 months ago by vynX

comment:8 Changed 9 months ago by tokotoko

Cc: fdsfgs@… added

comment:9 Changed 9 months ago by gk

Summary: Tor browser removes third-party cookies → Tor browser removes Authorization header on subdomains

comment:10 Changed 9 months ago by gk

Resolution: duplicate
Status: new → closed

We have a fix in #21555 for the problem originally stated here. Marking this ticket as a duplicate.
