Opened 5 years ago

Closed 4 years ago

#16450 closed defect (duplicate)

Tor browser removes Authorization header on subdomains

Reported by: justuser
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability-website
Cc: gk, jamesbroadhead, fdsfgs@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


I couldn't use from tor-browser.

Their javascript making queries from to send Access-Control-Allow-Origin: allowing to make cross domain request.

Javascript on adds Authorization: Basic some token while making request.
But Tor Browser removes this header, breaking the authorization process. I googled and found that this is for better privacy, but could you make this feature disableable?
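
To separate a server-side CORS misconfiguration from the browser-side header removal reported above, this added example (not code from the ticket, the affected site, or Tor Browser) models the Fetch-standard checks for a script-set Authorization header on a cross-origin request. The hosts, header values and function names are constructed for illustration, and only the origin and header checks are modelled, not methods or credentialed requests.

```javascript
// Added triage example; hosts and header values below are constructed.
// A request is cross-origin when scheme, host or port differ, so a
// subdomain (api.example.test) is cross-origin to app.example.test.
function isCrossOrigin(pageUrl, requestUrl) {
  return new URL(pageUrl).origin !== new URL(requestUrl).origin;
}

// preflightHeaders: response headers of the OPTIONS preflight,
// as a plain object with lower-case keys.
function preflightAllowsAuthorization(pageUrl, preflightHeaders) {
  const origin = new URL(pageUrl).origin;
  const allowOrigin = (preflightHeaders['access-control-allow-origin'] || '').trim();
  // "*" is acceptable here: setting Authorization from script does not
  // switch the request to credentials mode "include".
  if (allowOrigin !== '*' && allowOrigin !== origin) {
    return { ok: false, reason: 'origin-not-allowed' };
  }
  const allowed = (preflightHeaders['access-control-allow-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  // Per the Fetch standard, Authorization must be listed by name;
  // the "*" wildcard in Access-Control-Allow-Headers does not cover it.
  if (!allowed.includes('authorization')) {
    return { ok: false, reason: 'authorization-not-listed' };
  }
  return { ok: true, reason: 'cors-permits-authorization' };
}

// receivedHeaders: headers the server logged for the actual request.
function triage(pageUrl, requestUrl, preflightHeaders, receivedHeaders) {
  if (!isCrossOrigin(pageUrl, requestUrl)) return 'same-origin';
  const cors = preflightAllowsAuthorization(pageUrl, preflightHeaders);
  if (!cors.ok) return 'server-cors:' + cors.reason;
  const hasAuth = Object.keys(receivedHeaders)
    .some((k) => k.toLowerCase() === 'authorization');
  // CORS is fine but the header never arrived: the client dropped it.
  return hasAuth ? 'ok' : 'client-removed-authorization';
}
```

A `client-removed-authorization` result means the server's CORS answer was sufficient and the header was dropped before the request left the browser, which is the symptom this ticket describes.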

Change History (10)

comment:1 Changed 5 years ago by justuser

Oh, it's disableable already, sorry for this ticket. It's in Tor Button's preferences "Restrict third party cookies ...."
But I'm using my own proxy server instead of Tor. So Tor Browser is asking me to disable Tor Button to use my own proxy. To change this setting when using a custom proxy I need to enable Tor Button (reboot Firefox), change this setting, disable Tor Button (reboot Firefox). And then it works.
Please allow changing Tor Browser privacy settings when using a custom proxy without all of those manipulations: switching Tor Button and restarting the browser twice. It's unobvious because when the proxy is enabled Tor Button is disabled and hidden, so I couldn't find this setting and created this ticket, and it's also annoying to restart the browser twice to change a setting.

Last edited 5 years ago by justuser

comment:2 Changed 5 years ago by gk

Cc: gk added
Keywords: tbb-usability-website added

Fixing #15954 should help with this one, too.

comment:3 Changed 5 years ago by jamesbroadhead

Priority: Medium → High
Severity: Normal

This also breaks TweetDeck ( cf. #18289

Ideally, "Restrict third party cookies" would be more granular, perhaps per-domain.

comment:4 Changed 5 years ago by jamesbroadhead

Cc: jamesbroadhead added

comment:5 Changed 4 years ago by gk

The TweetDeck problem is still an issue in 6.0.6, see:

comment:6 Changed 4 years ago by cypherpunks

Summary: Tor browser removes Authorization header → Tor browser removes third-party cookies

comment:7 Changed 4 years ago by vynX

Apparently has this same architecture, therefore logging into doesn't work because it is done via The problem was acknowledged by Firefox developers, but for me even the suggested workaround doesn't help.

Specifically this coding technique is not permitted by torbrowser – which in most cases is good, but sometimes it would be nice to allow same-domain or from-visited policies. Even better if these methods were scrapped from the HTTP standard and all browsers stopped permitting them, but currently the web is optimized for citizen surveillance and manipulation.

Sorry, folks. When we released HTTP/1.1 we didn't think it was going to challenge democracy.

Last edited 4 years ago by vynX

comment:8 Changed 4 years ago by tokotoko

Cc: fdsfgs@… added

comment:9 Changed 4 years ago by gk

Summary: Tor browser removes third-party cookies → Tor browser removes Authorization header on subdomains

comment:10 Changed 4 years ago by gk

Resolution: duplicate
Status: new → closed

We have a fix in #21555 for the problem originally stated here. Marking this ticket as a duplicate.