Tor browser removes Authorization header on subdomains

I couldn't use epayments.com from tor-browser.

Their javascript making queries from https://my.epayments.com/ to https://api.epayments.com api.epayments.com send Access-Control-Allow-Origin: https://my.epayments.com allowing my.epayments.com to make cross domain request.

Javascript on my.epayments.com adds Authorization: Basic some token while making request. But tor browser removes this header, breaking authorization process. I googled and found that this is for better privacy, but could you make this feature disableable?

Trac:
Username: justuser

added component::applications/tor browser owner::tbb-team priority::high reporter::justuser resolution::duplicate severity::normal status::closed tbb-usability-website type::defect labels

Oh, it's disableable already, sorry for this ticket. It's in Tor Button's preferences "Restrict third party cookies ...." But i'm using my own proxy server instead of tor. So tor browser is asking me to disable tor button to use my own proxy. To change this setting when using custom proxy i need to enable tor button(reboot firefox), change this setting, disable tor button(reboot firefox). And then it works. Please allow to change tor-browser privacy settings when using custom proxy without all of those manipulations - switching tor button and restarting browser twice, it's unobvious because when proxy is enabled tor button is disabled and hidden so i couldn't find this setting and created this ticket and also it's annoying to restart browser twice to change setting

Trac:
Username: justuser

Fixing #15954 (moved) should help with this one, too.

Trac:
Keywords: N/A deleted, tbb-usability-website added
Cc: N/A to gk

This also breaks TweetDeck (tweetdeck.twitter.com) cf. #18289 (moved)

Ideally, "Restrict third party cookies" would be more granular, perhaps per-domain.

Trac:
Username: jamesbroadhead
Severity: N/A to Normal
Reviewer: N/A to N/A
Priority: Medium to High
Sponsor: N/A to N/A

Trac:
Username: jamesbroadhead
Cc: gk to gk, jamesbroadhead

The TweetDeck problem is still an issue in 6.0.6, see: https://blog.torproject.org/blog/tor-browser-606-released#comment-218819.

Trac:
Summary: Tor browser removes Authorization header to Tor browser removes third-party cookies

Apparently firefox.com has this same architecture, therefore logging into addons.mozilla.org doesn't work because it is done via accounts.firefox.com. The problem was acknowledged by Firefox developers, but for me even the suggested workaround doesn't help.

Specifically this coding technique is not permitted by torbrowser – which in most cases is good, but sometimes it would be nice to allow same-domain or from-visited policies. Even better if these methods were scrapped from the HTTP standard and all browsers stopped permitting them, but currently the web is optimized for citizen surveillance and manipulation.

Sorry, folks. When we released HTTP/1.1 we didn't think it was going to challenge democracy.

Trac:
Username: vynX

Trac:
Username: tokotoko
Cc: gk, jamesbroadhead to gk, jamesbroadhead, fdsfgs@krutt.org

Trac:
Summary: Tor browser removes third-party cookies to Tor browser removes Authorization header on subdomains

We have a fix in #21555 (moved) for the problem originally stated here. Marking this ticket as a duplicate.

Trac:
Resolution: N/A to duplicate
Status: new to closed

closed

mentioned in issue #18289 (moved)

mentioned in issue #21555 (moved)

mentioned in issue #22058 (moved)

mentioned in issue tpo/applications/tor-browser-bundle-testsuite#22058

moved to tpo/applications/tor-browser#16450 (closed)