Opened 22 months ago

Closed 7 weeks ago

#16450 closed defect (duplicate)

Tor browser removes Authorization header on subdomains

Reported by: justuser Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-usability-website
Cc: gk, jamesbroadhead, fdsfgs@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I couldn't use epayments.com from Tor Browser.

Their JavaScript makes queries from https://my.epayments.com/ to https://api.epayments.com.
api.epayments.com sends Access-Control-Allow-Origin: https://my.epayments.com, allowing my.epayments.com to make cross-domain requests.

JavaScript on my.epayments.com adds an Authorization: Basic (some token) header while making the request.
But Tor Browser removes this header, breaking the authorization process. I googled and found that this is for better privacy, but could you make this feature disableable?
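The request pattern the reporter describes (a page on my.epayments.com calling api.epayments.com with a hand-set Authorization header), as an added JavaScript illustration that is not code from Tor Browser, Torbutton or epayments.com: it classifies the request as cross-origin but same-site, and builds the CORS preflight response the API host has to return before a browser will forward the Authorization header at all. The allowed-origin list and the two-label "site" approximation are assumptions made for the example.

```javascript
// Added illustration (not Tor Browser or epayments.com code). Runs under Node.js.

// Approximation of the "site" (eTLD+1): the last two host labels. Browsers
// consult the Public Suffix List for this; the shortcut suffices for hosts
// like epayments.com. (Assumption made for this example.)
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Classify a request issued by a page at `pageOrigin` to `targetUrl`.
// my.epayments.com -> api.epayments.com is cross-origin (different host) but
// same-site (same eTLD+1): a first-party flow, not a third-party tracker call.
function classifyRequest(pageOrigin, targetUrl) {
  const page = new URL(pageOrigin);
  const dest = new URL(targetUrl);
  const sameOrigin = page.origin === dest.origin;
  const sameSite = page.protocol === dest.protocol &&
                   siteOf(page.hostname) === siteOf(dest.hostname);
  return { sameOrigin, sameSite };
}

// Origins the API host is willing to serve (constructed for the example).
const ALLOWED_ORIGINS = new Set(['https://my.epayments.com']);
// Request headers the API host permits on cross-origin calls.
const ALLOWED_HEADERS = ['authorization', 'content-type'];

// Response to the CORS preflight (OPTIONS). A script-set Authorization header is
// not CORS-safelisted, so the browser preflights and the server must name it in
// Access-Control-Allow-Headers. Echoing the exact allowed origin (never "*")
// keeps the grant limited to the intended front-end.
function preflightResponse(originHeader, requestedHeaders) {
  if (!ALLOWED_ORIGINS.has(originHeader)) {
    return { status: 403, headers: {} }; // unknown origin: no CORS grant
  }
  const wanted = requestedHeaders.split(',')
    .map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!wanted.every(h => ALLOWED_HEADERS.includes(h))) {
    return { status: 403, headers: {} }; // asked for a header we do not permit
  }
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': originHeader,
      'Access-Control-Allow-Headers': wanted.join(', '),
      'Access-Control-Allow-Methods': 'GET, POST',
      'Vary': 'Origin', // the response differs per origin; keep caches honest
    },
  };
}
```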

Child Tickets

Change History (10)

comment:1 Changed 22 months ago by justuser

Oh, it's disableable already, sorry for this ticket. It's in Torbutton's preferences: "Restrict third party cookies ...."
But I'm using my own proxy server instead of Tor. So Tor Browser is asking me to disable Torbutton to use my own proxy. To change this setting when using a custom proxy I need to enable Torbutton (restart Firefox), change this setting, disable Torbutton (restart Firefox). And then it works.
Please allow changing Tor Browser privacy settings when using a custom proxy without all of those manipulations (switching Torbutton and restarting the browser twice). It's unobvious, because when a proxy is enabled Torbutton is disabled and hidden, so I couldn't find this setting and created this ticket; it's also annoying to restart the browser twice to change a setting.

Last edited 22 months ago by justuser

comment:2 Changed 22 months ago by gk

  • Cc gk added
  • Keywords tbb-usability-website added

Fixing #15954 should help with this one, too.

comment:3 Changed 14 months ago by jamesbroadhead

  • Priority changed from Medium to High
  • Severity set to Normal

This also breaks TweetDeck (tweetdeck.twitter.com), cf. #18289.

Ideally, "Restrict third party cookies" would be more granular, perhaps per-domain.

comment:4 Changed 14 months ago by jamesbroadhead

  • Cc jamesbroadhead added

comment:5 Changed 5 months ago by gk

The TweetDeck problem is still an issue in 6.0.6, see: https://blog.torproject.org/blog/tor-browser-606-released#comment-218819.

comment:6 Changed 5 months ago by cypherpunks

  • Summary changed from Tor browser removes Authorization header to Tor browser removes third-party cookies

comment:7 Changed 3 months ago by vynX

Apparently firefox.com has this same architecture; therefore logging into addons.mozilla.org doesn't work, because it is done via accounts.firefox.com. The problem was acknowledged by Firefox developers, but for me even the suggested workaround doesn't help.

Specifically, this coding technique is not permitted by Tor Browser, which in most cases is good, but sometimes it would be nice to allow same-domain or from-visited policies. Even better if these methods were scrapped from the HTTP standard and all browsers stopped permitting them, but currently the web is optimized for citizen surveillance and manipulation.

Sorry, folks. When we released HTTP/1.1 we didn't think it was going to challenge democracy.

Last edited 3 months ago by vynX

comment:8 Changed 8 weeks ago by tokotoko

  • Cc fdsfgs@… added

comment:9 Changed 7 weeks ago by gk

  • Summary changed from Tor browser removes third-party cookies to Tor browser removes Authorization header on subdomains

comment:10 Changed 7 weeks ago by gk

  • Resolution set to duplicate
  • Status changed from new to closed

We have a fix in #21555 for the problem originally stated here. Marking this ticket as a duplicate.
