Opened 20 months ago

Last modified 6 weeks ago

#16450 new defect

Tor browser removes third-party cookies

Reported by: justuser
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability-website
Cc: gk, jamesbroadhead
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I couldn't use epayments.com from Tor Browser.

Their JavaScript makes queries from https://my.epayments.com/ to https://api.epayments.com.
api.epayments.com sends Access-Control-Allow-Origin: https://my.epayments.com, allowing my.epayments.com to make cross-domain requests.

JavaScript on my.epayments.com adds Authorization: Basic some token while making the request.
But Tor Browser removes this header, breaking the authorization process. I googled and found that this is for better privacy, but could you make this feature disableable?
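
The cross-origin pattern reported above, as an added example that is not part of the ticket or of any project's code: it applies the Fetch standard's preflight rules for a script-set Authorization header, then separates a server-side CORS gap from a client that dropped the header. The function names and sample header sets are constructed for illustration, and the request's credentials mode is assumed not to be "include".

```javascript
// Added example; all header sets below are constructed, not captured traffic.
const PAGE_ORIGIN = "https://my.epayments.com";

// Case-insensitive lookup in a plain header object; null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Would a browser accept this preflight response for a request that carries
// Authorization? Assumes credentials mode is not "include".
function preflightAllowsAuthorization(pageOrigin, preflightResponse) {
  const allowOrigin = header(preflightResponse, "Access-Control-Allow-Origin");
  if (allowOrigin !== "*" && allowOrigin !== pageOrigin) return false;
  const allowed = (header(preflightResponse, "Access-Control-Allow-Headers") || "")
    .split(",")
    .map((h) => h.trim().toLowerCase());
  // Authorization is a "CORS non-wildcard request-header name" in the Fetch
  // standard: "*" in Access-Control-Allow-Headers does not cover it.
  return allowed.includes("authorization");
}

// Classify a failing API call from the preflight response and the headers the
// API server logged for the actual request.
function diagnose(pageOrigin, preflightResponse, receivedRequest) {
  if (!preflightAllowsAuthorization(pageOrigin, preflightResponse)) {
    return "server-cors-config"; // browser blocks before the real request
  }
  if (header(receivedRequest, "Authorization") === null) {
    return "client-removed-header"; // CORS is fine, header never arrived
  }
  return "ok";
}

const goodPreflight = {
  "Access-Control-Allow-Origin": PAGE_ORIGIN,
  "Access-Control-Allow-Headers": "Authorization, Content-Type",
};
const wildcardPreflight = {
  "Access-Control-Allow-Origin": PAGE_ORIGIN,
  "Access-Control-Allow-Headers": "*",
};
const withToken = { Origin: PAGE_ORIGIN, authorization: "Basic PLACEHOLDER" };
const stripped = { Origin: PAGE_ORIGIN };

console.log(diagnose(PAGE_ORIGIN, goodPreflight, withToken));
console.log(diagnose(PAGE_ORIGIN, goodPreflight, stripped));
console.log(diagnose(PAGE_ORIGIN, wildcardPreflight, withToken));
```
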

Change History (7)

comment:1 Changed 20 months ago by justuser

Oh, it's disableable already, sorry for this ticket. It's in Tor Button's preferences: "Restrict third party cookies ....".
But I'm using my own proxy server instead of Tor, so Tor Browser is asking me to disable Tor Button to use my own proxy. To change this setting when using a custom proxy I need to enable Tor Button (restart Firefox), change this setting, then disable Tor Button (restart Firefox). And then it works.
Please allow changing Tor Browser privacy settings when using a custom proxy without all of those manipulations (switching Tor Button and restarting the browser twice). It's unobvious, because when the proxy is enabled Tor Button is disabled and hidden, so I couldn't find this setting and created this ticket. It's also annoying to restart the browser twice to change a setting.

Last edited 20 months ago by justuser

comment:2 Changed 20 months ago by gk

  • Cc gk added
  • Keywords tbb-usability-website added

Fixing #15954 should help with this one, too.

comment:3 Changed 12 months ago by jamesbroadhead

  • Priority changed from Medium to High
  • Severity set to Normal

This also breaks TweetDeck (tweetdeck.twitter.com) cf. #18289

Ideally, "Restrict third party cookies" would be more granular, perhaps per-domain.

comment:4 Changed 12 months ago by jamesbroadhead

  • Cc jamesbroadhead added

comment:5 Changed 3 months ago by gk

The TweetDeck problem is still an issue in 6.0.6, see: https://blog.torproject.org/blog/tor-browser-606-released#comment-218819.

comment:6 Changed 3 months ago by cypherpunks

  • Summary changed from Tor browser removes Authorization header to Tor browser removes third-party cookies

comment:7 Changed 6 weeks ago by vynX

Apparently firefox.com has this same architecture, therefore logging into addons.mozilla.org doesn't work because it is done via accounts.firefox.com. The problem was acknowledged by Firefox developers, but for me even the suggested workaround doesn't help.

Specifically, this coding technique is not permitted by Tor Browser, which in most cases is good, but sometimes it would be nice to allow same-domain or from-visited policies. Even better if these methods were scrapped from the HTTP standard and all browsers stopped permitting them, but currently the web is optimized for citizen surveillance and manipulation.

Sorry, folks. When we released HTTP/1.1 we didn't think it was going to challenge democracy.

Last edited 6 weeks ago by vynX