Web developer network tab breaks first-party isolation in some cases
There are rare cases where the first-part isolation breaks if the Web developer Network tab is open. This got first reported on our blog: https://blog.torproject.org/blog/tor-browser-65a5-released#comment-224102
Steps to reproduce (works both in the stable and the alpha series on Linux at least):
- Start a fresh Tor Browser and set the Torbutton log level to "3"
- Open the Network tab in the Web developer console (Ctrl + Shift + Q)
- Go to https://torproject.org
- Reload the page with the arrow in the URL bar
Result:
Torbutton INFO: tor SOCKS isolation catchall: https://www.torproject.org/images/onion-heart.png via --unknown--:de6a28fb71abeba4febbbdde61de345e
It is actually only the request for the onion heart that is affected. And having the Network tab open is crucial for reproducing the bug.