Opened 15 months ago

Last modified 10 months ago

#21905 new enhancement

Allow third-party cookies as we are isolating them to the first party in ESR52

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability-website, ff52-esr
Cc: arthuredelstein@…, pastly
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Now that 3rd-party cookies get isolated as well we should relax our cookie handling and allow 3rd-party cookies again.

Change History (6)

comment:1 Changed 15 months ago by cypherpunks

tbb-nightly: TBB throws an error in error console when you switch "3rd-party cookies" in Options on Windows.

comment:2 Changed 14 months ago by arthuredelstein

Cc: arthuredelstein@… added

comment:3 Changed 14 months ago by cypherpunks

As ip-check.info states, this is equal to #21756 in the tracking aspect. So, no problem to enable it.
Also, torbutton requires some cleanup, as it still uses privacy.thirdparty.isolate, resulting in:

15:25:20.836 NS_ERROR_UNEXPECTED: Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getIntPref] 1 torbutton.js:155
	torbutton_unique_pref_observer.observe chrome://torbutton/content/torbutton.js:155:40
	set_valueFromPreferences chrome://global/content/bindings/preferences.xml:364:13
	_setValue chrome://global/content/bindings/preferences.xml:191:15
	set_value chrome://global/content/bindings/preferences.xml:198:8
	userChangedValue chrome://global/content/bindings/preferences.xml:1281:15
	onxblcommand chrome://global/content/bindings/preferences.xml:1315:9

from

        switch (data) {
            case "network.cookie.cookieBehavior":
                var val = m_tb_prefs.getIntPref("network.cookie.cookieBehavior");
                var block_thirdparty = m_tb_prefs.getIntPref("privacy.thirdparty.isolate") !== 0;
                if (val == 0 && block_thirdparty) // Allow all cookies
                  m_tb_prefs.setIntPref("privacy.thirdparty.isolate", 0);
                else if (val == 1 && !block_thirdparty) // Block third party cookies
                  m_tb_prefs.setIntPref("privacy.thirdparty.isolate", 2);
                break;
            case "privacy.thirdparty.isolate":
                torbutton_update_thirdparty_prefs();
                break;

comment:4 Changed 13 months ago by gk

I was tempted to move this into our first 7.5 alpha build but it seems to me we might want to have some easy way to inspect the cookie isolation. Or do we have that already and I am just not aware of that? The browser UI is still broken it seems (see: #10353).

comment:5 Changed 12 months ago by gk

Cc: pastly added

pastly mentioned on IRC that Tor Browser does not protect against https://robinlinus.github.io/socialmedia-leak/ if we allow third-party cookies. But I think it should if third-party cookies are really the means to track users across origins. We need to investigate that more thoroughly before flipping the switch.

comment:6 Changed 10 months ago by pastly

pastly said more things on IRC.

[18:08:23] <pastly> Some guy that was really really sure of himself kept
asserting that '3rd party' cookies aren't always third party or could
somehow still be sent depending on special flags in a JavaScript request
function. Idk. I made a PoC and tested with FF, Chrome, and TB. But think
found that JS func and gave up trying to figure out if I was right or if he
was right.
[18:08:47] <pastly> s/But think found/but then I found/
[18:09:40] <pastly> https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
[18:10:08] <pastly> I guess it allows 3rd party cookies to be sent as long
as the sites are colluding with Access-Control-Allow-Origin
[18:11:00] <ANON> I would guess that an ad site might ask the browser
to request the first party site in such a way that passes information such
that the first party deposits a cookie that contains information from the
ad site.
[18:11:28] <ANON> is that what ACAO does?
[18:11:41] <pastly> Dunno. I stopped thinking about it. :p

This may not be new to you smart browser people.
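
The question raised in comments 5 and 6, as an added example that is not part of the ticket and is not Tor Browser, Firefox or torbutton code: a small model of a cookie jar keyed by host only versus one keyed by (first party, host), showing which cookies a credentialed cross-origin XMLHttpRequest would carry in each case. The CookieJar class, its methods and the example.* hostnames are hypothetical, and each host is treated as a whole site.

```javascript
// Model of a cookie jar, with and without first-party isolation.
// Constructed for illustration; not Tor Browser, Firefox or torbutton code.
class CookieJar {
  constructor(isolate) {
    this.isolate = isolate;      // true: key by (first party, cookie host)
    this.store = new Map();      // jar key -> Map(cookie name -> value)
  }

  // With isolation the URL-bar domain is part of the key, so the same
  // third-party host gets a separate jar under every first party.
  key(firstParty, host) {
    return this.isolate ? `${firstParty}|${host}` : host;
  }

  // `host` sets a cookie while the user is on a page of `firstParty`.
  set(firstParty, host, name, value) {
    const k = this.key(firstParty, host);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }

  // Cookie header for a request to `host` from a page of `firstParty`.
  // `withCredentials` models the XMLHttpRequest flag: a cross-origin
  // request carries cookies only when it is set.
  header(firstParty, host, withCredentials) {
    if (firstParty !== host && !withCredentials) return "";
    const jar = this.store.get(this.key(firstParty, host)) || new Map();
    return [...jar].map(([n, v]) => `${n}=${v}`).join("; ");
  }
}

// Constructed scenario: the user logs in at social.example, then visits
// news.example, whose script sends a credentialed XHR to social.example.
function crossSiteHeader(isolate) {
  const jar = new CookieJar(isolate);
  jar.set("social.example", "social.example", "session", "abc123");
  return jar.header("news.example", "social.example", true);
}

console.log("shared jar:  ", JSON.stringify(crossSiteHeader(false)));
console.log("isolated jar:", JSON.stringify(crossSiteHeader(true)));
```

In this model the login cookie only reaches social.example from news.example when the jar is shared; with isolation the request is credentialed but the jar for that first party is empty.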
