Opened 2 years ago

Closed 2 years ago

#22481 closed defect (worksforme)

Should TorBrowser preserve cookies across opening a new, different size window for same site?

Reported by: joebt
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: cookies, resized windows, new circuits

Description

In TBB 6.5.2 Linux, if cookie exceptions are set for a site and TBB's window borders are accidentally dragged (very easy to do), then if you open the tab in a new window to restore the default window size, the cookies are preserved.

Does this or similar scenarios pose any anonymity or fingerprinting concerns?
A cookie was set under a perhaps unintentionally resized window. Within a few seconds, the same cookie is associated with a new circuit and a different window size. Is this a concern? Not so much because of the visited site, but because of other adversaries / trackers.

Dragging a tab off Firefox's desktop or opening a tab in a new window doesn't keep the same circuit (by design?) but does preserve cookies. At least, no circuit info shows under Torbutton after moving a connected site to a new window. But it allows establishing a new circuit.

In tests, under the mis-sized window and the new, correctly resized window (returned to default), the cookie ID values were the same.

In this case, it seems there's no doubt that the same person viewed the exact same material or pages on a website, under two different window sizes and two different circuits, from a couple of seconds to a while apart, depending on whether you immediately realize the window was accidentally resized (not hard to overlook, as there is no warning when dragging borders).

Change History (2)

comment:1 Changed 2 years ago by arma

Component: - Select a component → Applications/Tor Browser
Keywords: Tor Browser removed
Owner: set to tbb-team

comment:2 Changed 2 years ago by gk

Resolution: worksforme
Status: new → closed

I think that behavior is okay. If you are concerned about the differently sized windows and tracking identifiers persisting across them (cookies are just one of those!) then you should get yourself a New Identity to make sure you really got all the concerning tracking mechanisms reset. Trying to fiddle with a single one (here: cookies) is likely not to give you the results you want.