Opened 11 months ago

Last modified 6 weeks ago

#27824 new defect

TorBrowser or NoScript 10 prevents cookies even if cookie exceptions are present

Reported by: joebt
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: Tor Browser, NoScript, cookies
Cc: ilf@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

In Linux-64 Mint 18.1 & NoScript 10.1.9.6, I can't set TBB 8 or 8.0.1 UI prefs to "Block cookies" and use cookie exceptions (session cookies). TBB and / or NS won't use the exceptions to set cookies for them.

-Up through TBB 7.5 & NS 5.x, blocking cookies globally & using exceptions worked fine.

-It appeared the problem may be mostly NS, as uninstalling NS fixed most of the problem. (NoScript forum says contact TorProject "support" for TBB & NS problems).

Blocking cookies by default in browser prefs & entering site exceptions as needed always worked in TBB & NS 3, 4, 5.x. It STILL works in Fx 60.1 & NS 10.1.9.6.

When cookies are blocked but an exception is entered, https://trac.torproject.org shows: "Missing or invalid form token. Do you have cookies enabled?"

Switch the TBB UI pref to "Allow cookies" & cookies are set & allows logging in or browsing (for sites demanding cookies).
Though to login on many sites, every option in NS 10 "Trusted" mode must be enabled. I don't know if that's a good idea. That wasn't true in TBB 7.5 & NS 5.x.

Switch TBB pref back to "Block cookies & data" & no sites I've tested worked (but had cookie exceptions). There's no reason to allow cookies for all sites, all the time.

  • Even if TBB cookies are enabled, only cookie names show in TBB "View cookies." If you R-click the web page > Page Info > Security, cookie names & content are visible there.

Change History (9)

comment:1 Changed 11 months ago by dgoulet

Component: - Select a component → Applications/Tor Browser
Owner: set to tbb-team

comment:2 Changed 7 months ago by cypherpunks

It's still not fixed in TBB 8.5. No time?

With Torbutton security slider at safest (standard) or Safer, and Cookies & Site Data = Block; entering a session cookie exception: https://trac.torproject.org (or any site) doesn't allow exception domains to set even 1st party cookies.

It works correctly when cookies are blocked in Fx 60.4esr (linux) & Fx quantum - now v65.0 (linux).

Users shouldn't be forced to allow cookies globally, just to login one site;
nor have to switch Allow / Block cookies back & forth when they don't want cookies allowed globally.

Even if session cookies are allowed, third party cookies shouldn't be enabled by default.
At least, that's the 3rd party cookie setting when Cookies & Site Data is enabled.

That directly contradicts efforts to prevent third party tracking.

comment:3 in reply to:  2 Changed 7 months ago by Thorin

Replying to cypherpunks:

> Users shouldn't be forced to allow cookies globally, just to login one site

Cookies are not the problem. All persistent local data of any kind (cookies, localStorage, sessionStorage, SSL Session IDs, site permissions, etc) is cleared when you close Tor Browser or get a new Identity. Note: appCache, indexedDB and serviceWorkers(cache) are not enabled in Tor Browser.

> Even if session cookies are allowed, third party cookies shouldn't be enabled by default

There's a *little* thing called First Party Isolation (FPI), read up on it.

Don't play with your ~~food~~ settings. Be like all the other Tor Browser users and use the defaults. Also, sites are less likely to break.

It is true that FPI doesn't protect against a repeat visit to a first party (edit: within that Identity), but the visits are already linked via other means (IP, SSL Session IDs to name a couple)

Learn some OpSec and use the New Identity button

Last edited 7 months ago by Thorin

comment:4 Changed 7 months ago by cypherpunks

In TBB 8.5 & earlier (linux), IF torbutton security slider is default "Standard setting," and in preferences - "Accept cookies & site data" is checked, then "Accept third party cookies & site data" is checked & set @ Always - by default.

With torbutton @ Standard security, when 3rd party cookies are allowed Always, it toggles the "privacy.firstparty.isolate" pref to FALSE; and toggles it to True when 3rd party cookies are set to "Never." Then lots of 3rd party cookies are set instantly. I assume 3rd parties' Site Data is also loaded, but I've not checked it yet.

I suggest that it not toggle the firstparty.isolate pref.

In TBB, same settings as above, but 3rd Party Cookies are = "From Visited Sites," it still toggles firstparty.isolate = False (shouldn't), but seems to allow only 1st party cookies. (I haven't checked that on 100's of sites.)

When firstparty.isolate is False & torbutton security setting = Safer, it seems to block 3rd party cookies when Accept 3rd Party cookies = Always. Safer setting - good. But, parts of some sites haven't worked in the past at torbutton Safer setting.

Checked this behavior several times in TBB & regular Fx 60.5esr (Linux)
Both new installs, new profile for regular Fx ESR, no addons installed in the regular Fx ESR; only default addons in TBB.

Same behavior in both of the ESR flavors, whether TBB is restarted / get new identity or not. Yes, it'd delete 3rd party cookies, but they'll come right back unless Accept 3rd party cookies = "Never."

In Firefox 65 (Linux) they've changed the cookie options UI, even from a couple versions ago. In it, disabling ALL cookie blocking (incl. 3rd party) does not toggle "privacy.firstparty.isolate" to False.

comment:5 Changed 7 months ago by Thorin

Why are you playing with your ~~food~~ cookies? Leave them alone.

> third party cookies shouldn't be enabled by default

They're not. - a default new Tor Browser & profile (8.0.5) has a slider setting of "standard" and cookies are enabled for 1st party only. network.cookie.cookieBehavior is set at 1, you can see this in about:preferences#privacy where "Accept third party cookies and data" = "Never".

The only reason you have 3rd party cookies at "Always" is because you were playing with the settings. The logic behind the "Accept cookies and site data (recommended)" UI, when changing from unchecked to checked, is to reset the child option for 3rd party cookies to "Always". That's your issue, and it's due to code from Mozilla.

Maybe that's something that TB could address with a patch. Force 3rd party cookie option to always be "Never" and to disable it (the same as the "Keep until" option)
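
Added example (not part of the ticket or of any comment, and not Tor Browser code): a small check that reads a profile's prefs.js text and reports when the two prefs discussed in comments 4 and 5 have moved away from the state comment 5 describes. The baseline values, the function names and the sample input are assumptions made for this example.

```python
import re

# One prefs.js line looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# network.cookie.cookieBehavior values: 1 and 2 are quoted in the ticket;
# 0 and 3 correspond to the "Always" / "From Visited Sites" UI choices.
BEHAVIOR = {0: "accept all cookies, third-party included",
            1: "reject third-party cookies",
            2: "reject all cookies",
            3: "third-party cookies from visited sites only"}

# Assumed baseline for this example: cookieBehavior 1 (comment 5) and
# first-party isolation on. prefs.js stores only user-changed values,
# so a pref that is absent is treated as still at the baseline.
BASELINE = {"network.cookie.cookieBehavior": 1,
            "privacy.firstparty.isolate": True}

def parse_prefs(text):
    """Return {name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        raw = m.group(2).strip()
        if raw in ("true", "false"):
            prefs[m.group(1)] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[m.group(1)] = int(raw)
        else:
            prefs[m.group(1)] = raw.strip('"')
    return prefs

def audit(text):
    """List (pref, current, baseline) for each pref that has drifted."""
    prefs = parse_prefs(text)
    return [(name, prefs[name], want) for name, want in BASELINE.items()
            if name in prefs and prefs[name] != want]

def describe(finding):
    name, current, want = finding
    known = name.endswith("cookieBehavior") and current in BEHAVIOR
    note = f" ({BEHAVIOR[current]})" if known else ""
    return f"{name} = {current}{note}; baseline is {want}"

# Constructed sample (not from a real profile): the state comment 4 reports.
SAMPLE = '''user_pref("browser.startup.homepage", "about:tor");
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.firstparty.isolate", false);
'''
```

Calling `audit(SAMPLE)` and passing each result to `describe` gives one line per drifted pref; an empty list means neither pref has been changed in that profile.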

comment:6 in reply to:  2 Changed 6 months ago by gk

Replying to cypherpunks:

> It's still not fixed in TBB 8.5. No time?

Yep. But we are happy to review and merge patches!

comment:7 Changed 6 months ago by ilf

Cc: ilf@… added

I am also experiencing this: TBB 8.0.6, NoScript 10.2.1.

TBB about:preferences#privacy

  • Block cookies and site data (may cause websites to break) (network.cookie.cookieBehavior = 2)
  • Cookies and Site Data -> Exceptions -> https://trac.torproject.org/ -> Allow for session

Trying to log in on https://trac.torproject.org/projects/tor/login

Error: Bad Request. Missing or invalid form token. Do you have cookies enabled?

IIRC the exceptions used to override the global settings, and that's the behaviour I would like to achieve. But I am failing to find how.

comment:8 Changed 6 weeks ago by ilf

I just ran into this again, with a fresh TBB 8.5.4 install (and some custom settings). I would really love to disable all cookies globally and only enable them on a few specifically whitelisted domains.

Last edited 6 weeks ago by ilf

comment:9 Changed 6 weeks ago by cypherpunks

This is not recommended/supported. But if you want that anyway, then learn what cookies look like with FPI enabled.