Opened 6 weeks ago

Closed 4 weeks ago

#30171 closed defect (fixed)

Always accepting third party cookies seems to break first party isolation

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201904R, tbb-linkability
Cc: acat Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Not that many folks would do this intentionally but always enabling third-party cookies seems to break first-party isolation as the domain being used for isolating is just always "--unknown" See https://blog.torproject.org/comment/280689#comment-280689 for the report (many thanks Torlion). As that one is extra awesome I'll quote it here fully:

As I've experienced this issue several times again, I had another try to find out, what causes this problem. I've found a way to reproduce the issue and how to solve the problem. It's a bit difficult to explain, that's why I'll try by giving an example:

Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page)

Try the following changes concerning third-party cookies. On the left you see the setting, after the dashes you see the result of the exit node shown in the circuit. After changing the settings, you have to refresh the page or click on “New Circuit for this Site”:

Go on “options” - Privacy and Security” - “Accept third-party cookies and site data” and
set the following for third-party cookies:

“Never” – exit node is ok – wikipedia.org
“From visited” – exit node is ok – wikipedia.org
“Always” – exit node is not ok “--unknown--”
“From visited” – exit node is not ok “--unknown--”

If you change the settings from “Never” to “From visited”, the circuit shows the correct exit node. If you change the settings from “Always” back to “From visited” you will get the “--unknown--” issue.

Stay on Wikipedia (wikipedia.org) and try the following. After changing the settings, you have to refresh the page or click on “New Circuit for this Site”:

First Step:

Set the following for third-party cookies:

“Never” – exit node is ok – wikipedia.org

Now, choose “Block cookies and site data (may cause websites to break)”

Go back to wikipedia.org and refresh page or click on “New Circuit for this Site”

Result: exit node in circuit is ok – says “ wikipedia.org”

Second Step:

Go on “options” - Privacy and Security” - “Accept third-party cookies and site data”.

Set the following for third-party cookies:

“Always” – not ok – “--unknown--”

Now, choose “Block cookies and site data (may cause websites to break)”

Go back to wikipedia.org and refresh page or click on “New Circuit for this Site”

Result: exit node in circuit is not ok – says “--unknown--”

In both steps you have “Block cookies and site data (may cause websites to break)” and “Accept third-party cookies and site data Never” (greyed out). So it seems to be identical, however, setting “Always” for third-party cookies and then clicking on “ Block cookies and site data (may cause websites to break)” will cause the “--unknown--” issue, whereas setting “Never” for third-party cookies and then clicking on “Block cookies and site data (may cause websites to break)”will not cause the “--unknown--” issue”, and in the last case you will see the correct exit node in the circuit (which is “wikipedia.org_” in my example).

Go on options and set “Accept third-party cookies and site data Never”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok – says “wikipedia.org”

Go on options and set “Accept third-party cookies and site data Always”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is circuit is not ok – says “--unknown--”

Go on options and set “Accept third-party cookies and site data “Never” and then click on “Block cookies and site data (may cause websites to break)”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok – says “wikipedia.org”

Go on options and set “Accept third-party cookies and site data “Always” and then click on “Block cookies and site data (may cause websites to break)”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is not ok – says “--unknown--”

At this point the user gets stucked, because when having a look into the Options now, under “Privacy & Security” and “Cookies and Site Data”, you will see that cookies are blocked, but also the greyed out “Accept third-party cookies and site data “Never”. Now click again on “Accept third-party cookies and site data (recommended)“ and the greyed out “Never” changes into a black “Always”.

Solution:

Go on “Options” - “Privacy & Security” and “Cookies and Site Data”, change the black “Always” into “Never”. Go back to the page, where you have experienced the “--unknown--” issue (in my example “Wikipedia”), refresh the page or click on “New Circuit for this Site” and the “--unknown--” issue is gone. In my example you will see “wikipedia.org” again.

If you now wish to block cookies again, make sure you have set “Accept third-party cookies and site data “Never” and NOT “Always”. Even if you close and reopen Tor Browser you won't get the “--unknown--” issue any longer.

I really can't tell you why changing the settings for cookies influences the circuit. Maybe the developers of Tor Browser can find out what is all behind this or maybe one of you computer techies. I'm sorry for not having the technical knowledge to find out what is wrong. The only thing possible for me was to find out that quite obviously the settings for cookies changes something in the circuit. I hope I could help nevertheless.

Child Tickets

Change History (5)

comment:1 Changed 6 weeks ago by gk

acat, you have been looking into linkability/circuit display issues lately. :) So, this one is worriesome enough to get fixed, even though this is not a "standard" usage scenario.

comment:2 Changed 5 weeks ago by acat

I think this is coming from the pref observer in torbutton.js.

It keeps in sync several prefs, amongst them network.cookie.cookieBehavior and privacy.firstparty.isolate. In this case, changing the network.cookie.cookieBehaviour via UI is indirectly flipping privacy.firstparty.isolate. And if the latter is false then firstPartyDomain is not populated and circuit display will always show --unknown--, the catch-all circuit.

Is this pref syncing still logic necessary? If that's not the case, here is a patch which just removes this dependency between those two prefs, which should solve this issue: https://github.com/acatarineu/torbutton/commit/30171

comment:3 in reply to:  2 ; Changed 5 weeks ago by mcs

Replying to acat:

Is this pref syncing still logic necessary? If that's not the case, here is a patch which just removes this dependency between those two prefs, which should solve this issue: https://github.com/acatarineu/torbutton/commit/30171

The patch looks good to me and Kathy (brade). Georg should confirm, but we think you are correct that the syncing logic is no longer necessary (especially since — as far as I know — in recent versions of Tor Browser there is no GUI to allow someone to set privacy.firstparty.isolate to false).

comment:4 in reply to:  3 Changed 5 weeks ago by Thorin

Replying to mcs:

... as far as I know — in recent versions of Tor Browser there is no GUI to allow someone to set privacy.firstparty.isolate to false

And no GUI for it (or RFP) in Firefox either: upstream FYI

This UI is a long way off, so you'll be sweet until at least ESR76

comment:5 in reply to:  2 Changed 4 weeks ago by gk

Keywords: TorBrowserTeam201904R added; TorBrowserTeam201904 removed
Resolution: fixed
Status: newclosed

Replying to acat:

I think this is coming from the pref observer in torbutton.js.

It keeps in sync several prefs, amongst them network.cookie.cookieBehavior and privacy.firstparty.isolate. In this case, changing the network.cookie.cookieBehaviour via UI is indirectly flipping privacy.firstparty.isolate. And if the latter is false then firstPartyDomain is not populated and circuit display will always show --unknown--, the catch-all circuit.

Is this pref syncing still logic necessary? If that's not the case, here is a patch which just removes this dependency between those two prefs, which should solve this issue: https://github.com/acatarineu/torbutton/commit/30171

Ugh. Thanks for the patch and, yes, we should get rid of that footgun. Merged to master (commit 053c98697a4b00171a31e86399137ecb6f47ddfc).

Note: See TracTickets for help on using tickets.