[tbb-bugs] #21905 [Applications/Tor Browser]: Allow third-party cookies as we are isolating them to the first party in ESR52
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Aug 24 19:04:19 UTC 2017
#21905: Allow third-party cookies as we are isolating them to the first party in ESR52
---------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-usability-website, ff52-esr | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------------------------------+--------------------------
Comment (by pastly):
pastly said more things on IRC.
{{{
[18:08:23] <pastly> Some guy that was really really sure of himself kept
asserting that '3rd party' cookies aren't always third party or could
somehow still be sent depending on special flags in a JavaScript request
function. Idk. I made a PoC and tested with FF, Chrome, and TB. But think
found that JS func and gave up trying to figure out if I was right or if
he was right.
[18:08:47] <pastly> s/But think found/but then I found/
[18:09:40] <pastly> https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
[18:10:08] <pastly> I guess it allows 3rd party cookies to be sent as long
as the sites are colluding with Access-Control-Allow-Origin
[18:11:00] <ANON> I would guess that an ad site might ask the browser
to request the first party site in such a way that passes information such
that the first party deposits a cookie that contains information from the
ad site.
[18:11:28] <ANON> is that what ACAO does?
[18:11:41] <pastly> Dunno. I stopped thinking about it. :p
}}}
This may not be new to you smart browser people.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21905#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online