[tbb-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Apr 2 23:16:18 UTC 2018
#21537: Consider ignoring secure cookies for .onion addresses
-------------------------------------------------+-------------------------
 Reporter:  micah                                |          Owner:  tbb-team
     Type:  enhancement                          |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-usability,                       |  Actual Points:
  TorBrowserTeam201803, GeorgKoppen201803        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Comment (by micah):

To test this, I've set up a test site.

In a current (broken) TBB browser visit the following page:
http://cookie.revolt.org

You will see 'no cookie value set, refresh the page'. If you refresh the
page, while on http, the cookie value will continue to *not* be set. That
is because of secure cookies, and the connection not being on https. This
is expected.

Now, visit https://cookie.revolt.org and then refresh the page; you will
see a cookie value set.

Now click the 'reset cookies' link, and visit the onion link and refresh
the page. You will see the behavior is exactly the same as the http
connection, no cookie value gets set.

If TBB is fixed, then when you visit the onion link and refresh the page,
it will set a cookie and show that it is set, just like in the https case
above.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21537#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
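
Added example, not part of micah's message and not Tor Browser code: a small model of the Secure-attribute check that produces the three outcomes in the test procedure above, with and without .onion origins treated as secure. The header value, the onion hostname and the treatOnionAsSecure switch are constructed for illustration.

```javascript
// Illustration only: models the Secure-attribute decision a cookie store
// makes when a response tries to set a cookie. Not Tor Browser's code.

// Parse a Set-Cookie header value into { name, value, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // missing cookie name: reject
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: attrs.some((a) => a.toLowerCase() === "secure"),
  };
}

// May this origin set Secure cookies? treatOnionAsSecure is a hypothetical
// switch standing in for the behaviour the ticket asks for.
function isSecureOrigin(url, treatOnionAsSecure) {
  const u = new URL(url);
  if (u.protocol === "https:") return true;
  const host = u.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return Boolean(treatOnionAsSecure) && u.protocol === "http:" && host.endsWith(".onion");
}

// True if the cookie in setCookieHeader would be stored for this URL.
function wouldStoreCookie(url, setCookieHeader, treatOnionAsSecure) {
  const cookie = parseSetCookie(setCookieHeader);
  if (!cookie) return false;
  if (!cookie.secure) return true; // non-Secure cookies are unaffected
  return isSecureOrigin(url, treatOnionAsSecure);
}

const SAMPLE_HEADER = "test=1; Path=/; Secure"; // constructed header
const ONION_URL = "http://placeholder-not-a-real-service.onion/"; // constructed placeholder

// The three visits from the test procedure, as one result object.
function behaviourMatrix(treatOnionAsSecure) {
  return {
    http: wouldStoreCookie("http://cookie.revolt.org/", SAMPLE_HEADER, treatOnionAsSecure),
    https: wouldStoreCookie("https://cookie.revolt.org/", SAMPLE_HEADER, treatOnionAsSecure),
    onion: wouldStoreCookie(ONION_URL, SAMPLE_HEADER, treatOnionAsSecure),
  };
}

console.log("current:", behaviourMatrix(false));
console.log("fixed:  ", behaviourMatrix(true));
```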