[tbb-bugs] #30171 [Applications/Tor Browser]: Always accepting third party cookies seems to break first party isolation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 12 20:15:31 UTC 2019
#30171: Always accepting third party cookies seems to break first party isolation
-------------------------------------+-------------------------------------
Reporter: gk                         | Owner: tbb-team
Type: defect                         | Status: new
Priority: High                       | Milestone:
Component: Applications/Tor Browser  | Version:
Severity: Normal                     | Keywords: TorBrowserTeam201904, tbb-linkability
Actual Points:                       | Parent ID:
Points:                              | Reviewer:
Sponsor:                             |
-------------------------------------+-------------------------------------
Not that many folks would do this intentionally but always enabling third-
party cookies seems to break first-party isolation as the domain being
used for isolating is just always "--unknown". See
https://blog.torproject.org/comment/280689#comment-280689 for the report
(many thanks Torlion). As that one is extra awesome I'll quote it here
fully:
{{{
As I've experienced this issue several times again, I had another try to
find out, what causes this problem. I've found a way to reproduce the
issue and how to solve the problem. It's a bit difficult to explain,
that's why I'll try by giving an example:
Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page)
Try the following changes concerning third-party cookies. On the left you
see the setting, after the dashes you see the result of the exit node
shown in the circuit. After changing the settings, you have to refresh the
page or click on “New Circuit for this Site”:
Go on “options” - “Privacy and Security” - “Accept third-party cookies and
site data” and
set the following for third-party cookies:
“Never” – exit node is ok – wikipedia.org
“From visited” – exit node is ok – wikipedia.org
“Always” – exit node is not ok “--unknown--”
“From visited” – exit node is not ok “--unknown--”
If you change the settings from “Never” to “From visited”, the circuit
shows the correct exit node. If you change the settings from “Always” back
to “From visited” you will get the “--unknown--” issue.
Stay on Wikipedia (wikipedia.org) and try the following. After changing
the settings, you have to refresh the page or click on “New Circuit for
this Site”:
First Step:
Set the following for third-party cookies:
“Never” – exit node is ok – wikipedia.org
Now, choose “Block cookies and site data (may cause websites to break)”
Go back to wikipedia.org and refresh page or click on “New Circuit for
this Site”
Result: exit node in circuit is ok – says “wikipedia.org”
Second Step:
Go on “options” - “Privacy and Security” - “Accept third-party cookies and
site data”.
Set the following for third-party cookies:
“Always” – not ok – “--unknown--”
Now, choose “Block cookies and site data (may cause websites to break)”
Go back to wikipedia.org and refresh page or click on “New Circuit for
this Site”
Result: exit node in circuit is not ok – says “--unknown--”
In both steps you have “Block cookies and site data (may cause websites to
break)” and “Accept third-party cookies and site data Never” (greyed out).
So it seems to be identical, however, setting “Always” for third-party
cookies and then clicking on “Block cookies and site data (may cause
websites to break)” will cause the “--unknown--” issue, whereas setting
“Never” for third-party cookies and then clicking on “Block cookies and
site data (may cause websites to break)” will not cause the “--unknown--”
issue, and in the last case you will see the correct exit node in the
circuit (which is “wikipedia.org” in my example).
Go on options and set “Accept third-party cookies and site data Never”.
Close Tor Browser and open again. Go on Wikipedia
(https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok
– says “wikipedia.org”
Go on options and set “Accept third-party cookies and site data Always”.
Close Tor Browser and open again. Go on Wikipedia
(https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node in
circuit is not ok – says “--unknown--”
Go on options and set “Accept third-party cookies and site data Never”
and then click on “Block cookies and site data (may cause websites to
break)”. Close Tor Browser and open again. Go on Wikipedia
(https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok
– says “wikipedia.org”
Go on options and set “Accept third-party cookies and site data Always”
and then click on “Block cookies and site data (may cause websites to
break)”. Close Tor Browser and open again. Go on Wikipedia
(https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is not
ok – says “--unknown--”
At this point the user gets stuck, because when having a look into the
Options now, under “Privacy & Security” and “Cookies and Site Data”, you
will see that cookies are blocked, but also the greyed out “Accept third-
party cookies and site data Never”. Now click again on “Accept third-
party cookies and site data (recommended)” and the greyed out “Never”
changes into a black “Always”.
Solution:
Go on “Options” - “Privacy & Security” and “Cookies and Site Data”, change
the black “Always” into “Never”. Go back to the page, where you have
experienced the “--unknown--” issue (in my example “Wikipedia”), refresh
the page or click on “New Circuit for this Site” and the “--unknown--”
issue is gone. In my example you will see “wikipedia.org” again.
If you now wish to block cookies again, make sure you have set “Accept
third-party cookies and site data Never” and NOT “Always”. Even if you
close and reopen Tor Browser you won't get the “--unknown--” issue any
longer.
I really can't tell you why changing the settings for cookies influences
the circuit. Maybe the developers of Tor Browser can find out what is all
behind this or maybe one of you computer techies. I'm sorry for not having
the technical knowledge to find out what is wrong. The only thing possible
for me was to find out that quite obviously the settings for cookies
change something in the circuit. I hope I could help nevertheless.
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30171>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online