[tor-bugs] #3246 [Firefox Patch Issues]: Apply third party cookie patch
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 1 21:27:15 UTC 2014
#3246: Apply third party cookie patch
-------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: new
Priority: major | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords: backport-to-mozilla,
Resolution: | tbb-linkability, tbb-usability-
Actual Points: | website, tbb-bounty,
Points: | TorBrowserTeam201407
| Parent ID:
-------------------------------------+-------------------------------------
Comment (by michael):
Replying to [comment:23 gk]:
> Replying to [comment:22 michael]:
> > The desired outcome from patch application is to interpret double
keyed cookies as first party when they refer to foreign hosts but
originate from content associated with the domain of the 'URL bar.'
> >
> > This allows us to forego changing cookie policy to 'accept all cookies
by default' and instead keep it to 'only accept from the originating site
(block third party cookies)' while transmitting double key matched cookies
to foreign hosts.
>
> The cookie from facebook.com is still a third party cookie even if we
bind it to the URL bar. So, my initial feeling is that we should have the
option "Allow all cookies" checked (we want to allow all of them but need
to bind the third party ones to the URL bar domain (too)) as we want the
ones from other domains, too. That said, the logic governing whatever
option we choose should be, of course, the double-keying logic.
The outcome of our different approaches is equivalent. I like your idea
best, to set "Allow all cookies" but still reject third party cookies not
associated with the URL bar domain. By the way, looks like the (presently
defective) code to test this is in
netwerk/cookie/nsCookieService.cpp:nsCookieService::CheckPrefs().
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3246#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list