[tor-bugs] #3246 [Firefox Patch Issues]: Apply third party cookie patch
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jun 30 17:44:36 UTC 2014
#3246: Apply third party cookie patch
-------------------------------------+-------------------------------------
 Reporter: mikeperry                 | Owner: mikeperry
 Type: enhancement                   | Status: new
 Priority: major                     | Milestone:
 Component: Firefox Patch Issues     | Version:
 Resolution:                         | Keywords: backport-to-mozilla,
 Actual Points:                      |  tbb-linkability, tbb-usability-website,
 Points:                             |  tbb-bounty, TorBrowserTeam201407
                                     | Parent ID:
-------------------------------------+-------------------------------------
Comment (by michael):
Replying to [comment:19 michael]:
> After applying msvb3246-306bbfd_a1, building, running firefox(1),
> logging in to the Facebook, browsing to a huffingtonpost.com page and
> clicking the 'Comment' button of the 'Add a comment...' Facebook widget at
> the bottom, nothing happens (as if a third party cookie transmission were
> stopped.)
>
On application of the newer msvb3246-d006262_a2, cookie transmission
starts working again but only when cookie policy is set to 'accept all
cookies by default' which is not what we want.
== OBJECTIVE ==
The desired outcome from patch application is to interpret double keyed
cookies as first party when they refer to foreign hosts but originate from
content associated with the domain of the 'URL bar.'
This allows us to forego changing cookie policy to 'accept all cookies by
default' and instead keep it to 'only accept from the originating site
(block third party cookies)' while transmitting double key matched cookies
to foreign hosts.
Assume a URL bar entry 'http://www.huffingtonpost.com/...' and an attempt
to add a comment at the bottom of the page after successfully logging in
to the Facebook. Clicking 'Comment' sends a POST to the Facebook, and if
our patchy browser interprets the cookie relation correctly, the following
headers are sent:
{{{
POST /ajax/connect/feedback.php HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.facebook.com/plugins/comments.php?api_key=46744042133&channel_url=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter%2FDhmkJ2TR0QN.js%3Fversion%3D41%23cb%3Dfc0b4e0b1f6ffa%26domain%3Dwww.huffingtonpost.com%26origin%3Dhttp%253A%252F%252Fwww.huffingtonpost.com%252Ff31aac803dd199c%26relation%3Dparent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.com%2Fjayson-demers%2Fhow-psychology-will-shape_b_5534545.html&locale=en_US&numposts=10&sdk=joey&skin=light&width=570
Content-Length: 863
Cookie: datr=S5qxU8zgo0o0j9GXcZHsMf0D; c_user=100004777967399; fr=0NtIaKuN7awUtojsX.AWWJtD9NlL3M3WWPxt_kxkoq9kc.BTsZpa.Em.AAA.AWVegird; xs=155%3And5eYC31G0PPqA%3A2%3A1404148314%3A3084; csm=2; s=Aa42d9MBjJhIEcDC.BTsZpa; lu=RgG3RP0d6b5MvtBc9MpH3Z8A
}}}
== PROBLEM ==
Without correct patch logic, the same headers are sent except the cookie
is considered third party for which transmission is blocked (as long as
our default value of block third party cookies holds true.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3246#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
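
The send/block decision described under OBJECTIVE and PROBLEM above, as an added Python model that is not part of the original comment and is not the patch's own code. It assumes a jar keyed on (URL bar base domain, cookie base domain) and a naive last-two-labels base domain; DoubleKeyedJar, Policy and all cookie values are hypothetical and constructed for illustration.

```python
from enum import Enum


class Policy(Enum):
    ACCEPT_ALL = 0
    BLOCK_THIRD_PARTY = 1  # 'only accept from the originating site'


def base_domain(host):
    # Simplification (assumption): last two labels only. A real browser
    # consults the Public Suffix List to find the registrable domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class DoubleKeyedJar:
    """Hypothetical jar: cookies stored under (URL bar domain, cookie domain)."""

    def __init__(self):
        self._jar = {}

    def store(self, urlbar_host, cookie_host, name, value):
        key = (base_domain(urlbar_host), base_domain(cookie_host))
        self._jar.setdefault(key, {})[name] = value

    def cookies_for(self, urlbar_host, request_host, policy, double_key=True):
        first = base_domain(urlbar_host)
        target = base_domain(request_host)
        if not double_key:
            # Model without the double-key match: any request to a host other
            # than the URL bar domain is third party and the policy decides.
            if first != target and policy is Policy.BLOCK_THIRD_PARTY:
                return {}
            merged = {}
            for (_, host), cookies in self._jar.items():
                if host == target:
                    merged.update(cookies)
            return merged
        # Double-key model: a cookie whose key matches the current URL bar
        # domain is treated as first party, so BLOCK_THIRD_PARTY lets it
        # through. Cookies keyed under another URL bar domain never match.
        return dict(self._jar.get((first, target), {}))


if __name__ == "__main__":
    jar = DoubleKeyedJar()
    # Constructed sample: cookie set by the widget while the URL bar showed
    # www.huffingtonpost.com.
    jar.store("www.huffingtonpost.com", "www.facebook.com", "c_user", "constructed-1")
    for dk in (False, True):
        print(dk, jar.cookies_for("www.huffingtonpost.com", "www.facebook.com",
                                  Policy.BLOCK_THIRD_PARTY, double_key=dk))
```
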