[tor-bugs] #30171 [Applications/Tor Browser]: Always accepting third party cookies seems to break first party isolation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 23 09:40:27 UTC 2019
#30171: Always accepting third party cookies seems to break first party isolation
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
| team
Type: defect | Status: closed
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution: fixed
Keywords: TorBrowserTeam201904R, tbb- | Actual Points:
linkability |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):
* status: new => closed
* keywords: TorBrowserTeam201904, tbb-linkability =>
TorBrowserTeam201904R, tbb-linkability
* resolution: => fixed
Comment:
Replying to [comment:2 acat]:
> I think this is coming from the pref observer in torbutton.js.
>
> It keeps in sync several prefs, amongst them
`network.cookie.cookieBehavior` and `privacy.firstparty.isolate`. In this
case, changing the `network.cookie.cookieBehaviour` via UI is indirectly
flipping `privacy.firstparty.isolate`. And if the latter is false then
`firstPartyDomain` is not populated and circuit display will always show
`--unknown--`, the catch-all circuit.
>
> Is this pref syncing still logic necessary? If that's not the case, here
is a patch which just removes this dependency between those two prefs,
which should solve this issue:
https://github.com/acatarineu/torbutton/commit/30171
Ugh. Thanks for the patch and, yes, we should get rid of that footgun.
Merged to `master` (commit 053c98697a4b00171a31e86399137ecb6f47ddfc).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30171#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list