[tor-bugs] #11206 [Applications/Tor Browser]: Tor Browser will not save Exceptions in the Firefox cookie manager

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 30 07:28:27 UTC 2020 

#11206: Tor Browser will not save Exceptions in the Firefox cookie manager
--------------------------------------+--------------------------
 Reporter:  toruser23                 |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-torbutton             |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by Thorin):

 Replying to [comment:8 gk]:
 > We need to decide where the bug is, though (I am not sure what the
 expected behavior in vanilla PBM is but I assume cookies can retained
 across sessions.

 No. Cookies (and without double checking, sessionStorage, localStorage) in
 PBMode are memory only. You can test by checking the `cookies.sqlite` file
 in normal mode vs PB mode

 Moot anyway, since this is about permissions, not the actual persistent
 data :)

 The distinction here is persistent "web data" vs "user data/settings" and
 they are different threat models (browsing the web vs having your OS
 compromised): e.g. PBMode allows bookmarks, passwords, site exceptions etc
 to be retained, but not history (AFAIK: there have been changes to PBMode
 in this regard since 68, but I'd have to dig them up). We don't stop
 people creating bookmarks for usability reasons, so why should we stop
 other "user" data.

 I honestly think this should be distinguished (web vs user) and relevant
 pref(s) flipped - maybe in the slider (but `permissions.memory_only` at
 least requires a restart = too messy)

 At the very least, be consistent about disk writes: because it seems like
 a mixed message here.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11206#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list