Hello list,
Preliminary tests indicate that the double keyed cookie logic from #3246 [1] performs as intended, but there are open questions like:
- How closely have we covered all requirements (session, persistent, RFC 6265, real world use, maybe CVEs?)
- Should we consider modifying 1st/3rd party contexts of DOM stuff to accommodate broader use cases (federated login?)
- Which assumptions should we make of ESR network.cookie.* combos ...or should we implement and test for all config combinations?
- What would Mozilla require for a backport to ESR?
- How should this be 'packaged' with other 3rd party isolation?
...so I'm hoping to clear this up at the next TBB meeting Monday 19:00 UTC.
QUESTION
If anyone has changed their network.cookie.cookiebehavior to 'allow all cookies', please state which website caused the frustration.
[1] https://trac.torproject.org/projects/tor/ticket/3246/
Cheers, Michael