Hello list, Prelimary tests indicate that the double keyed cookie logic from #3246 [1] performs as intended, but there are open questions like: How close have we covered all requirements (session, persistent, RFC 6265, real world use, maybe CVEs?) Should we consider modifying 1st/3rd party contexts of DOM stuff to accommodate broader use cases (federated login?) Which assumptions should we make of ESR network.cookie.* combos ...or should we implement and test for all config combinations? What would Mozilla require for a backport to ESR? How should this be 'packaged' with other 3rd party isolation? ...so I'm hoping to clear this up at the next TBB meeting Monday 19:00 UTC. QUESTION If anyone has changed their network.cookie.cookiebehavior to 'allow all cookies', please state which website caused the frustration. [1] https://trac.torproject.org/projects/tor/ticket/3246/ Cheers, Michael -- Michael Schloh von Bennewitz Software Development Engineer