[tor-bugs] #3246 [Firefox Patch Issues]: Apply third party cookie patch
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 1 07:41:58 UTC 2014
#3246: Apply third party cookie patch
-------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: new
Priority: major | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords: backport-to-mozilla,
Resolution: | tbb-linkability, tbb-usability-
Actual Points: | website, tbb-bounty,
Points: | TorBrowserTeam201407
| Parent ID:
-------------------------------------+-------------------------------------
Comment (by gk):
Replying to [comment:22 michael]:
> Replying to [comment:19 michael]:
> > After applying msvb3246-306bbfd_a1, building, running firefox(1),
logging in to the Facebook, browsing to a huffingtonpost.com page and
clicking the 'Comment' button of the 'Add a comment...' Facebook widget at
the bottom, nothing happens (as if a third party cookie transmission were
stopped.)
> >
> On application of the newer msvb3246-d006262_a2, cookie transmission
starts working again but only when cookie policy is set to 'accept all
cookies by default' which is not what we want.
>
> == OBJECTIVE ==
>
> The desired outcome from patch application is to interpret double keyed
cookies as first party when they refer to foreign hosts but originate from
content associated with the domain of the 'URL bar.'
>
> This allows us to forego changing cookie policy to 'accept all cookies
by default' and instead keep it to 'only accept from the originating site
(block third party cookies)' while transmitting double key matched cookies
to foreign hosts.
Well, we actually want accept cookies from third parties. The example in
your last comment is a good one in this regard. The cookie from
facebook.com is still a third party cookie even if we bind it to the URL
bar. So, my initial feeling is that we should have the option "Allow all
cookies" checked (we want to allow all of them but need to bind the third
party ones to the URL bar domain (too)) as we want the ones from other
domains, too. That said, the logic governing whatever option we choose
should be, of course, the double-keying logic.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3246#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list