[tor-bugs] #3246 [Firefox Patch Issues]: Apply third party cookie patch

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 1 21:27:15 UTC 2014 

#3246: Apply third party cookie patch
-------------------------------------+-------------------------------------
     Reporter:  mikeperry            |      Owner:  mikeperry
         Type:  enhancement          |     Status:  new
     Priority:  major                |  Milestone:
    Component:  Firefox Patch        |    Version:
  Issues                             |   Keywords:  backport-to-mozilla,
   Resolution:                       |  tbb-linkability, tbb-usability-
Actual Points:                       |  website, tbb-bounty,
       Points:                       |  TorBrowserTeam201407
                                     |  Parent ID:
-------------------------------------+-------------------------------------

Comment (by michael):

 Replying to [comment:23 gk]:
 > Replying to [comment:22 michael]:
 > > The desired outcome from patch application is to interpret double
 keyed cookies as first party when they refer to foreign hosts but
 originate from content associated with the domain of the 'URL bar.'
 > >
 > > This allows us to forego changing cookie policy to 'accept all cookies
 by default' and instead keep it to 'only accept from the originating site
 (block third party cookies)' while transmitting double key matched cookies
 to foreign hosts.
 >
 > The cookie from facebook.com is still a third party cookie even if we
 bind it to the URL bar. So, my initial feeling is that we should have the
 option "Allow all cookies" checked (we want to allow all of them but need
 to bind the third party ones to the URL bar domain (too)) as we want the
 ones from other domains, too. That said, the logic governing whatever
 option we choose should be, of course, the double-keying logic.

 The outcome of our different approaches is equivalent. I like your idea
 best, to set "Allow all cookies" but still reject third party cookies not
 associated with the URL bar domain. By the way, looks like the (presently
 defective) code to test this is in
 netwerk/cookie/nsCookieService.cpp:nsCookieService::CheckPrefs().

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3246#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list