[tor-bugs] #10569 [TorBrowserButton]: Tor Browser's Private Browsing Mode breaks sites.

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Mar 3 20:51:48 UTC 2014 

#10569: Tor Browser's Private Browsing Mode breaks sites.
----------------------------------+-----------------------------------
     Reporter:  mttp              |      Owner:  mikeperry
         Type:  defect            |     Status:  new
     Priority:  normal            |  Milestone:
    Component:  TorBrowserButton  |    Version:
   Resolution:                    |   Keywords:  tbb-usability-website
Actual Points:                    |  Parent ID:
       Points:                    |
----------------------------------+-----------------------------------

Comment (by joebt):

 "...''frustrated when they can't log in to certain sites. An example is
 en.mail.qq.com''"

 Another example is https://unseen.is, in the login form at top of page.
 This page was accessible / readable via TBB last week, but not today
 (after site upgrades?).  NOTE:  the site is in ICELAND - country code
 "'''.is'''" - not to be mistaken w/ the word "'''''is'''''."

 With the site whitelisted in NoScript & even w/ Private Browsing mode
 disabled (basically only allowing cookies, or [as a test] also allowing
 "remember browsing history" - at least while accessing a critical site).

 Creating a new Unseen.is email account:  __Before__ Unseen.is "upgraded
 their system" on 3/2/2014, from above URL, with cookies allowed &
 unseen.is whitelisted in !NoScript, it was possible to load the site in
 TBB 3.5.2 (Win).  Data for a new acct could be submitted via TBB & the
 acct __was actually created__.  But once data was submitted & acct
 creation was successful, all that appeared afterward in TBB was a blank
 page w/ "spinning throbber / wheel" - that just sat.

 But the acct was created & could be accessed / used, by other browser.  It
 was also impossible to login to the active acct via TBB.  Again, it seemed
 to accept login data, but then displays only blank screen w/ a throbber or
 "star wheel."

 '''KEY POINT''':  The problem doesn't seem to be NoScript, javascript or
 cookie issues.

 Even (temporarily) disabling or uninstalling in TBB 3.5.2:  NoScript and /
 or: (Torbutton, HTTPS Everywhere), doesn't allow accessing
 HTTPS://unseen.is.  There are apparently? other settings changes made in
 TBB causing the problem.  It may __BE__ valid action by TBB to preserve
 anonymity, but it's still a problem.

 __But...Using regular Fx 27 - Win, with NoScript,__ (and unseen is
 whitelisted), HTTPS Everywhere & only session cookies allowed for
 Unseen.is  (no 3rd party), login works normally.  As w/ TBB, after
 submitting login data, the white "loading mask" page w/ throbber appears a
 few sec., but quickly disappears - allowing access to the acct.

 Separate testing with regular Fx 27, using a "special profile" created by
 the extension "JonDoFox," the __same problem arises__.  Even after the
 extra* addons installed by JonDoFox extension  - for privacy - are
 disabled or removed.  *Extra addons JDF installs are similar to TBB:
 NoScript, HTTPS Everywhere - plus couple others.  But JDF makes some
 similar changes about:config, or in blocking certain browser data to
 reduce browser fingerprinting, as do TBB / Torbutton.

 So far, I've not identified what common changes* made by TBB / Torbutton
 and !JonDoFox (*that AREN'T __directly__ in NoScript, etc.) - that may be
 the problem - if any.  But the issue ''seems'' to point at such __common__
 changes, that aren't part of NoScript, HTTPS Everywhere, etc.

 "''you can disable private browsing mode from Torbutton''"

 Yes, but that still doesn't allow TBB 3.5.2 Win access to
 https://unseen.is.  AFAIK, regardless of what OTHER TBB privacy settings
 are changed, the site's still inaccessible.

 What may be of troubleshooting help is the domain
 https://mail.unseen.is/webmail/ __IS TBB accessible__ & __login works__ -
 at least for me as of 3/3.  To login w/ TBB at this URL, only domain
 unseen.is is whitelisted in NoScript & session cookies for (only) the
 unseen.is domain are required.  So far, several support techs seem unaware
 of this difference for the 2 URLs.

 Note:  Seems __no trackers__ on [https://mail.unseen.is/webmail/
 https://mail.unseen.is/webmail/.]But [https://unseen.is
 https://unseen.is,][https://unseen.is shows tracker
 https://dnn506yrbagrg.cloudfront.net/pages/scripts/0019/2012.js?387188.
 May / may not be significant to the issue.]

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10569#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list