[tor-bugs] #14059 [Tor Browser]: Revision of existing double key cookie logic to meet requirements
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 27 12:26:03 UTC 2015
#14059: Revision of existing double key cookie logic to meet requirements
-----------------------------+----------------------------------
Reporter: michael | Owner: michael
Type: defect | Status: needs_information
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: TorBrowserTeam201501
Actual Points: | Parent ID: #3246
Points: |
-----------------------------+----------------------------------
Comment (by gk):
Replying to [comment:7 michael]:
> R&D is paused, and can proceed as soon as questions are answered and
> consensus on requirements is reached.
Not sure where to put my testing feedback. Given that the patch I tested is
attached in this bug I put my comments here as well. I tested with the
latest nightly + msvb14058-283f7c6.patch on top. In a clean en-US bundle I
did
1) enable third party cookies in Mozilla's privacy settings (the patch
does not contain a special pref I need to toggle as far as I can see)
2) install the Live HTTP Headers to log the traffic
3) restarted and opened the Live HTTP Headers console to log traffic
4) go to http://fundingpoint.net and saved all traffic logs
5) opened in a different tab
https://people.torproject.org/~gk/misc/fundingpoint_iframe.html and saved
all traffic.
6) searched for cookies in the logs.
I get the following in 4)
{{{
http://www.fundingpoint.net/
GET / HTTP/1.1
Host: www.fundingpoint.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101
Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 27 Jan 2015 11:47:45 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.23
Set-Cookie: PHPSESSID=sihiadjk37v8bmvboep6d0gj56; path=/
Set-Cookie:
www_pyrocms=%2FjTZdv72Vxmghi%2F9HPFS1DfgA7%2Fysq5K%2BIfGLyW8TburMfS%2FMxGRVxUtGuwpBFilYQ5Yqj6bDRCj6XQV885b%2BkzcBmWsIqk%2FCyBrqARe2y4ytZ5UKGRdzPrZziPRjXEXZlEjzGA%2B%2FvVjljWB3x%2Ft9P76AxFt8Fm9fVmgbXlhO5b3gZgdGajvY59YyO%2FPr2d1dpARNwA5Xqly%2FEFaJk78mIHRiWIlGFmwtGMRc9eQDpvsW9WEmlwbGRwi9cHZV4o6X1PcHK4LIFJZ5IaFGShYacuwGC4Mxqc%2BH8AXBVl0gL47yeAx3E5bUGzjkohzwbJE48EsccGxVMQgPBbffxskc%2FeCNTHh0RmJnOoD%2FmivHKWJ08tU1HFQ1aqz%2FyskJARW;
path=/; domain=www.fundingpoint.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
}}}
and I see these too (among others) in 5)
{{{
http://www.fundingpoint.net/
GET / HTTP/1.1
Host: www.fundingpoint.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101
Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=sihiadjk37v8bmvboep6d0gj56;
www_pyrocms=%2FjTZdv72Vxmghi%2F9HPFS1DfgA7%2Fysq5K%2BIfGLyW8TburMfS%2FMxGRVxUtGuwpBFilYQ5Yqj6bDRCj6XQV885b%2BkzcBmWsIqk%2FCyBrqARe2y4ytZ5UKGRdzPrZziPRjXEXZlEjzGA%2B%2FvVjljWB3x%2Ft9P76AxFt8Fm9fVmgbXlhO5b3gZgdGajvY59YyO%2FPr2d1dpARNwA5Xqly%2FEFaJk78mIHRiWIlGFmwtGMRc9eQDpvsW9WEmlwbGRwi9cHZV4o6X1PcHK4LIFJZ5IaFGShYacuwGC4Mxqc%2BH8AXBVl0gL47yeAx3E5bUGzjkohzwbJE48EsccGxVMQgPBbffxskc%2FeCNTHh0RmJnOoD%2FmivHKWJ08tU1HFQ1aqz%2FyskJARW;
_ga=GA1.2.28869478.1422359271; GetResponseComWebform4642401=WebformCookie
Connection: keep-alive
}}}
But that is not expected to happen as the URL bar domain in 5) is
different from the one in 4). It seems to me the patch is not working as
expected or am I missing something here?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14059#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
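
An added example, not part of gk's comment or of the patch under test: the check from steps 4) to 6) automated over saved header logs, flagging any cookie that was set under one URL bar host and later sent under a different one. The captures are constructed with shortened placeholder cookie values, the URL bar host per capture is an assumption supplied by the tester (the header log does not record it), and `header_values` and `cross_first_party_leaks` are hypothetical names.

```python
import re

# Constructed captures modelled on the two logs in the comment above; cookie
# values are shortened placeholders. The URL bar host is supplied by the tester
# because the header log itself does not record it.
CAPTURES = [
    ("www.fundingpoint.net", """\
GET / HTTP/1.1
Host: www.fundingpoint.net
HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=constructed-session-id; path=/
Set-Cookie: www_pyrocms=constructed-value; path=/; domain=www.fundingpoint.net
"""),
    ("people.torproject.org", """\
GET / HTTP/1.1
Host: www.fundingpoint.net
Cookie: PHPSESSID=constructed-session-id; www_pyrocms=constructed-value; _ga=GA1.2.constructed
Connection: keep-alive
"""),
]

def header_values(log, name):
    """Return all values of header `name` (case-insensitive) in a header log."""
    return re.findall(rf"(?im)^{re.escape(name)}:[ \t]*(.*)$", log)

def cross_first_party_leaks(captures):
    """Flag cookies sent under a URL bar host other than the one they were set under."""
    jar = {}    # (cookie host, name, value) -> URL bar host when the cookie was set
    leaks = []  # (cookie name, cookie host, set under, sent under)
    for url_bar_host, log in captures:
        hosts = header_values(log, "Host")
        if not hosts:
            continue
        host = hosts[0].strip().lower()
        # Check the request first: Cookie is sent before the response sets anything.
        for line in header_values(log, "Cookie"):
            for pair in line.split(";"):
                name, _, value = pair.strip().partition("=")
                set_under = jar.get((host, name, value))
                if set_under is not None and set_under != url_bar_host:
                    leaks.append((name, host, set_under, url_bar_host))
        for line in header_values(log, "Set-Cookie"):
            name, _, value = line.split(";", 1)[0].strip().partition("=")
            jar[(host, name, value)] = url_bar_host
    return leaks
```

Cookies that never appear in a `Set-Cookie` header, such as ones written by script, are not flagged because the logs alone cannot show where they were set.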