[tor-bugs] #21905 [Applications/Tor Browser]: Allow third-party cookies as we are isolating them to the first party in ESR52

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 24 19:04:19 UTC 2017


#21905: Allow third-party cookies as we are isolating them to the first party in
ESR52
---------------------------------------------+--------------------------
 Reporter:  gk                               |          Owner:  tbb-team
     Type:  enhancement                      |         Status:  new
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  tbb-usability-website, ff52-esr  |  Actual Points:
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+--------------------------

Comment (by pastly):

 pastly said more things on IRC.

 {{{
 [18:08:23] <pastly> Some guy that was really really sure of himself kept
 asserting that '3rd party' cookies aren't always third party or could
 somehow still be sent depending on special flags in a JavaScript request
 function. Idk. I made a PoC and tested with FF, Chrome, and TB. But think
 found that JS func and gave up trying to figure out if I was right or if
 he was right.
 [18:08:47] <pastly> s/But think found/but then I found/
 [18:09:40] <pastly>
 https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
 [18:10:08] <pastly> I guess it allows 3rd party cookies to be sent as long
 as the sites are colluding with Access-Control-Allow-Origin
 [18:11:00] <ANON> I would guess that an ad site might ask the browser
 to request the first party site in such a way that passes information such
 that the first party deposits a cookie that contains information from the
 ad site.
 [18:11:28] <ANON> is that what ACAO does?
 [18:11:41] <pastly> Dunno. I stopped thinking about it. :p
 }}}

 This may not be new to you smart browser people.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21905#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

