[tor-bugs] #22481 [- Select a component]: Should TorBrowser preserve cookies across opening a new, different size window for same site?

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jun 3 18:50:40 UTC 2017


#22481: Should TorBrowser preserve cookies across opening a new, different size
window for same site?
-------------------------------------+-------------------------------------
     Reporter:  joebt                |      Owner:
         Type:  defect               |     Status:  new
     Priority:  Medium               |  Milestone:
    Component:  - Select a           |    Version:
  component                          |   Keywords:  Tor Browser, cookies,
     Severity:  Normal               |  resized windows, new circuits
Actual Points:                       |  Parent ID:
       Points:                       |   Reviewer:
      Sponsor:                       |
-------------------------------------+-------------------------------------
 In TBB 6.5.2 Linux, if cookie exceptions are set for a site & TBB's window
 borders are accidentally dragged (very easy to do), if you open the / a
 tab in a new window to restore the default window size, the cookies are
 preserved.

 Does this or similar scenarios pose any anonymity or fingerprinting
 concerns?
 A cookie that was set under a perhaps unintentionally resized window.
 Within a few seconds, the same cookie is associated w/ a new circuit and a
 '''different''' window size.  Is this a concern?  Not so much because of
 the visited site, but other adversaries / trackers.

 Dragging a tab off Firefox's desktop or opening tab in new window doesn't
 keep the same circuit (by design?) but does preserve cookies.  At least,
 no circuit info shows under Torbutton after moving a connected site to a
 new window.  But it allows establishing a new circuit.

 In tests, under the mis-sized and new correctly resized window (returned
 to default) the cookie ID values were the same.

 In this case, it seems there's no doubt that the same person viewed the
 exact same material or pages on a website, under two different window
 sizes and two different circuits, from a couple of seconds to a while,
 depending whether you immediately realize the window was accidentally
 resized (not hard to overlook, as no warning when dragging borders).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22481>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

