[tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 3 08:33:54 UTC 2018


#21537: Consider ignoring secure cookies for .onion addresses
-------------------------------------------------+-------------------------
 Reporter:  micah                                |          Owner:  tbb-
                                                 |  team
     Type:  enhancement                          |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-usability,                       |  Actual Points:
  TorBrowserTeam201804, GeorgKoppen201804        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * keywords:  tbb-usability, TorBrowserTeam201803, GeorgKoppen201803 => tbb-
     usability, TorBrowserTeam201804, GeorgKoppen201804


Comment:

 Replying to [comment:9 micah]:
 > To test this, I've set up a test site.
 >
 > In a current (broken) TBB browser visit the following page:
 >
 > http://cookie.revolt.org
 >
 > You will see 'no cookie value set, refresh the page'. If you refresh the
 > page, while on http, the cookie value will continue to *not* be set. That
 > is because of secure cookies, and the connection not being on https. This
 > is expected.
 >
 > Now, visit https://cookie.revolt.org and then refresh the page; you will
 > see a cookie value set.
 >
 > Now click the 'reset cookies' link, and visit the onion link and refresh
 > the page. You will see the behavior is exactly the same as the http
 > connection: no cookie value gets set.
 >
 > If TBB is fixed, then when you visit the onion link and refresh the
 > page, it will set a cookie and show that it is set, just like in the https
 > case above.

 Thanks for this test setup! I spent part of my Easter holidays coming up
 with a patch and tests for it. It seems I have something that fixes this
 bug without breaking anything else (so far). I'll clean up my patch a bit
 and post the patch for review shortly. I think it might make it into the
 next alpha for further testing.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21537#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
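The three steps of the quoted test, modelled as an added example (not Tor Browser code and not the patch gk mentions): a Secure cookie is attached only when the page is on a channel the browser considers secure, and the proposed rule extends that notion from https: to http://<address>.onion. The cookie name/value and the onion address are constructed placeholders; the hostnames are the ones from the ticket.

```javascript
// Added example, not Tor Browser code: models the Secure-cookie decision that the
// ticket's test site exercises, with and without the proposed .onion rule.
// Parse a Set-Cookie header value into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of attrParts.filter(Boolean)) {
    const [k, v] = part.split('=');
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Current behaviour: only https: is a secure channel, so over plain http the
// Secure cookie is never sent and the test page keeps showing "no cookie value set".
function isSecureChannelCurrent(pageUrl) {
  return new URL(pageUrl).protocol === 'https:';
}

// Proposed behaviour: an onion service is already authenticated and encrypted by
// Tor, so http://<address>.onion is treated as a secure channel as well.
function isSecureChannelProposed(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol === 'https:') return true;
  // hostname is lowercased by the URL parser; a real ".onion" suffix is required,
  // so "onion" or "example.onion.com" do not qualify.
  return u.protocol === 'http:' && u.hostname.endsWith('.onion');
}

// Would the browser attach this cookie to a request for pageUrl under the given policy?
function willSendCookie(pageUrl, setCookieHeader, isSecureChannel) {
  const cookie = parseSetCookie(setCookieHeader);
  return !('secure' in cookie.attrs) || isSecureChannel(pageUrl);
}

const SET_COOKIE = 'session=abc123; Secure; Path=/'; // constructed sample cookie
const TEST_PAGES = { // hostnames from the ticket; the onion address is a placeholder
  http: 'http://cookie.revolt.org/',
  https: 'https://cookie.revolt.org/',
  onion: 'http://placeholderonionaddress.onion/',
};

// Replays the quoted test for one secure-channel policy: true = cookie value shown.
function runTicketTest(isSecureChannel) {
  const result = {};
  for (const [step, url] of Object.entries(TEST_PAGES)) {
    result[step] = willSendCookie(url, SET_COOKIE, isSecureChannel);
  }
  return result;
}
```

`runTicketTest(isSecureChannelCurrent)` reproduces the broken behaviour (`onion: false`), while `runTicketTest(isSecureChannelProposed)` gives the fixed result (`onion: true`) with the http and https steps unchanged.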

