[tor-bugs] #27824 [Applications/Tor Browser]: TorBrowser or NoScript 10 prevents cookies even if cookie exceptions are present

[Tor Bug Tracker & Wiki]

#27824: TorBrowser or NoScript 10 prevents cookies even if cookie exceptions are
present
--------------------------------------------+--------------------------
 Reporter:  joebt                           |          Owner:  tbb-team
     Type:  defect                          |         Status:  new
 Priority:  Medium                          |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  Tor Browser, NoScript, cookies  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+--------------------------

Comment (by cypherpunks):

 In TBB 8.5 & earlier (linux), IF torbutton security slider is default
 **"Standard** setting," and in preferences - **"Accept cookies & site
 data"** is checked, **then** "Accept third party cookies & site data" is
 checked & set @ Always - by default.

 With torbutton @ Standard security, when 3rd party cookies are **allowed
 Always**, it **toggles** the "privacy.firstparty.isolate" pref to FALSE;
 and toggles it to True when 3rd party cookies are set to "Never."  Then
 lots of **3rd party cookies are set** instantly.  I assume 3rd parties'
 Site Data is also loaded, but I've not checked it yet.

 I suggest that it not toggle the firstparty.isolate pref.

 In TBB, same settings as above, but 3rd Party Cookies are = "From Visited
 Sites," it still toggles firstparty.isolate = False (shouldn't), but seems
 to allow only 1st party cookies.  (I haven't checked that on 100's of
 sites.)

 When firstparty.isolate is False & torbutton security setting = Safer, it
 seems to **block** 3rd party cookies when Accept 3rd Party cookies =
 Always.  Safer setting - good.  But, parts of some sites haven't worked in
 the past at torbutton Safer setting.

 Checked this behavior several times in TBB & regular Fx 60.5esr (Linux)
 Both new installs, new profile for regular Fx ESR, no addons installed in
 the regular Fx ESR; only default addons in TBB.

 Same behavior in both of the ESR flavors, whether TBB is restarted / get
 new identity or not.  Yes, it'd delete 3rd party cookies, but they'll come
 right back unless Accept 3rd party cookies  = "Never."

 In Firefox 65 (Linux) they've changed the cookie options UI, even from a
 couple versions ago.  In it, disabling ALL cookie blocking (incl. 3rd
 party) does not toggle "privacy.firstparty.isolate" to False.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27824#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online