[tor-bugs] #33540 [Applications/Tor Browser]: Cookie exceptions are deleted when Tor Browser is closed

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Mar 8 06:21:19 UTC 2020 

#33540: Cookie exceptions are deleted when Tor Browser is closed
--------------------------------------+---------------------------
 Reporter:  silverwolf                |          Owner:  tbb-team
     Type:  defect                    |         Status:  closed
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:  not a bug
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------
Changes (by Thorin):

 * status:  reopened => closed
 * resolution:   => not a bug


Comment:

 Tor Browser in non-PB mode is not supported: so this is not a bug, closing

 ---

 FWIW: I had a play around. It seems that cookies are still memory only and
 permissions.sqlite is never created regardless of the prefs. I'm not sure
 why that is, but it's not something we support or recommend.


 {{{
 1. start in normal mode
         = browser.privatebrowsing.autostart = false
 2. keep site permissions
         =  permissions.memory_only = false
 3. delete cookies & site data on close
         = about:preferences#privacy > Cookies and Site Data
         = network.cookie.lifetimePolicy = 2
 4. go to website and add exception
         = right click on the page > View Page Info
         = permissions tab, change "Set Cookies" from default to "Allow"
 5. check exception
         = about:preferences#privacy Exceptions - Cookies and Site Data
         = you should have your entry keyed by Origin Attributes
         = `https://example.com^firstPartyDomain=example.com`
 }}}

 I used https://ghacksuserjs.github.io/TorZillaPrint/sanitizing.html

 After loading the test site, and getting web data set
 - I inspected `cookies.sqlite` and **nothing** was stored
 - I inspected `webappsstore.sqlite` and localStorage was stored
    - note: there may be quirks with async timing and dom.storage.next_gen
 = false
 - I inspected the profile's IDB (../storage/default/) and it had data
 written to disk
    -
 `https+++ghacksuserjs.github.io^firstPartyDomain=ghacksuserjs.github.io`
 - There is **no** `permissions.sqlite` created

 Closed Tor Browser. Restarted. The site exception is gone because
 permissions.sqlite does not exist. Visited my test page, and only the IDB
 entry persisted - which makes sense because unless you made additional
 changes, you're not clearing IDB on close. IDB is not available in PB mode
 and Tor Browser doesn't do anything special with it. **Congrats, you've
 now allowed a persistent tracking mechanism in your setup**. LocalStorage
 is a bit of mess, so ignore that.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33540#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list