#21537: Consider ignoring secure cookies for .onion addresses -------------------------------------------------+------------------------- Reporter: micah | Owner: tbb- | team Type: enhancement | Status: new Priority: Medium | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: tbb-usability, | Actual Points: TorBrowserTeam201803, GeorgKoppen201803 | Parent ID: | Points: Reviewer: | Sponsor: -------------------------------------------------+-------------------------
Comment (by micah): To test this, I've set up a test site. In a current (broken) TBB browser visit the following page: http://cookie.revolt.org You will see 'no cookie value set, refresh the page'. If you refresh the page, while on http, the cookie value will continue to *not* be set. That is because of secure cookies, and the connection not being on https. This is expected. Now, visit https://cookie.revolt.org and then refresh the page, you will see a cookie value set. Now click the 'reset cookies' link, and visit the onion link and refresh the page. You will see the behavior is exactly the same as the http connection, no cookie value gets set. If TBB is fixed, then when you visit the onion link and refresh the page, it will set a cookie and show that it is set, just like in the https case above. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21537#comment:9> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs