tag:tenfourfox.tenderapp.com,2012-01-07:/discussions/problems/8834-tenfourfox-fpr15-breaks-3rd-party-cookie-exception-handlingTenFourFox: Discussion 2019-07-14T03:43:53Ztag:tenfourfox.tenderapp.com,2012-01-07:Comment/474322692019-07-12T13:41:45Z2019-07-12T13:41:46ZTenFourFox FPR15 breaks 3rd party cookie exception handling<div><p>I was incorrect, with FPR15 the only way to get 3rd party cookies to work<br>
is to use "always allow" 3rd party cookies. Visited doesn't work if a site<br>
is a broker for another site, to pass site cookies between two sites.</p>
<p>I recommend strongly returning the previous policy of always allowing cookies<br>
from the "always allow cookies" list, since that allows 3rd party cookies to be<br>
turned off, except for trusted sites.</p>
<p>As it is now, 3rd party cookies always needs to be turned on, and that is a horrible security hole.</p></div>Bolo -- Josef T. Burgertag:tenfourfox.tenderapp.com,2012-01-07:Comment/474322692019-07-13T02:39:11Z2019-07-13T02:39:11ZTenFourFox FPR15 breaks 3rd party cookie exception handling<div><p>I haven't made any changes to this. Near as I can tell, cookie management mirrors that of mainline Firefox. If you have a specific site that breaks with the current version, I can look at it (please don't provide login information here).</p></div>Cameron Kaisertag:tenfourfox.tenderapp.com,2012-01-07:Comment/474322692019-07-13T15:32:16Z2019-07-13T15:32:17ZTenFourFox FPR15 breaks 3rd party cookie exception handling<div><p>Cameron, thank you for taking a look.</p>
<p>It is a financial website. Which needs to be logged into with<br>
customer credentials. It looks like they push their credentials<br>
out to some other entities (a federated login type setup),<br>
and voila 3rd party cookie issues.</p>
<p>You found that no changes were made, so I did more debugging:</p>
<p>1) I re-installed TenFourFox-FPR14.1 to see if it was a browser<br>
change or a bank change which caused the issues. It occurs with<br>
FPR14.1 as well.</p>
<p>2) When I try FPR14 it also fails.</p>
<p>3) The latest I was willing to go back was to FPR13.1 ... and it<br>
still doesn't work there.</p>
<p>[ I haven't used that feature in a couple of months, so it was a surpise that it didn't work -- perfectly timed with FPR15's release ]</p>
<p>The bank made some changes to their web, and it looks like the<br>
latest incarnation runs afoul of FireFox's cookie handling.<br>
Ten Four Fox got caught in the middle, and the update was just<br>
at the wrong time.</p>
<p>Doing some more debugging, the browser has to accept cookies from<br>
anywhere to start using the feature. However, once that page<br>
is loaded (and the visited sites have per-session cookies) the<br>
policy can be changed to accept cookies from visited. Then when<br>
the feature is logged out of, cookies never can be re-enabled.</p>
<pre>
<code>Which is a bit of a crappy way to have secure browser,
but better than insecurity.</code>
</pre>
<p>Mea culpa for not trying the previous version before submitting a<br>
trouble report.</p>
<p>Thank you!</p>
<p>Bolo -- Josef T. Burger</p></div>Bolotag:tenfourfox.tenderapp.com,2012-01-07:Comment/474322692019-07-14T03:43:28Z2019-07-14T03:43:53ZTenFourFox FPR15 breaks 3rd party cookie exception handling<div><p>OK. I will try to replicate your report on one of the test systems when I'm back from my business trip (next weekend most likely).</p></div>Cameron Kaiser