TenFourFox FPR15 breaks 3rd party cookie exception handling
The privacy preferences page allows for 3rd party cookies from some sites to always be used.
I allow NO 3rd party cookies .. except for sites specifically enabled by "ALLOW COOKIES ALWAYS".
Starting with FPR15 (may have happened earlier, haven't needed this since May),
the "ALWAYS ALLOW COOKIES" feature no longer works.
This is unfortunate, because now I MUST allow cookies from "visited sites", which also
means that any site I visit can sneak in and use 3rd party cookies on me.
I would hope this would be switched back to the prior method, which was far more security
friendly, since you could guarantee which 3rd party cookies you trusted, instead of having
to accept 3rd party cookies from any visited site.
1 Posted by Bolo -- Josef T... on 12 Jul, 2019 01:41 PM
I was incorrect, with FPR15 the only way to get 3rd party cookies to work
is to use "always allow" 3rd party cookies. Visited doesn't work if a site
is a broker for another site, to pass site cookies between two sites.
I recommend strongly returning the previous policy of always allowing cookies
from the "always allow cookies" list, since that allows 3rd party cookies to be
turned off, except for trusted sites.
As it is now, 3rd party cookies always need to be turned on, and that is a horrible security hole.
Support Staff 2 Posted by Cameron Kaiser on 13 Jul, 2019 02:39 AM
I haven't made any changes to this. Near as I can tell, cookie management mirrors that of mainline Firefox. If you have a specific site that breaks with the current version, I can look at it (please don't provide login information here).
3 Posted by Bolo on 13 Jul, 2019 03:32 PM
Cameron, thank you for taking a look.
It is a financial website. Which needs to be logged into with
customer credentials. It looks like they push their credentials
out to some other entities (a federated login type setup),
and voila 3rd party cookie issues.
You found that no changes were made, so I did more debugging:
1) I re-installed TenFourFox-FPR14.1 to see if it was a browser
change or a bank change which caused the issues. It occurs with
FPR14.1 as well.
2) When I try FPR14 it also fails.
3) The latest I was willing to go back was to FPR13.1 ... and it
still doesn't work there.
[ I haven't used that feature in a couple of months, so it was
a surprise that it didn't work -- perfectly timed with FPR15's
release ]
The bank made some changes to their web, and it looks like the
latest incarnation runs afoul of Firefox's cookie handling.
TenFourFox got caught in the middle, and the update was just
at the wrong time.
Doing some more debugging, the browser has to accept cookies from
anywhere to start using the feature. However, once that page
is loaded (and the visited sites have per-session cookies) the
policy can be changed to accept cookies from visited. Then when
the feature is logged out of, cookies never can be re-enabled.
Which is a bit of a crappy way to have a secure browser,
but better than insecurity.
Mea culpa for not trying the previous version before submitting a
trouble report.
Thank you!
Bolo -- Josef T. Burger
Support Staff 4 Posted by Cameron Kaiser on 14 Jul, 2019 03:43 AM
OK. I will try to replicate your report on one of the test systems when I'm back from my business trip (next weekend most likely).