TenFourFox FPR15 breaks 3rd party cookie exception handling

Bolo -- Josef T. Burger

12 Jul, 2019 01:15 PM

The privacy preferences page allows for 3rd party cookies from some sites to always be used.
I allow NO 3rd party cookies .. except for sites specifically enabled by "ALLOW COOKIES ALWAYS".
Starting with FPR15 (may have happened earlier, haven't needed this since May),
the "ALWAYS ALLOW COOKIES" feature no longer works.

This is unfortunate, because now I MUST allow cookies from "visited sites", which also
means that any site I visit can sneak in and use 3rd party cookies on me.

I would hope this would be switched back to the prior method, which was far more security
friendly, since you could guarantee which 3rd party cookies you trusted, instead of having
to accept 3rd party cookies from any visited site.

  1. 1 Posted by Bolo -- Josef T... on 12 Jul, 2019 01:41 PM

    I was incorrect, with FPR15 the only way to get 3rd party cookies to work
    is to use "always allow" 3rd party cookies. Visited doesn't work if a site
    is a broker for another site, to pass site cookies between two sites.

    I recommend strongly returning the previous policy of always allowing cookies
    from the "always allow cookies" list, since that allows 3rd party cookies to be
    turned off, except for trusted sites.

    As it is now, 3rd party cookies always need to be turned on, and that is a horrible security hole.

  2. Support Staff 2 Posted by Cameron Kaiser on 13 Jul, 2019 02:39 AM

    I haven't made any changes to this. Near as I can tell, cookie management mirrors that of mainline Firefox. If you have a specific site that breaks with the current version, I can look at it (please don't provide login information here).

  3. 3 Posted by Bolo on 13 Jul, 2019 03:32 PM

    Cameron, thank you for taking a look.

    It is a financial website. Which needs to be logged into with
    customer credentials. It looks like they push their credentials
    out to some other entities (a federated login type setup),
    and voila 3rd party cookie issues.

    You found that no changes were made, so I did more debugging:

    1) I re-installed TenFourFox-FPR14.1 to see if it was a browser
    change or a bank change which caused the issues. It occurs with
    FPR14.1 as well.

    2) When I try FPR14 it also fails.

    3) The latest I was willing to go back was to FPR13.1 ... and it
    still doesn't work there.

    [ I haven't used that feature in a couple of months, so it was
      a surprise that it didn't work -- perfectly timed with FPR15's
      release ]

    The bank made some changes to their web, and it looks like the
    latest incarnation runs afoul of Firefox's cookie handling.
    TenFourFox got caught in the middle, and the update was just
    at the wrong time.

    Doing some more debugging, the browser has to accept cookies from
    anywhere to start using the feature. However, once that page
    is loaded (and the visited sites have per-session cookies) the
    policy can be changed to accept cookies from visited. Then when
    the feature is logged out of, cookies never can be re-enabled.

    Which is a bit of a crappy way to have a secure browser,
    but better than insecurity.

    Mea culpa for not trying the previous version before submitting a
    trouble report.

    Thank you!

    Bolo -- Josef T. Burger

  4. Support Staff 4 Posted by Cameron Kaiser on 14 Jul, 2019 03:43 AM

    OK. I will try to replicate your report on one of the test systems when I'm back from my business trip (next weekend most likely).
