On Fri, 18 Jan 2019 at 21:00, Richard Pospesel <rich...@torproject.org> wrote:
> The Double-Keyed Redirect Cookies + 'Domain Promotion' tries to fix this
> multiple/hidden session problem by promoting the cookies of double-keyed
> websites to first-party status in the case where the originating domain is
> positively identified as solely a redirect. In the gogle.com -> google.com
> scenario, if Tor Browser could identify that gogle.com is used solely to
> redirect to google.com, then we could take the double-keyed
> gogle.com|google.com
> cookies and move them into the google.com bucket and eliminate the double
> session.

How would we detect this?

Let's say hypothetically (I haven't checked) gogle.com does not set any cookies; and just sends a 301 permanent redirect. We then perform the upgrade from gogle.com|google.com to google.com.

If we turn it on its head: google.com decides to redirect you to tracker342451345.google.com with a 301 (and setting no cookies.) We upgrade google.com|tracker342451345.google.com to tracker342451345.google.com and do so for as long as your session is open.

Does this enable a tracking vector? I don't think so; couldn't identify one - but it feels like there might be something here...

-tom