Allow third-party cookies as we are isolating them to the first party in ESR52

Now that 3rd-party cookies get isolated as well we should relax our cookie handling and allow 3rd-party cookies again.

added component::applications/tor browser ff52-esr owner::tbb-team priority::medium severity::normal status::new tbb-usability-website type::enhancement labels

tbb-nightly: TBB throws an error in error console when you switch "3rd-party cookies" in Options on Windows.

Trac:
Cc: N/A to arthuredelstein@gmail.com

As ip-check.info states, this is equal to #21756 (moved) in tracking aspect. So, no problem to enable it. Also torbutton requires some clean up, as it still uses privacy.thirdparty.isolate, resulting in:

15:25:20.836 NS_ERROR_UNEXPECTED: Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getIntPref] 1 torbutton.js:155
	torbutton_unique_pref_observer.observe chrome://torbutton/content/torbutton.js:155:40
	set_valueFromPreferences chrome://global/content/bindings/preferences.xml:364:13
	_setValue chrome://global/content/bindings/preferences.xml:191:15
	set_value chrome://global/content/bindings/preferences.xml:198:8
	userChangedValue chrome://global/content/bindings/preferences.xml:1281:15
	onxblcommand chrome://global/content/bindings/preferences.xml:1315:9

from

        switch (data) {
            case "network.cookie.cookieBehavior":
                var val = m_tb_prefs.getIntPref("network.cookie.cookieBehavior");
                var block_thirdparty = m_tb_prefs.getIntPref("privacy.thirdparty.isolate") !== 0;
                if (val == 0 && block_thirdparty) // Allow all cookies
                  m_tb_prefs.setIntPref("privacy.thirdparty.isolate", 0);
                else if (val == 1 && !block_thirdparty) // Block third party cookies
                  m_tb_prefs.setIntPref("privacy.thirdparty.isolate", 2);
                break;
            case "privacy.thirdparty.isolate":
                torbutton_update_thirdparty_prefs();
                break;

I was tempted to move this into our first 7.5 alpha build but it seems to me we might want to have some easy way to inspect the cookie isolation. Or do we have that already and I am just not aware of that? The browser UI is still broken it seems (see: #10353 (moved)).

pastly mentioned on IRC that Tor Browser does not protect against https://robinlinus.github.io/socialmedia-leak/ if we allow third-party cookies. But I think it should if third-party cookies are really the means to track users across origins. We need to investigate that more thoroughly before flipping the switch.

Trac:
Cc: arthuredelstein@gmail.com to arthuredelstein@gmail.com, pastly

pastly said more things on IRC.

[18:08:23] <pastly> Some guy that was really really sure of himself kept
asserting that '3rd party' cookies aren't always third party or could
somehow still be sent depending on special flags in a JavaScript request
function. Idk. I made a PoC and tested with FF, Chrome, and TB. But think
found that JS func and gave up trying to figure out if I was right or if he
was right.
[18:08:47] <pastly> s/But think found/but then I found/
[18:09:40] <pastly>
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredent
ials
[18:10:08] <pastly> I guess it allows 3rd party cookies to be sent as long
as the sites are colluding with Access-Control-Allow-Origin
[18:11:00] <ANON> I would guess that an ad site might ask the browser
to request the first party site in such a way that passes information such
that the first party deposits a cookie that contains information from the
ad site.
[18:11:28] <ANON> is that what ACAO does?
[18:11:41] <pastly> Dunno. I stopped thinking about it. :p

This may not be new to you smart browser people.

mentioned in issue #26345 (moved)

mentioned in issue #32002 (moved)

moved to tpo/applications/tor-browser#21905 (closed)

mentioned in issue tpo/applications/tor-browser#32002