Always accepting third party cookies seems to break first party isolation
Not that many folks would do this intentionally, but always enabling third-party cookies seems to break first-party isolation, as the domain being used for isolating is just always "--unknown". See https://blog.torproject.org/comment/280689#comment-280689 for the report (many thanks Torlion). As that one is extra awesome I'll quote it here fully:
As I've experienced this issue several times again, I had another try to find out what causes this problem. I've found a way to reproduce the issue and how to solve the problem. It's a bit difficult to explain, that's why I'll try by giving an example:
Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page)
Try the following changes concerning third-party cookies. On the left you see the setting, after the dashes you see the result of the exit node shown in the circuit. After changing the settings, you have to refresh the page or click on “New Circuit for this Site”:
Go on “options” - “Privacy and Security” - “Accept third-party cookies and site data” and
set the following for third-party cookies:
“Never” – exit node is ok – wikipedia.org
“From visited” – exit node is ok – wikipedia.org
“Always” – exit node is not ok “--unknown--”
“From visited” – exit node is not ok “--unknown--”
If you change the settings from “Never” to “From visited”, the circuit shows the correct exit node. If you change the settings from “Always” back to “From visited” you will get the “--unknown--” issue.
Stay on Wikipedia (wikipedia.org) and try the following. After changing the settings, you have to refresh the page or click on “New Circuit for this Site”:
First Step:
Set the following for third-party cookies:
“Never” – exit node is ok – wikipedia.org
Now, choose “Block cookies and site data (may cause websites to break)”
Go back to wikipedia.org and refresh page or click on “New Circuit for this Site”
Result: exit node in circuit is ok – says “wikipedia.org”
Second Step:
Go on “options” - “Privacy and Security” - “Accept third-party cookies and site data”.
Set the following for third-party cookies:
“Always” – not ok – “--unknown--”
Now, choose “Block cookies and site data (may cause websites to break)”
Go back to wikipedia.org and refresh page or click on “New Circuit for this Site”
Result: exit node in circuit is not ok – says “--unknown--”
In both steps you have “Block cookies and site data (may cause websites to break)” and “Accept third-party cookies and site data Never” (greyed out). So it seems to be identical, however, setting “Always” for third-party cookies and then clicking on “Block cookies and site data (may cause websites to break)” will cause the “--unknown--” issue, whereas setting “Never” for third-party cookies and then clicking on “Block cookies and site data (may cause websites to break)” will not cause the “--unknown--” issue, and in the last case you will see the correct exit node in the circuit (which is “wikipedia.org” in my example).
Go on options and set “Accept third-party cookies and site data Never”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok – says “wikipedia.org”
Go on options and set “Accept third-party cookies and site data Always”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node in circuit is not ok – says “--unknown--”
Go on options and set “Accept third-party cookies and site data Never” and then click on “Block cookies and site data (may cause websites to break)”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok – says “wikipedia.org”
Go on options and set “Accept third-party cookies and site data Always” and then click on “Block cookies and site data (may cause websites to break)”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is not ok – says “--unknown--”
At this point the user gets stuck, because when having a look into the Options now, under “Privacy & Security” and “Cookies and Site Data”, you will see that cookies are blocked, but also the greyed out “Accept third-party cookies and site data Never”. Now click again on “Accept third-party cookies and site data (recommended)” and the greyed out “Never” changes into a black “Always”.
Solution:
Go on “Options” - “Privacy & Security” and “Cookies and Site Data”, change the black “Always” into “Never”. Go back to the page, where you have experienced the “--unknown--” issue (in my example “Wikipedia”), refresh the page or click on “New Circuit for this Site” and the “--unknown--” issue is gone. In my example you will see “wikipedia.org” again.
If you now wish to block cookies again, make sure you have set “Accept third-party cookies and site data Never” and NOT “Always”. Even if you close and reopen Tor Browser you won't get the “--unknown--” issue any longer.
I really can't tell you why changing the settings for cookies influences the circuit. Maybe the developers of Tor Browser can find out what is all behind this or maybe one of you computer techies. I'm sorry for not having the technical knowledge to find out what is wrong. The only thing possible for me was to find out that quite obviously the settings for cookies change something in the circuit. I hope I could help nevertheless.