This repository has been archived by the owner. It is now read-only.

FxA does not work with the Tor browser #4609

Closed
shane-tomlinson opened this issue Jan 11, 2017 · 4 comments

@shane-tomlinson
Member

commented Jan 11, 2017

There are two problems even with the default "low" settings.

  1. Cross-domain POSTs are restricted by NoScript - noscript.filterXPost is set to true.
  2. The Authorization header is not sent to 3rd parties.

These can both be worked around by clicking the green onion, clicking the "Privacy and Security Settings" menu item, then de-selecting "Restrict 3rd party cookies and other tracking data".

Just don't forget to re-select the option when done with FxA or browsing to any other sites or else Tor's privacy & security is greatly diminished.

@rfk

Member

commented Jan 23, 2017

I wonder about our use of multiple domains from time to time, as it's something that causes a bit of pain in the dev environment as well. Would this all "just work" in Tor if we served our API from a path under the main domain? Something like e.g.:

https://accounts.firefox.com/api/auth/v1/account/create

Rather than the current scheme of:

https://api.accounts.firefox.com/v1/account/create

For comparison, Google does it this way, making backend calls to JSON endpoints underneath https://accounts.google.com.

(I'm not suggesting this with any particular urgency, just wondering out loud)

@shane-tomlinson

Member Author

commented Jan 23, 2017

@rfk - yeah, that was the conclusion I came to too, prod would act more like fxa-dev boxes instead of the other way around. We could still keep static files on a 3rd party CDN because we don't send any cookies/Auth headers with those resources anyways.

@shane-tomlinson

Member Author

commented Aug 24, 2017

It's not possible to open the Sync menu on the Tor browser. Closing.

@shane-tomlinson

Member Author

commented Aug 24, 2017

Oh, there is a menu option in the Tor browser. We just don't work. Still keeping this closed.
