403 Forbidden when third party cookies is disallowed

Question

403 Forbidden when third party cookies is disallowed

Closed this issue 7 years ago · 6 comments

Hi!

When adding magnet link i get 403 error.
Looking at the code in background.js i'm thinking cookies are taken from wrong page. Perhaps "browser.cookies.getAll({url: tabUrl}).then(cookies => {" should instead be "browser.cookies.getAll({url: qbtUrl}).then(cookies => {"?

Answer 1 · 2018-04-03T12:38:54.000Z

It is correct since I need to get all cookies that is associated with the tab, and include it into the POST request to the qbittorent server. This is for cases where you need auth cookies from the tab's site when downloading the torrent file from the site. When the extension sends the POST XHR, the auth cookie for qbittorrent server should be included automatically. So the only explanation that I can give you is that you are not authorized for some reason, could be issue on the server itself.

I can suggest a temporary fix: try to enable "Bypass authentication for clients in these IP subnets (CIDR notation)" option on the server.

Can you give me step by step to reproduce this? Please be specific (did you redirected to your server's url to login? what magnet url are you adding?) so I can diagnose the problem.

Answer 2 · 2018-04-04T13:58:18.000Z

Thanks for looking into this!
I found the problem is caused due to disallowing all third party cookies in FF settings. Setting it to "Always" or "From visited" makes it work.
Neither solution (cookie policy or auth bypass for ip) is a good one from privacy and security viewpoint.

Answer 3 · 2018-04-04T16:44:33.000Z

Well, then this is hard to fix. I cannot set the server's auth cookie directly on the XHR request. It will require modifying cookie header and it's forbidden because of security reasons.

…

On Wed, Apr 4, 2018, 8:58 PM slemmnord ***@***.***> wrote: Thanks for looking into this! I found the problem is caused due to disallowing all third party cookies in FF settings. Setting it to "Always" or "From visited" makes it work. Neither solution (cookie policy or auth bypass for ip) is a good one from privacy and security viewpoint. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#1 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAtuKp8ar-gwz6IfZpbQ4a9oVaygDU9Xks5tlNF7gaJpZM4TCXpu> .

Answer 4 · 2018-04-04T17:09:57.000Z

I suggest create new settings to store Qbt WebUI username and password and do a login when 403 is returned. Perhaps cache the returned cookie in session-storage to reduce subsequent logins.

Answer 5 · 2018-04-05T02:28:30.000Z

Yes, it is possible, but still won't solve the problem. I can write a login procedure, and it will return auth cookie, but I still can't apply that cookie to the XHR request since it's forbidden to set or modify cookie for any request.

Answer 6 · 2018-04-07T07:06:23.000Z

Here are the options:

I can query for the third party cookie option to notify users, but it will need privacy permission, adding extraneous permission that is not directly used in the main functionality.
I can change the third party cookie option, it also need privacy permission, but it feels way overstepping the boundary.
I can add a disclaimer at start or at addon page, that users need to allow third party cookie or it won't work properly.

Currently I prefer option #3