[workaround] to stay signed into protonmail

Added by ask low 8 months ago

For Proton Mail to work, I have enabled DOM, JS & cookies for the following domains:
proton.me
account.proton.me
mail.proton.me
But for some weird reason, I get signed out after an hour of use. I usually bookmark mail.proton.me to directly head to my mailing lists. But it redirects me back to account.proton.me to relog.
I've even looked up the "Keep me signed in" check mark multiple times. But peanut browser just isn't able to store the cookies for much longer.

I've even checked the active sessions in the settings > security section. Turns out that all of those older sessions are still running.

One workaround I found in this situation is to avoid switching to another tab while the proton tab exists. As soon as my work is done with proton mail, closing that tab seems to retain cookies the next time I open mail.proton.me in a new tab (by holding the bookmark).

It's somewhat counterproductive, but works for some reason.


Replies (24)

RE: can't stay signed into proton - Added by ask low 8 months ago

Nah. Both are different issues btw. The other thread is not a big issue, as reloading usually accesses cookies again. In proton mail case, it's not the case. I permanently get signed out.

RE: can't stay signed into proton - Added by Soren Stoutner 8 months ago

They might be more related than one would initially suspect. You might also want to take a look at #788.

RE: can't stay signed into proton - Added by ask low 8 months ago

I mean, this sorta correlates to the other forum discussion. But that's not what's happening with proton mail. The issue you linked to me (#788) was when proton mail had their old domain *protonmail.com*. Now they have proton.me, and sub domains running under it.

And yup. The site's kicking me out. But, if this is like the other issue, then it should log me back in, as soon as the webview detects older cookies. But the issue is, it does not log back in.

RE: can't stay signed into proton - Added by ask low 8 months ago

The cookies get lost somewhere. I dunno how. Maybe this is proton's security feature, like if it detects some informal nature of the site, then it might log me out. Maybe I should test protonmail on any other browser.

RE: can't stay signed into proton - Added by ask low 8 months ago

I do have tutanota mail handle too. This doesn't happen with it though. That means something's wrong with the protonmail web client itself. Maybe I am missing some domain settings.

RE: can't stay signed into proton - Added by ask low 8 months ago

Another weird issue is, when I change the tabs, this happens...
The domain settings are intact. But web client boars me this warning.

RE: can't stay signed into proton - Added by Soren Stoutner 8 months ago

I think that what is happening is that Proton Mail is maintaining some sort of ongoing, periodic communication in the background. With each request it sends the login cookie. But, when you switch to a tab that has cookies disabled, that disables them for the Proton Mail tab also. So, the next time it sends its periodic communication, the cookie is not included. Proton Mail then throws this error and redirects you to a different URL. Once that happens, sending a new request with the login cookie does not automatically log you back in.

The way that last bit of behavior works (not logging you back in when you send the login cookie after you have been logged out and redirected) is something the developers of Proton Mail have decided to do. Different websites can choose to behave differently.

RE: can't stay signed into proton - Added by ask low 8 months ago

Sad. Some questions though:

  • Does each tab have its own sandboxed environment or not ?
  • Why would other tab's domain settings interfere with ongoing communicative sites ?
  • Is this the webview's limitation, or is there any way to mitigate this ?
  • Do you think they (pm devs) did this for a security reason ?

WORKAROUND - Added by ask low 8 months ago

One workaround I found in this situation is to avoid switching to another tab while the proton tab exists. As soon as my work is done with proton mail, closing that tab seems to retain cookies the next time I open mail.proton.me in a new tab (by holding the bookmark).

It's somewhat counterproductive, but works for some reason.

RE: can't stay signed into proton - Added by Soren Stoutner 8 months ago

ask low wrote in RE: can't stay signed into proton:

  • Does each tab have its own sandboxed environment or not ?

No. Not currently on Privacy Browser Android. Although I should note that they currently do on Privacy Browser PC.

  • Why would other tab's domain settings interfere with ongoing communicative sites ?

Because Cookie settings are an app-wide setting, meaning that when you enable cookies it enables them for all WebViews in the app and when you disable cookies it disables them for all WebViews in the app. This is documented in the Guide inside the app under the section for Local Storage and is the only domain setting that works this way.

  • Is this the webview's limitation, or is there any way to mitigate this ?

This is a limitation in Android's System WebView.

See https://developer.android.com/reference/android/webkit/CookieManager#setAcceptCookie(boolean)

  • Do you think they (pm devs) did this for a security reason ?

My guess is that the Android developers were just being lazy.
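
The behaviour described in the replies above (one app-wide cookie switch versus a separate cookie setting per tab), as an added example that is not part of the original thread and is not Privacy Browser's code. It is a constructed toy model: the `Server` and `Browser` classes and the tab names `mail` and `news` are hypothetical, and the server's refusal to log back in follows the description given in the thread.

```python
# Toy model (constructed): one app-wide cookie switch shared by every tab,
# as with CookieManager.setAcceptCookie(), versus a separate switch per tab.

class Server:
    """Hypothetical site that ends the session on a cookieless background poll."""
    def __init__(self):
        self.redirected = set()          # tabs already sent to the login page

    def poll(self, tab, cookie_sent):
        if tab in self.redirected:
            return "login-page"          # sending the cookie again does not log back in
        if not cookie_sent:
            self.redirected.add(tab)
            return "login-page"
        return "inbox"


class Browser:
    def __init__(self, per_tab_cookies):
        self.per_tab_cookies = per_tab_cookies
        self.domain_settings = {}        # tab name -> cookies enabled for its domain
        self.app_wide_accept = False     # the single shared switch
        self.server = Server()

    def open_tab(self, name, cookies_enabled):
        self.domain_settings[name] = cookies_enabled
        self.focus(name)

    def focus(self, name):
        # Applying the focused tab's domain settings flips the shared switch.
        self.app_wide_accept = self.domain_settings[name]

    def background_poll(self, name):
        if self.per_tab_cookies:
            sent = self.domain_settings[name]   # each tab keeps its own setting
        else:
            sent = self.app_wide_accept         # every tab follows the focused tab
        return self.server.poll(name, sent)


def run_scenario(per_tab_cookies):
    b = Browser(per_tab_cookies)
    b.open_tab("mail", cookies_enabled=True)
    results = [b.background_poll("mail")]       # mail tab focused
    b.open_tab("news", cookies_enabled=False)
    results.append(b.background_poll("mail"))   # mail tab now in the background
    b.focus("mail")
    results.append(b.background_poll("mail"))   # back on the mail tab
    return results
```

`run_scenario(False)` models the app-wide switch and `run_scenario(True)` models per-tab cookie settings.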

RE: WORKAROUND - Added by Soren Stoutner 8 months ago

ask low wrote in WORKAROUND:

One workaround I found in this situation is to avoid switching to another tab while the proton tab exists. As soon as my work is done with proton mail, closing that tab seems to retain cookies the next time I open mail.proton.me in a new tab (by holding the bookmark).

It's somewhat counterproductive, but works for some reason.

Yes, I would expect that to work. Although, for privacy and security reasons, I would recommend using an email client with local encryption key storage, like K-9 Mail with OpenKeychain, instead of accessing email in a web browser.

RE: [workaround] to stay signed into protonmail - Added by ask low 8 months ago

No. Not currently on Privacy Browser Android. Although I should note that they currently do on Privacy Browser PC.

Will it be possible through Privacy Webview in the future ?

I would recommend using an email client with local encryption key storage, like K-9 Mail with OpenKeychain, instead of accessing email in a web browser.

I know I should be using IMAP, but unfortunately protonmail on the free tier doesn't have that ability. Neither did I feel I had a reason to pay for it, nor do I use pm for daily work. I only use it for scheduled mails, where I check them manually every day at a certain time. Hence no need for a push notification.
Tutanota is what I daily drive. It doesn't have IMAP/POP for some weird security reasons defined by their devs. They have their own protocol that works through pgp. Fortunately, its web client works properly on PB Android unlike protonmail.

RE: [workaround] to stay signed into protonmail - Added by Soren Stoutner 8 months ago

Yes, in the 4.x series with Privacy WebView it will be possible to completely sandbox each tab. However, that might involve some fairly invasive changes to WebView, so it is likely that many of the other, easier, privacy-focused changes will happen first in the 4.x series.

RE: [workaround] to stay signed into protonmail - Added by ask low 8 months ago

Although you might consider other changes first, but still, sandboxing gives ample protection for site isolation. It should have to be a greater priority security model.

RE: [workaround] to stay signed into protonmail - Added by Soren Stoutner 8 months ago

I do understand that this is a highly desirable feature. But it is also highly complex and prone to break a lot of things. I tend to pick off the easy things first because I can do twenty or thirty of them in the amount of time it would probably take to implement and test full sandboxing.

RE: [workaround] to stay signed into protonmail - Added by ask low 8 months ago

highly complex and prone to break a lot of things

I thought blink had enough documentation to support sandbox environment. But do clarify me whether Android Webview is based on the same ? (or it isn't ?)

because I can do twenty or thirty of them in the amount of time it would probably take to implement and test full sandboxing.

I tend to lean on perfecting something first before shipping, instead of rushing it out. If it takes a lot of effort, but if the results will benefit, then I guess the wait is worth !

RE: [workaround] to stay signed into protonmail - Added by Soren Stoutner 8 months ago

They are all based on the Chromium codebase. However, there are a lot of modifications to the WebView build compared to what ships in Chrome. Not only do I need to figure out how to patch the code in a way that exposes functionality that is either disabled or hidden, but I need to do it in such a way that it is easy to rebase those patches for each new Chromium release.

This is a daunting enough task that most people who have considered it have either never attempted it or given up.

RE: [workaround] to stay signed into protonmail - Added by ask low 8 months ago

Strange. The same project (chromium) of a reputed megacorpo, ported from one platform to another (desktop to mobile), decided to deviate from one of its core security features, god knows for what reasons ;P

Do you think firefox mobile kept sandboxing out of the box ?

WebView and GeckoView - Added by Soren Stoutner 8 months ago

I would imagine that both Chrome and Firefox have some degree of sandboxing on Android. Note that it takes more RAM to run multiple sandboxed tabs. Also note that there is a huge range of what people consider sandboxing. For example, on Privacy Browser PC, every tab has a separate cookie store (and cache, and DOM storage, and IndexedDB, and service workers) as part of the sandboxing. What this means is that if you are logged into a website in one tab and open that website in a second tab you will not be logged in there. It also means that you can be logged into the same website as multiple users in different tabs.

This level of sandboxing is what most browsers call a private browsing tab and goes beyond what most browsers consider sandboxing, which is usually just the running of each tab in a separate process but still accessing the same shared datastores. That still requires more RAM, which is why it isn't enabled by default on WebView for Android. But you can enable this weaker level of sandboxing, known as site isolation, which does prevent some rogue JavaScript that is able to exploit some vulnerability from having easy access to the RAM of other tabs, using WebView DevTools as described at:

https://www.stoutner.com/webview-devtools/

WebView is to Chrome what GeckoView is to Firefox. Google does not expose private browsing functionality in WebView. Mozilla might or might not expose the same level of controls in GeckoView. You can read a bit more about my feelings regarding GeckoView at:

https://www.stoutner.com/geckoview/

RE: [workaround] to stay signed into protonmail - Added by ask low 5 months ago

DivestOS Browser comparisons state that all webview based browsers lack Site Isolation. Could this be a main reason for Proton Services to not work ? Cause they rely on sandboxing heavily.

RE: [workaround] to stay signed into protonmail - Added by Soren Stoutner 5 months ago

1. No, that has nothing to do with it.
2. You can enable site isolation if you like in Privacy Browser. See https://www.stoutner.com/webview-devtools/.

RE: [workaround] to stay signed into protonmail - Added by ask low 5 months ago

Interesting. I didn't know about DevTools flags, even though I tried them once. Now that I know, I mentioned this to the DivestOS Team.
