Open Bug 1174797 Opened 7 years ago Updated 2 months ago

handle OAuth not working with cookies/javascript disabled

Categories

(MailNews Core :: Networking: IMAP, defect)

Unspecified
All
defect
Not set
normal

Tracking

(thunderbird_esr38+ affected)

People

(Reporter: rkent, Unassigned, NeedInfo)

Details

(Keywords: ux-error-prevention)

I think you want tracking esr

Context: if you disabled cookies, trying to do OAuth2 authentication for gmail will show a "Oops! Your browser seems to have cookies disabled. Make sure cookies are enabled or try opening a new browser window. [?] " message in the OAuth dialog.

I'm not so sure it's ok to add it silently though, as that lets google track you elsewhere (to a limited extent) - which is probably one of the reasons you disabled cookies in the first place.

(In reply to Magnus Melin from comment #3)
> Context: if you disabled cookies, trying to do OAuth2 authentication for
> gmail will show a "Oops! Your browser seems to have cookies disabled. Make
> sure cookies are enabled or try opening a new browser window. [?] " message
> in the OAuth dialog. 

Also, even if cookies are enabled, if you have two different google oauth accounts, there may be conflicts (at least this has happened for twitter). For twitter, the cookies are removed once oauth is complete, cf. https://dxr.mozilla.org/comm-central/source/chat/protocols/twitter/twitter.js#866.

> I'm not so sure it's ok to add it silently though, as that lets google track
> you elsewhere (to a limited extent) - which is probably one of the reasons
> you disabled cookies in the first place.

Cleaning up the cookies on completion would also help with that issue.

I would prefer sticking to imap only or making oauth opt-in. I have disabled google 2-factor-authentication for a reason. Adding a cookie exception for gmail seems to be violating privacy by design principles.

How about we offer to enable the cookies for gmail instead of just telling the user they need to. That meets both requirements for user choice and good user experience.
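
Added example, not part of any comment in this bug and not Thunderbird code: a small JavaScript model of the two ideas in the comments above, a cookie exception that exists only when the user agrees to it, and removal of the cookies once OAuth completes. `CookieJar`, `runOAuthFlow`, the host and the account names are hypothetical, and the two-account conflict is modelled as the provider reusing a leftover session cookie, which is an assumption.

```javascript
// Toy model (added example): CookieJar and runOAuthFlow are hypothetical names,
// not Thunderbird APIs. Hosts and account names below are constructed samples.
class CookieJar {
  constructor() {
    this.cookies = new Map();      // "host|name" -> value
    this.allowedHosts = new Set(); // cookies are blocked unless the host is listed
  }
  set(host, name, value) {
    if (!this.allowedHosts.has(host)) return false; // cookies disabled: dropped
    this.cookies.set(`${host}|${name}`, value);
    return true;
  }
  get(host, name) { return this.cookies.get(`${host}|${name}`); }
  removeHost(host) {
    for (const key of [...this.cookies.keys()]) {
      if (key.startsWith(`${host}|`)) this.cookies.delete(key);
    }
  }
}

// Run one sign-in for `account`. The exception exists only if the user agrees,
// and with `cleanup` both the cookies and the exception are removed afterwards.
function runOAuthFlow(jar, host, account, { userConsents, cleanup }) {
  if (!userConsents) return { ok: false, reason: "cookies-disabled" };
  const addedException = !jar.allowedHosts.has(host);
  jar.allowedHosts.add(host);
  try {
    // Assumption: the provider reuses a leftover session cookie if one exists.
    const signedInAs = jar.get(host, "session") ?? account;
    jar.set(host, "session", signedInAs);
    return { ok: signedInAs === account, signedInAs };
  } finally {
    if (cleanup) {
      jar.removeHost(host);
      if (addedException) jar.allowedHosts.delete(host);
    }
  }
}

// Two accounts on one provider, with and without cleanup on completion.
function demo(cleanup) {
  const jar = new CookieJar();
  const host = "accounts.provider.example";
  const opts = { userConsents: true, cleanup };
  const first = runOAuthFlow(jar, host, "alice@provider.example", opts);
  const second = runOAuthFlow(jar, host, "bob@provider.example", opts);
  return { first, second, leftover: jar.cookies.size, exceptions: jar.allowedHosts.size };
}
```

In this model `demo(false)` leaves one cookie and one exception behind and the second sign-in lands on the first account, while `demo(true)` signs both accounts in correctly and leaves nothing in the jar.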

See Also: → 1678722
Duplicate of this bug: 1643021
OS: Unspecified → All
See Also: → 1576799, 1310389
Duplicate of this bug: 1687247
See Also: → 1591782
Duplicate of this bug: 1671809
Duplicate of this bug: 1678722

(In reply to Matt from comment #6)
> How about we offer to enable the cookies for gmail instead of just telling the user they need to. That meets both requirements for user choice and good user experience.

Duplicate of this bug: 1358567

What do you think about putting resolving this on the plate for the next version?

Ref https://www.reddit.com/r/Thunderbird/comments/p39sau/does_gmail_oauth_work/

Flags: needinfo?(bugzilla2007)

On reflection, I think we should offer to enable cookies, yes or no, rather than just the ones for Gmail. While the servers currently used are reasonably well known, they are not part of some API that Google publishes and are probably subject to change without notice. A maintenance issue going forward.

I think just offer to enable everything. If the user wants to restrict the cookies to a particular server or set of servers, that should be something they do manually after saying no to enabling cookies.

See Also: → 1757713
Summary: Add a cookie exception for GMail OAuth → handle OAuth not working with cookies/javascript disabled
See Also: → 1748416