Open Bug 1174797 Opened 8 years ago Updated 5 months ago

handle OAuth not working with cookies/javascript disabled

Categories

(MailNews Core :: Networking: IMAP, defect)

Product:
MailNews Core
Component:
Networking: IMAP
Platform:
Unspecified
All
Type:
defect

Tracking

(thunderbird_esr38+ affected)

Tracking Flags:
Tracking Status
thunderbird_esr38 + affected

People

(Reporter: rkent, Unassigned, NeedInfo)

References

(
URL
)

Details

(Keywords: ux-error-prevention) 

I think you want tracking esr
status-thunderbird_esr38: --- → affected
tracking-thunderbird_esr38: --- → ?
Context: if you disabled cookies, trying to do OAuth2 authentication for gmail will show a "Oops! Your browser seems to have cookies disabled. Make sure cookies are enabled or try opening a new browser window. [?] " message in the OAuth dialog. 

I'm not so sure it's ok to add it silently though, as that lets google track you elsewhere (to a limited extent) - which is probably one of the reasons you disabled cookies in the first place.
(In reply to Magnus Melin from comment #3)
> Context: if you disabled cookies, trying to do OAuth2 authentication for
> gmail will show a "Oops! Your browser seems to have cookies disabled. Make
> sure cookies are enabled or try opening a new browser window. [?] " message
> in the OAuth dialog. 

Also, even if cookies are enabled, if you have two different google oauth accounts, there may be conflicts (at least this has happened for twitter). For twitter, the cookies are removed once oauth is complete, cf. https://dxr.mozilla.org/comm-central/source/chat/protocols/twitter/twitter.js#866.

> I'm not so sure it's ok to add it silently though, as that lets google track
> you elsewhere (to a limited extent) - which is probably one of the reasons
> you disabled cookies in the first place.

Cleaning up the cookies on completion would also help with that issue.
i would prefer sticking to imap only or making oauth opt-in. i have disabled google 2-factor-authentication for a reason. Adding a cookie exception for gmail seems to be violating privacy by design principles.

How about we offer to enable the cookies for gmail instead of just telling the user they need to. That meets both requirements for user choice and good user experience.

See Also: → 1678722
OS: Unspecified → All
See Also: → 1576799, 1310389
Keywords: ux-error-prevention
See Also: → 1591782

(In reply to Matt from comment #6)

How about we offer to enable the cookies for gmail instead of just telling the user they need to. That meets both requirements for user choice and good user experience.

What do you think about putting resolving this on the plate for the next version?

Ref https://www.reddit.com/r/Thunderbird/comments/p39sau/does_gmail_oauth_work/

Flags: needinfo?(bugzilla2007)

On reflection, I think we should offer to enable cookies yes or no, rather than just the ones for Gmail. While those servers currently used is reasonably well known, they are not part of some API that Google publish and are probably subject to change without notice. A maintenance issue going forward.

I think just offer to enable everything. If the user want to restrict the cookies to a particular server or set of servers, that should be something they do manually after saying no to enabling cookies.

See Also: → 1757713
Summary: Add a cookie exception for GMail OAuth → handle OAuth not working with cookies/javascript disabled
See Also: → 1748416
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.