Open Bug 1235978 Opened 9 years ago Updated 22 days ago

Tracking protection basic breaks redditp.com

Categories: Core :: Privacy: Anti-Tracking, defect, P3
Version: 62 Branch
Hardware: x86_64
OS: Windows 10
Status: ASSIGNED
Tracking Status: firefox101 affected, firefox110 affected
Reporter: ubershmekel, Assigned: twisniewski
Blocks: 1 open bug
Keywords: webcompat:needs-diagnosis
Whiteboard: [tp-ads][tp-social][tp-yellowlist-active][tp-site-unusable]
User Story: reddit.com, googleapis.com
Attachments: 3 files
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Steps to reproduce:

1. New Private Window
2. Browse to http://redditp.com
3. See in the console "The resource at "http://www.reddit.com/.json?jsonp=jQuery191009076678373860347_1451544464726&&_=1451544464727" was blocked because tracking protection is enabled."


Actual results:

Redditp failed to load ajax request of reddit links. A black screen with no slides is seen.


Expected results:

Seeing a presentation of images.
Blocks: tp-breakage
Component: DOM: Security → Safe Browsing
Product: Core → Toolkit
It breaks this too: http://web.uforio.com/#r/worldnews
Component: Safe Browsing → Tracking Protection
Product: Toolkit → Firefox
Version: 43 Branch → unspecified
It also breaks http://reddpics.com/
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: tp-base tp-product
Priority: -- → P3
Whiteboard: tp-base tp-product → tp-base
I receive the same error on a website I am developing for the request https://www.reddit.com/api/v1/access_token?grant_type=https%3A%2F%2Foauth.reddit.com%2Fgrants%2Finstalled_client&device_id=DO_NOT_TRACK_THIS_DEVICE.

This should not be blocked because, according to reddit,
> Clients that wish to remain anonymous should use the value DO_NOT_TRACK_THIS_DEVICE.

http://redditp.com/ still fails to load content on 58.0a1 with TP enabled.
Whiteboard: tp-base → tp-needsrepro
The issue is still reproducible and it is related to `trackingprotection` breakage.
It is reproducible while Tracking Protection BASIC is enabled.

[Environment:]
Browser / Version: Firefox Nightly 63.0a1 (2018-08-06)
Operating System: Windows 10 Pro
URL: http://redditp.com

Looking at the devtools console, here are the blocked resources:
The resource at “https://www.google-analytics.com/analytics.js” was blocked because tracking protection is enabled.
The resource at “https://www.reddit.com/.json?jsonp=jQuery22004023343830486257_1533648577411&&_=1533648577412” was blocked because tracking protection is enabled.

So below are the domains to test:
- www.google-analytics.com
- www.reddit.com

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. The page is black.

I disabled the Spoof Referrer option in uMatrix and then WHITELISTED:
- reddit.com (including all related domains)
and the images in the slideshow were not shown.

Since there was an error related to Ajax ("Failed ajax, Firefox try to disable tracking protection from the shield in the URL bar") I whitelisted:
- ajax.googleapis.com
and the images were shown and the slideshow started.

The other resource (www.google-analytics.com) didn't help.

So in conclusion:
- reddit.com - Social = [tp-social]
- googleapis.com - Content = [tp-content]

----------------------------------------------------------------------------------------------------------------------------

[Note1:]
For URL: http://web.uforio.com/#r/worldnews: 
- whitelisting the `reddit.com` domain, the posts are loaded.

[Note2:]
For URL: http://reddpics.com/
- whitelisting the `reddit.com` and `ajax.googleapis.com` domains, the images are loaded.
Blocks: tpimages
User Story: (updated)
Component: Tracking Protection → Desktop
OS: Unspecified → Windows 10
Product: Firefox → Tech Evangelism
Hardware: Unspecified → x86_64
Summary: Tracking protection breaks redditp.com → Tracking protection basic breaks redditp.com
Whiteboard: tp-needsrepro → [tp-ads][tp-social]
Version: unspecified → Firefox 62
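
The triage step in the comment above (reading the blocked resources off the devtools console to get the list of domains to test), as an added JavaScript example that is not part of the bug report or of Firefox. The function name, the output shape and the `jsonp`/`callback` heuristic are assumptions made for illustration; the console lines are copied from this thread except where marked constructed.

```javascript
// Console lines copied from the reports in this bug, plus one constructed
// line (a malformed URL) to exercise the skip path.
const SAMPLE_CONSOLE = [
  'The resource at “https://www.google-analytics.com/analytics.js” was blocked because tracking protection is enabled.',
  'The resource at “https://www.reddit.com/.json?jsonp=jQuery22004023343830486257_1533648577411&&_=1533648577412” was blocked because tracking protection is enabled.',
  'The resource at "http://www.reddit.com/.json?jsonp=jQuery191009076678373860347_1451544464726&&_=1451544464727" was blocked because tracking protection is enabled.',
  'The resource at "not a url" was blocked because tracking protection is enabled.', // constructed
  'Failed ajax, Firefox try to disable tracking protection from the shield in the URL bar',
];

// Accept straight and curly quotes; both forms appear in the reports.
const BLOCKED_RE =
  /The resource at ["“]([^"”]+)["”] was blocked because tracking protection is enabled/;

// Returns one entry per blocked host: { host, count, jsonp, paths }.
function summarizeBlocked(lines) {
  const byHost = new Map();
  for (const line of lines) {
    const m = BLOCKED_RE.exec(line);
    if (!m) continue; // unrelated console output
    let url;
    try {
      url = new URL(m[1]);
    } catch {
      continue; // truncated or malformed URL in the message
    }
    const entry = byHost.get(url.hostname) ||
      { host: url.hostname, count: 0, jsonp: false, paths: new Set() };
    entry.count += 1;
    // Heuristic (assumption): a "jsonp" or "callback" query parameter marks
    // a JSONP script-tag request rather than a CORS fetch.
    if (url.searchParams.has('jsonp') || url.searchParams.has('callback')) {
      entry.jsonp = true;
    }
    entry.paths.add(url.pathname);
    byHost.set(url.hostname, entry);
  }
  return [...byHost.values()]
    .map((e) => ({ ...e, paths: [...e.paths].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Print the "domains to test" list when run directly.
for (const e of summarizeBlocked(SAMPLE_CONSOLE)) {
  console.log(`${e.host}  blocked=${e.count}  jsonp=${e.jsonp}  ${e.paths.join(',')}`);
}
```

The `jsonp` column separates script-tag loads such as the `/.json?jsonp=...` request from plain resource loads such as `analytics.js`, which matters for the later comments on JSONP versus CORS access to the Reddit API.
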
Attached image Screenshot_1.png
Added uMatrix results for URL: http://redditp.com
Attached image Screenshot_2.png
Added uMatrix results for URL: http://web.uforio.com/#r/worldnews
Attached image Screenshot_3.png
Added uMatrix results for URL: http://reddpics.com/
See Also: → 1484638
No longer blocks: tp-breakage
Product: Tech Evangelism → Web Compatibility

Is it true that the "turn off blocking for this site" button is gone in newer versions of Firefox?

https://github.com/ubershmekel/redditp/issues/73#issuecomment-527743988

We will need to unblock/sandbox/proxy https://www.reddit.com/.json for this page to be able to load its content from Reddit.

Blocks: tp-reddit
No longer blocks: tpimages
Whiteboard: [tp-ads][tp-social] → [tp-ads][tp-social][tp-yellowlist-active][tp-site-unusable]

I think this ticket could be generalized into "Tracking protection basic breaks any site interacting with Reddit API". Reddit has a nice CORS-compatible JSON API that works well from other browsers.

Whitelisting https://www.reddit.com/<anything>.json CORS calls would be a good idea. (For the record I'm also impacted: I'm developing a site that allows people to verify their social profiles)

Another note about reddit's api is that there are a few endpoints that don't work with the CORS calls and only work with the JSONP calls. For example:

https://www.reddit.com/r/random/.json returns a 301 redirect to https://www.reddit.com/r/Arcade1Up/.json

This causes the CORS request to fail.

ETP Shims?

Assignee: nobody → twisniewski

In this case shims might be able to at least provide an opt-in placeholder, like a click-to-play user interface. We're investigating how to implement such a feature, and I'll update here as that investigation progresses.

In a private window the issue is still reproducible with ETP - Standard and Strict.
https://prnt.sc/exOdaVIHuz8n

In normal windows the issue is reproducible only with ETP - Strict.
https://prnt.sc/Uj6P9b3i5Wnh

Tested with:
Browser / Version: Firefox Nightly 101.0a1 (2022-04-07)
Operating System: Windows 10 Pro

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --

I can confirm that this breaks with ETP set to STRICT, in Normal Mode, and with ETP set to STANDARD in PRIVATE Mode.

Tom, since the behavior is different here, can we move this issue to the relevant Component?

Tested with:

Browser / Version: Firefox Nightly 110.0a1 (2023-01-11) (64-bit) Chrome Version 109.0.5414.75 (Official Build) (64-bit)
Operating System: Windows 10 PRO x64

Flags: needinfo?(twisniewski)
Status: NEW → ASSIGNED

Yes, done. Thanks Raul!

Component: Desktop → Privacy: Anti-Tracking
Flags: needinfo?(twisniewski)
Product: Web Compatibility → Core
Version: Firefox 62 → 62 Branch
Severity: -- → S3