Closed
Bug 1240640
Opened 9 years ago
Closed 7 years ago
Stop and Shop coupons don't load with tracking protection enabled
Categories
(Web Compatibility :: Privacy: Site Reports, defect)
Web Compatibility
Privacy: Site Reports
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: rn10950, Unassigned)
References
(Blocks 1 open bug, )
Details
(Whiteboard: tp-base)
Attachments
(1 file)
|
221.30 KB,
image/png
|
Details |
a comparison of the website with tracking protection enabled and disabled
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160105164030
Steps to reproduce:
- Log in to the Stop and Shop website
- Click on the "View my offers" link
(It's worth noting that even though uBlock Origin is installed, it is turned off)
Actual results:
The coupons did not load, there is a static throbber in the center of the page that appears like it should move. (see top image)
Expected results:
The coupons should have displayed like the bottom image.
JS Files Loaded:
============
The following JS files are loaded into the page:
> https://dev.visualwebsiteoptimizer.com/va-ce94f92ab1f10796d366c565bae3aef4.js
> https://dev.visualwebsiteoptimizer.com/analysis/opa-5caa951bb6ec0310b081e0542970d222.js
> https://images.stopandshop.com/static/common/js/jquery-2.1.3.min.js
> https://images.stopandshop.com/static/common/js/compiled.min.a178abae5d03bda6.js
> https://images.stopandshop.com/static/common/js/modernizr-2.8.2.min.js?v=1
> https://libs.coremetrics.com/eluminate.js
> https://s3.amazonaws.com/ki.js/54991/cig.js
> https://stopandshop.com/dashboard/coupons-deals/ (in-content JS)
> https://use.typekit.net/qjx4rwy.js
> https://www.google-analytics.com/analytics.js
> https://www.google-analytics.com/plugins/ua/linkid.js
|
||
Updated•9 years ago
|
|
||
Comment 1•9 years ago
|
||
Used the following build to reproduce the original issue:
- build id: 20160118030338 changeset: 8cb42e7a16b4
Enabled "security.csp.debug;true" and received the following errors under the browser console:
* The resource at "https://libs.coremetrics.com/eluminate.js" was blocked because tracking protection is enabled.
* ReferenceError: cmSetClientID is not defined
* The resource at "https://www.google-analytics.com/analytics.js" was blocked because tracking protection is enabled.
* Loading mixed (insecure) display content "http://cdn.peapod.com/site/38/0/0/0/4059ced0-b696-474b-aa26-108f0222e8d2.jpg" on a secure page
* GET http://cdn.peapod.com/site/38/0/0/0/4059ced0-b696-474b-aa26-108f0222e8d2.jpg
* TypeError: window.cmCreatePageviewTag is not a function
* Loading mixed (insecure) display content "http://cdn.peapod.com/site/38/0/0/0/4059ced0-b696-474b-aa26-108f0222e8d2.jpg" on a secure page
Seems like coremetrics.com is another analytic solution that tracks user behavior and appears on disconnect.me block lists [1]. I'm not sure if that's the reason the coupons are not loading but it seems like the script fetches a "coupon" dashboard which then displays on the website via the fx dev tools.
Francois, it seems like this is working as expected but I'm not 100%.. mind taking a quick look?
[1] https://disconnect.me/trackerprotection/blocked
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(francois)
|
||
Comment 2•9 years ago
|
||
(In reply to Kamil Jozwiak [:kjozwiak] from comment #1)
> Enabled "security.csp.debug;true"
Out of curiosity, does that pref give you any more info? The TP messages are not gated by that.
> Seems like coremetrics.com is another analytic solution that tracks user
> behavior and appears on disconnect.me block lists [1]. I'm not sure if
> that's the reason the coupons are not loading but it seems like the script
> fetches a "coupon" dashboard which then displays on the website via the fx
> dev tools.
>
> Francois, it seems like this is working as expected but I'm not 100%.. mind
> taking a quick look?
You're right, that script gets blocked since it's on the list (https://github.com/mozilla-services/shavar-prod-lists/blob/e9a2e6364ad93f4d94e8ee8b2134a7b54656f17b/disconnect-blacklist.json#L6523).
It could also be google-analytics.com since developers don't always write safe code when using these tools:
https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection
Of course, in this case it's also possible they did this on purpose if they only offer you discounts in exchange for being able to collect your info and track you :)
Flags: needinfo?(francois)
|
||
Updated•9 years ago
|
Component: DOM: Security → Safe Browsing
Product: Core → Toolkit
|
|
||
Comment 3•9 years ago
|
||
(In reply to François Marier [:francois] from comment #2)
> Out of curiosity, does that pref give you any more info? The TP messages are
> not gated by that.
Apologies François, I must have missed your question when I was originally going through this. It looks like security.csp.debug doesn't offer any extra information. I went through the use case above with and without security.csp.debug;true and got the same exact error messages under the browser console. I usually look under about:config to see if the particular feature has a logging pref, habit I guess!
|
|
||
Updated•9 years ago
|
Component: Safe Browsing → Tracking Protection
Product: Toolkit → Firefox
Version: 43 Branch → unspecified
|
|
||
Updated•7 years ago
|
Component: Tracking Protection → Desktop
Product: Firefox → Tech Evangelism
Whiteboard: tp-base
|
||
Comment 4•7 years ago
|
||
Tested on 58.0a1 with TP enabled. Link above navigates to the link below. All content and links display and work correctly.
https://stopandshop.com/coupons-weekly-circular/digital-coupons/#/available
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
|
Assignee | |
Updated•6 years ago
|
Product: Tech Evangelism → Web Compatibility
|
||
Updated•5 months ago
|
Component: Site Reports → Privacy: Site Reports
You need to log in
before you can comment on or make changes to this bug.
Description
•