bugzilla.mozilla.org will be intermittently unavailable on Saturday, March 24th, from 16:00 until 20:00 UTC.
221.30 KB, image/png
Created attachment 8709218 [details] a comparison of the website with tracking protection enabled and disabled User Agent: Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0 Build ID: 20160105164030 Steps to reproduce: - Log in to the Stop and Shop website - Click on the "View my offers" link (It's worth noting that even though uBlock Origin is installed, it is turned off) Actual results: The coupons did not load, there is a static throbber in the center of the page that appears like it should move. (see top image) Expected results: The coupons should have displayed like the bottom image. JS Files Loaded: ============ The following JS files are loaded into the page: > https://dev.visualwebsiteoptimizer.com/va-ce94f92ab1f10796d366c565bae3aef4.js > https://dev.visualwebsiteoptimizer.com/analysis/opa-5caa951bb6ec0310b081e0542970d222.js > https://images.stopandshop.com/static/common/js/jquery-2.1.3.min.js > https://images.stopandshop.com/static/common/js/compiled.min.a178abae5d03bda6.js > https://images.stopandshop.com/static/common/js/modernizr-2.8.2.min.js?v=1 > https://libs.coremetrics.com/eluminate.js > https://s3.amazonaws.com/ki.js/54991/cig.js > https://stopandshop.com/dashboard/coupons-deals/ (in-content JS) > https://use.typekit.net/qjx4rwy.js > https://www.google-analytics.com/analytics.js > https://www.google-analytics.com/plugins/ua/linkid.js
Used the following build to reproduce the original issue: - build id: 20160118030338 changeset: 8cb42e7a16b4 Enabled "security.csp.debug;true" and received the following errors under the browser console: * The resource at "https://libs.coremetrics.com/eluminate.js" was blocked because tracking protection is enabled. * ReferenceError: cmSetClientID is not defined * The resource at "https://www.google-analytics.com/analytics.js" was blocked because tracking protection is enabled. * Loading mixed (insecure) display content "http://cdn.peapod.com/site/38/0/0/0/4059ced0-b696-474b-aa26-108f0222e8d2.jpg" on a secure page * GET http://cdn.peapod.com/site/38/0/0/0/4059ced0-b696-474b-aa26-108f0222e8d2.jpg * TypeError: window.cmCreatePageviewTag is not a function * Loading mixed (insecure) display content "http://cdn.peapod.com/site/38/0/0/0/4059ced0-b696-474b-aa26-108f0222e8d2.jpg" on a secure page Seems like coremetrics.com is another analytic solution that tracks user behavior and appears on disconnect.me block lists . I'm not sure if that's the reason the coupons are not loading but it seems like the script fetches a "coupon" dashboard which then displays on the website via the fx dev tools. Francois, it seems like this is working as expected but I'm not 100%.. mind taking a quick look?  https://disconnect.me/trackerprotection/blocked
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to Kamil Jozwiak [:kjozwiak] from comment #1) > Enabled "security.csp.debug;true" Out of curiosity, does that pref give you any more info? The TP messages are not gated by that. > Seems like coremetrics.com is another analytic solution that tracks user > behavior and appears on disconnect.me block lists . I'm not sure if > that's the reason the coupons are not loading but it seems like the script > fetches a "coupon" dashboard which then displays on the website via the fx > dev tools. > > Francois, it seems like this is working as expected but I'm not 100%.. mind > taking a quick look? You're right, that script gets blocked since it's on the list (https://github.com/mozilla-services/shavar-prod-lists/blob/e9a2e6364ad93f4d94e8ee8b2134a7b54656f17b/disconnect-blacklist.json#L6523). It could also be google-analytics.com since developers don't always write safe code when using these tools: https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection Of course, in this case it's also possible they did this on purpose if they only offer you discounts in exchange for being able to collect your info and track you :)
Component: DOM: Security → Safe Browsing
Product: Core → Toolkit
(In reply to François Marier [:francois] from comment #2) > Out of curiosity, does that pref give you any more info? The TP messages are > not gated by that. Apologies François, I must have missed your question when I was originally going through this. It looks like security.csp.debug doesn't offer any extra information. I went through the use case above with and without security.csp.debug;true and got the same exact error messages under the browser console. I usually look under about:config to see if the particular feature has a logging pref, habit I guess!
Component: Safe Browsing → Tracking Protection
Product: Toolkit → Firefox
Version: 43 Branch → unspecified
Component: Tracking Protection → Desktop
Product: Firefox → Tech Evangelism
Tested on 58.0a1 with TP enabled. Link above navigates to the link below. All content and links display and work correctly. https://stopandshop.com/coupons-weekly-circular/digital-coupons/#/available
Status: NEW → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.