Tracking protection incorrectly renders blocked images on jetbrains.com

RESOLVED WORKSFORME

Status


Firefox
Tracking Protection
P2
normal
2 years ago
9 months ago

People

(Reporter: mcomella, Unassigned)

Tracking

(Blocks: 1 bug)

45 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: tp-entitylist, URL)

Attachments

(2 attachments)

Page: http://info.jetbrains.com/Kotlin-Night-2016.html

With tracking protection, the image overlaps the registration fields, preventing you from registering. Without, the images appear as expected.

Comment 1

2 years ago
I can't reproduce. Can you provide a screenshot?

Tanvi, is there a designated place for these kinds of bugs yet?
Flags: needinfo?(tanvi)
Flags: needinfo?(michael.l.comella)
Created attachment 8744101 [details]
w/o TP (not broken)

Worth noting I'm running dev edition v47 on OS X.
Flags: needinfo?(michael.l.comella)

Comment 4

2 years ago
(In reply to :Gijs Kruitbosch from comment #1)
> Tanvi, is there a designated place for these kinds of bugs yet?

I'm not sure.  Let's ask Javaun.
Flags: needinfo?(tanvi) → needinfo?(jmoradi)
I believe we just mark these bugs as blocking the meta bug 1101005. That said, I couldn't reproduce this on either Nightly or Developer Edition, with either of the two block lists. Michael, do you have any ad blocker add-ons installed? Have you tried to reproduce with a clean profile?
Blocks: 1101005
Component: General → Tracking Protection
Flags: needinfo?(jmoradi)
It appears the issue is caused by HTTPSEverywhere (I could not reproduce in safe mode).

Does that mean this should be closed?
Thanks for the update Michael. You might want to move your bug report to https://github.com/EFForg/https-everywhere
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
A thought: HTTPSEverywhere is trying to upgrade resources which are HTTPS friendly (e.g. it works without tracking protection) but break under tracking protection (presumably because the resources are not mixed content or something – I'm not sure how TP works). Could that be considered a tracking protection bug?

Also, this could be the way the page declares the content, but isn't it also on Firefox that, when the resources are blocked, they render incorrectly?
(In reply to Michael Comella (:mcomella) from comment #8)
> A thought: HTTPSEverywhere is trying to upgrade resources which are
> HTTPS friendly (e.g. it works without tracking protection) but break under
> tracking protection (presumably because the resources are not mixed content
> or something – I'm not sure how TP works). Could that be considered a
> tracking protection bug?

What is happening is that http://info.jetbrains.com/Kotlin-Night-2016.html has relative links like "/rs/426-QVD-114/images/Kotlin_Night_2016.png" for its images and that 

  http://info.jetbrains.com/rs/426-QVD-114/images/Kotlin_Night_2016.png

gets changed to

  https://na-lon02.marketo.com/rs/426-QVD-114/images/Kotlin_Night_2016.png

when using HTTPS Everywhere because of the following rule:

	<rule from="^http://info\.jetbrains\.com/"
		to="https://na-lon02.marketo.com/" />

See: https://gitweb.torproject.org/https-everywhere.git/tree/src/chrome/content/rules/JetBrains.xml?id=4332e67208f50fb38cf270d93a4c765182b86c14#n159

And because marketo.com is on the TP list, it gets blocked. Without HTTPS Everywhere, the image gets served over HTTP from the info.jetbrains.com domain which is the same origin as the page and doesn't even show up on the TP list.

Also interesting is that

  https://info.jetbrains.com/rs/426-QVD-114/images/Kotlin_Night_2016.png

gives us a TLS name mismatch error:

  info.jetbrains.com uses an invalid security certificate.
  
  The certificate is only valid for the following names: *.marketo.com,
  marketo.com

  Error code: SSL_ERROR_BAD_CERT_DOMAIN

It does look like jetbrains and marketo belong to the same company. So it might be worth asking Disconnect to get "jetbrains.com" added to the "properties" section of "Marketo" on the entity list:

  https://github.com/mozilla-services/shavar-prod-lists/blob/d53e8167a9a6c4ada9ecc3c397c61540dcd53228/disconnect-entitylist.json#L4457-L4461

which would prevent blocking marketo.com resources from pages on the jetbrains.com domain.

Feedback can be submitted to Disconnect using this form:

  https://disconnect.me/trackerprotection#feedback
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Summary: Tracking protection incorrectly renders blocked images on page → Tracking protection incorrectly renders blocked images on jetbrains.com
Priority: -- → P2
Whiteboard: tp-whitelist
Whiteboard: tp-whitelist → tp-entitylist
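
The interaction described in the comment above, as an added example that is not part of the original bug thread and is not HTTPS Everywhere or Firefox code. The block list and entity-list contents are constructed stand-ins, the first-party check uses a naive last-two-labels rule instead of the Public Suffix List, and the function names are hypothetical:

```javascript
// Added illustration: a simplified model, not HTTPS Everywhere or Firefox code.
// The rule quoted in the comment above (JetBrains.xml).
const RULES = [
  { from: /^http:\/\/info\.jetbrains\.com\//, to: "https://na-lon02.marketo.com/" },
];
// Constructed stand-ins for the block list and the Marketo entity-list entry.
const BLOCKLIST = ["marketo.com"];
const ENTITIES = { Marketo: { properties: ["marketo.com"], resources: ["marketo.com"] } };

// Apply the first matching rewrite rule, as the extension would to a request.
function rewrite(url, rules = RULES) {
  for (const { from, to } of rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return url;
}

// True when host equals a listed domain or is a subdomain of one.
const matches = (host, domains) =>
  domains.some((d) => host === d || host.endsWith("." + d));

// Assumption: the registrable domain is the last two labels (no Public Suffix List).
const baseDomain = (host) => host.split(".").slice(-2).join(".");

// Decide what tracking protection does with one subresource load.
function classify(pageUrl, resourceUrl, entities = ENTITIES) {
  const page = new URL(pageUrl).hostname;
  const res = new URL(resourceUrl).hostname;
  if (baseDomain(page) === baseDomain(res)) return "allowed: first-party";
  if (!matches(res, BLOCKLIST)) return "allowed: not listed";
  const sameEntity = Object.values(entities).some(
    (e) => matches(page, e.properties) && matches(res, e.resources));
  return sameEntity ? "allowed: same entity" : "blocked";
}

// Walk through the three cases from the bug for the page's relative image link.
function demo() {
  const page = "http://info.jetbrains.com/Kotlin-Night-2016.html";
  const img = new URL("/rs/426-QVD-114/images/Kotlin_Night_2016.png", page).href;
  const upgraded = rewrite(img);
  const fixed = { Marketo: { properties: ["marketo.com", "jetbrains.com"],
                             resources: ["marketo.com"] } };
  return {
    upgraded,
    withoutExtension: classify(page, img),
    withExtension: classify(page, upgraded),
    withEntityFix: classify(page, upgraded, fixed),
  };
}
console.log(demo());
```

The same image load goes from first-party to blocked third-party only because of the rewrite, and becomes allowed again once the page's domain appears in the entity's "properties".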
Tested on 58.0a1 with TP enabled. Page content, images, videos, links all function correctly.
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago → 9 months ago
Resolution: --- → WORKSFORME