Open Bug 1316019 Opened 8 years ago Updated 2 years ago

[FirstPartyIsolation] Failed to sign in to the

(Core :: DOM: Security, defect, P3)
(Reporter: cynthiatang, Unassigned)
(Blocks 1 open bug)
(Whiteboard: [tor][domsecurity-active])

Preference setting:
 1. privacy.firstparty.isolate;true
 2. network.predictor.enable-prefetch;false
 3. network.predictor.enabled;false

 1. Launch Firefox browser
 2. Go to
 3. Sign in with your Pixnet's ID and password

Actual result:
 - Failed to sign in
 - The account field and password field will be empty
 - Please see the video 

Reproduction Rate: 10/10

Other test results:
 - Firefox without FPI: Passed
 - Tor browser: Failed to sign in 

Firefox version: 52.0a1 (2016-11-07) (64-bit)
Priority: -- → P2
Assignee: nobody → tihuang
Assignee: artines1 → nobody
Priority: P2 → P3
The login flow of this website works like this:

  * Clicking on the login link takes you to  Note that this page is hosted on not

  * Filling in the form and submitting it makes a POST request to which sets session cookies on like this:
PIXCCSESSION=foo; path=/;

  * That page redirects to  session cookies are sent along that request.  That page redirects back to and the login flow is complete.  Now we're back on

So far there is no difference between the FPI case and the non-FPI case.  However, when the main page is loaded, the page makes an XHR request to URLs like to try to check whether the user is logged in.  When FPI is turned off, this request can see the cookies set by, therefore the request is submitted with three cookies named PIXSID, PIXCCSESSION and pix-easy-login-level-key.  When FPI is turned off, the request is submitted without any cookies, and in response the API sets the PIXSID and PIXCCSESSION cookies.  The response body of this request also differs between the two cases and in the non-FPI case the page incorrectly thinks the user is logged out due to this API call.

Not sure what would be the best way to fix this...
See Also: → 1616585
Severity: normal → S3
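
Added example, not part of the bug report or of Firefox's code: a minimal model of a cookie jar keyed by first party, replaying the login flow from the comment above to show which cookies the main page's XHR can send with isolation off and on. The host names are placeholders (the real hosts are not shown on this page) and the cookie values are constructed.

```javascript
// Added model: a cookie jar with and without first-party isolation (FPI).
// Host names are placeholders; cookie values are constructed.
const LOGIN_SITE = "login-site.example"; // hypothetical: hosts the login form and the API
const MAIN_SITE = "main-site.example";   // hypothetical: the page the user returns to

class CookieJar {
  constructor(isolate) {
    this.isolate = isolate; // mirrors privacy.firstparty.isolate
    this.store = new Map(); // jar key -> Map(cookie name -> value)
  }
  // FPI keys the jar by (top-level site, cookie host); otherwise by cookie host only.
  key(firstParty, host) {
    return this.isolate ? `${firstParty}|${host}` : host;
  }
  set(firstParty, host, name, value) {
    const k = this.key(firstParty, host);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
  get(firstParty, host) {
    return Object.fromEntries(this.store.get(this.key(firstParty, host)) || []);
  }
}

function runLoginFlow(isolate) {
  const jar = new CookieJar(isolate);
  // Login POST: the top-level document is the login site, so it is the first party.
  for (const name of ["PIXSID", "PIXCCSESSION", "pix-easy-login-level-key"]) {
    jar.set(LOGIN_SITE, LOGIN_SITE, name, "foo");
  }
  // Back on the main page: its XHR to the login site's API has the main site as first party.
  const sent = jar.get(MAIN_SITE, LOGIN_SITE);
  const loggedIn = "PIXSID" in sent && "PIXCCSESSION" in sent;
  if (!loggedIn) {
    // No session presented, so the API answers with fresh cookies (stored in the XHR's jar).
    jar.set(MAIN_SITE, LOGIN_SITE, "PIXSID", "new");
    jar.set(MAIN_SITE, LOGIN_SITE, "PIXCCSESSION", "new");
  }
  return { sent: Object.keys(sent).sort(), loggedIn, jars: jar.store.size };
}

console.log("FPI off:", runLoginFlow(false));
console.log("FPI on: ", runLoginFlow(true));
```

With isolation on, the same cookie host ends up with two separate jars, one per top-level site, which is why the session created during login is invisible to the status check made from the main page.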