Open
Bug 1316019
Opened 8 years ago
Updated 2 years ago
[FirstPartyIsolation] Failed to sign in to the pixnet.net
Categories
(Core :: DOM: Security, defect, P3)
Core
DOM: Security
Tracking
()
NEW
People
(Reporter: cynthiatang, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [tor][domsecurity-active])
Preference setting:
1. privacy.firstparty.isolate;true
2. network.predictor.enable-prefetch;false
3. network.predictor.enabled;false
Step:
1. Launch Firefox browser
2. Go to pixnet.net
3. Sign in with your Pixnet's ID and password
Actual result:
- Failed to sign in
- The account field and password field will be empty
- Please see the video https://youtu.be/OP_tZe-BsQU
Reproduction Rate: 10/10
Other test results:
- Firefox without FPI: Passed
- Tor browser: Failed to sign in
Firefox version: 52.0a1 (2016-11-07) (64-bit)
Updated•8 years ago
|
Priority: -- → P2
Updated•8 years ago
|
Assignee: nobody → tihuang
Updated•7 years ago
|
Assignee: artines1 → nobody
Priority: P2 → P3
Comment 1•7 years ago
|
||
The login flow of this website works like this:
* Clicking on the login link takes you to https://panel.pixnet.cc/login/openid?done=www.pixnet.net&openid=https%3A%2F%2Fmember.pixnet.cc%2Flogin&easy_login=1&from_service=Blog. Note that this page is hosted on pixnet.cc not pixnet.net.
* Filling in the form and submitting it makes a POST request to https://member.pixnet.cc/login/check which sets session cookies on pixnet.cc like this:
PIXCCSESSION=foo; path=/; domain=pixnet.cc
* That page redirects to https://panel.pixnet.cc/login/finishopenid?done=www.pixnet.net&from_service=Blog&MORE_GET_ARGS_HERE.... session cookies are sent along that request. That page redirects back to https://www.pixnet.net/?done=www.pixnet.net&openid_only=1 and the login flow is complete. Now we're back on pixnet.net.
So far there is no difference between the FPI case and the non-FPI case. However when the main page is loaded, the page makes an XHR request to URLs like https://api.pixnet.cc/api/checklogin.php?js=1&unique=1627352471×tamp=1524782009&type=3 to try to check whether the user is logged in. When FPI is turned off, this request can see the cookies set by pixnet.cc, therefore the request is submitted with three cookies named PIXSID, PIXCCSESSION and pix-easy-login-level-key. When FPI is turned off, the request is submitted without any cookies, and in response the API sets the PIXSID and PIXCCSESSION cookies. The response body of this request also differs in between the two cases and in the non-FPI case the page incorrectly thinks the user is logged out due to this API call.
Not sure what would be the best way to fix this...
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•