Open Bug 1316019 Opened 6 years ago Updated 2 years ago

[FirstPartyIsolation] Failed to sign in to the pixnet.net

Categories: Core :: DOM: Security, defect, P3

People: Reporter: cynthiatang, Unassigned

References: Blocks 1 open bug

Details: Whiteboard: [tor][domsecurity-active]

Preference setting:
 1. privacy.firstparty.isolate;true
 2. network.predictor.enable-prefetch;false
 3. network.predictor.enabled;false

Steps:
 1. Launch Firefox browser
 2. Go to pixnet.net
 3. Sign in with your Pixnet ID and password

Actual result:
 - Failed to sign in
 - The account field and password field will be empty
 - Please see the video https://youtu.be/OP_tZe-BsQU 

Reproduction Rate: 10/10

Other test results:
 - Firefox without FPI: Passed
 - Tor browser: Failed to sign in 

Firefox version: 52.0a1 (2016-11-07) (64-bit)
Priority: -- → P2
Assignee: nobody → tihuang
Assignee: artines1 → nobody
Priority: P2 → P3
The login flow of this website works like this:

  * Clicking on the login link takes you to https://panel.pixnet.cc/login/openid?done=www.pixnet.net&openid=https%3A%2F%2Fmember.pixnet.cc%2Flogin&easy_login=1&from_service=Blog.  Note that this page is hosted on pixnet.cc not pixnet.net.

  * Filling in the form and submitting it makes a POST request to https://member.pixnet.cc/login/check which sets session cookies on pixnet.cc like this:
    PIXCCSESSION=foo; path=/; domain=pixnet.cc

  * That page redirects to https://panel.pixnet.cc/login/finishopenid?done=www.pixnet.net&from_service=Blog&MORE_GET_ARGS_HERE....  Session cookies are sent along with that request.  That page redirects back to https://www.pixnet.net/?done=www.pixnet.net&openid_only=1 and the login flow is complete.  Now we're back on pixnet.net.

So far there is no difference between the FPI case and the non-FPI case.  However, when the main page is loaded, the page makes an XHR request to URLs like https://api.pixnet.cc/api/checklogin.php?js=1&unique=1627352471&timestamp=1524782009&type=3 to try to check whether the user is logged in.  When FPI is turned off, this request can see the cookies set by pixnet.cc, therefore the request is submitted with three cookies named PIXSID, PIXCCSESSION and pix-easy-login-level-key.  When FPI is turned off, the request is submitted without any cookies, and in response the API sets the PIXSID and PIXCCSESSION cookies.  The response body of this request also differs between the two cases and in the non-FPI case the page incorrectly thinks the user is logged out due to this API call.

Not sure what would be the best way to fix this...
See Also: → 1616585
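
A simplified model of the cookie partitioning behind the flow analysed in the comment above. This is an added example, not code from Firefox or from this bug. It assumes the site is the last two host labels (real browsers use the Public Suffix List), models only domain-wide cookies, and uses the hypothetical names CookieJar and replayLogin. With isolation enabled, the cookie jar is keyed by the top-level site, so the cookie set while pixnet.cc was the first party is not attached to the XHR issued from the pixnet.net page.

```javascript
// Simplified model of First-Party Isolation (privacy.firstparty.isolate):
// cookies are keyed by the top-level site as well as by the cookie's domain.
// Assumption: "site" is approximated as the last two host labels; real
// browsers use the Public Suffix List. Only domain-wide cookies are modelled.
const siteOf = (host) => host.split('.').slice(-2).join('.');

class CookieJar {
  constructor(fpi) {
    this.fpi = fpi;
    this.store = new Map(); // "<firstParty>|<cookieDomain>" -> Map(name -> value)
  }
  key(topLevelHost, cookieDomain) {
    // With FPI off, every top-level site shares a single partition.
    return `${this.fpi ? siteOf(topLevelHost) : ''}|${cookieDomain}`;
  }
  set(topLevelHost, cookieDomain, name, value) {
    const k = this.key(topLevelHost, cookieDomain);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
  // Names of the cookies attached to a request for requestHost made while
  // topLevelHost is the document shown in the URL bar.
  cookiesFor(topLevelHost, requestHost) {
    const k = this.key(topLevelHost, siteOf(requestHost));
    return [...(this.store.get(k) || new Map()).keys()].sort();
  }
}

// Replays the flow from the comment; returns the cookies sent at two steps.
function replayLogin(fpi) {
  const jar = new CookieJar(fpi);
  // Top-level POST to member.pixnet.cc/login/check sets the session cookie.
  jar.set('member.pixnet.cc', 'pixnet.cc', 'PIXCCSESSION', 'foo');
  return {
    // Top-level redirect to panel.pixnet.cc/login/finishopenid.
    finishOpenId: jar.cookiesFor('panel.pixnet.cc', 'panel.pixnet.cc'),
    // XHR from the www.pixnet.net page to api.pixnet.cc/api/checklogin.php.
    checkLoginXhr: jar.cookiesFor('www.pixnet.net', 'api.pixnet.cc'),
  };
}

console.log('isolation off:', replayLogin(false));
console.log('isolation on: ', replayLogin(true));
```
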