Closed
Bug 1319756
Opened 8 years ago
Closed 7 years ago
Login on Instagram using facebook social network stuck on Fx with FPI
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | unaffected |
| firefox51 | --- | unaffected |
| firefox52 | --- | unaffected |
| firefox53 | --- | affected |
People
(Reporter: bmaris, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [tor][domsecurity-backlog1][dfpi-ok])
Attachments
(2 files)
Screenshot showing the issue
[Note]:
- Prerequisits:
Enable perf "privacy.firstparty.isolate"
Disable perf "network.predictor.enabled"
Disable perf "network.predictor.enable-prefetch"
[Affected versions]:
- latest Nightly 53.0a1
[Affected platforms]:
- Ubuntu 16.04 32bit
[Steps to reproduce]:
1. Visit instagram.com
2. Login to instagram using facebook social network
[Expected result]:
- Fx successfully completes the login process.
[Actual result]:
- Login page loads indefinitely.
[Regression range]:
- This is not a regression, It's still an experimental feature not enabled by default in any official build.
[Additional notes]:
- Screenshot attached showing the error.
|
Reporter | |
Updated•8 years ago
|
Has Regression Range: --- → no
Has STR: --- → yes
QA Whiteboard: [qe-fpi]
|
|
Reporter | |
Comment 1•8 years ago
|
||
[Additional notes]:
- I should have mentioned that I did not encounter the same issue on Tor Browser.
|
||
Comment 2•8 years ago
|
||
I can reproduce this bug on Mac OS as well.
|
|
||
Updated•8 years ago
|
Priority: -- → P1
Whiteboard: [tor] → [tor][domsecurity-backlog1]
|
|
||
Comment 3•8 years ago
|
||
Tim, please check if the root cause of this bug is the same as bug 1319761.
Assignee: nobody → tihuang
|
||
Comment 4•7 years ago
|
||
This also reproduces on mobile with FPI on
Fennec 55 Beta 5
|
|
||
Updated•7 years ago
|
Blocks: FirstPartyIsolationQAFennec
|
||
Comment 5•7 years ago
|
||
(In reply to Ethan Tseng [:ethan] from comment #2)
> I can reproduce this bug on Mac OS as well.
Ethan, just making sure, is this a P1 bug or should it be P3 and backlog1?
Flags: needinfo?(ettseng)
|
|
||
Comment 6•7 years ago
|
||
This one is not super urgent, but would be nice to have to attain better Web compatibility.
Tim, this bug is pending for a while. Do we have any progress?
I know you don't have much bandwidth at this moment, should we ask CS to help the investigation into it?
Flags: needinfo?(ettseng) → needinfo?(tihuang)
Priority: P1 → P2
|
||
Comment 7•7 years ago
|
||
Sorry for late reply, I have no spare cycle at the current moment for this. So, I suggest that CS can help on investigating on this and I am very glad to help him in this investigation.
Assignee: tihuang → nobody
Flags: needinfo?(tihuang)
|
||
Updated•7 years ago
|
Assignee: nobody → cfu
Flags: needinfo?(cfu)
|
|
||
Comment 9•7 years ago
|
||
At a brief glance, login information is stored under Facebook's first party domain so Instagram can't access it.
Note that even Instagram fails to log in, if you open Facebook and you will find Facebook has logged in.
So I believe something is successfully saved by Facebook but just isolated from Instagram.
I will trace the script to figure out why it gets stuck after being redirected from Facebook login page back to Instagram.
Hi Arthur,
I think this is not a bug but what we expect first party isolation to achieve.
Does it seem to be a reasonable result to you that logging in with Facebook fails?
Flags: needinfo?(arthuredelstein)
|
|
||
Comment 10•7 years ago
|
||
After being redirected, Instagram calls the Facebook API FB.getLoginStatus but it only handles the connected status.
When first party isolation is enabled, the response from the API is always {status: 'unknown', authResponse: null}.
The page then gets stuck due to unexpected login status.
Here is the formatted code segment
> r.getLoginStatus(function (r) {
> p.a.clearTimeout(d);
> 'connected' === r.status && (f.a.setReady(), e && n.i(g.default) (n.i(s.a) ().catch (function (e) {
> return {}
> }).then(function (e) {
> t(i(e.igAccount))
> })));
> t(o(r.status, r.authResponse))
> });
Reference:
Facebook Docs https://developers.facebook.com/docs/facebook-login/web?locale=en_US
|
||
Comment 11•7 years ago
|
||
(In reply to Chung-Sheng Fu [:cfu] from comment #9)
> At a brief glance, login information is stored under Facebook's first party
> domain so Instagram can't access it.
> Note that even Instagram fails to log in, if you open Facebook and you will
> find Facebook has logged in.
> So I believe something is successfully saved by Facebook but just isolated
> from Instagram.
> I will trace the script to figure out why it gets stuck after being
> redirected from Facebook login page back to Instagram.
>
> Hi Arthur,
> I think this is not a bug but what we expect first party isolation to
> achieve.
> Does it seem to be a reasonable result to you that logging in with Facebook
> fails?
Hi Chung-Sheng,
It sounds plausible that Facebook might fail in this situation. It might be useful to investigate the underlying mechanism: is facebook.com attempting to set a cookie or some other kind of supercookie to pass the login state to instagram? Then we could consider whether there is any way to make this style of third-party authentication possible while still being consistent with the goals of first-party isolation.
Flags: needinfo?(arthuredelstein)
|
||
Updated•7 years ago
|
Assignee: cfu → nobody
Priority: P2 → P3
|
||
Comment 12•7 years ago
|
||
This can no longer be reproduced on instagram...
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
|
||
Updated•5 years ago
|
Whiteboard: [tor][domsecurity-backlog1] → [tor][domsecurity-backlog1][dfpi-ok]
You need to log in
before you can comment on or make changes to this bug.
Description
•