Closed Bug 1319756 Opened 6 years ago Closed 4 years ago

Login on Instagram using facebook social network stuck on Fx with FPI

Categories

(Core :: DOM: Security, defect, P3)

53 Branch
All
Linux
defect

RESOLVED WORKSFORME
Tracking Status
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- affected

People

(Reporter: bogdan_maris, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [tor][domsecurity-backlog1][dfpi-ok])

Attachments

(2 files)

[Note]:
- Prerequisites:
Enable pref "privacy.firstparty.isolate"
Disable pref "network.predictor.enabled"
Disable pref "network.predictor.enable-prefetch"

[Affected versions]:
- latest Nightly 53.0a1

[Affected platforms]:
- Ubuntu 16.04 32bit

[Steps to reproduce]:
1. Visit instagram.com
2. Login to instagram using facebook social network

[Expected result]:
- Fx successfully completes the login process.

[Actual result]:
- Login page loads indefinitely.

[Regression range]:
- This is not a regression; it's still an experimental feature not enabled by default in any official build.

[Additional notes]:
- Screenshot attached showing the error.
Has Regression Range: --- → no
Has STR: --- → yes
QA Whiteboard: [qe-fpi]
[Additional notes]:
- I should have mentioned that I did not encounter the same issue on Tor Browser.
I can reproduce this bug on Mac OS as well.
Priority: -- → P1
Whiteboard: [tor] → [tor][domsecurity-backlog1]
Tim, please check if the root cause of this bug is the same as bug 1319761.
Assignee: nobody → tihuang
Attached image ScreenShot
This also reproduces on mobile with FPI on Fennec 55 Beta 5
(In reply to Ethan Tseng [:ethan] from comment #2)
> I can reproduce this bug on Mac OS as well.

Ethan, just making sure, is this a P1 bug or should it be P3 and backlog1?
Flags: needinfo?(ettseng)
This one is not super urgent, but would be nice to have to attain better Web compatibility.

Tim, this bug has been pending for a while. Do we have any progress?
I know you don't have much bandwidth at this moment; should we ask CS to help with the investigation into it?
Flags: needinfo?(ettseng) → needinfo?(tihuang)
Priority: P1 → P2
Sorry for the late reply, I have no spare cycles at the moment for this. So, I suggest that CS can help with investigating this, and I am very glad to help him in this investigation.
Assignee: tihuang → nobody
Flags: needinfo?(tihuang)
CS, please help to look into this bug, thanks.
Flags: needinfo?(cfu)
Assignee: nobody → cfu
Flags: needinfo?(cfu)
At a brief glance, login information is stored under Facebook's first party domain so Instagram can't access it.
Note that even though Instagram fails to log in, if you open Facebook you will find Facebook has logged in.
So I believe something is successfully saved by Facebook but just isolated from Instagram.
I will trace the script to figure out why it gets stuck after being redirected from the Facebook login page back to Instagram.

Hi Arthur,
I think this is not a bug but what we expect first party isolation to achieve.
Does it seem to be a reasonable result to you that logging in with Facebook fails?
Flags: needinfo?(arthuredelstein)
After being redirected, Instagram calls the Facebook API FB.getLoginStatus, but it only handles the connected status.
When first party isolation is enabled, the response from the API is always {status: 'unknown', authResponse: null}.
The page then gets stuck due to the unexpected login status.
Here is the formatted code segment:

> r.getLoginStatus(function (r) {
>   p.a.clearTimeout(d);
>   'connected' === r.status && (f.a.setReady(), e && n.i(g.default) (n.i(s.a) ().catch (function (e) {
>     return {}
>   }).then(function (e) {
>     t(i(e.igAccount))
>   })));
>   t(o(r.status, r.authResponse))
> });

Reference:
Facebook Docs https://developers.facebook.com/docs/facebook-login/web?locale=en_US
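
The behaviour described in the comment above, modelled as an added example (not code from this bug, Firefox, the Facebook SDK or Instagram): a cookie jar keyed by first-party domain, following the hypothesis in comment 9, and a status handler that reaches a terminal state for 'unknown' instead of waiting. `CookieJar`, `getLoginStatus` (a synchronous stand-in for the asynchronous `FB.getLoginStatus`), `handleStatus` and `simulate` are hypothetical names, and the session value is constructed.

```javascript
// Added illustration: a constructed model, not Firefox, Facebook SDK or Instagram code.

// Cookie jar keyed by (first-party domain, cookie host), the assumed FPI behaviour.
// With isolation off, the first-party key is ignored (single-keyed jar).
class CookieJar {
  constructor(isolate) {
    this.isolate = isolate;
    this.store = new Map();
  }
  key(firstParty, host) {
    return this.isolate ? `${firstParty}^${host}` : host;
  }
  set(firstParty, host, value) {
    this.store.set(this.key(firstParty, host), value);
  }
  get(firstParty, host) {
    return this.store.get(this.key(firstParty, host)) ?? null;
  }
}

// Hypothetical stand-in for the SDK status check running in a facebook.com
// context under `topLevelSite`; it only sees the cookie in that jar partition.
function getLoginStatus(jar, topLevelSite) {
  const session = jar.get(topLevelSite, 'facebook.com');
  return session
    ? { status: 'connected', authResponse: { session } }
    : { status: 'unknown', authResponse: null };
}

// Relying-party handler that ends in a defined UI state for every status.
function handleStatus(response) {
  switch (response.status) {
    case 'connected': return 'logged-in';
    case 'not_authorized': return 'ask-for-authorization';
    default: return 'show-login-form'; // 'unknown' or anything unexpected
  }
}

function simulate(isolate) {
  const jar = new CookieJar(isolate);
  // The user logs in on the Facebook login page: top-level site is facebook.com.
  jar.set('facebook.com', 'facebook.com', 'constructed-session');
  return {
    onFacebook: handleStatus(getLoginStatus(jar, 'facebook.com')),
    onInstagram: handleStatus(getLoginStatus(jar, 'instagram.com')),
  };
}
```

`simulate(true)` reproduces the reported split: the session is visible with facebook.com as the top-level site but not under instagram.com, where the handler falls back to a login form rather than stalling.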
(In reply to Chung-Sheng Fu [:cfu] from comment #9)
> At a brief glance, login information is stored under Facebook's first party
> domain so Instagram can't access it.
> Note that even though Instagram fails to log in, if you open Facebook you will
> find Facebook has logged in.
> So I believe something is successfully saved by Facebook but just isolated
> from Instagram.
> I will trace the script to figure out why it gets stuck after being
> redirected from the Facebook login page back to Instagram.
> 
> Hi Arthur,
> I think this is not a bug but what we expect first party isolation to
> achieve.
> Does it seem to be a reasonable result to you that logging in with Facebook
> fails?

Hi Chung-Sheng,

It sounds plausible that Facebook might fail in this situation. It might be useful to investigate the underlying mechanism: is facebook.com attempting to set a cookie or some other kind of supercookie to pass the login state to Instagram? Then we could consider whether there is any way to make this style of third-party authentication possible while still being consistent with the goals of first-party isolation.
Flags: needinfo?(arthuredelstein)
Assignee: cfu → nobody
Priority: P2 → P3
This can no longer be reproduced on Instagram...
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
Whiteboard: [tor][domsecurity-backlog1] → [tor][domsecurity-backlog1][dfpi-ok]