Login on Instagram using facebook social network stuck on Fx with FPI

RESOLVED WORKSFORME

Core
DOM: Security
P3
normal
2 years ago
3 months ago

People

(Reporter: bogdan_maris, Unassigned)

Tracking

(Blocks: 2 bugs)

53 Branch
All
Linux

Firefox Tracking Flags

(firefox50 unaffected, firefox51 unaffected, firefox52 unaffected, firefox53 affected)

Details

(Whiteboard: [tor][domsecurity-backlog1])

Attachments

(2 attachments)

Created attachment 8813636 [details]
Screenshot showing the issue

[Note]:
- Prerequisites:
Enable pref "privacy.firstparty.isolate"
Disable pref "network.predictor.enabled"
Disable pref "network.predictor.enable-prefetch"

[Affected versions]:
- latest Nightly 53.0a1

[Affected platforms]:
- Ubuntu 16.04 32bit

[Steps to reproduce]:
1. Visit instagram.com
2. Login to instagram using facebook social network

[Expected result]:
- Fx successfully completes the login process.

[Actual result]:
- Login page loads indefinitely.

[Regression range]:
- This is not a regression; it's still an experimental feature not enabled by default in any official build.

[Additional notes]:
- Screenshot attached showing the error.
Has Regression Range: --- → no
Has STR: --- → yes
QA Whiteboard: [qe-fpi]
[Additional notes]:
- I should have mentioned that I did not encounter the same issue on Tor Browser.

Comment 2

2 years ago
I can reproduce this bug on Mac OS as well.

Updated

2 years ago
Priority: -- → P1
Whiteboard: [tor] → [tor][domsecurity-backlog1]

Comment 3

2 years ago
Tim, please check if the root cause of this bug is the same as bug 1319761.
Assignee: nobody → tihuang

Comment 4

a year ago
Created attachment 8883950 [details]
ScreenShot

This also reproduces on mobile with FPI on Fennec 55 Beta 5

Updated

a year ago
Blocks: 1357346
(In reply to Ethan Tseng [:ethan] from comment #2)
> I can reproduce this bug on Mac OS as well.

Ethan, just making sure, is this a P1 bug or should it be P3 and backlog1?
Flags: needinfo?(ettseng)
This one is not super urgent, but would be nice to have to attain better Web compatibility.

Tim, this bug has been pending for a while. Do we have any progress?
I know you don't have much bandwidth at this moment, should we ask CS to help the investigation into it?
Flags: needinfo?(ettseng) → needinfo?(tihuang)
Priority: P1 → P2
Sorry for the late reply, I have no spare cycles at the moment for this. So, I suggest that CS help investigate this, and I am very glad to help him in this investigation.
Assignee: tihuang → nobody
Flags: needinfo?(tihuang)
CS, please help to look into this bug, thanks.
Flags: needinfo?(cfu)
Assignee: nobody → cfu
Flags: needinfo?(cfu)
At a brief glance, login information is stored under Facebook's first party domain so Instagram can't access it.
Note that even though Instagram fails to log in, if you open Facebook you will find Facebook has logged in.
So I believe something is successfully saved by Facebook but just isolated from Instagram.
I will trace the script to figure out why it gets stuck after being redirected from Facebook login page back to Instagram.

Hi Arthur,
I think this is not a bug but what we expect first party isolation to achieve.
Does it seem to be a reasonable result to you that logging in with Facebook fails?
Flags: needinfo?(arthuredelstein)
After being redirected, Instagram calls the Facebook API FB.getLoginStatus but it only handles the connected status.
When first party isolation is enabled, the response from the API is always {status: 'unknown', authResponse: null}.
The page then gets stuck due to the unexpected login status.
Here is the formatted code segment:

> r.getLoginStatus(function (r) {
>   p.a.clearTimeout(d);
>   'connected' === r.status && (f.a.setReady(), e && n.i(g.default) (n.i(s.a) ().catch (function (e) {
>     return {}
>   }).then(function (e) {
>     t(i(e.igAccount))
>   })));
>   t(o(r.status, r.authResponse))
> });

Reference:
Facebook Docs https://developers.facebook.com/docs/facebook-login/web?locale=en_US
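
An added example (not part of the original comment, and not Instagram's or Facebook's code) of a `getLoginStatus` callback that reaches a decision for every status, including the `{status: 'unknown', authResponse: null}` response seen with first-party isolation. The names `nextStep`, `checkLogin`, `fpiStub` and `connectedStub` are hypothetical; `'not_authorized'` is the third status value listed in the Facebook Login docs.

```javascript
// Added example. Only the response shape {status, authResponse} and the
// status strings come from the bug report / Facebook Login docs; every
// function name here is hypothetical.

// Map each possible getLoginStatus outcome to an explicit UI action,
// so that no status leaves the page waiting.
function nextStep(response) {
  const status = response && response.status;
  if (status === 'connected' && response.authResponse) {
    return { action: 'finish-login', auth: response.authResponse };
  }
  if (status === 'not_authorized') {
    return { action: 'request-authorization' };
  }
  // 'unknown', a missing response, or any unexpected value. With
  // first-party isolation the Facebook session is stored under a
  // different first party, so fall back to an explicit login prompt.
  return { action: 'show-login-form', reason: status || 'no-response' };
}

// Wrap the SDK call: the timer guarantees a decision even if the
// callback never fires, and the flag prevents a second decision.
function checkLogin(getLoginStatus, onDecision, timeoutMs = 5000) {
  let settled = false;
  const decide = (response) => {
    if (settled) return;
    settled = true;
    clearTimeout(timer);
    onDecision(nextStep(response));
  };
  const timer = setTimeout(() => decide(null), timeoutMs);
  getLoginStatus(decide);
}

// Constructed stand-ins for FB.getLoginStatus (not the real SDK).
const fpiStub = (cb) => cb({ status: 'unknown', authResponse: null });
const connectedStub = (cb) =>
  cb({ status: 'connected', authResponse: { userID: 'constructed-id' } });

checkLogin(fpiStub, (d) => console.log('FPI on :', d.action, d.reason));
checkLogin(connectedStub, (d) => console.log('FPI off:', d.action));
```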
(In reply to Chung-Sheng Fu [:cfu] from comment #9)
> At a brief glance, login information is stored under Facebook's first party
> domain so Instagram can't access it.
> Note that even though Instagram fails to log in, if you open Facebook you will
> find Facebook has logged in.
> So I believe something is successfully saved by Facebook but just isolated
> from Instagram.
> I will trace the script to figure out why it gets stuck after being
> redirected from Facebook login page back to Instagram.
> 
> Hi Arthur,
> I think this is not a bug but what we expect first party isolation to
> achieve.
> Does it seem to be a reasonable result to you that logging in with Facebook
> fails?

Hi Chung-Sheng,

It sounds plausible that Facebook might fail in this situation. It might be useful to investigate the underlying mechanism: is facebook.com attempting to set a cookie or some other kind of supercookie to pass the login state to Instagram? Then we could consider whether there is any way to make this style of third-party authentication possible while still being consistent with the goals of first-party isolation.
Flags: needinfo?(arthuredelstein)

Updated

6 months ago
Assignee: cfu → nobody
Priority: P2 → P3

Comment 12

3 months ago
This can no longer be reproduced on instagram...
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → WORKSFORME