Closed Bug 1417921 Opened 6 years ago Closed 3 years ago

AMP embedded tweets not loading with strict tracking protection

Categories

(Web Compatibility :: Desktop, defect, P3)

Firefox 62
x86_64
Windows 10
defect

Tracking

(firefox59 affected, firefox85 affected)

RESOLVED DUPLICATE of bug 1627345
Tracking Status
firefox59 --- affected
firefox85 --- affected

People

(Reporter: abovens, Unassigned)

Details

(Keywords: webcompat:needs-diagnosis, Whiteboard: [tp-social][tp-yellowlist-active][tp-shim-content][tp-embedded-media])

User Story

twitter.com

Attachments

(2 files)

Go to https://www.bbc.co.uk/news/amp/world-asia-42009839

Embedded tweets are not shown. Compare with Chrome.
Looking in Inspector, it seems like `<twitterwidget>` is missing.
This is caused by Tracking Protection being on. I'm not sure what component this should be moved to (if any).
Flags: needinfo?(abovens)
Oh, you're right. Is this a case of TP being too strict, or is there indeed a good reason for blocking tweet embedding?
Flags: needinfo?(abovens) → needinfo?(overholt)
I'm not sure but I'll move this to the TP component and we'll see.
Component: DOM → Tracking Protection
Flags: needinfo?(overholt)
Product: Core → Firefox
Version: 59 Branch → unspecified
Priority: -- → P3
Whiteboard: tp-needsrepro
The issue is still reproducible and it is related to `trackingprotection` breakage.
It is reproducible while Tracking Protection BASIC is enabled.

[Environment:]
Browser / Version: Firefox Nightly 63.0a1 (2018-08-06)
Operating System: Windows 10 Pro

Looking at the devtools console, here are the blocked resources:
The resource at “https://platform.twitter.com/widgets.js” was blocked because tracking protection is enabled.
The resource at “https://sb.scorecardresearch.com/b?c1=2&c2=17986528&cs_pv=8656&c12=amp-uURuzAcY8Kocdpn4WTcI8A&rn=0.011430080201365156&c8=Apology%20after%20Japanese%20train%20departs%2020%20seconds%20early%20-%20BBC%20News&c7=http%3A%2F%2Fwww.bbc.com%2Fnews%2Fworld-asia-42009839&c9=&cs_c7amp=https%3A%2F%2Fwww.bbc.co.uk%2Fnews%2Famp%2Fworld-asia-42009839&comscorekw=amp” was blocked because tracking protection is enabled.
The resource at “https://ping.chartbeat.net/ping?h=bbc.co.uk&p=%2Fnews%2Fworld-asia-42009839&u=amp-x9qak31B3PCHhHGFEWdspw&d=www.bbc.com&g=50924&g0=Asia&g1=&g2=&g3=&g4=&c=120&x=0&y=3315&j=30&R=1&W=0&I=0&E=0&r=&t=8656amp-x9qak31B3PCHhHGFEWdspw&b=517&i=Apology%20after%20Japanese%20train%20departs%2020%20seconds%20early%20-%20BBC%20News&T=1533732646819&tz=-180&C=2&_” was blocked because tracking protection is enabled.

So below are the domains to test:
- platform.twitter.com
- sb.scorecardresearch.com
- ping.chartbeat.net

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. The embedded tweets were not displayed. 

I disabled the Spoof Referrer option in uMatrix and then WHITELISTED:
- ampproject.net (including all frames and related domains)
- twitter.com (including all frames and related domains)
- twimg.com  (including all related domains)
and the embedded tweets were shown.

The other resources (sb.scorecardresearch.com, ping.chartbeat.net) didn't help.

So in conclusion:
- twitter.com - Disconnect = [tp-social]
- twimg.com - Disconnect = [tp-social]
- ampproject.net - not listed
User Story: (updated)
Component: Tracking Protection → Desktop
OS: Unspecified → Windows 10
Product: Firefox → Tech Evangelism
Hardware: Unspecified → x86_64
Summary: Embedded tweets not loading → Embedded tweets not loading while Tracking Protection Basic is enabled
Whiteboard: tp-needsrepro → [tp-social]
Version: unspecified → Firefox 62
Attached image NotTweetsTPOn.png
Added page with no embedded tweets - TP Basic on.
Attached image uMatrixResults.png
Added uMatrix results.
See Also: → 1526695

FWIW, loaded https://en.support.wordpress.com/twitter/twitter-embeds/ in Brave, and although they claim to block ads and trackers, it appears to load the embeds by default.

My guess is that this is not "protected", but they are doing this to not break things.

Opened bug 1526695 with an idea to enable whitelisting of Twitter embeds by users if they are okay with being tracked by certain trackers but don't want to disable TP for a domain.

Product: Tech Evangelism → Web Compatibility

AMP is using the promise-based Twitter widgets.js APIs to create tweets/moments/timelines (`twttr.widgets.createTweet` and so on). But it does that for each Twitter element in its own iframe, inside of a custom `amp-twitter` element in the main page.

This gives us some options, depending on the placeholder UI we'd like to use. But for quick testing, I just modified my shim in https://bugzilla.mozilla.org/show_bug.cgi?id=1486471#c6 to mock the createTweet methods to return a promise which is only resolved after the user clicks a placeholder and the widgets.js loads. It also detects that the shimmed widgets.js is being loaded in an AMP iframe, and puts a placeholder over the entire iframe's body.

With that approach users would need to click each individual tweet in an iframe to load it, but this can of course be refined (or a different approach used entirely).

Blocks: tp-comments-twitter
No longer blocks: tp-breakage
Summary: Embedded tweets not loading while Tracking Protection Basic is enabled → AMP embedded tweets not loading with strict tracking protection
Whiteboard: [tp-social] → [tp-social][tp-yellowlist-active][tp-shim-content][tp-embedded-media]
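
A sketch of the click-to-load approach described in the comment above, added here as an illustration; it is not the shim attached to bug 1486471 and not Mozilla's code. `makeTwitterShim`, `loadRealWidgets`, `showPlaceholder`, `demo` and the sample tweet ids and frame names are hypothetical, and the DOM work (placeholder drawing, script injection) is passed in as callbacks so the logic runs outside a browser.

```javascript
// Click-to-load stand-in for twttr.widgets (illustrative, not Mozilla's shim).
// loadRealWidgets and showPlaceholder are hypothetical injected callbacks:
// one injects the real widgets.js and resolves with the real `twttr`, the
// other draws a placeholder over `target` and calls `onClick` when clicked.
function makeTwitterShim({ loadRealWidgets, showPlaceholder }) {
  let realPromise = null; // set on first click, reused afterwards
  const stats = { loads: 0, placeholders: 0 };

  // Fetch the real script at most once, and only from a user gesture.
  function loadOnce() {
    if (!realPromise) {
      stats.loads += 1;
      realPromise = loadRealWidgets();
    }
    return realPromise;
  }

  // Wrap one promise-returning widgets.js method so that it stays pending
  // until the placeholder is clicked and the real call has completed.
  function defer(method) {
    return (...args) => new Promise((resolve, reject) => {
      stats.placeholders += 1;
      showPlaceholder(args[1], () => { // args: (id, targetEl, options)
        loadOnce()
          .then((real) => real.widgets[method](...args))
          .then(resolve, reject);
      });
    });
  }

  return { stats, widgets: { createTweet: defer("createTweet") } };
}

// Constructed demo with fake callbacks so it runs outside a browser.
function demo() {
  const clicks = []; // click handlers of the placeholders drawn so far
  const shim = makeTwitterShim({
    loadRealWidgets: () => Promise.resolve({
      widgets: { createTweet: (id, el) => Promise.resolve(`tweet ${id} in ${el}`) },
    }),
    showPlaceholder: (target, onClick) => clicks.push(onClick),
  });
  const results = [
    shim.widgets.createTweet("1", "frameA"),
    shim.widgets.createTweet("2", "frameB"),
  ];
  return { shim, clicks, results };
}
```

Until a placeholder is clicked, `stats.loads` stays at 0, so nothing is requested from platform.twitter.com and page code awaiting `createTweet` only sees a pending promise.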

This issue still occurs with ETP - Strict enabled.
https://prnt.sc/vmwpol

Tested with:
Browser / Version: Firefox Nightly 85.0a1 (2020-11-19)
Operating System: Windows 10 Pro

If embedded Twitter content requires cookies from twitter.com (third-party cookies) to embed content, this is the right behavior.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
No longer blocks: tp-comments-twitter