1417921 - AMP embedded tweets not loading with strict tracking protection

Status: RESOLVED DUPLICATE of bug 1627345

(Web Compatibility :: Site Reports, defect, P3)

Description

[Andreas Bovens [:abovens]]

Go to https://www.bbc.co.uk/news/amp/world-asia-42009839

Embedded tweets are not shown. Compare with Chrome.
Looking in Inspector, it seems like `<twitterwidget>` is missing.

Comment 1

[Andrew Overholt [:overholt]]

This is caused by Tracking Protection being on. I'm not sure what component this should be moved to (if any).

Comment 2

[Andreas Bovens [:abovens]]

Oh, you're right. Is this a case of TP being too strict, or is there indeed a good reason for blocking tweet embedding?

Comment 3

[Andrew Overholt [:overholt]]

I'm not sure but I'll move this to the TP component and we'll see.

Comment 4

[Oana Arbuzov [:oanaarbuzov]]

The issue is still reproducible and it is related to `trackingprotection` breakage.
It is reproducible while Tracking Protection BASIC is enabled.

[Environment:]
Browser / Version: Firefox Nightly 63.0a1 (2018-08-06)
Operating System: Windows 10 Pro

Looking at the devtools console, here are the blocked resources:
The resource at “https://platform.twitter.com/widgets.js” was blocked because tracking protection is enabled.
The resource at “https://sb.scorecardresearch.com/b?c1=2&c2=17986528&cs_pv=8656&c12=amp-uURuzAcY8Kocdpn4WTcI8A&rn=0.011430080201365156&c8=Apology%20after%20Japanese%20train%20departs%2020%20seconds%20early%20-%20BBC%20News&c7=http%3A%2F%2Fwww.bbc.com%2Fnews%2Fworld-asia-42009839&c9=&cs_c7amp=https%3A%2F%2Fwww.bbc.co.uk%2Fnews%2Famp%2Fworld-asia-42009839&comscorekw=amp” was blocked because tracking protection is enabled.
The resource at “https://ping.chartbeat.net/ping?h=bbc.co.uk&p=%2Fnews%2Fworld-asia-42009839&u=amp-x9qak31B3PCHhHGFEWdspw&d=www.bbc.com&g=50924&g0=Asia&g1=&g2=&g3=&g4=&c=120&x=0&y=3315&j=30&R=1&W=0&I=0&E=0&r=&t=8656amp-x9qak31B3PCHhHGFEWdspw&b=517&i=Apology%20after%20Japanese%20train%20departs%2020%20seconds%20early%20-%20BBC%20News&T=1533732646819&tz=-180&C=2&_” was blocked because tracking protection is enabled.

So below are the domains to test:
- platform.twitter.com
- sb.scorecardresearch.com
- ping.chartbeat.net

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. The embedded tweets were not displayed. 

I disabled the Spoof Referrer option in uMatrix and then WHITELISTED:
- ampproject.net (including all frames and related domains)
- twitter.com (including all frames and related domains)
- twimg.com  (including all related domains)
and the embedded tweets were shown.

The other resource (sb.scorecardresearch.com, ping.chartbeat.net) didn't help. 

So in conclusion:
- twitter.com - Disconnect = [tp-social]
- twimg.com - Disconnect = [tp-social]
- ampproject.net - not listed

Comment 5

[Oana Arbuzov [:oanaarbuzov]]

Attachment: NotTweetsTPOn.png

Added page with no embedded tweets - TP Basic on.

Comment 6

[Oana Arbuzov [:oanaarbuzov]]

Attachment: uMatrixResults.png

Added uMatrix results.

Comment 7

[Asif Youssuff]

FWIW, loaded https://en.support.wordpress.com/twitter/twitter-embeds/ in Brave, and although they claim to block ads and trackers, it appears to load the embeds by default.

My guess is that this is not "protected", but they are doing this to not break things.

Opened bug 1526695 with an idea to enable whitelisting of Twitter embeds by users if they are okay with being tracked by certain trackers but don't want to disable TP for a domain.

Comment 8

[Thomas Wisniewski [:twisniewski]]

AMP is using the promise-based Twitter widget.js APIs to create tweets/moments/timelines (twttr.widgets.createTweet and so on). But it does that for each Twitter element in its own iframe, inside of a custom amp-twitter element in the main page.

This gives us some options, depending on the placeholder UI we'd like to use. But for quick testing, I just modified my shim in https://bugzilla.mozilla.org/show_bug.cgi?id=1486471#c6 to mock the createTweet methods to return a promise which is only resolved after the user clicks a placeholder and the widgets.js loads. It also detects that the shimmed widgets.js is being loaded in an AMP iframe, and puts a placeholder over the entire iframe's body.

With that approach users would need to click each individual tweet in an iframe to load it, but this can of course be refined (or a different approach used entirely).

Comment 9

[Oana Arbuzov [:oanaarbuzov]]

This issue still occurs with ETP - Strict enabled.
https://prnt.sc/vmwpol

Tested with:
Browser / Version: Firefox Nightly 85.0a1 (2020-11-19)
Operating System: Windows 10 Pro

Comment 10

[Takanori MATSUURA]

If embedded Twitter contents require cookies from twitter.com (third party cookie) to embed contents, this is the right behavior.