Closed
Bug 1425672
Opened 6 years ago
Closed 6 years ago
(csp), (web-workers) Tweetdeck has stopped playing videos
Categories: Core :: DOM: Security, defect, P2
Status: RESOLVED INCOMPLETE
People: Reporter: xirconuk, Unassigned
Whiteboard: [parity-Chrome]
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20171215220126

Steps to reproduce:
Open Tweetdeck (either in a tab or sidebar), click to play an attached video.

Actual results:
Video does not play, message "The media could not be played." on a black background. Video plays fine on Twitter main site.

Expected results:
Video should play. Stopped working yesterday, was working as expected before then.

Works:
Palemoon
Vivaldi
Chrome
Reporter
Updated•6 years ago
Version: 58 Branch → Trunk
Comment 1•6 years ago
Hi Reporter,
Thanks for reporting this bug. Can you help use mozregression [1] to find the possible patch that caused this problem?

[1] http://mozilla.github.io/mozregression/
Keywords: regression, regressionwindow-wanted
Updated•6 years ago
Priority: -- → P2
Reporter
Comment 2•6 years ago
Tried a few dates - none of them play (went back to 12th), perhaps a Linux update or a tweetdeck change is to blame?
Comment 3•6 years ago
(In reply to xirconuk@gmail.com from comment #2)
> Tried a few dates - none of them play (went back to 12th), perhaps a Linux
> update or a tweetdeck change is to blame?

Thanks for this information. I am going to close this bug. If you still can see this bug again, please feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Comment 4•6 years ago
Sorry... I misunderstood your comment.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WORKSFORME → ---
Comment 5•6 years ago
You could try to install Firefox released version, 57, to see if you can reproduce this bug. If not, then it could be a Firefox bug.
Comment 6•6 years ago
I can reproduce on Nightly59.01, 58.0b11, 57.0.2 and ESR52.5.2 x64 windows10.

XML Parsing Error: no root element found
Location: https://tweetdeck.twitter.com/metrics
Line Number 1, Column 1: metrics:1:1
Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive. (unknown)
TypeError: this.sink is null[Learn More] network-monitor.js:527:5
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”). Source: onfocusin attribute on DIV element. 942244379179155456
Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://twitter.com/b8193684-89ed-4c97-8e08-87572c94c42b (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”). (unknown)

And setting security.csp.enable = false fixes the problem.
Reporter
Comment 7•6 years ago
Confirmed - changing setting security.csp.enable = false - fixes the problem (Manjaro Linux)
Bug also occurs in FF57 - 57.0.2-2
Comment 8•6 years ago
Edge on windows10 also fails to play back. Only Chrome works.
Status: REOPENED → NEW
Component: Audio/Video: Playback → DOM: Security
Keywords: regression, regressionwindow-wanted
Whiteboard: [parity-Chrome]
Updated•6 years ago
Summary: Tweetdeck has stopped playing videos → (csp) Tweetdeck has stopped playing videos
Comment 9•6 years ago
CSP2 says blob: needs to be explicitly listed as an origin in the policy. That's what we've always enforced so this can't be a regression; could be a site change.

CSP3 is far less clear. It's possible that Chrome is using the fact that the definition of blob: urls has changed to include the origin of the data and whitelisting based on that.

(I'm assuming the problem is the second CSP error, not the blocked onfocusin event because Chrome should behave the same as us on that one.)
Comment 12•6 years ago
It is definitely not working in Firefox Quantum 57.0.3. It was working until a couple of updates ago.
Comment 13•6 years ago
In 57.0.3 doesn't work, even changing security.csp.enable to false
Comment 14•6 years ago
Disabling dom.workers.enabled also fixes the problem.

WORKAROUND: we should switch to a chrome/chromium based browser.
Summary: (csp) Tweetdeck has stopped playing videos → (csp), (web-workers) Tweetdeck has stopped playing videos
Comment 15•6 years ago
(In reply to Alice0775 White from comment #14)
> Disabling dom.workers.enabled also fixes the problem.
>
>
> WORKAROUND: we should switch to a chrome/chromium based browser.

With dom.workers.enabled to false also doesn't work. I think I will return to chrome/chromium, thank you.
Comment 16•6 years ago
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
20171231100350

Workaround, tested without modifying CSP or workers in about:config:

1. https://addons.mozilla.org/firefox/addon/header-editor/
2. Click either the Header Editor toolbar button, or the Options button next to Header Editor in the Add-ons Manager.
3. Click the circled (+) button in the bottom right.
Name: enter something descriptive, like CSP - Twitter
Rule type: Modify the response header
Match type: URL prefix
Exclude rule:
Match rules: https://twitter.com/i/videos/tweet/
Execute type: Normal
Header name: content-security-policy
Header value:
4. Click the icon in the top right to save your new rule.
5. If you were trying to view an embedded tweet on a page, reload it bypassing the cache (Ctrl+Shift+R or Command+Shift+R).
Comment 17•6 years ago
(In reply to Gingerbread Man from comment #16)
> Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101
> Firefox/59.0
> 20171231100350
>
> Workaround, tested without modifying CSP or workers in about:config:
>
> 1. https://addons.mozilla.org/firefox/addon/header-editor/
> 2. Click either the Header Editor toolbar button, or the Options button next
> to Header Editor in the Add-ons Manager.
> 3. Click the circled (+) button in the bottom right.
> Name: enter something descriptive, like CSP - Twitter
> Rule type: Modify the response header
> Match type: URL prefix
> Exclude rule:
> Match rules: https://twitter.com/i/videos/tweet/
> Execute type: Normal
> Header name: content-security-policy
> Header value:
> 4. Click the icon in the top right to save your new rule.
> 5. If you were trying to view an embedded tweet on a page, reload it
> bypassing the cache (Ctrl+Shift+R or Command+Shift+R).

Doesn't work sorry ;-(
Comment 18•6 years ago
This is what I did and it appears to have worked. Many thanks.

(In reply to josejoa59 from comment #13)
> In 57.0.3 doesn't work, even changing security.csp.enable to false
Comment 19•6 years ago
I was facing the same thing.
Tried changing security.csp.enable to false and it worked.
Reset it to true, and it stopped working again.

MacOS High Sierra
10.13.2
Firefox 58.0b13 (64-bit)

Interestingly enough, videos from youtube work properly. Only videos embedded from other sources that don't work.

The errors in console are:

Warning: Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.
Error: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”). Source: onfocusin attribute on DIV element. 948658261791830016
Error: Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://twitter.com/35ed81b6-682c-724f-beee-24d19a165df8 (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”).
Comment 20•6 years ago
(In reply to Felipe Nascimento from comment #19)
> I was facing the same thing.
> Tried changing security.csp.enable to false and it worked.
> Reset it to true, and it stopped working again.
>
> MacOS High Sierra
> 10.13.2
> Firefox 58.0b13 (64-bit)
>
> Interestingly enough, videos from youtube work properly. Only videos
> embedded from other sources that don't work.
>
> The errors in console are:
>
> Warning: Content Security Policy: Ignoring ‘x-frame-options’ because of
> ‘frame-ancestors’ directive.
> Error: Content Security Policy: The page’s settings blocked the loading of a
> resource at self (“script-src 'unsafe-eval' https://twitter.com
> http://localhost:* http://localhost.twitter.com:* https://*.twitter.com
> https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv
> https://*.pscp.tv”). Source: onfocusin attribute on DIV element.
> 948658261791830016
> Error: Content Security Policy: The page’s settings blocked the loading of a
> resource at blob:https://twitter.com/35ed81b6-682c-724f-beee-24d19a165df8
> (“script-src 'unsafe-eval' https://twitter.com http://localhost:*
> http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com
> https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”).

Last version is 57.03, you have some beta version, the official version doesn't work with security.csp.enable to false. It seems that in Mozilla don't use twitter at all.
Comment 21•6 years ago
Tweetdeck seems to have solved the issue.
Comment 22•6 years ago
(In reply to Severin Wünsch from comment #21)
> Tweetdeck seems to have solved the issue.

Still not
https://screenshots.firefox.com/wcKjig5G3BAsvhfQ/twitter.com
https://screenshots.firefox.com/cCXSpw13QYo4MYE4/tweetdeck.twitter.com
Comment 23•6 years ago
The second video on https://www.twitch.tv/p/extensions cannot be played either. The same error: content security policy. Setting security.csp.enable false fixes the problem on the latest nightly, 59.0a1 (2018-01-15).

Hi Christoph,
It looks like many websites are impacted. Do we have any plans to fix this? Or this is not a real bug?
Flags: needinfo?(ckerschb)
Comment 24•6 years ago
I am currently running 57.0.4 on linux. And I can watch the second video. I think this looks like a real bug to me.
Comment 25•6 years ago
(In reply to Blake Wu [:bwu][:blakewu] from comment #23)
> The second video on https://www.twitch.tv/p/extensions cannot be played
> either. The same error: content security policy.

Both videos work fine for me, as do videos on twitter and tweetdeck. I'm not seeing any CSP errors. How can we reproduce this?
Comment 26•6 years ago
If the error is about blob: URL then it's a site problem: their CSP should include "blob:" according to CSP2 which both Firefox and Edge have implemented. I'm not sure why Chrome is working as I thought we were on the same page there, but in practical terms that would be a site issue since Chrome isn't the only browser out there. If it's sending different content to different browsers then that, too, would be a site problem.

But since we can't reproduce this and no one has presented clear STR it's hard to know where to go next here. For example, the screenshots in comment 22 are concerning, but there's no URL for those pages and they don't look like what I see when I do any twitter searches for the person mentioned in the screenshot.
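The matching rule described in comments 9 and 26, as an added example that is not part of the bug thread or Firefox's code: a simplified CSP2 source matcher run against the script-src and blob: URL copied from the console output in comment 6. The names `matchesSource` and `allowedBy` are hypothetical.

```javascript
// Added example: simplified CSP Level 2 source matching, not Firefox's code.
// Models "*", scheme-sources (blob:) and host-sources with "*." and ":*"
// wildcards. Paths, nonces, hashes and default-src fallback are not modelled.
const LOCAL_SCHEMES = new Set(["blob:", "data:", "filesystem:"]);
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\*|\d+))?$/i;

function matchesSource(expr, url) {
  const u = new URL(url); // "blob:https://host/uuid" parses with protocol "blob:"
  if (expr.startsWith("'")) return false; // keywords never match a URL
  if (expr === "*") return !LOCAL_SCHEMES.has(u.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return expr.toLowerCase() === u.protocol;
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Simplification: a scheme-less host-source is limited to http/https URLs.
  if (scheme ? scheme.toLowerCase() + ":" !== u.protocol
             : !(u.protocol in DEFAULT_PORT)) return false;
  const urlHost = u.hostname.toLowerCase();
  const exprHost = host.toLowerCase();
  if (wildcard ? !urlHost.endsWith("." + exprHost) : urlHost !== exprHost) return false;
  const urlPort = u.port || DEFAULT_PORT[u.protocol];
  return port === "*" || (port || DEFAULT_PORT[u.protocol]) === urlPort;
}

function allowedBy(policy, directive, url) {
  const tokens = policy.split(";").map((d) => d.trim().split(/\s+/))
    .find((t) => t[0].toLowerCase() === directive);
  if (!tokens) return true; // directive absent: this sketch imposes no limit
  return tokens.slice(1).some((expr) => matchesSource(expr, url));
}

// script-src and blob: URL copied from the console output in comment 6.
const POLICY = "script-src 'unsafe-eval' https://twitter.com http://localhost:* " +
  "http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com " +
  "https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv";
const BLOB_URL = "blob:https://twitter.com/b8193684-89ed-4c97-8e08-87572c94c42b";

console.log(allowedBy(POLICY, "script-src", BLOB_URL));            // false
console.log(allowedBy(POLICY + " blob:", "script-src", BLOB_URL)); // true
```

The blob: URL fails every host-source because its scheme is blob:, not https:, even though its embedded origin is https://twitter.com; only an explicit `blob:` entry matches it.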
Comment 27•6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #25)
> (In reply to Blake Wu [:bwu][:blakewu] from comment #23)
> > The second video on https://www.twitch.tv/p/extensions cannot be played
> > either. The same error: content security policy.
>
> Both videos work fine for me, as do videos on twitter and tweetdeck. I'm not
> seeing any CSP errors. How can we reproduce this?

Same for me, I can't reproduce. Also given that Edge and Firefox show that error, I am not sure that Chrome is correct. Without being able to reproduce it's hard to make guesses. If I would have to guess though, then my guess is that those pages are not explicitly whitelisting blob within their CSP as the spec requires.
Flags: needinfo?(ckerschb)
Comment 28•6 years ago
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #27)
> (In reply to Daniel Veditz [:dveditz] from comment #25)
> > (In reply to Blake Wu [:bwu][:blakewu] from comment #23)
> > > The second video on https://www.twitch.tv/p/extensions cannot be played
> > > either. The same error: content security policy.
> >
> > Both videos work fine for me, as do videos on twitter and tweetdeck. I'm not
> > seeing any CSP errors. How can we reproduce this?
>
> Same for me, I can't reproduce. Also given that Edge and Firefox show that
> error, I am not sure that Chrome is correct. Without being able to reproduce
> it's hard to make guesses. If I would have to guess though, then my guess is
> that those pages are not explicitly whitelisting blob within their CSP as
> the spec requires.

Test this video: https://twitter.com/Juanmi_News/status/953001162277605377

Edge and Chrome reproduce the video, only fails Firefox.
Comment 29•6 years ago
(In reply to josejoa59 from comment #28)
>
> Test this video: https://twitter.com/Juanmi_News/status/953001162277605377
>
> Edge and Chrome reproduce the video, only fails Firefox.

My Firefox 57.0.4 installation does play this video. Maybe it is an add-on issue?
Comment 30•6 years ago
(In reply to Severin Wünsch from comment #29)
> (In reply to josejoa59 from comment #28)
> >
> > Test this video: https://twitter.com/Juanmi_News/status/953001162277605377
> >
> > Edge and Chrome reproduce the video, only fails Firefox.
>
> My Firefox 57.0.4 installation does play this video. Maybe it is an add-on
> issue?

I have 57.0.4 (64 bits) and added an exception for twitter in adblocker lite, but doesn't play the video. Anyway I don't mind, I use Chrome now.
Comment 31•6 years ago
I cannot reproduce this bug anymore after setting security.csp.enable false, using a clean profile, using my original profile with disabling all add-ons and enabling all add-ons... So weird..
Comment 32•6 years ago
I used to be able to reproduce this with security.csp.enable to TRUE, on tweetdeck.twitter.com and just looking for some tweet with an embedded video. I can't reproduce this anymore and the videos work now. This is on Nightly.
Comment 33•6 years ago
(In reply to Blake Wu [:bwu][:blakewu] from comment #31)
> I cannot reproduce this bug anymore after setting security.csp.enable false, [...]

The bug claims CSP is the problem (based on console log messages) so this setting bypasses the reported bug. Tom's comment 32 is more to the point.

I cannot reproduce the issue using the video in comment 29. Tried Nightly and 57.0.4, with a bunch of addons (including ad blockers) and a clean profile. Can anyone still reproduce this? Can Jose still reproduce this with the video in comment 31? Could it be serving different regional content?
Flags: needinfo?(josejoa59)
Comment 34•6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #33)
> (In reply to Blake Wu [:bwu][:blakewu] from comment #31)
> > I cannot reproduce this bug anymore after setting security.csp.enable false, [...]
>
> The bug claims CSP is the problem (based on console log messages) so this
> setting bypasses the reported bug. Tom's comment 32 is more to the point.
>
> I cannot reproduce the issue using the video in comment 29. Tried Nightly
> and 57.0.4, with a bunch of addons (including ad blockers) and a clean
> profile. Can anyone still reproduce this? Can Jose still reproduce this with
> the video in comment 31? Could it be serving different regional content?

With both security.csp.enable to true and false, in Firefox 58.0 (64-bit) for this video: https://twitter.com/Juanmi_News/status/953001162277605377

Here is the reproduced bug in a pic https://screenshots.firefox.com/kTdfJgVyt7DglovS/twitter.com
Flags: needinfo?(josejoa59)
Comment 35•6 years ago
Works for us: Christoph and I were using Linux and Mac, from the US and Europe, Firefox 58 and Nightly (60) (tested multiple configs each). I even tried disabling widevine in case it was a DRM thing. Don't know how to make any progress here.
Updated•6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → INCOMPLETE