(csp), (web-workers) Tweetdeck has stopped playing videos

Status: NEW
Assignee: Unassigned
Product: Core
Component: DOM: Security
Priority: P2
Severity: normal
Opened: a month ago
Modified: 4 days ago
Reporter: xirconuk@gmail.com
Version: Trunk
Firefox Tracking Flags: Not tracked
Whiteboard: [parity-Chrome]

(Reporter)

Description

a month ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20171215220126

Steps to reproduce:

Open Tweetdeck (either in a tab or sidebar), click to play an attached video.


Actual results:

Video does not play, message "The media could not be played." on a black background.  Video plays fine on Twitter main site.


Expected results:

Video should play.  Stopped working yesterday, was working as expected before then.

Works:
Palemoon
Vivaldi
Chrome
(Reporter)

Updated

a month ago
Version: 58 Branch → Trunk

Updated

a month ago
Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Hi Reporter,

Thanks for reporting this bug.
Can you help by using mozregression[1] to find the patch that possibly caused this problem?

[1]http://mozilla.github.io/mozregression/
Keywords: regression, regressionwindow-wanted
Priority: -- → P2
(Reporter)

Comment 2

a month ago
Tried a few dates - none of them play (went back to 12th), perhaps a Linux update or a tweetdeck change is to blame?
(In reply to xirconuk@gmail.com from comment #2)
> Tried a few dates - none of them play (went back to 12th), perhaps a Linux
> update or a tweetdeck change is to blame?
Thanks for this information. 
I am going to close this bug. If you still can see this bug again, please feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a month ago
Resolution: --- → WORKSFORME
Sorry... I misunderstood your comment.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WORKSFORME → ---
You could try installing the released version of Firefox, 57, to see if you can reproduce this bug. If not, then it could be a Firefox bug.

Comment 6

a month ago
I can reproduce on Nightly59.01, 58.0b11, 57.0.2 and ESR52.5.2 x64 windows10.


XML Parsing Error: no root element found
Location: https://tweetdeck.twitter.com/metrics
Line Number 1, Column 1:  metrics:1:1
Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.  (unknown)
TypeError: this.sink is null[Learn More]  network-monitor.js:527:5
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”). Source: onfocusin attribute on DIV element.  942244379179155456
Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://twitter.com/b8193684-89ed-4c97-8e08-87572c94c42b (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”).  (unknown)



And setting security.csp.enable = false fixes the problem.
(Reporter)

Comment 7

a month ago
Confirmed - changing setting security.csp.enable = false - fixes the problem (Manjaro Linux)

Bug also occurs in FF57 - 57.0.2-2

Comment 8

a month ago
Edge on windows10 also fails to play back. Only Chrome works.
Status: REOPENED → NEW
Component: Audio/Video: Playback → DOM: Security
Keywords: regression, regressionwindow-wanted
Whiteboard: [parity-Chrome]

Updated

a month ago
Summary: Tweetdeck has stopped playing videos → (csp) Tweetdeck has stopped playing videos
CSP2 says blob: needs to be explicitly listed as an origin in the policy. That's what we've always enforced so this can't be a regression; could be a site change.

CSP3 is far less clear. It's possible that Chrome is using the fact that the definition of blob: URLs has changed to include the origin of the data and whitelisting based on that. (I'm assuming the problem is the second CSP error, not the blocked onfocusin event because Chrome should behave the same as us on that one.)
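
The matching rule discussed in the comment above, as an added example that is not part of the bug thread or of any browser's code: a simplified CSP2 source-list matcher, run against the script-src policy and the blob: URL quoted in the console output of comment 6. The function names are illustrative assumptions, and ports, paths and keyword sources are deliberately not modelled.

```javascript
// Added illustration: simplified CSP2 source-list matching for a script load.
// Only scheme-sources ("blob:") and host-sources ("https://*.twitter.com")
// are handled; keywords such as 'unsafe-eval' never match a URL.

// script-src policy copied from the console error quoted in this bug.
const REPORTED_POLICY =
  "script-src 'unsafe-eval' https://twitter.com http://localhost:* " +
  "http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com " +
  "https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv";

// Return the source expressions of one directive, or null if it is absent.
function sourcesFor(policy, directive) {
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return null;
}

// "*.example.com" matches subdomains only, never the bare domain.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceMatches(expr, url) {
  const scheme = url.slice(0, url.indexOf(":")).toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {        // scheme-source, e.g. "blob:"
    return expr.slice(0, -1).toLowerCase() === scheme;
  }
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:\/]+)/i.exec(expr); // host-source
  if (!m) return false;                            // keyword or unsupported form
  // A blob: URL has scheme "blob", so an https:// host-source cannot match it,
  // even when the origin embedded in the blob URL is on the list.
  if (m[1].toLowerCase() !== scheme) return false;
  return hostMatches(m[2].toLowerCase(), new URL(url).hostname);
}

function allowsScript(policy, url) {
  const sources = sourcesFor(policy, "script-src");
  if (sources === null) return true; // no script-src: nothing enforced here
  return sources.some((s) => sourceMatches(s, url));
}
```

With the reported policy the blob: URL is rejected although https://twitter.com is listed; appending the `blob:` scheme-source to the same directive is what makes it match.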
Duplicate of this bug: 1426911

Updated

28 days ago
Duplicate of this bug: 1426272

Comment 12

23 days ago
It is definitely not working in Firefox Quantum 57.0.3. It was working until a couple of updates ago.

Comment 13

21 days ago
In 57.0.3 doesn't work, even changing security.csp.enable to false

Comment 14

21 days ago
Disabling dom.workers.enabled also fixes the problem.


WORKAROUND: we should switch to a Chrome/Chromium based browser.
Summary: (csp) Tweetdeck has stopped playing videos → (csp), (web-workers) Tweetdeck has stopped playing videos

Comment 15

21 days ago
(In reply to Alice0775 White from comment #14)
> Disabling dom.workers.enabled also fixes the problem.
> 
> 
> WORKAROUND: we should switch to a Chrome/Chromium based browser.

Setting dom.workers.enabled to false also doesn't work. I think I will return to Chrome/Chromium, thank you.

Comment 16

21 days ago
workaround
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
20171231100350

Workaround, tested without modifying CSP or workers in about:config:

1. https://addons.mozilla.org/firefox/addon/header-editor/
2. Click either the Header Editor toolbar button, or the Options button next to Header Editor in the Add-ons Manager.
3. Click the circled (+) button in the bottom right.
   Name: enter something descriptive, like CSP - Twitter
   Rule type: Modify the response header
   Match type: URL prefix
   Exclude rule:
   Match rules: https://twitter.com/i/videos/tweet/
   Execute type: Normal
   Header name: content-security-policy
   Header value:
4. Click the icon in the top right to save your new rule.
5. If you were trying to view an embedded tweet on a page, reload it bypassing the cache (Ctrl+Shift+R or Command+Shift+R).

Comment 17

21 days ago
(In reply to Gingerbread Man from comment #16)
> Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101
> Firefox/59.0
> 20171231100350
> 
> Workaround, tested without modifying CSP or workers in about:config:
> 
> 1. https://addons.mozilla.org/firefox/addon/header-editor/
> 2. Click either the Header Editor toolbar button, or the Options button next
> to Header Editor in the Add-ons Manager.
> 3. Click the circled (+) button in the bottom right.
>    Name: enter something descriptive, like CSP - Twitter
>    Rule type: Modify the response header
>    Match type: URL prefix
>    Exclude rule:
>    Match rules: https://twitter.com/i/videos/tweet/
>    Execute type: Normal
>    Header name: content-security-policy
>    Header value:
> 4. Click the icon in the top right to save your new rule.
> 5. If you were trying to view an embedded tweet on a page, reload it
> bypassing the cache (Ctrl+Shift+R or Command+Shift+R).

Doesn't work sorry ;-(

Comment 18

21 days ago
This is what I did and it appears to have worked. Many thanks. 



(In reply to josejoa59 from comment #13)
> In 57.0.3 doesn't work, even changing security.csp.enable to false

Comment 19

18 days ago
I was facing the same thing.
Tried changing security.csp.enable to false and it worked.
Reset it to true, and it stopped working again.

MacOS High Sierra
10.13.2
Firefox 58.0b13 (64-bit)

Interestingly enough, videos from youtube work properly. Only videos embedded from other sources that don't work.

The errors in console are:

Warning: Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.
Error: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”). Source: onfocusin attribute on DIV element.
948658261791830016
Error: Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://twitter.com/35ed81b6-682c-724f-beee-24d19a165df8 (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”).

Comment 20

17 days ago
(In reply to Felipe Nascimento from comment #19)
> I was facing the same thing.
> Tried changing security.csp.enable to false and it worked.
> Reset it to true, and it stopped working again.
> 
> MacOS High Sierra
> 10.13.2
> Firefox 58.0b13 (64-bit)
> 
> Interestingly enough, videos from youtube work properly. Only videos
> embedded from other sources that don't work.
> 
> The errors in console are:
> 
> Warning: Content Security Policy: Ignoring ‘x-frame-options’ because of
> ‘frame-ancestors’ directive.
> Error: Content Security Policy: The page’s settings blocked the loading of a
> resource at self (“script-src 'unsafe-eval' https://twitter.com
> http://localhost:* http://localhost.twitter.com:* https://*.twitter.com
> https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv
> https://*.pscp.tv”). Source: onfocusin attribute on DIV element.
> 948658261791830016
> Error: Content Security Policy: The page’s settings blocked the loading of a
> resource at blob:https://twitter.com/35ed81b6-682c-724f-beee-24d19a165df8
> (“script-src 'unsafe-eval' https://twitter.com http://localhost:*
> http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com
> https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”).

The last version is 57.03; you have some beta version. The official version doesn't work with security.csp.enable set to false. It seems that at Mozilla they don't use Twitter at all.

Comment 21

10 days ago
Tweetdeck seems to have solved the issue.

Comment 22

9 days ago
(In reply to Severin Wünsch from comment #21)
> Tweetdeck seems to have solved the issue.
Still not 
https://screenshots.firefox.com/wcKjig5G3BAsvhfQ/twitter.com
https://screenshots.firefox.com/cCXSpw13QYo4MYE4/tweetdeck.twitter.com
The second video on https://www.twitch.tv/p/extensions cannot be played either. The same error: content security policy. 
setting security.csp.enable false fixes the problem on the latest nightly, 59.0a1 (2018-01-15). 
Hi Christoph,
It looks like many websites are impacted. Do we have any plans to fix this? Or is this not a real bug?
Flags: needinfo?(ckerschb)

Comment 24

5 days ago
I am currently running 57.0.4 on linux. And I can watch the second video.
I think this looks like a real bug to me.
(In reply to Blake Wu [:bwu][:blakewu] from comment #23)
> The second video on https://www.twitch.tv/p/extensions cannot be played
> either. The same error: content security policy. 

Both videos work fine for me, as do videos on twitter and tweetdeck. I'm not seeing any CSP errors. How can we reproduce this?
If the error is about blob: URL then it's a site problem: their CSP should include "blob:" according to CSP2 which both Firefox and Edge have implemented. I'm not sure why Chrome is working as I thought we were on the same page there, but in practical terms that would be a site issue since Chrome isn't the only browser out there.

If it's sending different content to different browsers then that, too, would be a site problem.

But since we can't reproduce this and no one has presented clear STR it's hard to know where to go next here. For example, the screenshots in comment 22 are concerning, but there's no URL for those pages and they don't look like what I see when I do any Twitter searches for the person mentioned in the screenshot.
(In reply to Daniel Veditz [:dveditz] from comment #25)
> (In reply to Blake Wu [:bwu][:blakewu] from comment #23)
> > The second video on https://www.twitch.tv/p/extensions cannot be played
> > either. The same error: content security policy. 
> 
> Both videos work fine for me, as do videos on twitter and tweetdeck. I'm not
> seeing any CSP errors. How can we reproduce this?

Same for me, I can't reproduce. Also given that Edge and Firefox show that error, I am not sure that Chrome is correct. Without being able to reproduce it's hard to make guesses. If I would have to guess though, then my guess is that those pages are not explicitly whitelisting blob within their CSP as the spec requires.
Flags: needinfo?(ckerschb)

Comment 28

5 days ago
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #27)
> (In reply to Daniel Veditz [:dveditz] from comment #25)
> > (In reply to Blake Wu [:bwu][:blakewu] from comment #23)
> > > The second video on https://www.twitch.tv/p/extensions cannot be played
> > > either. The same error: content security policy. 
> > 
> > Both videos work fine for me, as do videos on twitter and tweetdeck. I'm not
> > seeing any CSP errors. How can we reproduce this?
> 
> Same for me, I can't reproduce. Also given that Edge and Firefox show that
> error, I am not sure that Chrome is correct. Without being able to reproduce
> it's hard to make guesses. If I would have to guess though, then my guess is
> that those pages are not explicitly whitelisting blob within their CSP as
> the spec requires.

Test this video: https://twitter.com/Juanmi_News/status/953001162277605377

Edge and Chrome reproduce the video, only fails Firefox.

Comment 29

5 days ago
(In reply to josejoa59 from comment #28)
> 
> Test this video: https://twitter.com/Juanmi_News/status/953001162277605377
> 
> Edge and Chrome reproduce the video, only fails Firefox.

My Firefox 57.0.4 installation does play this video. Maybe it is an add-on issue?

Comment 30

5 days ago
(In reply to Severin Wünsch from comment #29)
> (In reply to josejoa59 from comment #28)
> > 
> > Test this video: https://twitter.com/Juanmi_News/status/953001162277605377
> > 
> > Edge and Chrome reproduce the video, only fails Firefox.
> 
> > My Firefox 57.0.4 installation does play this video. Maybe it is an add-on
> > issue?

I have 57.0.4 (64 bits) and added an exception for Twitter in adblocker lite, but it doesn't play the video. Anyway, I don't mind, I use Chrome now.
I cannot reproduce this bug anymore after setting security.csp.enable false, using a clean profile, using my original profile with disabling all add-ons and enabling all add-ons... So weird..
I used to be able to reproduce this with security.csp.enable to TRUE, on tweetdeck.twitter.com and just looking for some tweet with an embedded video. I can't reproduce this anymore and the videos work now. This is on Nightly.