Closed Bug 1425672 Opened 6 years ago Closed 6 years ago

(csp), (web-workers) Tweetdeck has stopped playing videos

Categories

(Core :: DOM: Security, defect, P2)

defect


RESOLVED INCOMPLETE

People

(Reporter: xirconuk, Unassigned)

Details

(Whiteboard: [parity-Chrome])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20171215220126

Steps to reproduce:

Open Tweetdeck (either in a tab or sidebar), click to play an attached video.


Actual results:

Video does not play, message "The media could not be played." on a black background.  Video plays fine on Twitter main site.


Expected results:

Video should play.  Stopped working yesterday, was working as expected before then.

Works:
Palemoon
Vivaldi
Chrome
Version: 58 Branch → Trunk
Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Hi Reporter,

Thanks for reporting this bug.
Can you help us use mozregression[1] to find the possible patch that caused this problem?

[1]http://mozilla.github.io/mozregression/
Priority: -- → P2
Tried a few dates - none of them play (went back to 12th), perhaps a Linux update or a tweetdeck change is to blame?
(In reply to xirconuk@gmail.com from comment #2)
> Tried a few dates - none of them play (went back to 12th), perhaps a Linux
> update or a tweetdeck change is to blame?
Thanks for this information. 
I am going to close this bug. If you still can see this bug again, please feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Sorry... I misunderstood your comment.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WORKSFORME → ---
You could try to install Firefox released version, 57, to see if you can reproduce this bug. If not, then it could be a Firefox bug.
I can reproduce on Nightly59.01, 58.0b11, 57.0.2 and ESR52.5.2 x64 windows10.


XML Parsing Error: no root element found
Location: https://tweetdeck.twitter.com/metrics
Line Number 1, Column 1:  metrics:1:1
Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.  (unknown)
TypeError: this.sink is null[Learn More]  network-monitor.js:527:5
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”). Source: onfocusin attribute on DIV element.  942244379179155456
Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://twitter.com/b8193684-89ed-4c97-8e08-87572c94c42b (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”).  (unknown)



And setting security.csp.enable = false fixes the problem.
Confirmed - changing setting security.csp.enable = false - fixes the problem (Manjaro Linux)

Bug also occurs in FF57 - 57.0.2-2
Edge on windows10 also fails to play back. Only Chrome works.
Status: REOPENED → NEW
Component: Audio/Video: Playback → DOM: Security
Whiteboard: [parity-Chrome]
Summary: Tweetdeck has stopped playing videos → (csp) Tweetdeck has stopped playing videos
CSP2 says blob: needs to be explicitly listed as an origin in the policy. That's what we've always enforced so this can't be a regression; could be a site change.

CSP3 is far less clear. It's possible that chrome is using the fact that the definition of blob: urls has changed to include the origin of the data and whitelisting based on that. (I'm assuming the problem is the second CSP error, not the blocked onfocusin event because Chrome should behave the same as us on that one.)
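To make the CSP2 rule in the comment above concrete, here is an added example (not Firefox code and not part of this bug) that applies CSP2 source-list matching to the exact script-src directive and blob: URL quoted in the console errors in this report; it assumes a simplified matcher that skips keyword sources such as 'self', which this policy does not use.

```python
from urllib.parse import urlsplit

# script-src directive copied from the console error quoted in this bug.
TWEETDECK_SCRIPT_SRC = ("'unsafe-eval' https://twitter.com http://localhost:* "
                        "http://localhost.twitter.com:* https://*.twitter.com "
                        "https://*.twimg.com https://vine.co https://*.vine.co "
                        "https://*.periscope.tv https://*.pscp.tv")

def _split_host_port(netloc):
    """'localhost:*' -> ('localhost', '*'); 'twitter.com' -> ('twitter.com', '')."""
    host, sep, port = netloc.rpartition(":")
    return (host, port) if sep else (netloc, "")

def host_source_matches(source, url):
    """CSP2 host-source matching: schemes must be equal, the host may carry a
    leading '*.' wildcard, the port may be '*', absent (scheme default) or exact."""
    scheme, _, rest = source.lower().partition("://")
    host_pat, port_pat = _split_host_port(rest.split("/", 1)[0])
    u = urlsplit(url.lower())
    if u.scheme != scheme:                      # a blob: URL never equals https:
        return False
    host, port = _split_host_port(u.netloc)
    if host_pat.startswith("*."):
        if not host.endswith(host_pat[1:]):     # '*.twitter.com' needs a subdomain
            return False
    elif host != host_pat:
        return False
    default = {"https": "443", "http": "80"}.get(scheme, "")
    return port_pat == "*" or (port or default) == (port_pat or default)

def script_allowed(policy, url):
    """True if the script-src source list `policy` permits loading `url`.
    Keyword sources ('unsafe-eval', 'self', ...) are skipped: they grant no
    URL by themselves (simplification: 'self' is not implemented here)."""
    scheme = urlsplit(url).scheme.lower()
    for src in policy.split():
        if src.startswith("'"):
            continue
        if src.endswith(":") and "://" not in src:   # scheme-source, e.g. blob:
            if src[:-1].lower() == scheme:
                return True
        elif host_source_matches(src, url):
            return True
    return False

# The blob: URL from the console error in this bug.
BLOCKED_BLOB = "blob:https://twitter.com/b8193684-89ed-4c97-8e08-87572c94c42b"
print(script_allowed(TWEETDECK_SCRIPT_SRC, BLOCKED_BLOB))             # -> False
print(script_allowed(TWEETDECK_SCRIPT_SRC + " blob:", BLOCKED_BLOB))  # -> True
```

The host-source `https://*.twitter.com` never matches because the URL's scheme is `blob`, not `https`; only adding the scheme-source `blob:` to script-src makes the load pass.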
It is definitely not working in Firefox Quantum 57.0.3. It was working until a couple of updates ago.
In 57.0.3 it doesn't work, even after changing security.csp.enable to false
Disabling dom.workers.enabled also fixes the problem.


WORKAROUND: we should switch to chrome/chromium based browser.
Summary: (csp) Tweetdeck has stopped playing videos → (csp), (web-workers) Tweetdeck has stopped playing videos
(In reply to Alice0775 White from comment #14)
> Disabling dom.workers.enabled also fixes the problem.
> 
> 
> WORKAROUND: we should switch to chrome/chromium based browser.

With dom.workers.enabled set to false it also doesn't work. I think I will return to chrome/chromium, thank you.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
20171231100350

Workaround, tested without modifying CSP or workers in about:config:

1. https://addons.mozilla.org/firefox/addon/header-editor/
2. Click either the Header Editor toolbar button, or the Options button next to Header Editor in the Add-ons Manager.
3. Click the circled (+) button in the bottom right.
   Name: enter something descriptive, like CSP - Twitter
   Rule type: Modify the response header
   Match type: URL prefix
   Exclude rule:
   Match rules: https://twitter.com/i/videos/tweet/
   Execute type: Normal
   Header name: content-security-policy
   Header value:
4. Click the icon in the top right to save your new rule.
5. If you were trying to view an embedded tweet on a page, reload it bypassing the cache (Ctrl+Shift+R or Command+Shift+R).
(In reply to Gingerbread Man from comment #16)
> Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101
> Firefox/59.0
> 20171231100350
> 
> Workaround, tested without modifying CSP or workers in about:config:
> 
> 1. https://addons.mozilla.org/firefox/addon/header-editor/
> 2. Click either the Header Editor toolbar button, or the Options button next
> to Header Editor in the Add-ons Manager.
> 3. Click the circled (+) button in the bottom right.
>    Name: enter something descriptive, like CSP - Twitter
>    Rule type: Modify the response header
>    Match type: URL prefix
>    Exclude rule:
>    Match rules: https://twitter.com/i/videos/tweet/
>    Execute type: Normal
>    Header name: content-security-policy
>    Header value:
> 4. Click the icon in the top right to save your new rule.
> 5. If you were trying to view an embedded tweet on a page, reload it
> bypassing the cache (Ctrl+Shift+R or Command+Shift+R).

Doesn't work sorry ;-(
This is what I did and it appears to have worked. Many thanks. 



(In reply to josejoa59 from comment #13)
> In 57.0.3 it doesn't work, even after changing security.csp.enable to false
I was facing the same thing.
Tried changing security.csp.enable to false and it worked.
Reset it to true, and it stopped working again.

MacOS High Sierra
10.13.2
Firefox 58.0b13 (64-bit)

Interestingly enough, videos from youtube work properly. Only videos embedded from other sources don't work.

The errors in console are:

Warning: Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.
Error: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”). Source: onfocusin attribute on DIV element.
948658261791830016
Error: Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://twitter.com/35ed81b6-682c-724f-beee-24d19a165df8 (“script-src 'unsafe-eval' https://twitter.com http://localhost:* http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”).
(In reply to Felipe Nascimento from comment #19)
> I was facing the same thing.
> Tried changing security.csp.enable to false and it worked.
> Reset it to true, and it stopped working again.
> 
> MacOS High Sierra
> 10.13.2
> Firefox 58.0b13 (64-bit)
> 
> Interestingly enough, videos from youtube work properly. Only videos
> embedded from other sources don't work.
> 
> The errors in console are:
> 
> Warning: Content Security Policy: Ignoring ‘x-frame-options’ because of
> ‘frame-ancestors’ directive.
> Error: Content Security Policy: The page’s settings blocked the loading of a
> resource at self (“script-src 'unsafe-eval' https://twitter.com
> http://localhost:* http://localhost.twitter.com:* https://*.twitter.com
> https://*.twimg.com https://vine.co https://*.vine.co https://*.periscope.tv
> https://*.pscp.tv”). Source: onfocusin attribute on DIV element.
> 948658261791830016
> Error: Content Security Policy: The page’s settings blocked the loading of a
> resource at blob:https://twitter.com/35ed81b6-682c-724f-beee-24d19a165df8
> (“script-src 'unsafe-eval' https://twitter.com http://localhost:*
> http://localhost.twitter.com:* https://*.twitter.com https://*.twimg.com
> https://vine.co https://*.vine.co https://*.periscope.tv https://*.pscp.tv”).

Last version is 57.03, you have some beta version, the official version doesn't work with security.csp.enable set to false. It seems that Mozilla doesn't use twitter at all.
Tweetdeck seems to have solved the issue.
(In reply to Severin Wünsch from comment #21)
> Tweetdeck seems to have solved the issue.
Still not 
https://screenshots.firefox.com/wcKjig5G3BAsvhfQ/twitter.com
https://screenshots.firefox.com/cCXSpw13QYo4MYE4/tweetdeck.twitter.com
The second video on https://www.twitch.tv/p/extensions cannot be played either. The same error: content security policy. 
setting security.csp.enable false fixes the problem on the latest nightly, 59.0a1 (2018-01-15). 
Hi Christoph,
It looks like many websites are impacted. Do we have any plans to fix this? Or is this not a real bug?
Flags: needinfo?(ckerschb)
I am currently running 57.0.4 on linux. And I can watch the second video.
I think this looks like a real bug to me.
(In reply to Blake Wu [:bwu][:blakewu] from comment #23)
> The second video on https://www.twitch.tv/p/extensions cannot be played
> either. The same error: content security policy. 

Both videos work fine for me, as do videos on twitter and tweetdeck. I'm not seeing any CSP errors. How can we reproduce this?
If the error is about blob: URL then it's a site problem: their CSP should include "blob:" according to CSP2 which both Firefox and Edge have implemented. I'm not sure why Chrome is working as I thought we were on the same page there, but in practical terms that would be a site issue since Chrome isn't the only browser out there.

If it's sending different content to different browsers then that, too, would be a site problem.

But since we can't reproduce this and no one has presented clear STR it's hard to know where to go next here. For example, the screenshots in comment 22 are concerning, but there's no URL for those pages and they don't look like what I see when I do any twitter searches for the person mentioned in the screenshot.
(In reply to Daniel Veditz [:dveditz] from comment #25)
> (In reply to Blake Wu [:bwu][:blakewu] from comment #23)
> > The second video on https://www.twitch.tv/p/extensions cannot be played
> > either. The same error: content security policy. 
> 
> Both videos work fine for me, as do videos on twitter and tweetdeck. I'm not
> seeing any CSP errors. How can we reproduce this?

Same for me, I can't reproduce. Also given that Edge and Firefox show that error, I am not sure that Chrome is correct. Without being able to reproduce it's hard to make guesses. If I would have to guess though, then my guess is that those pages are not explicitly whitelisting blob within their CSP as the spec requires.
Flags: needinfo?(ckerschb)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #27)
> (In reply to Daniel Veditz [:dveditz] from comment #25)
> > (In reply to Blake Wu [:bwu][:blakewu] from comment #23)
> > > The second video on https://www.twitch.tv/p/extensions cannot be played
> > > either. The same error: content security policy. 
> > 
> > Both videos work fine for me, as do videos on twitter and tweetdeck. I'm not
> > seeing any CSP errors. How can we reproduce this?
> 
> Same for me, I can't reproduce. Also given that Edge and Firefox show that
> error, I am not sure that Chrome is correct. Without being able to reproduce
> it's hard to make guesses. If I would have to guess though, then my guess is
> that those pages are not explicitly whitelisting blob within their CSP as
> the spec requires.

Test this video: https://twitter.com/Juanmi_News/status/953001162277605377

Edge and Chrome play the video; only Firefox fails.
(In reply to josejoa59 from comment #28)
> 
> Test this video: https://twitter.com/Juanmi_News/status/953001162277605377
> 
> Edge and Chrome play the video; only Firefox fails.

My Firefox 57.0.4 installation does play this video. Maybe it is an add-on issue?
(In reply to Severin Wünsch from comment #29)
> (In reply to josejoa59 from comment #28)
> > 
> > Test this video: https://twitter.com/Juanmi_News/status/953001162277605377
> > 
> > Edge and Chrome play the video; only Firefox fails.
> 
> My Firefox 57.0.4 installation does play this video. Maybe it is an add-on
> issue?

I have 57.0.4 (64 bits) and added an exception for twitter in adblocker lite, but it doesn't play the video. Anyway I don't mind, I use Chrome now.
I cannot reproduce this bug anymore after setting security.csp.enable false, using a clean profile, using my original profile with disabling all add-ons and enabling all add-ons... So weird..
I used to be able to reproduce this with security.csp.enable to TRUE, on tweetdeck.twitter.com and just looking for some tweet with an embedded video. I can't reproduce this anymore and the videos work now. This is on Nightly.
(In reply to Blake Wu [:bwu][:blakewu] from comment #31)
> I cannot reproduce this bug anymore after setting security.csp.enable false, [...]

The bug claims CSP is the problem (based on console log messages) so this setting bypasses the reported bug. Tom's comment 32 is more to the point.

I cannot reproduce the issue using the video in comment 29. Tried Nightly and 57.0.4, with a bunch of addons (including ad blockers) and a clean profile. Can anyone still reproduce this? Can Jose still reproduce this with the video in comment 31? Could it be serving different regional content?
Flags: needinfo?(josejoa59)
(In reply to Daniel Veditz [:dveditz] from comment #33)
> (In reply to Blake Wu [:bwu][:blakewu] from comment #31)
> > I cannot reproduce this bug anymore after setting security.csp.enable false, [...]
> 
> The bug claims CSP is the problem (based on console log messages) so this
> setting bypasses the reported bug. Tom's comment 32 is more to the point.
> 
> I cannot reproduce the issue using the video in comment 29. Tried Nightly
> and 57.0.4, with a bunch of addons (including ad blockers) and a clean
> profile. Can anyone still reproduce this? Can Jose still reproduce this with
> the video in comment 31? Could it be serving different regional content?

With security.csp.enable set to both true and false, in Firefox 58.0 (64-bit), for this video: https://twitter.com/Juanmi_News/status/953001162277605377

Here is the reproduced bug in a pic https://screenshots.firefox.com/kTdfJgVyt7DglovS/twitter.com
Flags: needinfo?(josejoa59)
Works for us: Christoph and I were using Linux and Mac, from the US and Europe, Firefox 58 and Nightly (60) (tested multiple configs each). I even tried disabling widevine in case it was a DRM thing. Don't know how to make any progress here.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE