Firefox Accounts fails to load when privacy.resistFingerprinting is true

RESOLVED FIXED

Status

defect
RESOLVED FIXED
2 years ago
Last year

People

(Reporter: u608644, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20100101

Steps to reproduce:

Try to login to AMO.
1. On AMO webpage, click signin/login link.


Actual results:

TypeError: setting getter-only property "navigationStart"
[Learn More]
navigation-timing.js:39
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://accounts.firefox.com https://accounts-static.cdn.mozilla.net”). Source: onclick attribute on A element.
signin




TypeError: this._speedTrap.init is not a function
Stack trace:
o@https://accounts-static.cdn.mozilla.net/bundle-089f09d69396fa4f85d04b4929460c2a33552eba/app.bundle.en.js:1:75001
_createMetrics@https://accounts-static.cdn.mozilla.net/bundle-089f09d69396fa4f85d04b4929460c2a33552eba/app.bundle.en.js:1:207529
initializeMetrics@https://accounts-static.cdn.mozilla.net/bundle-089f09d69396fa4f85d04b4929460c2a33552eba/app.bundle.en.js:1:198030
initializeDeps/<@https://accounts-static.cdn.mozilla.net/bundle-089f09d69396fa4f85d04b4929460c2a33552eba/app.bundle.en.js:1:196693



Expected results:

I was able to login last week. It's clear this is your side's problem.
This isn't a security bug.

The urls indicate script problems with Firefox Accounts so moving there.
Component: Security → Server: Firefox Accounts
Product: addons.mozilla.org → Cloud Services
Thanks for the report.  Often when we see script errors from Firefox Accounts it is due to a bad intereaction with an addon, could you please again with Firefox in "safe mode" [1] to see whether that might be the cause of the issue here?

(I tried to ni? the reporter here but bugzilla says they're not accepting ni? requests)

[1] https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode
> TypeError: setting getter-only property "navigationStart"

I think this is due to anti-fingerprinting behavior, possibly Bug 1369303.  I can reproduce by flipping "privacy.resistFingerprinting" to true and visiting https://accounts.firefox.com.

The culprit is here, where we assume that a falsey navigationStart value means it's undefined:

  https://github.com/rum-diary/speed-trap/blob/90be3c2d419b50cfa03d1700942b19ca8f4921a5/src/navigation-timing.js#L38
Summary: Login to AMO failed because of these errors → Firefox Accounts fails to load when privacy.resistFingerprinting is true
Phil, you appear to be a contributor on https://github.com/rum-diary/speed-trap, could you please tweak the above to cope sanely with navigationStart=0 and cut a new release?
Flags: needinfo?(pbooth)
See Also: → 1369303
That bug's now several months old though, so I'm not sure why we're only seeing reports of this in the last couple of days.  Did we recently ship an update to speed-trap that included this new behaviour?
Blocks: 1443961
(In reply to Ryan Kelly [:rfkelly] from comment #6)
> That bug's now several months old though, so I'm not sure why we're only
> seeing reports of this in the last couple of days.  Did we recently ship an
> update to speed-trap that included this new behaviour?

Yeah train 106 has 0.0.7 of the module that has that change.
> Yeah train 106 has 0.0.7 of the module that has that change.

Gotcha.  As you suggested in IRC, it may be simpler to just roll that back for train-107 and then do a fix at a more leisurely pace.
Updated speed-trap landed in https://github.com/mozilla/fxa-content-server/pull/5974.
Flags: needinfo?(pbooth)
This should now be fixed!
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Blocks: 1447539
You need to log in before you can comment on or make changes to this bug.