Closed Bug 1470256 Opened 6 years ago Closed 5 years ago

Tracking Protection Strict Disconnect.me list blocks reCAPTCHA

Categories

(Web Compatibility :: Site Reports, defect, P3)

Firefox 60
defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: mail, Unassigned)

References

(Blocks 1 open bug, )

Details

(Whiteboard: tp-content)

User Story

google.com

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180608151520

Steps to reproduce:
Tracking Protection hides reCAPTCHA. Example site: https://gab.ai/auth/register

Actual results:
Firefox does not warn on-page(!) that it is hiding reCAPTCHA. It only shows the Tracking Protection shield in the URL bar.

Expected results:
Wherever Tracking Protection is hiding elements, it should display a clear notification on-page(!).

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
20180621013659

The basic Disconnect.me list is OK. The problem is with the strict list.

Browser Console output:
The resource at “https://www.google.com/recaptcha/api.js?onload=vueRecaptchaApiLoaded&render=explicit” was blocked because tracking protection is enabled.[Learn More] register
The resource at “https://www.google.com/recaptcha/api.js?onload=vueRecaptchaApiLoaded&render=explicit” was blocked because tracking protection is enabled.[Learn More] register
Has STR: --- → yes
Component: Untriaged → Tracking Protection
OS: Unspecified → All
Hardware: Unspecified → All
I can confirm this behavior, but only with strict Disconnect.me list enabled. I spoke with the reporter (N. de Jonge) on IRC who indicated that they were using strict and basic fixes it, however they had *not* changed the list used. This change happened to the strict list for them in the last 24 hours or so. The strict list may be expected to break more things than basic, but embedded YouTube and reCAPTCHAs seem a bit too disruptive.
Summary: Tracking Protection hides important elements without on-page(!) notifications → Tracking Protection Strict Disconnect.me list hides important elements without on-page(!) notifications
That's because all of the Google domains are on the strict list: https://github.com/mozilla-services/shavar-prod-lists/blob/f16248d7f33367bb3c48d72fb32fdb239dbe0c8e/disconnect-blacklist.json#L6699-L6947 The strict list is expected to have significantly higher breakage and users opting into it should watch for the Shield and disable protection on a page by page basis when they need it. Sites that want/need to work with TP in strict mode would need to use a different CAPTCHA system.
Blocks: tp-breakage
Component: Tracking Protection → Desktop
Product: Firefox → Tech Evangelism
Summary: Tracking Protection Strict Disconnect.me list hides important elements without on-page(!) notifications → Tracking Protection Strict Disconnect.me list blocks reCAPTCHA
Whiteboard: tp-content
Version: 60 Branch → Firefox 60
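Added example, not part of the bug thread or of Firefox's code: a simplified check a site operator could run to see which third-party resources on a page fall under a Disconnect-format list at each protection level, as described in the comment above that links disconnect-blacklist.json. The sample list, the BASIC/STRICT category sets and cdn.site.example are constructed assumptions, and the parent-domain match stands in for Firefox's actual lookup.

```javascript
// Constructed excerpt in the layout of disconnect-blacklist.json:
// categories -> [ { entity: { homepage: [domains] } } ]. Not the real list.
const SAMPLE_LIST = { categories: {
  Advertising: [{ "Example Ads": { "http://ads.example/": ["ads.example"] } }],
  Content: [{ Google: { "http://www.google.com/": ["google.com", "youtube.com"] } }],
} };

// Assumed category sets for the two list choices discussed in the bug.
const BASIC = ["Advertising"];
const STRICT = ["Advertising", "Content"];

// Flatten the enabled categories into a domain -> {entity, category} map.
function buildIndex(list, enabledCategories) {
  const index = new Map();
  for (const category of enabledCategories) {
    for (const entry of list.categories[category] || []) {
      for (const [entity, sites] of Object.entries(entry)) {
        // Only array values are domain lists; anything else is metadata.
        for (const domains of Object.values(sites).filter(Array.isArray)) {
          for (const d of domains) index.set(d.toLowerCase(), { entity, category });
        }
      }
    }
  }
  return index;
}

// Walk parent domains: "www.google.com" matches "google.com", "notgoogle.com" does not.
function lookupHost(host, index) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const hit = index.get(labels.slice(i).join("."));
    if (hit) return hit;
  }
  return null;
}

// Report which resources a given list level would block, and under which entry.
function auditResources(urls, list, enabledCategories) {
  const index = buildIndex(list, enabledCategories);
  return urls.map((url) => {
    const hit = lookupHost(new URL(url).hostname, index);
    return { url, blocked: hit !== null, ...(hit || {}) };
  });
}

const PAGE_RESOURCES = ["https://www.google.com/recaptcha/api.js", "https://cdn.site.example/app.js"];
console.log(auditResources(PAGE_RESOURCES, SAMPLE_LIST, STRICT));
```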
The linked disconnect-blacklist.json file at GitHub appears to have had its last change in December 2017, yet without changing any Firefox settings, both reCAPTCHA and embedded YouTube videos only recently - within the last 24 hours - disappeared from web pages. This is with, at least, my setup and Firefox 60.0.2 (64-bit) on Linux Mint.

Also, while it's true that the strict list is expected to have significantly higher breakage, many users, including experienced computer users (and even hackers, such as myself), will either have forgotten about enabling the block list, or won't be aware how the tracking protection is affecting web pages. The tracking protection shield is easy to overlook, so it would be most welcome if a clear notification about elements being hidden would be visible on-page; where the actual blocking is happening.

By the way, you (francois) changed the summary from "Tracking Protection Strict Disconnect.me list hides important elements without on-page(!) notifications" to "Tracking Protection Strict Disconnect.me list blocks reCAPTCHA". In my opinion, the bigger problem is when it's unclear for users that (and where) elements are missing, not what the exact 'strength' is of the various block lists. It's not unthinkable that non-technically savvy users will simply pick the strictest block list after installing Firefox, without ever having a clue how this affects the web pages they are viewing.

(In reply to N. de Jonge from comment #4)
> The linked disconnect-blacklist.json file at GitHub appears to have had its
> last change in December 2017, yet without changing any Firefox settings,
> both reCAPTCHA and embedded YouTube videos only recently - within the last
> 24 hours - disappeared from web pages. This is with, at least, my setup and
> Firefox 60.0.2 (64-bit) on Linux Mint.

The reason for this is that the strict list has been broken for a few months (bug 1465528) and got fixed yesterday. What you are seeing now is the strict list operating as expected.

> Also, while it's true that the strict list is expected to have significantly
> higher breakage, many users, including experienced computer users (and even
> hackers, such as myself), will either have forgotten about enabling the
> block list, or won't be aware how the tracking protection is affecting web
> pages. The tracking protection shield is easy to overlook, so it would be
> most welcome if a clear notification about elements being hidden would be
> visible on-page; where the actual blocking is happening.

That's a good suggestion. I have filed bug 1470285 for it.
See Also: → 1470285
Blocks: tplogin
No longer blocks: tp-breakage
User Story: (updated)
Priority: -- → P3
Attached image spotify.png
The problem here isn't that the blocking happens (that's understandable), but - as reported - the blocking isn't reported correctly. See the screenshot.
Product: Tech Evangelism → Web Compatibility

Changing the status of this bug to NEW since I was also able to reproduce it, with latest Nightly 67.0a1 under Windows 10 x64.

Status: UNCONFIRMED → NEW
Ever confirmed: true

I cannot reproduce this on the latest Firefox nightly; the Gab page does not seem to use reCaptcha anymore, and the reCaptcha Demo page and https://patrickhlauke.github.io/recaptcha/ are both working fine for me even with strict tracking protection on.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME