1475937 - Images are not displayed on g1.globo.com while basic TP is ON

Status: RESOLVED FIXED

(Web Compatibility :: Site Reports, defect, P3)

Description

[Sergiu Logigan [:sergiu]]

Environment:
Windows 10, Mozilla Firefox Nightly 63.0a1 (2018-07-15) (64-bit)

STR:
1. Open Mozilla Firefox.
2. Turn ON basic tracking Protection.
3. Navigate to https://g1.globo.com/mundo/noticia/memes-da-copa-do-mundo-2018-nigeria-x-argentina.ghtml
4. Observe the images displayed.

Expected results:
1. The images are displayed.

Actual results:
1. The images are not displayed. Instead, some HTML code is.

ex:
"-< href="https://twitter.com/hashtag/ZicaPraArgentina?src=hash&ref_src=twsrc%5Etfw" url="https://twitter.com/hashtag/ZicaPraArgentina?src=hash&ref_src=twsrc%5Etfw">#ZicaPraArgentina> < href="https://twitter.com/hashtag/NGAAGR?src=hash&ref_src=twsrc%5Etfw" url="https://twitter.com/hashtag/NGAAGR?src=hash&ref_src=twsrc%5Etfw">#NGAAGR>
"Nigéria x Argentina" < href="https://t.co/7WFBZcxmax" url="https://t.co/7WFBZcxmax">pic.twitter.com/7WFBZcxmax>"

Comment 1

[Sergiu Logigan [:sergiu]]

Looking at the devtools console, here are the blocked resources:

The resource at “https://tag.navdmp.com/tm13574.js” was blocked because tracking protection is enabled.
The resource at “https://cdn.krxd.net/controltag/J2lZajxx.js” was blocked because tracking protection is enabled.
The resource at “https://sb.scorecardresearch.com/c2/6035227/cs.js” was blocked because tracking protection is enabled.
The resource at “https://connect.facebook.net/en_US/sdk.js” was blocked because tracking protection is enabled.
The resource at “https://platform.twitter.com/widgets.js” was blocked because tracking protection is enabled.
So there were domains to test:

tag.navdmp.com
cdn.krxd.net
sb.scorecardresearch.com
connect.facebook.net
platform.twitter.com

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. The page is not loaded correctly. No images are displayed.

I disabled the Spoof Referrer option in uMatrix and then whitelisted:
glbimg.com
twimg.com
twitter.com

After this, the images were displayed correctly.

The other resources (tag.navdmp.com, cdn.krxd.net, sb.scorecardresearch.com, connect.facebook.net) didn't help.

https://user-images.githubusercontent.com/16573771/42632380-a23b1e9a-85e5-11e8-8557-ae6ae2ee7ffd.png

So in conclusion:
glbimg.com - Not listed
twimg.com - Twitter resources = [tp-social]
twitter.com - Twitter resources = [tp-social]

Comment 2

[Thomas Wisniewski [:twisniewski]]

The images I'm seeing are really embedded Twitter posts, and can be un-blocked by allowing resources from:

https://platform.twitter.com/
https://cdn.syndication.twimg.com/tweets.json
https://syndication.twitter.com/
https://abs.twimg.com/emoji/
https://pbs.twimg.com/
https://platform.twitter.com/

It's basically the same situation as in https://bugzilla.mozilla.org/show_bug.cgi?id=1485372#c4, and the shimming method there fixes the issue with a yellow-list opt in... but the site defines its own window.twttr object, which we'll have to account for in any shims (just save a reference to it, and restore it just before we load the real widgets.js).

Comment 3

[Oana Arbuzov [:oanaarbuzov]]

The issue is not reproducible with ETP - Standard, thus the issues can be closed.
https://prnt.sc/w39yu2

Note: The issue still occur with ETP - Strict (https://prnt.sc/w39u67) - https://bugzilla.mozilla.org/show_bug.cgi?id=1609867

Tested with:
Browser / Version: Firefox Nightly 86.0a1 (2020-12-14)
Operating System: Windows 10 Pro