Closed Bug 1476572 Opened 6 years ago Closed 3 years ago

Sign up form is not displayed on talkwalker.com while Tracking Protection Basic is enabled

Categories

(Web Compatibility :: Site Reports, defect, P1)

Product:
Web Compatibility
Component:
Site Reports
Version:
Firefox 62
Platform:
x86_64
Windows 10
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: oanaarbuzov, Unassigned)

References

(Blocks 2 open bugs,
URL
)

Details

(Whiteboard: [webcompat][tp-ads][tp-yellowlist-active][tp-site-severe][tp-shim-complex])

User Story

marketo.com

Attachments

(1 file)

uMatrixResults.png
830.42 KB, image/png
Details 
[Environment:]
Browser / Version: Firefox Nightly 63.0a1 (2018-07-17), Firefox Release 61.0
Operating System: Windows 10 Pro, Mac OS X 10.13

[Prerequisites:]
    1. Tracking Protection Basic enabled.
[Steps to Reproduce:]
    1. Navigate to https://www.talkwalker.com/free-demo 
    2. Observe “Sign Up” overlay.
        
[Expected Behavior:]
The form is displayed, allowing account creation.
 
[Actual Behavior:]
The form is not displayed.
Looking at the devtools console, here are the blocked resources:
The resource at “https://app-lon05.marketo.com/js/forms2/js/forms2.min.js” was blocked because tracking protection is enabled.[Learn More] free-demo 
The resource at “https://www.googletagmanager.com/gtm.js?id=GTM-WS3PWF” was blocked because tracking protection is enabled.[Learn More] free-demo 
The resource at “https://munchkin.marketo.net/munchkin.js” was blocked because tracking protection is enabled.[Learn More] free-demo 
The resource at “https://connect.facebook.net/en_US/fbevents.js” was blocked because tracking protection is enabled.[Learn More] free-demo 
The resource at “https://static.hotjar.com/c/hotjar-349174.js?sv=6” was blocked because tracking protection is enabled.[Learn More] free-demo 

So there were domains to test:
- app-lon05.marketo.com
- www.googletagmanager.com
- munchkin.marketo.net
- connect.facebook.net
- static.hotjar.com

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. The "Sign Up" form is not displayed.

I disabled the Spoof Referrer option in uMatrix and then whitelisted app-lon05.marketo.com. In this case the form was displayed and I was able to create an account.

The other resources (www.googletagmanager.com, munchkin.marketo.net, connect.facebook.net, static.hotjar.com) didn't help. 

So in conclusion:
- marketo.com is in the `Advertising` category [tp-ads]
Attached image uMatrixResults.png 
Added uMatrxi results.
Summary: Sign up form is not displayed on talkwalker.com while Tracking Protection is enabled → Sign up form is not displayed on talkwalker.com while Tracking Protection Basic is enabled
Priority: -- → P1
See Also: → 1484700
Product: Tech Evangelism → Web Compatibility

Migrating Webcompat whiteboard priorities to project flags. See bug 1547409.

Webcompat Priority: --- → ?

See bug 1547409. Migrating whiteboard priority tags to program flags.

Webcompat Priority: ? → ---

I see this in the console when TP mode breaks the page: MktoForms2 is not defined

Marketo Forms may not be easy to spoof, as it is a framework for making these kinds of sign-up forms.

But these are the blocked scripts:

https://app-lon05.marketo.com/js/forms2/js/forms2.min.js
https://munchkin.marketo.net/munchkin.js

And the sign-up form seems to work fine if I block just the Munchkin, which seems to be the tracking component:

  var doAjaxSubmit = function (){
    var values = pub.getValues();
    if(window.Munchkin){
      try{
        window.Munchkin.createTrackingCookie(true);
      }catch(e){
        //For IE 7
      }
    }

So I'm not sure if we even need to block forms2.js, since I don't see anything terribly fishy in it aside from that attempt to call Munchkin, and even with access to cookies/storage being blocked, I was able to sign up. So it may just be good enough for us to un-block that one script, leaving the other blocking intact. If it's not, we could always put the effort into creating a custom forms2.js version to spoof with, which does not include anything we feel is suspicious (note they currently have an unminified version up at https://app-lon05.marketo.com/js/forms2/js/forms2.js).

URL: https://www.talkwalker.com/free-demohttps://www.talkwalker.com/free-demo

By using urlclassifier.trackingSkipURLs, I see that for the page to work, the forms2.min.js must be allowed, and also the corresponding request to:

https://app-lon05.marketo.com/index.php/form/getForm?munchkinId=538-DCX-400&form=84&url=https%3A%2F%2Fwww.talkwalker.com%2Ffree-demo&callback=jQuery112408598523865987148_1585790062392&_=1585790062393

The munchkinId parameter is necessary, and is specific to the Marketo instance and not the visitor, so we ought to be safe in whitelisting getForm (as long as we continue blocking the visitor-specific munchkin.js).

This is also affecting Amazon Pay's business account sign-up page, https://pay.amazon.com/signup. I similarly had to yellowlist these resources for the form to appear there:

https://app-lon06.marketo.com/js/forms2/js/forms2.min.js
https://app-lon06.marketo.com/index.php/form/getForm

Edit: the form no longer appears to use Marketo.

Whiteboard: [webcompat][tp-ads] → [webcompat][tp-ads][yellowlist-active][site-severe][shim-complex]
Whiteboard: [webcompat][tp-ads][yellowlist-active][site-severe][shim-complex] → [webcompat][tp-ads][tp-yellowlist-active][tp-site-severe][tp-shim-complex]

The form it displayed with ETP - Standard.
https://prnt.sc/w3bbuq

Note: The form is not displayed with ETP - Strict (https://prnt.sc/w3bbj7).

Tested with:
Browser / Version: Firefox Nightly 86.0a1 (2020-12-14)
Operating System: Windows 10 Pro

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: