1483201 - Storefront purchase page layout is broken while Tracking Protection is enabled

Status: RESOLVED FIXED

(Web Compatibility :: Site Reports, defect, P3)

Description

[Oana Arbuzov [:oanaarbuzov]]

[Environment:]
Browser / Version: Firefox Nightly 63.0a1 (2018-08-13)
Operating System: Windows 10 Pro

[Prerequisites:]
    1. Tracking Protection Basic enabled.

[Steps to Reproduce:]
    1. Navigate to https://store.kaspersky.com/store?Action=buy&Currency=EUR&Locale=en_FI&SiteID=kaspergl&ThemeID=5035600&productID=310017800&quantity=1&spage=&undefined=Home_Home-Products_Kaspersky-Password-Manager 
    2. Observe the page
        
[Expected Behavior:]
The page’s content is loaded correctly.  
 
[Actual Behavior:]
The design is broken.

Comment 1

[Oana Arbuzov [:oanaarbuzov]]

Looking at the devtools console, here are the blocked resources:
The resource at “https://drh.img.digitalriver.com/DRHM/Storefront/Library/scripts/jquery/jquery-1.4.4.min.js” was blocked because tracking protection is enabled.
The resource at “https://drh1.img.digitalriver.com/DRHM/Storefront/Library/scripts/jquery/plugins/jquery.overlay-1.1.min.js” was blocked because tracking protection is enabled.
The resource at “https://www.googletagmanager.com/gtm.js?id=GTM-WZ7LJ3” was blocked because tracking protection is enabled.
The resource at “https://drh2.img.digitalriver.com/DRHM/Storefront/SiteImplementation/kaspergl/kasperglSI/version/99/images/visa_en_FI.gif” was blocked because tracking protection is enabled.
The resource at “https://kaspersky.d3.sc.omtrdc.net/b/ss/kaspersky-single-suite/1/JS-2.6.0/s08230135331518?AQB=1&ndh=1&pf=1&t=14%2F7%2F2018%2015%3A35%3A1%202%20-180&mid=88602929522519685050881368079018691721&aamlh=6&ce=UTF-8&ns=kaspersky&cdp=2&pageName=Shopping%20Cart%20%3E%20Checkout&g=https%3A%2F%2Fstore.kaspersky.com%2Fstore%3FAction%3Dbuy%26Currency%3DEUR%26Locale%3Den_FI%26SiteID%3Dkaspergl%26ThemeID%3D5035600%26productID%3D310017800%26quantity%3D1%26spage%3D%26undefined%3DHome_Home-Products_Kaspersky-Password-Manager&cc=USD&ch=Shopping%20Cart&server=store.kaspersky.com&events=scView&products=%3BDR-310017800%3B5&aamb=j8Odv6LonN4r3an7LhD3WZrU1bUpAkFkkiY1ncBR96t2PTI&c1=DR-9273216407&v1=D%3Dc1&l2=DR-310017800&v3=Shopping%20Cart%20%3E%20Checkout&v9=https%3A%2F%2Fstore.kaspersky.com%2Fstore%3FAction%3Dbuy%26Currency%3DEUR%26Locale%3Den_FI%26SiteID%3Dkaspergl%26ThemeID%3D5035600%26productID%3D310017800%26quantity%3D1%26spage%3D%26undefined%3DHome_Home-Products_Kaspersky-Password-Manager&c29=v1%3As_code_dr.js%3AtrackPageView%20%3E%20s.t%3Ap&c30=v1%3A20180725%3A194%3ADigital%20River%3A%5BNULL%5D&c31=https%3A%2F%2Fstore.kaspersky.com%2Fstore&v44=D%3Dv3&c47=Default&v47=D%3Dc47&c48=v1%3ADigital%20River%3Akaspergl%3A5035600&v48=D%3Dc48&c51=Shopping%20Cart&c57=en-FI%3Akaspergl&v57=D%3Dc57&c58=Kaspersky%20Lab%20Nordic%20Online%20Store%20-%20Shopping%20Basket&v71=v1%3APage%20View%3A%5BNULL%5D&s=1920x1080&c=24&j=1.6&v=N&k=Y&bw=1920&bh=930&mcorgid=983502BE532960BE0A490D4C%40AdobeOrg&AQE=1” was blocked because tracking protection is enabled.
The resource at “https://9273216407---0---globalcommerce---0---86-127-174-35.cfspx.digitalriver.com/images/cleardot.gif” was blocked because tracking protection is enabled.

So below are the domains to test:
- drh.img.digitalriver.com
- drh1.img.digitalriver.com
- drh2.img.digitalriver.com
- 9273216407---0---globalcommerce---0---86-127-174-35.cfspx.digitalriver.com
- www.googletagmanager.com
- kaspersky.d3.sc.omtrdc.net

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. The layout is broken.

I disabled the Spoof Referrer option in uMatrix and then WHITELISTED:
- digitalriver.com (and all related domains cfspx.digitalriver.com, img.digitalriver.com, drh.img.digitalriver.com, drh1.img.digitalriver.com, drh2.img.digitalriver.com, 9273216407---0---globalcommerce---0---86-127-174-35.cfspx.digitalriver.com)
and the page's content was loaded (CSS and images).

The other resource (www.googletagmanager.com, kaspersky.d3.sc.omtrdc.net) didn't help. 

So in conclusion:
- digitalriver.com - Advertising = [tp-ads]

Comment 2

[Oana Arbuzov [:oanaarbuzov]]

Attachment: LayoutBroken.png

Added screenshot with broken layout.

Comment 3

[Oana Arbuzov [:oanaarbuzov]]

Attachment: uMatrixResults.png

Added uMatrix results.

Comment 5

[Thomas Wisniewski [:twisniewski]]

According to the console, jQuery is not being defined, breaking the layout of the page. But really, all of the requests to the Digital River storefront library are being blocked, including a bunch of .gif button images and the scriptsd defining jQuery:

https://drh.img.digitalriver.com/DRHM/Storefront/Library/scripts/jquery/jquery-1.3.2.min.js
https://drh1.img.digitalriver.com/DRHM/Storefront/Library/scripts/jquery/plugins/jquery.overlay-1.1.min.js
...etc...

I don't actually see any immediate red flags in the list of URLs of this format, at least not if the user is actually trying to buy something:

https://drh?.img.digitalriver.com/DRHM/Storefront/*

I think we might be better off to simply unblock these, at least if the user has navigated to a URL of the form https://store.kaspersky.com/store?Action=buy as that seems to reveal an actual intent that the user wishes to buy something, not just browsing the storefront.

Comment 6

[Thomas Wisniewski [:twisniewski]]

Note that bug 1485641 is also about Digital River storefront code breakage while the user is shopping in strict mode.

Comment 8

[Oana Arbuzov [:oanaarbuzov]]

The issue is not reproducible with ETP - Standard, the design is displayed correctly.
https://prnt.sc/wmooi1

Note: The layout is still broken with ETP - Strict.

Tested with:
Browser / Version: Firefox Nightly 86.0a1 (2021-01-12)
Operating System: Windows 10 Pro