Open Bug 1486337 Opened 3 years ago Updated 4 months ago

Strict tracking protection breaks tsn.ca (ie, embedded videos, logins, scorecard)

Categories

(Web Compatibility :: Desktop, defect, P3)

Firefox 62
x86_64
Windows 10
defect

Tracking

(firefox61 affected, firefox62 affected, firefox63 affected, firefox86 affected, firefox87 affected)

REOPENED
Tracking Status
firefox61 --- affected
firefox62 --- affected
firefox63 --- affected
firefox86 --- affected
firefox87 --- affected

People

(Reporter: darrinlowe, Assigned: ksenia)

References

(Blocks 4 open bugs)

Details

(Keywords: webcompat:needs-diagnosis, Whiteboard: [tp-analytics][tp-yellowlist-passive][tp-site-severe][tp-login][tp-shim-content])

User Story

9c9media.ca

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:

Go to tsn.ca with default Firefox settings.


Actual results:

Scoreboard doesn't load, and live video player / streaming does not load. This also applies for their Windows 10 app, however, I was unable to fix the issue on that.


Expected results:

All of these things should load and work normally. 

After months of trying to figure out what happened when one day the website just stopped letting me view their live stream, and their Windows 10 app stopped loading properly, I learned that Firefox's "Tracking Protection" feature is what has broken the website. Disabling this feature on that website (exception) has completely fixed the issue. 

One or more of the "trackers" that are being blocked are necessary for the website to properly function.

Reproducible on Firefox 61.0.2, Firefox 62.0b20 and Nightly 63.0a1 on Windows 10 x64, Mac OS X 10.13 and Ubuntu 18.04 x64.
Status: UNCONFIRMED → NEW
Component: Untriaged → Tracking Protection
Ever confirmed: true
Blocks: tpvideo
Priority: -- → P3
Whiteboard: tp-needsrepro
The issue is reproducible and it is related to `Videos` and `Trackingprotection` breakage.

It is reproducible while Tracking Protection BASIC is enabled.

[Environment:]
Browser / Version: Firefox Nightly 63.0a1 (2018-08-30)
Operating System: Windows 10 Pro
VPN: active pointing to Canada

Looking at the devtools console, here are the blocked resources:
The resource at “https://auth.9c9media.ca/auth/main.js” was blocked because content blocking is enabled.
The resource at “https://www.googletagmanager.com/gtag/js?id=AW-803817420” was blocked because content blocking is enabled.
The resource at “https://z.moatads.com/bellmedia966Bwny69/moatcontent.js#l1=tsn.ca&l2=Sports%20News%2C%20Opinion%2C%20Scores%2C%20Schedules%20%7C%20TSN&l3=__page__&l4=-&zmoatab_cm=0&t=1535716497039&de=13614645198&zMoatAB_SNPT=true&vc=2” was blocked because content blocking is enabled.
The resource at “https://beacon.scorecardresearch.com/scripts/beacon.dll?C1=2&C2=3005664&C3=3005664&C4=https%3A//www.tsn.ca/&C5=&C6=&C7=https%3A//www.tsn.ca/&C8=Sports%20News%2C%20Opinion%2C%20Scores%2C%20Schedules%20%7C%20TSN&C9=&rn=66937216” was blocked because content blocking is enabled.
The resource at “https://www.googletagservices.com/tag/js/gpt.js” was blocked because content blocking is enabled.
The resource at “https://static.criteo.net/js/ld/publishertag.js” was blocked because content blocking is enabled.
The resource at “https://cdn.krxd.net/controltag?confid=IjHlQISs” was blocked because content blocking is enabled.
The resource at “https://connect.facebook.net/en_US/fbevents.js” was blocked because content blocking is enabled.
The resource at “https://www.google-analytics.com/analytics.js” was blocked because content blocking is enabled.
The resource at “https://c.go-mpulse.net/boomerang/XZFPJ-5JJRD-T7LAP-LR6NE-CSYBQ” was blocked because content blocking is enabled.
The resource at “https://js-agent.newrelic.com/nr-spa-1071.min.js” was blocked because content blocking is enabled.
The resource at “https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nzkmw&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fwww.tsn.ca%2F” was blocked because content blocking is enabled.

So below are the domains to test:
- auth.9c9media.ca
- www.googletagmanager.com
- z.moatads.com
- beacon.scorecardresearch.com
- www.googletagservices.com
- static.criteo.net
- cdn.krxd.net
- connect.facebook.net
- www.google-analytics.com
- c.go-mpulse.net
- js-agent.newrelic.com
- analytics.twitter.com

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. Loading spinners are displayed on `Scoreboard` and `Latest Video` elements.

I disabled the Spoof Referrer option in uMatrix and then WHITELISTED:
- 9c9media.ca (including all related domains)
and the `Scoreboard`, video player displayed, but the video did not play.

I whitelisted:
- akamaized.net (including all related domains)
and video played.

The other resources didn't help. 

So in conclusion:
- 9c9media.ca is in Analytics = [tp-analytics]
- akamaized.net is not listed
Blocks: tp-breakage
User Story: (updated)
Component: Tracking Protection → Desktop
OS: Unspecified → Windows 10
Product: Firefox → Tech Evangelism
Hardware: Unspecified → x86_64
Whiteboard: tp-needsrepro → [tp-analytics]
Version: 61 Branch → Firefox 62
Attached image BrokenElements.png
Added screenshot with broken elements.
Attached image umatrxiResults.png
Added uMatrix results.
Summary: Tracking Protection Broke Important Website Functionality → Tracking Protection Basic Broke Important Website Functionality
Product: Tech Evangelism → Web Compatibility

With strict protection on, I see this console error:

ReferenceError: BmAuth is not defined www.tsn.ca:281:13
    initAuth https://www.tsn.ca/:281
    <anonymous> https://www.tsn.ca/:274
    jQuery 4
    nrWrapper https://www.tsn.ca/:18
    (Async: EventListener.handleEvent)
    nrWrapper https://www.tsn.ca/:18
    jQuery 7

The BmAuth object is defined in this blocked script: https://auth.9c9media.ca/auth/main.js

It provides sign-in and video playback options, among other things. This (very minimal) spoof of the BmAuth object lets the page at least load to the point where I can see the videos and basic content:

  window.BmAuth = {
    init: function() {
      return new Promise(() => {});
    },
    isAuthenticated: function() {
      return Promise.resolve(false);
    },
    addListener: function() {},
    api: {
      event: {
        addListener: function() {},
      },
    },
  };

Based on this, I suspect we could spoof the object more fully, by figuring out what functionality is broken until the BmAuth.init() promise is resolved (for instance, BmAuth.handleSignIn() is called when the user clicks the login button). We can then dynamically load the script on demand, replace our spoof with the full object, and complete the various promises.

But spoofing like this won't fix the scorecard. Based on what I'm seeing it's broken due to this CORS failure:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://datacrunch.9c9media.ca/statsapi/sports/hockey/leagues/nhl/scoreboard?brand=tsn. (Reason: CORS request did not succeed).

That request is allowed to complete under basic tracking protection, making me suspect it's a potential false positive that we could allow (given that the URL has "datacrunch" and "statsapi" and "brand" in it, I wouldn't be surprised if it was simply mistaken as tracking, rather than an API to get live sports stats).

Summary: Tracking Protection Basic Broke Important Website Functionality → Strict tracking protection breaks tsn.ca (ie, embedded videos, logins, scorecard)
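
The deferred-load idea from the comment above, as an added example that is not part of the original bug and is not Mozilla's shipped shim: calls made before opt-in are queued, and only the login click triggers the blocked load. `createBmAuthShim` and `loadReal` are hypothetical names; only the `BmAuth` method names come from the comments, and the real script's behaviour is assumed.

```javascript
// loadReal: hypothetical loader that fetches the blocked script and resolves
// with the genuine BmAuth object (in a page it would inject a <script> tag).
function createBmAuthShim(loadReal) {
  let real = null;     // genuine object, set only after the user opts in
  let loading = null;  // single in-flight load, so repeated clicks load once
  const replay = [];   // calls made before opt-in, replayed against `real`

  // Run the call now if the real object exists, otherwise queue it.
  const defer = (call) => (real ? call(real) : void replay.push(call));

  function optIn() {
    if (!loading) {
      loading = Promise.resolve().then(loadReal).then(
        (obj) => {
          real = obj;
          replay.splice(0).forEach((call) => call(real));
          return real;
        },
        (err) => { loading = null; throw err; } // failed load: allow a retry
      );
    }
    return loading;
  }

  return {
    // Stays pending until opt-in, then settles with the real init() result.
    init: (...args) => real ? real.init(...args)
      : new Promise((resolve, reject) =>
          replay.push((r) => r.init(...args).then(resolve, reject))),
    // Before opt-in nothing has contacted the third party: report signed out.
    isAuthenticated: () => (real ? real.isAuthenticated() : Promise.resolve(false)),
    addListener: (...args) => defer((r) => r.addListener(...args)),
    api: {
      event: {
        addListener: (...args) => defer((r) => r.api.event.addListener(...args)),
      },
    },
    // The only entry point that triggers the blocked load: an explicit user action.
    handleSignIn: (...args) => optIn().then((r) => r.handleSignIn(...args)),
  };
}
```

In a page, the shim would be assigned to `window.BmAuth` before the site's own scripts run, so `initAuth` no longer throws the `ReferenceError`.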

I've confirmed with urlclassifier.trackingSkipURLs that whitelisting https://datacrunch.9c9media.ca/statsapi/sports/hockey/leagues/nhl/scoreboard fixes the scorecard.

Blocks: tp-googleads
No longer depends on: tp-googleads
Whiteboard: [tp-analytics] → [tp-analytics][yellowlist-passive][site-severe][login][shim-content]
Whiteboard: [tp-analytics][yellowlist-passive][site-severe][login][shim-content] → [tp-analytics][tp-yellowlist-passive][tp-site-severe][tp-login][tp-shim-content]
No longer blocks: 1516552

The issue does not occur with ETP - Standard, but it is still reproducible with ETP - Strict enabled.
https://prnt.sc/wngjow
https://prnt.sc/wngjdh

Tested with:
Browser / Version: Firefox Nightly 86.0a1 (2021-01-13)
Operating System: Windows 10 Pro

Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED

This bug is about Strict, as the title says.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

A shim for BmAuth by 9c9media was added in bug 1637329 and enabled in bug 1693386 for Firefox 87. Does this still happen with ETP Strict in Firefox 87?

This is now partly fixed. Videos and logins seem to be working now with or without shims, so TSN may have fixed those on their own (I have no login with which to confirm for sure, but I can at least try to log in).

The scoreboard is still broken, due to the resource in comment 6 being blocked. We could likely use shims to present a click-to-play style placeholder for that.

Assignee: nobody → kberezina