1486337 - Scorecard does not load with ETP set to STRICT at tsn.ca

Status: REOPENED

(Core :: Privacy: Anti-Tracking, defect, P3)

Description

[darrinlowe]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:

Go to tsn.ca with default firefox settings.


Actual results:

Scoreboard doesn't load, and live video player / streaming does not load. This also applies for their Windows 10 app, however, I was unable to fix the issue on that.


Expected results:

All of these things should load and work normally. 

After months of trying to figure out what happened when one day the website just stopped letting me view their live stream, and their Windows 10 app stopped loading properly, I learned that Firefox's "Tracking Protection" feature is what has broken the website. Disabling this feature on that website (exception) has completely fixed the issue. 

One or more of the "trackers" that are being blocked, are necessary for the website to properly function.

Comment 1

[Hani Yacoub, Desktop QA]

Reproducible on Firefox 61.0.2, Firefox 62.0b20 and Nightly 63.0a1 on Windows 10 x 64, Mac OS X 10.13 and Ubuntu 18.04 x64.

Comment 2

[Oana Arbuzov [:oanaarbuzov]]

The issue is reproducible and it is related to `Videos` and `Trackingprotection` breakage.

It is reproducible while Tracking Protection BASIC is enabled.

[Environment:]
Browser / Version: Firefox Nightly 63.0a1 (2018-08-30)
Operating System: Windows 10 Pro
VPN: active pointing to Canada

Looking at the devtools console, here are the blocked resources:
The resource at “https://auth.9c9media.ca/auth/main.js” was blocked because content blocking is enabled.
The resource at “https://www.googletagmanager.com/gtag/js?id=AW-803817420” was blocked because content blocking is enabled.
The resource at “https://z.moatads.com/bellmedia966Bwny69/moatcontent.js#l1=tsn.ca&l2=Sports%20News%2C%20Opinion%2C%20Scores%2C%20Schedules%20%7C%20TSN&l3=__page__&l4=-&zmoatab_cm=0&t=1535716497039&de=13614645198&zMoatAB_SNPT=true&vc=2” was blocked because content blocking is enabled.
The resource at “https://beacon.scorecardresearch.com/scripts/beacon.dll?C1=2&C2=3005664&C3=3005664&C4=https%3A//www.tsn.ca/&C5=&C6=&C7=https%3A//www.tsn.ca/&C8=Sports%20News%2C%20Opinion%2C%20Scores%2C%20Schedules%20%7C%20TSN&C9=&rn=66937216” was blocked because content blocking is enabled.
The resource at “https://www.googletagservices.com/tag/js/gpt.js” was blocked because content blocking is enabled.
The resource at “https://static.criteo.net/js/ld/publishertag.js” was blocked because content blocking is enabled.
The resource at “https://cdn.krxd.net/controltag?confid=IjHlQISs” was blocked because content blocking is enabled.
The resource at “https://connect.facebook.net/en_US/fbevents.js” was blocked because content blocking is enabled.
The resource at “https://www.google-analytics.com/analytics.js” was blocked because content blocking is enabled.
The resource at “https://c.go-mpulse.net/boomerang/XZFPJ-5JJRD-T7LAP-LR6NE-CSYBQ” was blocked because content blocking is enabled.
The resource at “https://js-agent.newrelic.com/nr-spa-1071.min.js” was blocked because content blocking is enabled.
The resource at “https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nzkmw&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fwww.tsn.ca%2F” was blocked because content blocking is enabled.

So below are the domains to test:
- auth.9c9media.ca
- www.googletagmanager.com
- z.moatads.com
- beacon.scorecardresearch.com
- www.googletagservices.com
- static.criteo.net
- cdn.krxd.net
- connect.facebook.net
- www.google-analytics.com
- c.go-mpulse.net
- js-agent.newrelic.com
- analytics.twitter.com

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. Loading spinners are displayed on `Scoreboard` and `Latest Video` elements.

I disabled the Spoof Referrer option in uMatrix and then WHITELISTED:
- 9c9media.ca (including all related domains)
and the `Scoreboard`, video player displayed, but the video did not play.

I whitelisted:
- akamaized.net (including all related domains)
and video played.

The other resources didn't help. 

So in conclusion:
- 9c9media.ca is in Analytics = [tp-analytics]
- akamaized.net is not listed

Comment 3

[Oana Arbuzov [:oanaarbuzov]]

Attachment: BrokenElements.png

Added screenshot with broken elements.

Comment 4

[Oana Arbuzov [:oanaarbuzov]]

Attachment: umatrxiResults.png

Added uMatrxi results.

Comment 5

[Thomas Wisniewski [:twisniewski]]

With strict protection on, I see this console error:

ReferenceError: BmAuth is not defined www.tsn.ca:281:13
    initAuth https://www.tsn.ca/:281
    <anonymous> https://www.tsn.ca/:274
    jQuery 4
    nrWrapper https://www.tsn.ca/:18
    (Async: EventListener.handleEvent)
    nrWrapper https://www.tsn.ca/:18
    jQuery 7

The BmAuth object is defined in this blocked script: https://auth.9c9media.ca/auth/main.js

It provides sign-in and video playback options, among other things. This (very minimal) spoof of the BmAuth object lets the page at least load to the point where I can see the videos and basic content:

  window.BmAuth = {
    init: function() {
      return new Promise(() => {});
    },
    isAuthenticated: function() {
      return Promise.resolve(false);
    },
    addListener: function() {},
    api: {
      event: {
        addListener: function() {},
      },
    },
  };

Based on this, I suspect we could spoof the object more fully, by figuring out what functionality is broken until the BmAuth.init() promise is resolved (for instnace, BmAuth.handleSignIn() is called when the user clicks the login button). We can then dynamically load the script on demand, replace our spoof with the full object, and complete the various promises.

But spoofing like this won't fix the scorecard. Based on what I'm seeing it's broken due to this CORS failure:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://datacrunch.9c9media.ca/statsapi/sports/hockey/leagues/nhl/scoreboard?brand=tsn. (Reason: CORS request did not succeed).

That request is allowed to complete under basic tracking protection, making me suspect it's a potential false positive that we could allow (given that the URL has "datacrunch" and "statsapi" and "brand" in it, I wouldn't be surprised if it was simply mistaken as tracking, rather than an API to get live sports stats).

Comment 6

[Thomas Wisniewski [:twisniewski]]

I've confirmed with urlclassifier.trackingSkipURLs that whitelisting https://datacrunch.9c9media.ca/statsapi/sports/hockey/leagues/nhl/scoreboard fixes the scorecard.

Comment 7

[Oana Arbuzov [:oanaarbuzov]]

The issue does not occur with ETP - Standard, but it is still reproducible with ETP - Strict enabled.
https://prnt.sc/wngjow
https://prnt.sc/wngjdh

Tested with:
Browser / Version: Firefox Nightly 86.0a1 (2021-01-13)
Operating System: Windows 10 Pro

Comment 8

[Johann Hofmann [:johannh]]

This bug is about Strict, as the title says.

Comment 9

[Mathew Hodson]

A shim for BmAuth by 9c9media was added in bug 1637329 and enabled in bug 1693386 for Firefox 87. Does this still happen with ETP Strict in Firefox 87?

Comment 10

[Thomas Wisniewski [:twisniewski]]

This is now partly fixed. Videos and logins seem to be working now with or without shims, so TSN may have fixed those on their own (I have no login with which to confirm for sure, but I can at least try to login).

The scoreboard is still broken, due to the resource in comment 6 being blocked. We could likely use shims to present a click-to-play style placeholder for that.

Comment 11

[Raul Bucata]

The issue is still reproducible with ETP set to STANDARD. The scoreboard does not load. Setting ETP to OFF solves the problem. Moving this to the right Product and Component, since it is related to Tracking Protection.

Tested with:

Browser / Version: Firefox Nightly 101.0a1 (2022-04-17) (64-bit)
Operating System: Windows 10 PRO x64

Comment 12

[Tim Huang[:timhuang]]

The issue only happens in Strict Mode to me. Feel free to change back if I was wrong about this.