1486755 - Videos are not played on www.cbsnews.com with Basic Tracking Protection ON

Status: RESOLVED FIXED

(Web Compatibility :: Site Reports, defect, P3)

Description

[Sergiu Logigan [:sergiu]]

Environment:
Operating system: Windows 10 Pro
Firefox version: Firefox Nightly 63.0a1 (2018-08-27) (64-bit)

Prerequisites:
Enable Basic Tracking Protection

Steps to reproduce:
1. Navigate to: https://www.cbsnews.com/video/steve-bannon/
2. Play the video.

Expected Behavior:
The video is displayed.

Actual Behavior:
The video placeholder is displayed black.

Notes:
1. Screenshot attached: http://prntscr.com/knt7nw

Comment 1

[Sergiu Logigan [:sergiu]]

This is related to `tpvideo` breakage #1400025

Looking at the devtools console, here are the blocked resources:

The resource at “https://c.evidon.com/sitenotice/evidon-sitenotice-tag.js” was blocked because content blocking is enabled.[Learn More] steve-bannon
The resource at “https://js-agent.newrelic.com/nr-1071.min.js” was blocked because content blocking is enabled.[Learn More] steve-bannon

So these are the domains to test:
c.evidon.com
js-agent.newrelic.com

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. The video did not load.

I disabled the Spoof Referrer option in uMatrix and then *WHITELISTED*:

-evidon.com
-tiqcdn.com

After this, the video placeholder was correctly displayed.
The other resources didn't help.

http://prntscr.com/kntemg

evidon.com can be found in the disconnect-blacklist.json and disconnect-entitylist.json.
tiqcdn.com can be found in the disconnect-entitylist.json.

So in conclusion:

evidon.com - Advertising = [tp-ads]

Comment 2

[Thomas Wisniewski [:twisniewski]]

I am able to reproduce this on whichever video is playing at the time on https://www.cbsnews.com/video/ (which doesn't require a CBS All-Access account). I see this in the console:

Error: Script error for "https://static.chartbeat.com/js/chartbeat_video.js#"
http://requirejs.org/docs/errors.html#scripterror main.video.js:5:1063

And allowing that script, I see this:

Error: Script error for "https://securepubads.g.doubleclick.net/tag/js/gpt.js#"
http://requirejs.org/docs/errors.html#scripterror main.video.js:5:1063

Then I see:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://pubads.g.doubleclick.net/ssai/event/Sid4xiTQTkCT1SLu6rjUSQ/streams. (Reason: CORS request did not succeed).

And allowing all of those through, the video finally plays.

Simply pretending that the first two scripts load fine while replacing them with an empty script is fine, but the actual stream information is received through the JSON response in the pubads.g.doubleclick.net request, so we would need to yellow-list or proxy that request. Since the user is opting into watching the video, we could detect the request attempt, and confirm with the user if they would like it take place, and then simply allow it (or proxy it).

Comment 3

[Asif Youssuff]

https://www.cbsnews.com/video/ seems to redirect to https://www.cbsnews.com/live/ FYI.

This was noted on reddit on Fenix: https://www.reddit.com/r/firefox/comments/ggltrf/weekly_nightly_discussion_for_20200509_20200515/fqr82id/

Comment 4

[Oana Arbuzov [:oanaarbuzov]]

The issue no longer reproduces with ETP - Standard enabled.
URL: https://www.cbsnews.com/live/#x
https://prnt.sc/wp4w01

Note: The video plays with ETP - Strict in the background with no audio, and when clicking the "Play" button, the video remains in loading state.
https://prnt.sc/wp50hc
https://prnt.sc/wp51ec

Tested with:
Browser / Version: Firefox Nightly 86.0a1 (2021-01-14)
Operating System: Windows 10 Pro