Closed Bug 1486755 Opened 3 years ago Closed 9 months ago

Videos are not played on www.cbsnews.com with Basic Tracking Protection ON

Categories

(Web Compatibility :: Desktop, defect, P3)

Firefox 62
x86_64
Windows 10
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sergiu, Unassigned)

References

(Blocks 3 open bugs, )

Details

(Whiteboard: [tp-ads][tp-yellowlist-passive][tp-shim-complex][tp-embedded-media])

User Story

evidon.com
Environment:
Operating system: Windows 10 Pro
Firefox version: Firefox Nightly 63.0a1 (2018-08-27) (64-bit)

Prerequisites:
Enable Basic Tracking Protection

Steps to reproduce:
1. Navigate to: https://www.cbsnews.com/video/steve-bannon/
2. Play the video.

Expected Behavior:
The video is displayed.

Actual Behavior:
The video placeholder is displayed black.

Notes:
1. Screenshot attached: http://prntscr.com/knt7nw
This is related to `tpvideo` breakage #1400025

Looking at the devtools console, here are the blocked resources:

The resource at “https://c.evidon.com/sitenotice/evidon-sitenotice-tag.js” was blocked because content blocking is enabled.[Learn More] steve-bannon
The resource at “https://js-agent.newrelic.com/nr-1071.min.js” was blocked because content blocking is enabled.[Learn More] steve-bannon

So these are the domains to test:
c.evidon.com
js-agent.newrelic.com

I opened the URL in a fresh browser profile (Firefox Nightly 63, uMatrix installed, normal mode) and loaded the page. The video did not load.

I disabled the Spoof Referrer option in uMatrix and then *WHITELISTED*:

-evidon.com
-tiqcdn.com

After this, the video placeholder was correctly displayed.
The other resources didn't help.

http://prntscr.com/kntemg

evidon.com can be found in the disconnect-blacklist.json and disconnect-entitylist.json.
tiqcdn.com can be found in the disconnect-entitylist.json.

So in conclusion:

evidon.com - Advertising = [tp-ads]
User Story: (updated)
Priority: -- → P3
Product: Tech Evangelism → Web Compatibility

I am able to reproduce this on whichever video is playing at the time on https://www.cbsnews.com/video/ (which doesn't require a CBS All-Access account). I see this in the console:

Error: Script error for "https://static.chartbeat.com/js/chartbeat_video.js#"
http://requirejs.org/docs/errors.html#scripterror main.video.js:5:1063

And allowing that script, I see this:

Error: Script error for "https://securepubads.g.doubleclick.net/tag/js/gpt.js#"
http://requirejs.org/docs/errors.html#scripterror main.video.js:5:1063

Then I see:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://pubads.g.doubleclick.net/ssai/event/Sid4xiTQTkCT1SLu6rjUSQ/streams. (Reason: CORS request did not succeed).

And allowing all of those through, the video finally plays.

Simply pretending that the first two scripts load fine while replacing them with an empty script is fine, but the actual stream information is received through the JSON response in the pubads.g.doubleclick.net request, so we would need to yellow-list or proxy that request. Since the user is opting into watching the video, we could detect the request attempt, and confirm with the user if they would like it take place, and then simply allow it (or proxy it).

Whiteboard: [tp-ads] → [tp-ads][tp-yellowlist-passive][tp-shim-complex][tp-embedded-media]
No longer blocks: 1516552

The issue no longer reproduces with ETP - Standard enabled.
URL: https://www.cbsnews.com/live/#x
https://prnt.sc/wp4w01

Note: The video plays with ETP - Strict in the background with no audio, and when clicking the "Play" button, the video remains in loading state.
https://prnt.sc/wp50hc
https://prnt.sc/wp51ec

Tested with:
Browser / Version: Firefox Nightly 86.0a1 (2021-01-14)
Operating System: Windows 10 Pro

Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.