1490678 - Unable to subscribe to mailing list on wasmweekly.news while Tracking Protection Basic is enabled

Status: REOPENED

(Web Compatibility :: Privacy: Site Reports, defect, P3)

Description

[Oana Arbuzov [:oanaarbuzov]]

[Environment:]
Browser / Version: Firefox Nightly 64.0a1 (2018-09-11)
Operating System: Windows 10 Pro, MacOS 10.13.6, Linux Ubuntu 16.04

[Prerequisites:]
    1. Tracking Protection Basic enabled.
[Steps to Reproduce:]
    1. Navigate to https://wasmweekly.news/subscribe/ 
    2. Type in the email address.
    3. Click “Subscribe” button and observe behavior.
        
[Expected Behavior:]
Email subscription is performed and a notification message is displayed.
 
[Actual Behavior:]
Nothing happens, email subscription is not performed.

Comment 1

[Oana Arbuzov [:oanaarbuzov]]

The issue is related to `trackingprotection` breakage.

Looking at the devtools console, here are the blocked resources:
The resource at “https://beautify.us7.list-manage.com/subscribe/post-json?u=1e6e13d9f376ab2b22c458c4c&id=69d5c632a5&c=jQuery19007692056166240014_1536759978873&EMAIL=moz%40yahoo.com&b_5230bf0236a0adb19995a2eb4_0d4b4bbe45=&subscribe=&_=1536759978874” was blocked because content blocking is enabled.

So below are the domains to test:
- ​beautify.us7.list-manage.com 

I opened the URL in a fresh browser profile (Firefox Nightly 64, uMatrix installed, normal mode) and loaded the page. The subscription is not performed.

I disabled the Spoof Referrer option in uMatrix and then WHITELISTED:
- beautify.us7.list-manage.com 
- s3.amazonaws.com
and the subscription was sent.

The other resources didn't help. 

So in conclusion:
- list-manage.com is in Advertising category = [tp-ads]
- s3.amazonaws.com is not listed

Comment 2

[Oana Arbuzov [:oanaarbuzov]]

Attachment: uMatrixResults.png

Added uMatrix results.

Comment 3

[Firefox Bug Husbandry Bot]

Migrating Webcompat whiteboard priorities to project flags. See bug 1547409.

Comment 4

[Firefox Bug Husbandry Bot]

See bug 1547409. Migrating whiteboard priority tags to program flags.

Comment 5

[Thomas Wisniewski [:twisniewski]]

When I click the subscribe button, this appears in the console:

The resource at “https://beautify.us7.list-manage.com/subscribe/post-json?u=1…bf0236a0adb19995a2eb4_0d4b4bbe45=&subscribe=&_=1586307537393” was blocked because content blocking is enabled. subscribe

And of course, whitelisting https://beautify.us7.list-manage.com/subscribe/post-json fixes it.

This is a MailChimp service, and the page loads the script //s3.amazonaws.com/downloads.mailchimp.com/js/mc-validate.js as part of the HTML, which is not being blocked. If we're worried about MailChimp tracking users, we should probably consider their AWS-served resources as well.

But one way or the other, based on their scripts, we could detect when mc-validate.js is being loaded, and then run some code which will detect clicks on their subscribe buttons (<button type="submit" id="mc-embedded-subscribe">, which will temporarily whitelist access to the post-json landing during the clicks. Or we could feasibly shim that script entirely if we wish to block it by default in strict mode.

Comment 6

[Oana Arbuzov [:oanaarbuzov]]

The issue no longer reproduces with ETP - Standard, I can subscribe to the newsletter.
https://prnt.sc/x7z7dj

Note: The issue still occurs with ETP - Strict enabled.

Tested with:
Browser / Version: Firefox Nightly 86.0a1 (2021-01-18)
Operating System: Windows 10 Pro

Comment 7

[Ciprian Georgiu, Desktop QA]

I can still reproduce the issue in Strict Mode using the latest Nightly 140.0a1 on Windows 11 x64.

Edited: This also repro with Standard mode in PBM.