Closed Bug 1510817 Opened 6 years ago Closed 6 years ago

Combine the two Network/TP warnings for blocked scripts

Categories

(Firefox :: Protections UI, defect, P2)

Tracking

VERIFIED FIXED
Firefox 66
Tracking Status
firefox66 --- verified
firefox67 --- verified
firefox68 --- verified
firefox69 --- verified

People

(Reporter: Harald, Assigned: ehsan.akhgari)

References

(Blocks 1 open bug)

Details

Attachments

(3 files)

Attached image image.png
STR:
- Open https://bugzilla.mozilla.org/enter_bug.cgi with Content Blocking enabled

ER: One message about blocked GA script.
AR: GA gets blocked and generates 2 warnings

The resource at “https://www.google-analytics.com/analytics.js” was blocked because content blocking is enabled. enter_bug.cgi
Loading failed for the <script> with source “https://www.google-analytics.com/analytics.js”. enter_bug.cgi:162:1 

One message must be enough, to avoid noise and over-stimulation – training users to get blind to warnings.

The first warning has more context in the text and an MDN link. The two information bits that would be useful to carry over from the second warning would be:
1. The fact that a <script> tag was blocked, not just a generic resource
2. The location of the script tag.
Blocks: 1484005
Component: Networking → Tracking Protection
Product: Core → Firefox
Flags: needinfo?(ehsan)
Attached image image.png
Easy way to reproduce this is:

1) Open New Private Window
2) Open DevTools Toolbox and select the Console panel
3) Load https://bugzilla.mozilla.org/enter_bug.cgi

The panel should display the aforementioned messages.

In my case, I am actually seeing the blocking message twice. Might be another bug?
See the attached screenshot.

@Michal: I am seeing that the blocking message is generated here:
https://searchfox.org/mozilla-central/rev/f2028b4c38bff2a50ed6aa1763f6dc5ee62b0cc4/netwerk/base/nsChannelClassifier.cpp#875

and the failed <script> message here:
https://searchfox.org/mozilla-central/rev/f2028b4c38bff2a50ed6aa1763f6dc5ee62b0cc4/dom/script/ScriptLoader.cpp#3051

Would it be possible to attach an identifier (e.g. Resource ID) to those warnings so the UI can merge them together? Or does any better solution come to mind?

Honza
Flags: needinfo?(michal.novotny)
This comes from DOM, not Necko.
Flags: needinfo?(michal.novotny)
Flags: needinfo?(ehsan)
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f9c08f2f2c68
Don't doubly warn when we can't load a script due to tracking protection; r=baku
https://hg.mozilla.org/mozilla-central/rev/f9c08f2f2c68
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 66
Assignee: nobody → ehsan
Flags: qe-verify+

Considering the long time it took for someone to get on this time, it appears that a few cycles have passed. Considering that this bug is fixed in firefox66, then it should also be fixed in firefox69, firefox68 and firefox67 and should reproduce in firefox65 (or older).

  • These are the messages that are being considered incorrect:
    "
    The resource at “https://www.google-analytics.com/analytics.js” was blocked because content blocking is enabled. enter_bug.cgi
    Loading failed for the <script> with source “https://www.google-analytics.com/analytics.js”. enter_bug.cgi:162:1
    "

  • This is in firefox65 when opening the Bugzilla page:
    "
    Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
    Content Security Policy: This site (https://bugzilla.mozilla.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
    "

  • This is in firefox66 when opening the Bugzilla page:
    "
    Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
    Content Security Policy: This site (https://bugzilla.mozilla.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
    Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
    Content Security Policy: This site (https://bugzilla.mozilla.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
    Request to access cookie or storage on “https://www.google-analytics.com/analytics.js” was blocked because it came from a tracker and content blocking is enabled. enter_bug.cgi
    Request to access cookie or storage on “https://www.google-analytics.com/r/collect” was blocked because it came from a tracker and content blocking is enabled.
    "

  • This is in firefox67 when opening the Bugzilla page:
    "
    Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
    Content Security Policy: This site (https://bugzilla.mozilla.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
    Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
    Content Security Policy: This site (https://bugzilla.mozilla.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
    Request to access cookie or storage on “https://www.google-analytics.com/analytics.js” was blocked because it came from a tracker and content blocking is enabled. enter_bug.cgi
    Request to access cookie or storage on “https://www.google-analytics.com/r/collect” was blocked because it came from a tracker and content blocking is enabled.
    "

  • This is in firefox68 when opening the Bugzilla page:
    "
    Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
    Content Security Policy: This site (https://bugzilla.mozilla.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
    Request to access cookie or storage on “https://www.google-analytics.com/analytics.js” was blocked because it came from a tracker and content blocking is enabled.
    enter_bug.cgi
    nsLoginManager: searchLogins: formSubmitURL or httpRealm is recommended 2 LoginManager.jsm:392:13
    Request to access cookie or storage on “https://www.google-analytics.com/r/collect” was blocked because it came from a tracker and content blocking is enabled.
    "

Can you help me with the verification of this issue? I don't really understand which is a good result and which is a bad one. Thanks.

Flags: needinfo?(ehsan)

Hi Bodea,

The fix here eliminated the extra "Loading failed for the <script> with source..." message that you see in comment 0. The verification here would be to look at the console for that message and verify that you don't see it any more.

There are possibly many other messages that may come from other sources (as you've noted) that aren't related to the work that happened in this bug.

Flags: needinfo?(ehsan)
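
The console check described in the comment above, as an added example that is not part of the bug or of Firefox's code: it pairs the two message formats quoted in comment 0 by resource URL and reports any URL that still produces both. The function name and the sample arrays are constructed for illustration; a "Loading failed" line with no matching block message is treated as an ordinary load failure and not reported.

```javascript
// Added example: detect the double warning from comment 0 in saved console output.
// Message formats are the ones quoted in this bug; findDoubleWarnings is a hypothetical name.

// "The resource at “URL” was blocked because content blocking is enabled."
const BLOCKED_RE = /^The resource at “([^”]+)” was blocked because content blocking is enabled\./;
// "Loading failed for the <script> with source “URL”. file:line:col"
const FAILED_RE = /^Loading failed for the <script> with source “([^”]+)”\.\s*(\S+)?/;

function findDoubleWarnings(consoleLines) {
  const byUrl = new Map(); // url -> { blocked: count, failedAt: [script tag locations] }
  const entry = (url) => {
    if (!byUrl.has(url)) byUrl.set(url, { blocked: 0, failedAt: [] });
    return byUrl.get(url);
  };
  for (const raw of consoleLines) {
    const line = raw.trim();
    let m;
    if ((m = BLOCKED_RE.exec(line))) {
      entry(m[1]).blocked += 1;
    } else if ((m = FAILED_RE.exec(line))) {
      entry(m[1]).failedAt.push(m[2] || "(unknown location)");
    }
  }
  // Only a URL with BOTH messages is the duplicate this bug is about.
  const doubles = [];
  for (const [url, e] of byUrl) {
    if (e.blocked > 0 && e.failedAt.length > 0) {
      doubles.push({ url, blockedCount: e.blocked, scriptLocations: e.failedAt });
    }
  }
  return doubles;
}

// Constructed sample input: the two lines from comment 0.
const BEFORE_FIX = [
  "The resource at “https://www.google-analytics.com/analytics.js” was blocked because content blocking is enabled. enter_bug.cgi",
  "Loading failed for the <script> with source “https://www.google-analytics.com/analytics.js”. enter_bug.cgi:162:1",
];
// Constructed sample input: the same page with the extra message gone, plus unrelated noise.
const AFTER_FIX = [
  "Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified",
  "The resource at “https://www.google-analytics.com/analytics.js” was blocked because content blocking is enabled. enter_bug.cgi",
];

console.log(findDoubleWarnings(BEFORE_FIX)); // one entry, located at enter_bug.cgi:162:1
console.log(findDoubleWarnings(AFTER_FIX));  // empty array
```
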

The issue does not reproduce in firefox65, but it also does not reproduce in any of the newer versions, as described in comment 5. Based on all the above, I will consider this issue verified. Thank you.

Status: RESOLVED → VERIFIED
Flags: qe-verify+ → qe-verify-
Flags: qe-verify-