CFR Addon Recommendations call remote AMO API before clicking "Install"
Categories: Firefox :: Messaging System, defect, P1
People: Reporter: decoder, Assigned: rrosario
References: Blocks 1 open bug
Keywords: github-merged, privacy, regression
Attachments (2 files): a GitHub pull request (text/x-github-pull-request) and a Phabricator request (text/x-phabricator-request); flags set by RyanVM: approval-mozilla-beta+, approval-mozilla-release+
It was reported that the contextual addon recommendation immediately makes a request to https://services.addons.mozilla.org/api/v3/addons/addon/<ID>/
when showing the doorhanger, even before the user clicks "Install".
:dholbert confirmed this behavior locally and :tspurway confirmed that this is a bug and the request should only happen when the user clicks "Install". The fact that the request contains the addon ID indirectly leaks what site the user has just visited without any user interaction (only affects the handful of sites hardcoded in the CFR code). Fixing this by putting the request behind the "Install" click should be sufficient from a privacy aspect.
:dholbert also figured out that this is probably a regression from bug 1494275, marking as such.
Comment 1•6 years ago
Did bug #1494275 introduce the regression? :rrosario, do you want to take a look at this one?
Comment 2•6 years ago
Specifically, this probably happens right now via the following chain of function calls:
- addRecommendation() gets called to create the recommendation
- ...and it calls _maybeAddAddonInstallURL()
- ...which calls _fetchLatestAddonVersion()
- ...which pings the addons API with the ID of the addon that we're recommending
Source, for reference:
https://searchfox.org/mozilla-central/rev/03ebbdab952409640c6857d835d3040bf6f9e2db/browser/components/newtab/lib/CFRPageActions.jsm#512
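As an added illustration (not the project's own CFRPageActions.jsm code), the model below reproduces the call chain described in this comment and the reporter's proposed fix: the eager variant resolves the install URL while the doorhanger is built, the gated variant defers the lookup into the "Install" click handler. The function names, the injected `fetchImpl` and the response shape are assumptions for this example.

```javascript
// Added illustration with assumed names; see the lead-in above.
const AMO_API = "https://services.addons.mozilla.org/api/v3/addons/addon/";

// Stand-in for the network layer: records every outbound URL so a check can
// show exactly when the addon ID leaves the browser (synchronous for brevity).
function makeRecordingFetch() {
  const calls = [];
  const fetchImpl = (url) => {
    calls.push(url);
    // Constructed response carrying only the field the code reads.
    return { current_version: { files: [{ url: `${url}file.xpi` }] } };
  };
  return { calls, fetchImpl };
}
// Stands in for _fetchLatestAddonVersion(): the request URL embeds the addon
// ID, which is what indirectly reveals the site that triggered the recommendation.
function fetchLatestAddonVersion(addonId, fetchImpl) {
  const data = fetchImpl(`${AMO_API}${addonId}/`);
  return data.current_version.files[0].url;
}

// Before the fix: the install URL is resolved while the doorhanger is being
// built, so the request fires with no user interaction.
function createRecommendationEager(addonId, fetchImpl) {
  const installURL = fetchLatestAddonVersion(addonId, fetchImpl);
  return { addonId, onInstallClick: () => installURL };
}

// After the fix: the lookup is deferred into the "Install" click handler.
function createRecommendationLazy(addonId, fetchImpl) {
  return {
    addonId,
    onInstallClick: () => fetchLatestAddonVersion(addonId, fetchImpl),
  };
}

// How many AMO requests happen while the recommendation is merely shown?
function requestsBeforeClick(create, addonId) {
  const { calls, fetchImpl } = makeRecordingFetch();
  create(addonId, fetchImpl);
  return calls.length; // the fixed variant must return 0
}

// Requests observed after the click, plus the URL the handler resolves.
function requestsAfterClick(create, addonId) {
  const { calls, fetchImpl } = makeRecordingFetch();
  const url = create(addonId, fetchImpl).onInstallClick();
  return { count: calls.length, url };
}
```

The same "no request until click" property is what the QE verification in comment 12 checks by watching XHR in the browser console.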
Comment 3•6 years ago
(In reply to Tim Spurway [:tspurway] from comment #1)
> Did bug #1494275 introduce the regression?
Based on searchfox hover-attribution, yes. That's where we added the call to _maybeAddAddonInstallURL
which is what's (indirectly) triggering this request, per comment 2.
Comment 4•6 years ago
Comment 5•6 years ago
MozReview-Commit-ID: EgXnUTzfPf3
Comment 6•6 years ago
Comment on attachment 9042653 [details]
Bug 1526387 - CFR Addon Recommendations call remote API before clicking "Install"
Beta/Release Uplift Approval Request
Feature/Bug causing the regression
https://bugzilla.mozilla.org/show_bug.cgi?id=1471328
User impact if declined
There is a privacy issue with CFR campaigns that suggest AMO addons leaking the site the user is getting the recommendation from
Is this code covered by automated tests?
Yes
Has the fix been verified in Nightly?
No
Needs manual test from QE?
Yes
If yes, steps to reproduce
- pref on asrouter dev tools browser.newtabpage.activity-stream.asrouter.devtoolsEnabled
- go to about:newtab#asrouter
- open a browser console (Ctrl+Shift+J) and tell it to show XHR
- using about:newtab#asrouter, force a CFR recommendation to show
Expected Result:
You should not see an XHR for https://services.addons.mozilla.org/api
ALSO:
Please ensure existing CFR actions and functionality work as described in the Test Suite: https://goo.gl/jM45bW
List of other uplifts needed
None
Risk to taking this patch
Low
Why is the change risky/not risky? (and alternatives if risky)
CFR is a new feature that doesn't affect all users. If it is broken, the worst that can happen is a missing recommendation. The patch is reasonably small.
String changes made/needed
none
Comment 8•6 years ago
bugherder
Comment 9•6 years ago
Comment on attachment 9042653 [details]
Bug 1526387 - CFR Addon Recommendations call remote API before clicking "Install"
[Triage Comment]
Fixes a CFR privacy issue, approved for 66.0b7 and 65.0.1.
Comment 10•6 years ago
bugherder uplift
Comment 11•6 years ago
bugherder uplift
Comment 12•6 years ago
I have verified that the issue is no longer reproducible on the latest Nightly 67.0a1 (Build ID 20190211215545), latest Beta 66.0b7 (Build ID 20190211185957), and Release 65.0.1 (Build ID 20190211233335) on Windows 10 x64, Mac 10.14, and Arch Linux 4.14.3.
There is no XHR call when the recommendation appears or after it is clicked; the XHR request is made only when the "Add Now" button is clicked.