Cookie restrictions prevents user from being able to log in through Facebook comments

VERIFIED FIXED in Firefox 67

Status: VERIFIED FIXED (defect)

People: Reporter: englehardt, Assigned: baku

Tracking: Blocks 1 bug; Target Milestone: mozilla68

Firefox Tracking Flags: firefox67 verified, firefox68 verified

Attachments: 1 attachment

Inspired by testing the breakage in Bug 1545259, I found that the base list for cookie restrictions prevents a user from being able to log in to Facebook in order to add a comment on an article.

STR:

  1. Go to https://www.politico.com/magazine/story/2019/04/08/alexandria-ocasio-cortez-new-york-226578

  2. Click "Show Comments"

  3. In the comment box enter "Hello"

  4. Click "Log In to Post"

Expected Result:
A Facebook login popup is created, allowing you to log in

Actual result:
No pop up is created. The following error is visible in the console:

Request to access cookie or storage on “https://www.facebook.com/plugins/feedback.php?app_id=178201668917374&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2Fd_vbiawPdxB.js%3Fversion%3D44%23cb%3Df1a60a4202e013%26domain%3Dwww.politico.com%26origin%3Dhttps%253A%252F%252Fwww.politico.com%252Ff22fc6b629c5f88%26relation%3Dparent.parent&color_scheme=light&container_width=737&height=100&href=https%3A%2F%2Fwww.politico.com%2Fmagazine%2Fstory%2F2019%2F04%2F08%2Falexandria-ocasio-cortez-new-york-226578&locale=en_US&numposts=5&sdk=joey&version=v2.0” was blocked because it came from a tracker and content blocking is enabled.

This occurs when urlclassifier.trackingAnnotationTable is set to test-track-simple,ads-track-digest256,social-track-digest256,analytics-track-digest256.

Comment 1

a month ago

Had you interacted with www.facebook.com in a first-party context before (in this profile)?

Flags: needinfo?(senglehardt)

I hadn't. After interacting with www.facebook.com I now see a popup. Did we recently update our pop-up blocking heuristics?

Flags: needinfo?(senglehardt)

Comment 3

a month ago

(In reply to Steven Englehardt [:englehardt] from comment #2)

> I hadn't. After interacting with www.facebook.com I now see a popup.

Great, so everything is working as intended. => WORKSFORME.

> Did we recently update our pop-up blocking heuristics?

Yeah, baku and johannh have been working on a bunch of bugs blocking bug 432687 and I believe the fix to one of them at least was in the popup blocker heuristics, but I don't remember the details. (I noticed the FB login popup gets blocked on this page...)

No longer blocks: etp-breakage
Status: NEW → RESOLVED
Last Resolved: a month ago
Resolution: --- → WORKSFORME

Comment 4

a month ago

Wait, I was too quick to mark this as WORKSFORME, I forgot the change we made in bug 1505571. So this should actually work without having visited and interacted with www.facebook.com in the first-party context before-hand... except that the pop-up blocker kicks in and prevents the login popup from opening up, breaking the whole interaction.

Andrea, do you mind having a look at this please?

Blocks: etp-breakage
Status: RESOLVED → REOPENED
Flags: needinfo?(amarchesini)
Resolution: WORKSFORME → ---
Assignee

Updated

a month ago
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Assignee

Comment 5

a month ago

This patch fixes a bug about when the
privacy.restrict3rdpartystorage.userInteractionRequiredForHosts should be
considered.

Comment 6

a month ago
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5f0139ba2544
User-Interaction required for trackers only for some urls, set in privacy.restrict3rdpartystorage.userInteractionRequiredForHosts, r=Ehsan
Assignee

Comment 7

a month ago

Comment on attachment 9059395 [details]
Bug 1545273 - User-Interaction required for trackers only for some urls, set in privacy.restrict3rdpartystorage.userInteractionRequiredForHosts, r?ehsan

Beta/Release Uplift Approval Request

  • User impact if declined: user-interaction is always required for 3rd party trackers who use Storage Access API. This could break websites because we don't honor bug 1505571.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: See the bug description
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a boolean condition that has been written wrongly. It cannot introduce more bugs than what this patch is trying to fix.
  • String changes made/needed: none
Attachment #9059395 - Flags: approval-mozilla-beta?
Assignee

Updated

a month ago
Flags: qe-verify+

Backed out changeset 5f0139ba2544 (Bug 1545273) for browser_blockingCookies.js failures

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=os%2Cx%2C10.10%2Cdebug%2Cmochitests%2Ctest-macosx64%2Fdebug-mochitest-browser-chrome-e10s-3%2Cm%28bc3%29&fromchange=efe40065f0ea38258a80f80b2330e63104281c51&tochange=b48ddc1c59ba06cb99c1eed21ab4edf1ffd5686f&selectedJob=241856694

Backout link: https://hg.mozilla.org/integration/autoland/rev/b48ddc1c59ba06cb99c1eed21ab4edf1ffd5686f

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=241856694&repo=autoland&lineNumber=32392

20:00:04 INFO - TEST-PASS | toolkit/components/antitracking/test/browser/browser_blockingCookies.js | We should not have cookies - true == true -
20:00:04 INFO - TEST-PASS | toolkit/components/antitracking/test/browser/browser_blockingCookies.js | Still no cookies for me - true == true -
20:00:04 INFO - Opening a window from the iframe.
20:00:04 INFO - Console message: [JavaScript Warning: "Request to access cookie or storage on “https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyUI.html” was blocked because it came from a tracker and content blocking is enabled." {file: "http://example.net/browser/toolkit/components/antitracking/test/browser/page.html" line: 14 column: 4 source: "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyUI.html line 24 > eval"}]
20:00:04 INFO - Let's wait for the window to be closed
20:00:04 INFO - Console message: [JavaScript Warning: "Request to access cookie or storage on “https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyUI.html” was blocked because it came from a tracker and content blocking is enabled." {file: "http://example.net/browser/toolkit/components/antitracking/test/browser/page.html" line: 47 column: 26 source: "resource://testing-common/content-task.js line 59 > eval"}]
20:00:04 INFO - Console message: [JavaScript Error: "The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol." {file: "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyOpenUI.html" line: 0}]
20:00:04 INFO - First time, the 3rd party content should not have access to first party storage because the tracker did not have user interaction
20:00:04 INFO - Console message: [JavaScript Warning: "Storage access automatically granted for tracker “https://tracking.example.org” on “https://tracking.example.org”." {file: "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyUI.html" line: 135 column: 17 source: "resource://specialpowers/specialpowersAPI.js"}]
20:00:04 INFO - TEST-PASS | toolkit/components/antitracking/test/browser/browser_blockingCookies.js | No cookies for me - true == true -
20:00:04 INFO - Buffered messages finished
20:00:04 INFO - TEST-UNEXPECTED-FAIL | toolkit/components/antitracking/test/browser/browser_blockingCookies.js | No cookies for me - false == true -
20:00:04 INFO - Stack trace:
20:00:04 INFO - resource://testing-common/content-task.js line 59 > eval:msg:63
20:00:04 INFO - Not taking screenshot here: see the one that was previously logged
20:00:04 INFO - TEST-UNEXPECTED-FAIL | toolkit/components/antitracking/test/browser/browser_blockingCookies.js | We should not have cookies - false == true -
20:00:04 INFO - Stack trace:
20:00:04 INFO - resource://testing-common/content-task.js line 59 > eval:msg:63
20:00:04 INFO - Not taking screenshot here: see the one that was previously logged
20:00:04 INFO - TEST-UNEXPECTED-FAIL | toolkit/components/antitracking/test/browser/browser_blockingCookies.js | We should not have cookies - false == true -
20:00:04 INFO - Stack trace:
20:00:04 INFO - resource://testing-common/content-task.js line 59 > eval:msg:63
20:00:04 INFO - Not taking screenshot here: see the one that was previously logged
20:00:04 INFO - TEST-UNEXPECTED-FAIL | toolkit/components/antitracking/test/browser/browser_blockingCookies.js | Still no cookies for me - false == true -
20:00:04 INFO - Stack trace:
20:00:04 INFO - resource://testing-common/content-task.js line 59 > eval:msg:63
20:00:04 INFO - Let's interact with the tracker

Flags: needinfo?(amarchesini)

Comment on attachment 9059395 [details]
Bug 1545273 - User-Interaction required for trackers only for some urls, set in privacy.restrict3rdpartystorage.userInteractionRequiredForHosts, r?ehsan

This got backed out so not taking the uplift.

Attachment #9059395 - Flags: approval-mozilla-beta? → approval-mozilla-beta-

Comment 10

29 days ago
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b342fd00b66d
User-Interaction required for trackers only for some urls, set in privacy.restrict3rdpartystorage.userInteractionRequiredForHosts, r=Ehsan

Comment 11

29 days ago
bugherder
Status: REOPENED → RESOLVED
Last Resolved: a month ago → 29 days ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Comment 12

28 days ago

Comment on attachment 9059395 [details]
Bug 1545273 - User-Interaction required for trackers only for some urls, set in privacy.restrict3rdpartystorage.userInteractionRequiredForHosts, r?ehsan

Renominating based on comment 7.

Attachment #9059395 - Flags: approval-mozilla-beta- → approval-mozilla-beta?

Comment on attachment 9059395 [details]
Bug 1545273 - User-Interaction required for trackers only for some urls, set in privacy.restrict3rdpartystorage.userInteractionRequiredForHosts, r?ehsan

Uplift approved for 67 beta 15, thanks.

Attachment #9059395 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Hello, I ran into a possible issue while trying to verify this on Windows 10 x64 and I'm not sure if this is expected behavior.

With Firefox 68.0a1 (20190429215338), when clicking the "Log in to post" button, the browser appears to hang, no pop-up is displayed, and the pop-up window is displayed only after the "Log in to post" button is pressed again or after "Allow pop-ups for www.politico.com" is selected from the "Options" (yellow bar). Attached a screen recording.

However, on Firefox 67.0b15 (20190429125729) when "Log in to post" button is selected the pop-up window is opened instantly.

Can you please confirm if the mentioned points are in fact intended? Thank you!

Assignee

Updated

23 days ago
Flags: needinfo?(amarchesini)

Comment 16

23 days ago

I can reproduce the problem in comment 15.

Andrea, was this fix sufficient to address the problem in comment 0?

Flags: needinfo?(amarchesini)
Assignee

Comment 17

22 days ago

Yes, I can reproduce it. I'm still debugging it, but it seems that it is mainly a popup blocking issue.
The problem seems to be this:

  1. there is a facebook iframe which doesn't have access to the first-party cookies because of ETP.
  2. The iframe does window.open(), but somehow, we don't recognize it as connected to user-interaction and we block the popup.
Flags: needinfo?(amarchesini)
Assignee

Comment 18

22 days ago

Here is what is happening:

  1. facebook's iframe calls document.requestStorageAccess(). It obtains a Promise, unresolved yet.
  2. The user clicks on the link.
  3. the promise is resolved
  4. facebook's iframe does window.open().
  5. There is no user-interaction, and the popup is denied.

It seems that we need to propagate the popup-blocking state somehow. Definitely, this is a separate bug.

See Also: → 1548763
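
A simplified model of the sequence in comment 18, as an added example that is not part of the bug thread and not Gecko code. `ModelBrowser`, its `userInputDepth` counter, the `propagateOnResolve` switch and the login URL are all hypothetical, and the model assumes the click is what settles the pending promise; it shows that the continuation calling `window.open()` runs only after the click handler's user-input state has ended.

```javascript
// Constructed model of the sequence in comment 18; not Gecko code.
class ModelBrowser {
  constructor({ propagateOnResolve = false } = {}) {
    this.userInputDepth = 0; // > 0 only while user-input state is active
    this.propagateOnResolve = propagateOnResolve; // hypothetical switch
    this.pendingResolvers = [];
  }

  // Stand-in for document.requestStorageAccess(): the promise stays pending.
  requestStorageAccess() {
    return new Promise((resolve) => this.pendingResolvers.push(resolve));
  }

  // Stand-in for window.open(): denied unless user-input state is active.
  open(url) {
    return this.userInputDepth > 0 ? `opened ${url}` : `blocked ${url}`;
  }

  // Steps 2-3: the click runs an optional handler and settles pending requests.
  async userClick(handler = () => {}) {
    this.userInputDepth++;
    handler();
    this.pendingResolvers.splice(0).forEach((resolve) => resolve());
    if (!this.propagateOnResolve) this.userInputDepth--; // state ends with handler
    await null; // promise reactions (the iframe's continuation) run here
    if (this.propagateOnResolve) this.userInputDepth--; // state kept across reactions
  }
}
const LOGIN_URL = "https://login.example/popup"; // placeholder URL

// Steps 1 and 4: the iframe asks for storage access, then opens the popup.
async function iframeLogin(browser) {
  await browser.requestStorageAccess();
  return browser.open(LOGIN_URL);
}

// Steps 1-5 end to end; resolves to what the iframe's open() call returned.
async function runScenario(propagateOnResolve) {
  const browser = new ModelBrowser({ propagateOnResolve });
  const result = iframeLogin(browser); // promise requested before the click
  await browser.userClick();
  return result;
}
// Control: open() called synchronously inside the click handler.
async function runDirectOpen() {
  const browser = new ModelBrowser();
  let result;
  await browser.userClick(() => { result = browser.open(LOGIN_URL); });
  return result;
}
```

`runScenario(false)` reproduces step 5 (popup denied), while `runScenario(true)` illustrates what "propagate the popup-blocking state" would mean in this model only.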

Thanks Andrea, since this is another issue I’m opening bug 1548763 on this scenario and closing this one as verified.
The bug in question was verified with Firefox 67.0b16 (20190502232159) and Firefox 68.0a1 (20190502220333) on macOS 10.14, Windows 10 x64, Ubuntu 18.04.

Status: RESOLVED → VERIFIED
Flags: qe-verify+