slideshare - A Download window is opened when accessing the site
Categories
(Web Compatibility :: Privacy: Site Reports, defect, P1)
Tracking
(firefox-esr60 unaffected, firefox-esr68 wontfix, firefox67+ wontfix, firefox67.0.1+ wontfix, firefox68+ wontfix, firefox69 fixed, firefox70 fixed)
People
(Reporter: karlcow, Assigned: miketaylr)
References
(Blocks 1 open bug, )
Details
(Keywords: regression, webcompat:site-wait, Whiteboard: [webcompat])
Attachments
(1 file)
|
2.97 MB,
image/png
|
Details |
browser window with the save dialog
- Navigate to: https://www.slideshare.net/
Expected Behavior:
The site is opened.
Actual Behavior:
The site is opened and a Download window is opened.
The issue is not reproducible on Chrome.
After running mozregression we get
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a48759a33738d8b5f4ad4659115e8bbd1e608c31&tochange=3e2b52df8b24f0faf0b1a1f7a32cd8040e53e240
I wonder if it depends on Bug 1499442 or Bug 1492563
If I deactivate Content Blocking for the site I get the right behavior.
Ah Maybe it is Bug 1492563
Let's see.
|
||
Updated•6 years ago
|
|
||
Comment 1•6 years ago
|
||
Karl: I can't reproduce it in Nightly (68), neither can :jkt, but apparently he can reproduce in 66. Do we need to figure out what fixed this an uplift to a last minute Beta or is that good enough? It's probably too late to fix anything non-urgent in 67 anyway.
|
Reporter | |
Comment 2•6 years ago
|
||
Daniel, I still can reproduce in Firefox Nightly 68.0a1 (2019-04-30) (64-bit) on macos.
- With a Fresh profile in Nightly (I really mean fresh here)
- Go to https://www.slideshare.net/
Actual:
The browser proposes open/save a dtag 20 bytes document from https://linkedin.com
|
||
Comment 3•6 years ago
|
||
Oh I can too with a brand new profile, is this something you know about :baku?
|
|
||
Comment 4•6 years ago
|
||
According to devtools we're loading the linkedin content in an iframe. The initial URL redirects to an ad server (secure.adnxs.com) that eventually redirects back to linkedIn's dtag with different parameters.
In Release with cookies all over the place I get an ad frame (the 3rd box labeled "Advertisement" in the Features SlideShares row). The ad image I get is served from linkedIn itself so I guess it only went to adnxs.com for tracking and not to get an actual ad.
In Nightly with cleared cookies steps are the same except no cookies on any of these (devtools says they're known trackers). The final redirect back to www.linkedin.com/dtag? is the same except the last parameter. In the broken one it's appnexusuid=0 and in the working one it's a 19 digit appnexusuid (this URL is supplied by adnxs.com). In the broken version there's no content-type header and the content-length is 20 bytes. Despite the content-length header (which is repeated on the save dialog) there's no content downloaded (0 bytes) and devtools concurs ("No response data available for this request").
Because there's no content-type we assume binary and offer to download it rather than display it in the iframe. Even if we were tempted to guess based on content it's served with a nosniff header insisting that we don't. We couldn't guess much from 0 bytes anyway. Sending a response without a content-type is a wrong thing for the server to be doing and linkedin should fix it. Sending the wrong content-length is also a bug on their part.
They are no doubt confused by the lack of cookies. If I load the URL at a top-level page after clearing cookies (or at least linkedin.com cookies) I also get the download. Then when I reload the page (now with the cookies I got from the first attempt) I get the ad document.
If LinkedIn changes this to serve a valid content-type header that would solve the problem. Of course if they figure that out they'd probably want to send us the valid ad content rather than leave a blank panel on their client's page.
The only thing Firefox could do to "fix" this is to take linkedin off the tracking list. We shouldn't because what they are doing here is ABSOLUTELY tracking (in partnership with adnxs.com).
|
||
Comment 5•6 years ago
|
||
Thanks for the detailed description Dan! I can reproduce the download dialog on Nightly 68 build 20190506130308 with Content Blocking. I also tried disabling content blocking and loading https://www.slideshare.net/ with a fresh profile and did not observe the download dialog.
LinkedIn is on the basic tracking protection list.
stpeter, do we have any contacts at LinkedIn who can fix this? From Dan's description, it seems like an issue on their end.
|
|
||
Updated•6 years ago
|
|
|
Reporter | |
Comment 6•6 years ago
|
||
We have a list to discuss these issues. I will contact them.
Thanks a lot Daniel for the parts I had missed.
|
|
Reporter | |
Comment 7•6 years ago
|
||
I just contacted them on the partner mailing list.
|
|
Reporter | |
Comment 8•6 years ago
|
||
Thanks for the detailed bug report, including steps to reproduce and path to resolution.
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Comment 9•6 years ago
|
||
Just to make sure the status of this bug is clear to everyone, it affects 67 for users who have ETP turned on (for example as part of our ongoing shield study on the release branch). It will also affect new users on 67.0.5.
|
|
||
Comment 10•6 years ago
|
||
Bumping to P1 since it affects 67.0.5 which is an incoming release. Baku can we get this investigated as soon as possible? Thanks
|
|
||
Comment 11•6 years ago
•
|
||
The investigation has already happened in comment 4. Someone needs to contact LinkedIn and ask them to fix their code (and comment 7 suggests that is in progress already).
Moving to the component which I think is the new "tech evangelism" component?
|
|
||
Updated•6 years ago
|
|
|
||
Comment 12•6 years ago
|
||
(Sigh, not sure how get the tracking flags back. I cannot use Bugzilla any more. Can someone help?)
|
|
||
Updated•6 years ago
|
|
Assignee | |
Comment 13•6 years ago
|
||
I've filed an internal ticket to track this issue and the team will review.
Just a note that LinkedIn acknowledged Karl's message after he sent it.
|
|
Assignee | |
Comment 14•6 years ago
|
||
I just re-pinged the thread to ask for an update. Still reproduces.
|
|
||
Updated•6 years ago
|
|
|
||
Comment 15•6 years ago
|
||
I am marking as wontfix for 67 as this is not something we can fix on Firefox side and the webcompat team already contacted Linkedin about it.
|
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 16•6 years ago
|
||
I repinged the thread since it still reproduces.
|
||
Updated•6 years ago
|
|
|
||
Comment 17•6 years ago
|
||
Any updates? I can still reproduce this...
|
|
Assignee | |
Comment 18•6 years ago
|
||
No updates from LinkedIn mailing list. We should probably try alternate avenues...
|
|
Assignee | |
Comment 19•6 years ago
|
||
Trying contact via LinkedIn to a SlideShare engineer.
|
|
Assignee | |
Comment 21•5 years ago
|
||
I didn't get a reply from SlideShare engineer I found, but just asked a follow-up question to a LinkedIn person off-thread.
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Comment 22•5 years ago
|
||
Added an intervention in https://bugzilla.mozilla.org/show_bug.cgi?id=1577870
|
|
||
Updated•5 years ago
|
|
||
Comment 23•5 years ago
|
||
Discussed during triage - did the intervention resolve the issue? Thanks.
|
|
Assignee | |
Comment 24•5 years ago
|
||
Yeah, we can close this. If/when the site fixes itself, we will remove the intervention (QA does monthly tests to verify if we still need them).
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 25•5 years ago
|
||
(In reply to Mike Taylor [:miketaylr] from comment #24)
Yeah, we can close this. If/when the site fixes itself, we will remove the intervention (QA does monthly tests to verify if we still need them).
Looks like they've done that, so this intervention will be removed for the next version.
|
||
Updated•5 months ago
|
Description
•