Closed Bug 1578068 Opened 5 years ago Closed 2 years ago

SameSite=LaxByDefault breaks image upload on disqus

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

68 Branch
defect

RESOLVED WORKSFORME
Tracking Status
firefox96 --- disabled

People

(Reporter: contact, Unassigned)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Set privacy.firstparty.isolate.restrict_opener_access to false, then log in to Disqus on a page, for example an article on presstv.com. After logging in, image upload fails.

Component: General → DOM: Security
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

This is also broken under both Dynamic FPI and the Level 2 ETP cookie blocking list.

I can reproduce the breakage on https://batman-news.com/2020/04/10/quarantine-book-club-batman-ego/ (the site in Comment 0 no longer appears to use Disqus).

I'm able to log in successfully, but see the error message "You must be logged in to upload an image." if I try to upload an image.

The upload attempt makes a request to: https://uploads.services.disqus.com/api/3.0/media/create.json?api_key=FOO, which returns 400. What's interesting is that we do have a storage access permission for disqus.com since it uses a pop-up for login. IIRC we use origin for these checks, so this permission doesn't match the uploads.services.disqus.com request.

Summary: First Party Isolation breaks image upload on disqus → FPI, DFPI, and Level 2 cookie blocking breaks image upload on disqus

(In reply to Steven Englehardt [:englehardt] from comment #1)
> This is also broken under both Dynamic FPI and the Level 2 ETP cookie blocking list.
>
> I can reproduce the breakage on https://batman-news.com/2020/04/10/quarantine-book-club-batman-ego/ (the site in Comment 0 no longer appears to use Disqus).
>
> I'm able to log in successfully, but see the error message "You must be logged in to upload an image." if I try to upload an image.
>
> The upload attempt makes a request to: https://uploads.services.disqus.com/api/3.0/media/create.json?api_key=FOO, which returns 400. What's interesting is that we do have a storage access permission for disqus.com since it uses a pop-up for login. IIRC we use origin for these checks, so this permission doesn't match the uploads.services.disqus.com request.

Yes, I can confirm that the requested permission type for uploading image is 3rdPartyStorage^https://uploads.services.disqus.com, but the granted permission type is 3rdPartyStorage^https://disqus.com.

Thanks Gary!

stpeter or mike: do we have contacts at Disqus that we could reach out to about this?

It seems like they may have two approaches to fixing this:

  1. Short-term: move the upload functionality under the Disqus origin. This alone isn't ideal though, because the disqus.com storage access relies on our temporary compatibility heuristic.
  2. Long-term: Use the Storage Access API.
Flags: needinfo?(stpeter)
Flags: needinfo?(miket)

Intro email sent.

Flags: needinfo?(stpeter)
Flags: needinfo?(miket)
Severity: normal → S3

I can confirm this is still broken.

I've confirmed that this is also broken in Safari and in Chrome incognito.

I've reached out to someone at Disqus through a mutual connection and will report back if this attempt is successful.

I can no longer reproduce this issue by using the link https://batman-news.com/2020/04/10/quarantine-book-club-batman-ego/

Johann, would you be able to confirm? Thanks.

Flags: needinfo?(jhofmann)

This seems to have been fixed on Disqus side, I can no longer reproduce it either. This is good!

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jhofmann)
Resolution: --- → WORKSFORME

I managed to reproduce this issue on the Firefox nightly 94.0a1 (2021-09-29), "You must be logged in to upload an image." message received even after being logged in.
Please note that I managed to reproduce this issue on Chrome also.

Flags: needinfo?(jhofmann)

Can you try to flip network.cookie.sameSite.laxByDefault to false and try again in Nightly? This would explain why it breaks in Chrome as well.

Thanks!

Flags: needinfo?(jhofmann) → needinfo?(hani.yacoub)

Verified as fixed on Firefox Nightly 95.0a1 with both prefs "network.cookie.sameSite.laxByDefault" and "privacy.firstparty.isolate.restrict_opener_access" set to false.
Verified as fixed on Firefox Beta 94.0b2 and on Firefox 93.0 with cookiebehavior set to 5 and both prefs from above set to false.
All verifications were made on Windows 10 x64, macOS 10.15 and on Ubuntu 20.04.
Thanks.

Flags: needinfo?(hani.yacoub)

Thanks Hani! Reopening this as breakage for SameSite=Lax

Status: RESOLVED → REOPENED
Component: DOM: Security → Privacy: Anti-Tracking
Ever confirmed: true
Resolution: WORKSFORME → ---
Summary: FPI, DFPI, and Level 2 cookie blocking breaks image upload on disqus → SameSite=Lax breaks image upload on disqus

Should have opened a new bug for the SameSite breakage -- that's a completely different mechanism and would require different fixes (by the site and/or Mozilla) than one caused by dFPI/ETP.

Summary: SameSite=Lax breaks image upload on disqus → SameSite=LaxByDefault breaks image upload on disqus

I can upload an image just fine on blogs using Disqus. I tried the Batman News site linked here and jqueryscript.net

Given this was broken on Chrome as well, and our laxByDefault setting is supposed to match their behavior, it's quite likely Disqus fixed it. When I check my Disqus cookies now almost all of them are using an explicit SameSite=None. That's the explicit opt-out setting by sites to get the behavior before laxByDefault was turned on.

Status: REOPENED → RESOLVED
Closed: 3 years ago → 2 years ago
Resolution: --- → WORKSFORME
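The two mechanisms this bug wandered through are easy to conflate, so here is an added illustration of both gates the upload request has to pass before its login cookie reaches the server. This is example code written for this page, not Gecko, Disqus or any commenter's code. It models the origin-keyed 3rdPartyStorage permission that Gary quoted (the key format is taken from the thread; the lookup itself is a stand-in) and the effect of network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure on a cookie that has no SameSite attribute. Function names, the two-label "site" approximation (no Public Suffix List), the cookie name and the pref objects are assumptions; the Lax+POST grace period real browsers implement is deliberately left out.

```javascript
// Added illustration, not Firefox or Disqus code. All names below are invented.

// Origin = scheme://host[:port]. The thread says storage-access permissions
// are keyed by origin, which is why disqus.com and uploads.services.disqus.com
// do not match.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// "Site" = registrable domain. Approximation: last two host labels, with no
// Public Suffix List lookup (assumption; real browsers consult the PSL).
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Permission key in the format quoted in the thread:
// 3rdPartyStorage^https://disqus.com
function storagePermissionKey(url) {
  return `3rdPartyStorage^${originOf(url)}`;
}

// Under FPI/dFPI/ETP Level 2 a third-party request gets its cookies only if a
// permission exists for exactly its origin (stand-in for the real lookup).
function storageAccessGranted(grantedKeys, requestUrl) {
  return grantedKeys.has(storagePermissionKey(requestUrl));
}

// SameSite decision for one cookie on one request.
// cookie: { name, sameSite: "Strict" | "Lax" | "None" | undefined, secure }
// req:    { url, topLevelUrl, method, topLevelNavigation }
// prefs:  { laxByDefault, noneRequiresSecure }
function cookieSent(cookie, req, prefs) {
  if (siteOf(req.url) === siteOf(req.topLevelUrl)) return true; // same-site

  let mode = cookie.sameSite;
  if (mode === undefined) {
    // What laxByDefault toggles: an attribute-less cookie is treated as Lax
    // instead of the legacy None behaviour.
    mode = prefs.laxByDefault ? "Lax" : "None";
  }
  switch (mode) {
    case "Strict":
      return false;
    case "Lax":
      // Lax crosses a site boundary only on a top-level navigation with a
      // safe method. An embedded widget's fetch/XHR POST is neither.
      return req.topLevelNavigation && req.method === "GET";
    case "None":
      // noneRequiresSecure: None is honoured only together with Secure.
      return !(prefs.noneRequiresSecure && !cookie.secure);
    default:
      return false;
  }
}

// The request from comment 1: a batman-news.com page embeds Disqus, login
// happened in a disqus.com pop-up, then the widget POSTs to the upload API.
const UPLOAD_REQ = {
  url: "https://uploads.services.disqus.com/api/3.0/media/create.json?api_key=FOO",
  topLevelUrl: "https://batman-news.com/2020/04/10/quarantine-book-club-batman-ego/",
  method: "POST",
  topLevelNavigation: false,
};

function scenarios() {
  // Gate 1: permission was granted for the pop-up's origin only.
  const granted = new Set([storagePermissionKey("https://disqus.com/")]);
  const dfpiBlocked = !storageAccessGranted(granted, UPLOAD_REQ.url);            // true
  // Short-term fix from the thread: serve the upload endpoint from disqus.com.
  const dfpiAfterMove = storageAccessGranted(
    granted, "https://disqus.com/api/3.0/media/create.json");                    // true

  // Gate 2: an attribute-less session cookie vs. the pref flips discussed.
  const legacy = { name: "sessionid", sameSite: undefined, secure: true };       // constructed
  const fixed = { name: "sessionid", sameSite: "None", secure: true };
  const noSecure = { name: "sessionid", sameSite: "None", secure: false };
  const laxOn = { laxByDefault: true, noneRequiresSecure: true };   // Nightly 94/95, Chrome
  const laxOff = { laxByDefault: false, noneRequiresSecure: false }; // the fx96 pref flip

  return {
    dfpiBlocked,
    dfpiAfterMove,
    legacyWithLaxDefault: cookieSent(legacy, UPLOAD_REQ, laxOn),    // false: "You must be logged in"
    legacyWithPrefFlipped: cookieSent(legacy, UPLOAD_REQ, laxOff),  // true
    explicitNoneSecure: cookieSent(fixed, UPLOAD_REQ, laxOn),       // true: Disqus's eventual fix
    explicitNoneWithoutSecure: cookieSent(noSecure, UPLOAD_REQ, laxOn), // false
  };
}

console.log(scenarios());
```

Run it with node. The two gates fail for unrelated reasons: the first because the permission is matched on origin rather than site, the second because a cookie with no SameSite attribute is withheld from a cross-site POST once laxByDefault is on. Only the second is what Hani's verification with the pref set to false exercised, which is why comment 16 notes the SameSite breakage should have been a separate bug.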

marking as disabled for fx96 since we set sameSite.laxByDefault and sameSite.noneRequiresSecure to false via a pref flip
