1579881 - can't log in / can't process a payment at Geiko with ETP enabled

Status: RESOLVED INCOMPLETE

(Core :: Privacy: Anti-Tracking, defect, P1)

Description

[Asa Dotzler [:asa]]

https://mobile.twitter.com/talking_biscuit/status/1170116976410157056

"Add @GEICO's website to the list of sites that don't work/can't login/can't process a payment from @firefox with only "standard" blocking."

Comment 1

[(no longer active)]

Creating an account on https://www.geico.com/ requires having an insurance policy number (see https://ecams.geico.com/activation?traceback=static), so it appears like testing this would be difficult.

Peter, is there any chance you could reach out to the company running the website to see if we can somehow get a test account or alternatively ask them to test logging in and making payments from Firefox 69? Thanks!

Comment 2

[Steven Englehardt [:englehardt]]

Ehsan: I have a geico account. I can login with ETP enabled on Nightly 71, Beta 70, and Release 69. Unfortunately it doesn't look like I can send a payment without a balance due, so I can't test that.

Comment 3

[Johann Hofmann [:johannh]]

Marking all versions as affected since (once we can reproduce) we might be able to deploy a fix to release via RemoteSettings. Probably no uplift needed.

Comment 4

[(no longer active)]

(In reply to Steven Englehardt [:englehardt] from comment #2)

Ehsan: I have a geico account. I can login with ETP enabled on Nightly 71, Beta 70, and Release 69. Unfortunately it doesn't look like I can send a payment without a balance due, so I can't test that.

Do you expect to have a balance due soon(ish)? (Sorry I have no idea how this service works, I hope this is a sensible question to ask.)

Comment 5

[Steven Englehardt [:englehardt]]

(In reply to :ehsan akhgari from comment #4)

(In reply to Steven Englehardt [:englehardt] from comment #2)

Ehsan: I have a geico account. I can login with ETP enabled on Nightly 71, Beta 70, and Release 69. Unfortunately it doesn't look like I can send a payment without a balance due, so I can't test that.

Do you expect to have a balance due soon(ish)? (Sorry I have no idea how this service works, I hope this is a sensible question to ask.)

It's a 6 month billing cycle. I'm not due for my next payment until late October and I don't see a way to make a small pre-payment.

Comment 6

[Tanvi Vyas[:tanvi]]

Hi Mike - can anyone from your team help contact geico or get a test account where we can see why payments may not be working in Firefox release? Thanks!

Comment 7

[Peter Saint-Andre [:stpeter]]

I've reached out to a connection at GEICO and will report back.

Comment 8

[Mike Taylor [:miketaylr]]

I don't have any direct connects, but I've tried some folks via LinkedIn.

Comment 9

[Peter Saint-Andre [:stpeter]]

I tried via LinkedIn, too, but that didn't succeed. Will see what else I can try...

Comment 10

[helloworldweb]

I can confirm this affects 69.0.2. I have Geico account and even with a balance due I can't make a payment. Possibly part of the problem is that the site forwards the user from one subdomain to another (to another), and though the first subdomain is white listed, the subsequent subdomains are not.

I could be wrong, I didn't spend a lot of time on this. I also hit them up on Twitter (worth a shot).

Comment 11

[Mike Taylor [:miketaylr]]

Thanks for confirming, helloworldweb.

Ehsan, is there any debugging helloworldweb can help us out with here? Will EPT complain in the network panel or console in a useful way (sorry, I should probably know this).

Comment 12

[Johann Hofmann [:johannh]]

Would it be possible for you to share the contents on the developer console? I suspect it should not contain sensitive data but in doubt feel free to email them to me privately (email address is in my profile).

Possibly part of the problem is that the site forwards the user from one subdomain to another (to another), and though the first subdomain is white listed, the subsequent subdomains are not.

If the information is not too sensitive, it might be helpful to get a screencast of this behavior. Again, I'm happy to handle it privately via email.

Thank you!

Comment 13

[(no longer active)]

(In reply to Mike Taylor [:miketaylr] (slow to respond Oct 8 - Oct 13) from comment #11)

Thanks for confirming, helloworldweb.

Ehsan, is there any debugging helloworldweb can help us out with here? Will EPT complain in the network panel or console in a useful way (sorry, I should probably know this).

Yes, the web console will contain log messages about the resources that were blocked on the page. That may or may not be sufficient information for determining what's going wrong on this page...

For debugging, it is typically useful to disable ETP (by setting content blocking to Custom, and unchecking "Cookies" in Options > Privacy), and installing UMatrix and enabling all load types for all domains and then disable cookie loads from the domains found in the web console log one by one until the bug reproduces to find the domain that ETP's cookie blocking is causing the breakage problem. This works for most types of breakage issues we encounter.

Comment 14

[helloworldweb]

(In reply to Johann Hofmann [:johannh] from comment #12)

Would it be possible for you to share the contents on the developer console? I suspect it should not contain sensitive data but in doubt feel free to email them to me privately (email address is in my profile).

Possibly part of the problem is that the site forwards the user from one subdomain to another (to another), and though the first subdomain is white listed, the subsequent subdomains are not.

If the information is not too sensitive, it might be helpful to get a screencast of this behavior. Again, I'm happy to handle it privately via email.

Thank you!

Unfortunately my insurance bill was due on Saturday, so I used another browser to pay the bill on Friday.

Comment 15

[Oana Arbuzov [:oanaarbuzov]]

Unfortunately I don't have an account (creating one requires valid data), so I'm not able to check if it's still reproducible.

Asa Dotzler does is till occur to you with ETP - Standard? What about with ETP - Strict?

Comment 16

[Asa Dotzler [:asa]]

I never reproduced this. Was reporting for someone else.