Remove `service=sync` from account management links in the browser
Categories
(Firefox :: Firefox Accounts, enhancement)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox76 | --- | fixed |
People
(Reporter: rfkelly, Assigned: vladikoff)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
When the browser wants to link out to FxA management pages on the web, it currently includes ?service=sync&context=fx_desktop_v3 query parameters, like so:
https://accounts.firefox.com/settings?service=sync&context=fx_desktop_v3
The presence of these query parameters causes accounts.firefox.com to send an fxa_status webchannel message to the browser to interrogate its login state, and the browser can choose whether to reply with the credentials of the signed-in user.
Now that it's possible to sign in to the browser without enabling sync, it doesn't really make sense to include service=sync in those links, and its presence there risks muddying FxA server-side metrics. Let's update these links to just include context, like so:
https://accounts.firefox.com/settings?context=fx_desktop_v3
This will involve:
- Changing FxA web content to include
contextin thefxa_statuswebchannel message, alongsideserviceandisPairing. - Ensuring that this
contextvalue is properly accounted for when the browser decides whether to respond to thefxa_statusmessage. - Removing
syncfrom the list of default params appended to outgoing FxA links.
|
Reporter | |
Comment 1•5 years ago
|
||
Removing sync from the list of default params appended to outgoing FxA links.
This appears to be non-trivial, since almost touchpoint for signing in to the browser calls either promiseSignUpURI or promiseSignInURI and assumes they will append service=sync automatically. We might need to refactor these various touchpoints to pass service=sync explicitly as an argument to those methods.
|
|
Reporter | |
Updated•5 years ago
|
|
|
Reporter | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 2•5 years ago
|
||
I just found an edge-case where this actually matters, although I don't think users are likely to hit it in practice:
- Sign in to the browser, but disable sync.
- Follow the "manage account" link to view your "devices and apps" list on the web.
- Disconnect your current devices, causing FxA to show the sign-in screen.
- Sign back in.
Because the browser included service=sync in the outgoing link at step (2), the signin at step (4) will instruct the browser to enable Sync, despite you never agreeing to that explicitly.
|
Assignee | |
Comment 3•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 4•5 years ago
|
||
Hey Ryan, are you able to run this through try? There are probably more tests that are affected
|
|
Reporter | |
Comment 5•5 years ago
|
||
I recall this needing an FxA-side change in order to send the context param in the webchannel handshake, what version of FxA do we need to wait for before landing this?
|
|
Reporter | |
Comment 6•5 years ago
|
||
Hey Ryan, are you able to run this through try? There are probably more tests that are affected
I've attempted to add some more try jobs to your build using the instructions https://firefox-source-docs.mozilla.org/tools/try/index.html#attaching-new-jobs-from-a-review, let's see if it works out...
|
|
Assignee | |
Comment 7•5 years ago
|
||
(In reply to Ryan Kelly [:rfkelly] from comment #5)
I recall this needing an FxA-side change in order to send the
contextparam in the webchannel handshake, what version of FxA do we need to wait for before landing this?
We need FxA 1.159.0 :)
|
|
Reporter | |
Comment 8•5 years ago
|
||
We need FxA 1.159.0
Looks like that's live as of a few hours ago :thumbsup:
|
||
Comment 9•5 years ago
|
||
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:vladikoff, could you have a look please?
For more information, please visit auto_nag documentation.
|
||
Comment 10•5 years ago
|
||
|
||
Comment 11•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Updated•5 years ago
|
Description
•