1590946 - Remove `service=sync` from account management links in the browser

Status: RESOLVED FIXED

(Firefox :: Firefox Accounts, enhancement)

Description

[Ryan Kelly [:rfkelly]]

When the browser wants to link out to FxA management pages on the web, it currently includes ?service=sync&context=fx_desktop_v3 query parameters, like so:

https://accounts.firefox.com/settings?service=sync&context=fx_desktop_v3

The presence of these query parameters causes accounts.firefox.com to send an fxa_status webchannel message to the browser to interrogate its login state, and the browser can choose whether to reply with the credentials of the signed-in user.

Now that it's possible to sign in to the browser without enabling sync, it doesn't really make sense to include service=sync in those links, and its presence there risks muddying FxA server-side metrics. Let's update these links to just include context, like so:

https://accounts.firefox.com/settings?context=fx_desktop_v3

This will involve:

• Changing FxA web content to include context in the fxa_status webchannel message, alongside service and isPairing.
• Ensuring that this context value is properly accounted for when the browser decides whether to respond to the fxa_status message.
• Removing sync from the list of default params appended to outgoing FxA links.

Comment 1

[Ryan Kelly [:rfkelly]]

Removing sync from the list of default params appended to outgoing FxA links.

This appears to be non-trivial, since almost touchpoint for signing in to the browser calls either promiseSignUpURI or promiseSignInURI and assumes they will append service=sync automatically. We might need to refactor these various touchpoints to pass service=sync explicitly as an argument to those methods.

Comment 2

[Ryan Kelly [:rfkelly]]

I just found an edge-case where this actually matters, although I don't think users are likely to hit it in practice:

1. Sign in to the browser, but disable sync.
2. Follow the "manage account" link to view your "devices and apps" list on the web.
3. Disconnect your current devices, causing FxA to show the sign-in screen.
4. Sign back in.

Because the browser included service=sync in the outgoing link at step (2), the signin at step (4) will instruct the browser to enable Sync, despite you never agreeing to that explicitly.

Comment 3

[Vlad Filippov (:vladikoff)]

Attachment: Bug 1590946 - Remove `service=sync` from account management links. r=rfkelly

Comment 4

[Vlad Filippov (:vladikoff)]

Hey Ryan, are you able to run this through try? There are probably more tests that are affected

Comment 5

[Ryan Kelly [:rfkelly]]

I recall this needing an FxA-side change in order to send the context param in the webchannel handshake, what version of FxA do we need to wait for before landing this?

Comment 6

[Ryan Kelly [:rfkelly]]

Hey Ryan, are you able to run this through try? There are probably more tests that are affected

I've attempted to add some more try jobs to your build using the instructions https://firefox-source-docs.mozilla.org/tools/try/index.html#attaching-new-jobs-from-a-review, let's see if it works out...

Comment 7

[Vlad Filippov (:vladikoff)]

(In reply to Ryan Kelly [:rfkelly] from comment #5)

I recall this needing an FxA-side change in order to send the context param in the webchannel handshake, what version of FxA do we need to wait for before landing this?

We need FxA 1.159.0 :)

Comment 8

[Ryan Kelly [:rfkelly]]

We need FxA 1.159.0

Looks like that's live as of a few hours ago :thumbsup:

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:vladikoff, could you have a look please?
For more information, please visit auto_nag documentation.

Comment 10

[Pulsebot]

Pushed by eoger@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ca9d3d624ada
Remove `service=sync` from account management links. r=rfkelly

Comment 11

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/ca9d3d624ada