Open Bug 1606428 Opened 4 years ago Updated 1 year ago

Unable to login on while ETP - Strict is enabled (Rambler API is blocked)


(Core :: Privacy: Anti-Tracking, defect, P3)

73 Branch



Tracking Status
firefox73 --- affected
firefox87 --- affected


(Reporter: oanaarbuzov, Unassigned)


(Depends on 3 open bugs, Blocks 2 open bugs, )


(Whiteboard: [tp-yellowlist-active][tp-login][tp-shim-content])


(1 file)

Attached image ETPStrictVSDisabled.png

Browser / Version: Firefox Preview Nightly 191230 (🦎: 73.0a1-20191227094418)
Operating System: Huawei P20 Lite (Android 8.0.0) - 1080 x 2280 pixels, 19:9 ratio (~432 ppi density)

Steps to reproduce:

  1. Navigate to
  2. Tap "Browse" menu (right side top button).
  3. Scroll down the menu.
  4. Tap "Войти" button.
  5. Observe behavior.

Expected result:
Login window is triggered.

Actual result:
Nothing happens, login window is not triggered.


  1. The issue is not reproducible with ETP - Standard enabled (a few seconds delay).

When I click the login link, I see this appear in the console:

Rambler ID helper load failed! _script.js:1:83678
    jQuery 7
    jQuery 8

The code in question is this:

      init: function () {
        this.options = s.assign(this.options, this.params),
        this.options.ramblerUrls ?
          (s.forEach(this.options.selectors, function (e, t) {
            this.options.elements['$' + t] = r(e)
            this.options.isTouchDevice && this.options.elements.$html.addClass('_is-touch'),
            this.ramblerHelperPromice().then(this.initRamblerHelper).then(this.getRamblerProfileInfo.bind(this)).catch (this.clearAuth.bind(this)).then(this.registerAuthEvents.bind(this)).then(this.checkAuth.bind(this)),
          )  : console.error('Cannot find auth urls!')

So they're using a service called Rambler for login. Sure enough, if I whitelist, then the login button seems to work (iframe opens and present the login UI).

Their script checks for window.ramblerIdHelper in initRamblerHelper:

      initRamblerHelper: function () {
        if (window.ramblerIdHelper && !r.isEmptyObject(window.ramblerIdHelper)) return window.ramblerIdHelper;
        throw window.ramblerIdHelper = [
        console.log('Rambler ID helper load failed!'),
        'Rambler ID helper load failed!'

And then calls getRamblerProfileInfo:

      getRamblerProfileInfo: function () {
        var i = this;
        return new e(function (t, n) {
            get_championat: 1
          }, function (e) {
            e ? (i.options.processingInfo = !0, t(e))  : (console.log('Rambler profile info load failed!'), n('Rambler profile info load failed!'))

And so we can block the rambler scripts by default, but detect user login attempts and load it at that point by spoofing that script with a shim; here is a minimal shim which works for me on this site:

(function() {
  var src = document.currentScript.src;
  var callLog = [];
  function callLogger(fn) {
    return function() {
      callLog.push({fn, args: arguments});
  window.ramblerIdHelper = {
    getProfileInfo: function(successCallback, errorCallback)  {
    registerOnFrameCloseCallback: callLogger("registerOnFrameCloseCallback"),
    registerOnFrameRedirect: callLogger("registerOnFrameRedirect"),
    registerOnPossibleLoginCallback: callLogger("registerOnPossibleLoginCallback"),
    registerOnPossibleLogoutCallback: callLogger("registerOnPossibleLogoutCallback"),
    registerOnPossibleOauthLoginCallback: callLogger("registerOnPossibleOauthLoginCallback"),
    openAuth: function() {
      const openAuthArgs = arguments;
      delete window.ramblerIdHelper;
      // whitelist src
      const s = document.createElement("script");
      s.src = src;
      s.addEventListener("load", () => {
        const helper = window.ramblerIdHelper;
        for (const {fn, args} of callLog) {
          helper[fn].apply(helper, args);
        helper.openAuth.apply(helper, arguments);
Blocks: tplogin
No longer blocks: tp-breakage
Summary: Unable to login on while ETP - Strict is enabled → Unable to login on while ETP - Strict is enabled (Rambler API is blocked)
Whiteboard: [tp-yellowlist-active][tp-login][tp-shim-content]

The issue is still reproducible, with ETP - Strict "Login" form is not triggered.

Tested with:
Browser / Version: Firefox Nightly 210201 (🦎 87.0a1-20210129095945)
Operating System: Samsung Galaxy S8 (Android 9) - 1440 x 2960 pixels, 18.5:9 ratio (~570 ppi density)

(In reply to Thomas Wisniewski [:twisniewski] from comment #1)

So they're using a service called Rambler for login. Sure enough, if I whitelist, then the login button seems to work (iframe opens and present the login UI).

A shim was added in bug 1637329, but I guess that wasn't enough.

It looks like things have changed a bit on the site, causing some issues with the shim. There is also a popup involved now on login, which complicates things a fair bit. I'll have to investigate if a similar fix can be used here as we're using for Facebook's federated login.

Closed: 2 years ago
Resolution: --- → WORKSFORME

It appears that how the Rambler authenticator works has indeed changed, and it now uses a popup similar to how "login with Facebook" buttons work. I have an update for the shim which should suffice if pages are using the API as this one does.

Resolution: WORKSFORME → ---
Webcompat Priority: --- → ?
Webcompat Priority: ? → ---
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.