1615133 - Cannot create account on databricks with standard ETP on Nightly

Status: RESOLVED FIXED

(Core :: Privacy: Anti-Tracking, defect, P1)

Description

[Sarah Bird]

Steps to reproduce:

• Go to https://databricks.com/signup/signup-community
• Sometimes I get a cookie banner, sometimes I don't, not sure whether that's related
• Fill out form
• Press "Sign Up"

Expected: Proceed having signed up

Actual: Nothing happens, button is non-functional

Workaround: After turning off ETP for the site using shield menu, sign up proceeds as expected.

Clean, Nightly profile on Feb 12.

Tracking protection set to Standard

• Name Firefox
• Version 75.0a1
• Build ID 20200212205745
• Update Channel nightly
• User Agent Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
• OS Linux 5.4.13-201.fc31.x86_64

Comment 1

[Steven Englehardt [:englehardt]]

This is caused by fingerprinting blocking of maxmind.com. When the script is blocked we see a reference error in the console: ReferenceError: geoip2 is not defined and clicking the signup button does nothing. geoip2 is defined by https://js.maxmind.com/js/apis/geoip2/v2.1/geoip2.js and the error is thrown by https://databricks.com/wp-content/themes/databricks/assets/js/pages/signup-nk.js?ver=2.2.48, specifically:

jQuery(document).ready(function($) {
    var setupSignupPage = function() {
        geoip2.country(onSuccess, onError);

        $("#signup-button").on('click', function(event) {
            resetErrors();
            var $fields = $("#signup-form").find('input,select').filter('[required]:visible');
            var invalids = isValid($fields);
            if (invalids.length) {
                return showErrors(invalids);
            }

            submitForm();

            event.preventDefault();
        });
...

Since geoip2 doesn't exist, the click handler is never defined. This seems like a perfect example of something we can fix with Bug 1516552.

Comment 2

[Steven Englehardt [:englehardt]]

We've decided to fix this by adding a temporary skiplist entry for the geoip2 path since they have a reasonably well defined API both for geolocation and device identification (that latter of which will not be skiplisted). See https://dev.maxmind.com/geoip/geoip2/javascript/.

Grepping in our 2020-02-04 100k crawl I see the following maxmind URLs related to geoip2 (along with site count):

js.maxmind.com/js/apis/geoip2/v2.1/geoip2.js script 134
geoip-js.maxmind.com/geoip/v2.1/country/me xmlhttprequest 68
geoip-js.maxmind.com/geoip/v2.1/city/me xmlhttprequest 60
js.maxmind.com/geoip/v2.1/country/me xmlhttprequest 11
js.maxmind.com/js/apis/geoip2/v2.0/geoip2.js script 6
geoip-js.maxmind.com/geoip/v2.0/city/me xmlhttprequest 6
js.maxmind.com/geoip/v2.1/city/me xmlhttprequest 5
js.maxmind.com/geoip/v2.1/insights/me xmlhttprequest 4
geoip-js.maxmind.com/geoip/v2.0/country/me xmlhttprequest 2
js.maxmind.com/geoip/v2.0/country/me xmlhttprequest 2
geoip-js.maxmind.com/geoip/v2.1/insights/me xmlhttprequest 1
static.maxmind.com/b300f2149f010784e81d/images/product-icon-geoip2-db.svg image 1
geoip.maxmind.com/geoip/v2.1/city/me xmlhttprequest 1
geoip-ipv4.maxmind.com/geoip/v2.0/country/me xmlhttprequest 1
static.maxmind.com/b300f2149f010784e81d/images/geoip2-infographic.svg image 1
j.maxmind.com/app/geoip.js script 1
geoip.maxmind.com/geoip/v2.0/country/me xmlhttprequest 1

We can cover all of these with *.maxmind.com/js/apis/geoip2,*.maxmind.com/geoip. This only misses j.maxmind.com/app/geoip.js, but that looks like a dead URL.

Comment 3

[Steven Englehardt [:englehardt]]

Attachment: maxmind_test_page.html

Comment 4

[Steven Englehardt [:englehardt]]

Deployed this fix to the url-classifier-skip-urls on STAGE and verified with the simple test page in Comment 3. Ready for deployment on PROD.

Comment 5

[Steven Englehardt [:englehardt]]

This is now live on PROD. I've verified the fix on a fresh Nightly profile.

Comment 6

[Julien Cristau [:jcristau]]

Should this be closed?

Comment 7

[Steven Englehardt [:englehardt]]

(In reply to Julien Cristau [:jcristau] from comment #6)

Should this be closed?

No, this is only temporarily mitigated by the intervention. We still need to figure out a long-term solution.

Comment 8

[Steven Englehardt [:englehardt]]

It looks like maxmind has fixed this issue. As such I'll remove the intervention.