Open Bug 1615133 Opened 6 months ago Updated 2 months ago

Cannot create account on databricks with standard ETP on Nightly

Categories

(Core :: Privacy: Anti-Tracking, defect, P1)

75 Branch
defect

ASSIGNED

People

(Reporter: birdsarah, Assigned: englehardt)

References

(Blocks 2 open bugs)

Attachments

(1 file)

Steps to reproduce:

Expected: Proceed having signed up

Actual: Nothing happens, button is non-functional

Workaround: After turning off ETP for the site using shield menu, sign up proceeds as expected.

Clean, Nightly profile on Feb 12.

Tracking protection set to Standard

  • Name Firefox
  • Version 75.0a1
  • Build ID 20200212205745
  • Update Channel nightly
  • User Agent Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
  • OS Linux 5.4.13-201.fc31.x86_64

This is caused by fingerprinting blocking of maxmind.com. When the script is blocked we see a reference error in the console: ReferenceError: geoip2 is not defined and clicking the signup button does nothing. geoip2 is defined by https://js.maxmind.com/js/apis/geoip2/v2.1/geoip2.js and the error is thrown by https://databricks.com/wp-content/themes/databricks/assets/js/pages/signup-nk.js?ver=2.2.48, specifically:

jQuery(document).ready(function($) {
    var setupSignupPage = function() {
        geoip2.country(onSuccess, onError);

        $("#signup-button").on('click', function(event) {
            resetErrors();
            var $fields = $("#signup-form").find('input,select').filter('[required]:visible');
            var invalids = isValid($fields);
            if (invalids.length) {
                return showErrors(invalids);
            }

            submitForm();

            event.preventDefault();
        });
...

Since geoip2 doesn't exist, the click handler is never defined. This seems like a perfect example of something we can fix with Bug 1516552.

Priority: -- → P1
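
The failure mode described in the comment above, reproduced outside the browser as an added example (not code from databricks.com or from this bug): with the `geoip2` global absent, setup code that calls it first never binds the click handler, while binding first and treating geolocation as optional keeps the form working. `makeButton`, `setupFragile`, `setupHardened` and `simulateBlocked` are hypothetical names, and the button object is a constructed stand-in for the jQuery element.

```javascript
// Constructed stand-in for the signup button (hypothetical; replaces jQuery/DOM).
function makeButton() {
  const handlers = [];
  return {
    on(type, fn) { if (type === 'click') handlers.push(fn); },
    // Fire all bound click handlers; return how many were bound.
    click() { handlers.forEach((fn) => fn({ preventDefault() {} })); return handlers.length; },
  };
}

// Ordering from the bug: the third-party call runs first, so when the script
// is blocked a ReferenceError is thrown before the click handler is bound.
function setupFragile(button, state) {
  geoip2.country(() => { state.country = 'resolved'; }, () => {});
  button.on('click', () => { state.submitted = true; });
}

// Hardened ordering: bind the handler first, then treat geolocation as optional.
function setupHardened(button, state, geo) {
  button.on('click', () => { state.submitted = true; });
  if (geo && typeof geo.country === 'function') {
    geo.country((c) => { state.country = c; }, () => { state.country = null; });
  } else {
    state.country = null; // script blocked or failed to load: fall back
  }
}

// Run one setup function with the geoip2 global absent, as when the
// MaxMind script is blocked, then click the button once.
function simulateBlocked(setup) {
  const button = makeButton();
  const state = { submitted: false, country: undefined, error: null };
  try {
    // typeof is safe on an undeclared global; a bare reference is not.
    setup(button, state, typeof geoip2 === 'undefined' ? undefined : geoip2);
  } catch (e) {
    state.error = e.name;
  }
  state.handlers = button.click();
  return state;
}

console.log('fragile :', simulateBlocked(setupFragile));
console.log('hardened:', simulateBlocked(setupHardened));
```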

We've decided to fix this by adding a temporary skiplist entry for the geoip2 path since they have a reasonably well-defined API both for geolocation and device identification (the latter of which will not be skiplisted). See https://dev.maxmind.com/geoip/geoip2/javascript/.

Grepping in our 2020-02-04 100k crawl I see the following maxmind URLs related to geoip2 (along with site count):

js.maxmind.com/js/apis/geoip2/v2.1/geoip2.js script 134
geoip-js.maxmind.com/geoip/v2.1/country/me xmlhttprequest 68
geoip-js.maxmind.com/geoip/v2.1/city/me xmlhttprequest 60
js.maxmind.com/geoip/v2.1/country/me xmlhttprequest 11
js.maxmind.com/js/apis/geoip2/v2.0/geoip2.js script 6
geoip-js.maxmind.com/geoip/v2.0/city/me xmlhttprequest 6
js.maxmind.com/geoip/v2.1/city/me xmlhttprequest 5
js.maxmind.com/geoip/v2.1/insights/me xmlhttprequest 4
geoip-js.maxmind.com/geoip/v2.0/country/me xmlhttprequest 2
js.maxmind.com/geoip/v2.0/country/me xmlhttprequest 2
geoip-js.maxmind.com/geoip/v2.1/insights/me xmlhttprequest 1
static.maxmind.com/b300f2149f010784e81d/images/product-icon-geoip2-db.svg image 1
geoip.maxmind.com/geoip/v2.1/city/me xmlhttprequest 1
geoip-ipv4.maxmind.com/geoip/v2.0/country/me xmlhttprequest 1
static.maxmind.com/b300f2149f010784e81d/images/geoip2-infographic.svg image 1
j.maxmind.com/app/geoip.js script 1
geoip.maxmind.com/geoip/v2.0/country/me xmlhttprequest 1

We can cover all of these with *.maxmind.com/js/apis/geoip2,*.maxmind.com/geoip. This only misses j.maxmind.com/app/geoip.js, but that looks like a dead URL.

Deployed this fix to the url-classifier-skip-urls on STAGE and verified with the simple test page in Comment 3. Ready for deployment on PROD.

Blocks: 1617323

This is now live on PROD. I've verified the fix on a fresh Nightly profile.

Should this be closed?

(In reply to Julien Cristau [:jcristau] from comment #6)

Should this be closed?

No, this is only temporarily mitigated by the intervention. We still need to figure out a long-term solution.

Assignee: nobody → senglehardt
Status: NEW → ASSIGNED