Edit buttons on blogspot broken by dFPI
Categories
(Core :: Privacy: Anti-Tracking, defect, P3)
Tracking
()
People
(Reporter: ciprian_georgiu, Unassigned)
References
(Blocks 1 open bug)
Details
Affected versions
- latest Nightly 75.0a1
- RC2 74.0
- Release 73.0
Affected platforms
- Windows 10 x64
- macOS 10.13
- Ubuntu 18.04 x64
Steps to reproduce
- Launch Firefox.
- Make sure that Standard option is set in about:preferences#privacy (or set
network.cookie.cookieBehaviorpref on 4). - Access http://dfgxvxcdfgdg.blogspot.com/ in a new tab.
Expected result
- No missing elements on the page: the writing icon pen (bottom of the page), and setting tools (right part of the page).
Actual result
- Missing elements on the page: the writing icon pen (bottom of the page), and setting tools (right part of the page).
Regression range
- Not a regression, I was able to reproduce this on older Nightly builds as well (e.g. 2019-08-10).
Additional notes
- In the privacy panel, www.blogger.com, apis.google.com seems to be blocked in the Cross-site tracking cookies categories, so maybe one of this tracker is causing the breakage.
|
||
Updated•1 year ago
|
|
||
Comment 1•1 year ago
|
||
I'm not able to reproduce. I see the same page with and without ETP enabled. Would you mind to post a screenshot of the diff? Do you need to be logged in?
|
Reporter | |
Comment 2•1 year ago
|
||
Yes, you need to be logged into blogspot.com to see the breakage (totally missed this step, sorry about that). Let me know if there's anything else I can help with.
|
|
||
Comment 3•1 year ago
|
||
(In reply to Ciprian Georgiu [:ciprian_georgiu], Release Desktop QA from comment #2)
Yes, you need to be logged into blogspot.com to see the breakage (totally missed this step, sorry about that). Let me know if there's anything else I can help with.
Thanks that's helpful. I was able to reproduce with one extra piece of context: these edit buttons only seem to be available if you're on your own site. So I had to create a test site myself.
ETP blocks cookies from two origins on the page apis.google.com and blogger.com. Skiplisting blogger.com fixes the issue, so it seems like that should be added as a property to the Google entity list. Blogger is on the Level 2 list.
|
|
||
Comment 4•1 year ago
|
||
I've filed https://github.com/disconnectme/disconnect-tracking-protection/issues/164 to report to Disconnect and will update this bug when that gets added.
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 5•1 year ago
|
||
This was fixed for etp level 2 cookie blocking by https://github.com/mozilla-services/shavar-prod-lists/pull/172.
However it is still broken by dynamic fpi.
|
|
||
Updated•11 months ago
|
|
|
||
Updated•11 months ago
|
|
||
Comment 6•6 months ago
|
||
The "Edit post" icon is hidden by default. The blogspot.com will load a CSS file authorization.css from www.blogger.com. The www.blogger.com will verify the login data to see if the request came from an admin user. If it's from an admin user, the authorization.css will contain the CSS rule which unhides the icon.
In the dFPI case, the storage of www.blogger.com will be partitioned since it is third-party. It won't have the cookie of the admin user. So, the "Edit post" icon won't be shown.
|
|
||
Comment 7•6 months ago
|
||
I think we should reach out to Google to let them know about this issue. The blogger.com requires storage access when it's loaded under first-party blogspot.com. They should use the Storage Access API to acquire access.
Steve, would you be able to do this? Thanks.
|
|
||
Comment 8•6 months ago
|
||
I've sent an email to our discussion list with Google. I also tested in Chrome Incognito (which blocks all third-party cookies) and observe the same breakage.
|
||
Comment 9•3 months ago
|
||
Thanks, any outcome from discussions with Google?
dFPI will be enabled for users of strict ETP in Firefox 86, to be released two days from now.
Description
•