Open Bug 1620547 Opened 4 months ago Updated 3 months ago

Concur is not working in Firefox Nightly

Categories

(Web Compatibility :: Desktop, defect, P1)

Tracking

(firefox-esr68 unaffected, firefox73 unaffected, firefox74 unaffected, firefox75 disabled, firefox76 disabled, firefox77 affected)

People

(Reporter: flod, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Whiteboard: [sitewait])

Not exactly sure what would be causing this, but with Nightly 75.0a1 (2020-03-05) (64 bit):

  1. Visit https://sso.mozilla.com/dashboard and select Concur.
  2. After the SSO login, a blank page will be displayed for a few seconds. The page title is about Cookies consent.
  3. After that, I get redirected to https://sitedown.concursolutions.com/ and informed that "Concur is currently unavailable".

It works correctly in 74 RC, so it could be some setting enabled only in Nightly.

It might be relevant to add that several folks are seeing this in the Berlin office, and reproducibility might depend on location (I see country=DE passed to the trustarc.com request).

FWIW, I get in with 75.0a1 (2020-02-26) (64-bit) and 75.0a1 (2020-03-02) (64-bit). (The second one might have been due to pre-existing cookies.)

A fresh profile seems to work, but I can't figure out what the differences are compared to my existing profile.

Ah, this is sameSite=lax's fault.

SAP is calling to TrustArc's cookie consent banner. The banner sets a cookie notice_preferences indicating what choice the user made. On SAP's side, they try to read the cookie and check if the user has consented to cookies. If that fails because they can't find the cookie, they do a redirect to http://sitedown.concursolutions.com. The site we're on was a POST request, which isn't a safe request. Since TrustArc did not specify sameSite in the cookie, the new default of sameSite=lax gets to play, and because of that, SAP never sees the cookie.

The best resolution here is probably an update in TrustArc's library to set sameSite=none. I'll try to get in touch.

Regressed by: 1604212
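
The behavior described in the comment above, as an added example that is not part of the original bug thread and is not Firefox, SAP or TrustArc code: a simplified JavaScript model of when a browser attaches a cookie to a request. The function names, the request object shape and the cookie values are assumptions made for illustration; only the cookie name notice_preferences comes from the thread.

```javascript
// Simplified model of the SameSite check; ignores the public-suffix list and
// the short grace period some browsers give freshly set cookies.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a Set-Cookie header value into its name and SameSite value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "samesite") cookie.sameSite = value;
  }
  return cookie;
}

// A missing or unrecognized SameSite value falls back to the browser default:
// "lax" when laxByDefault is on, "none" (the legacy behaviour) when it is off.
function effectiveSameSite(cookie, laxByDefault) {
  if (["strict", "lax", "none"].includes(cookie.sameSite)) return cookie.sameSite;
  return laxByDefault ? "lax" : "none";
}

// request: { crossSite, method, topLevelNavigation } (hypothetical shape).
function isCookieSent(header, request, laxByDefault = true) {
  const policy = effectiveSameSite(parseSetCookie(header), laxByDefault);
  if (!request.crossSite || policy === "none") return true;
  if (policy === "strict") return false;
  // Lax: cross-site delivery only on top-level navigations with a safe method.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method);
}

// Constructed sample: the cross-site POST that lands on the Concur page.
const ssoPost = { crossSite: true, method: "POST", topLevelNavigation: true };
const asShipped = "notice_preferences=2; Path=/"; // constructed value, no SameSite
// Secure accompanies SameSite=None; browsers enforcing the new default
// generally require it.
const withFix = "notice_preferences=2; Path=/; SameSite=None; Secure";

console.log("lax by default:", isCookieSent(asShipped, ssoPost, true));
console.log("pref toggled off:", isCookieSent(asShipped, ssoPost, false));
console.log("explicit SameSite=None:", isCookieSent(withFix, ssoPost, true));
```
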

I sent a message to someone I found working at TrustArc. Let's see.

Taking this over to the WebCompat category, as this isn't really a bug we're likely to fix within Firefox, but rather a site issue that can be fixed.

Component: Untriaged → Desktop
Product: Firefox → Web Compatibility
Whiteboard: [sitewait]

Shouldn't this block meta bug 1618610 ?

(In reply to j.j. from comment #6)

> Shouldn't this block meta bug 1618610 ?

Yep, thanks.

Priority: -- → P1

Concur is not working again in Firefox Nightly (Version 77.0a1 (2020-04-19) (64 bit)). It does, however, continue to work in Firefox 75.0 (64 bit).

To replicate the error:

  • Visit https://sso.mozilla.com/dashboard and select Concur.
  • After the SSO login, Concur seems to work, but upon clicking on any module a blank page will be displayed.
  • After a resubmit of the web address, get the message: "The page cannot be displayed because an internal server error has occurred."

As mentioned, it does work correctly in 75.0, so maybe it is again some setting enabled only in Nightly.

(In reply to mbecker from comment #8)

> As mentioned, it does work correctly in 75.0, so maybe it is again some setting enabled only in Nightly.

Yes, bug 1604212 is nightly only at the moment.

I also encounter a problem with SAP Concur on the nightly 77.0a1.
The symptom is slightly different from comment 8.

There's an error message on console: Some cookies are misusing the “sameSite“ attribute, so it won’t work as expected

To fix this for now, toggle network.cookie.sameSite.laxByDefault to false or add the domain to network.cookie.sameSite.laxByDefault.disabledHosts (comma-separated strings).

I did toggle this to false when the earlier issue arose. This seems to be a new issue (I still have it toggled to "false" but also still see the error).
