1620547 - Concur is not working in Firefox Nightly

Status: NEW

(Web Compatibility :: Desktop, defect, P1)

Description

[Francesco Lodolo [:flod]]

Not exactly sure what would be causing this, but with Nightly 75.0a1 (2020-03-05) (64 bit):

1. Visit https://sso.mozilla.com/dashboard and select Concur.
2. After the SSO login, a blank page will be displayed for a few seconds. The page title is about Cookies consent.
3. After that, I get redirected to https://sitedown.concursolutions.com/ and informed that "Concur is currently unavailable".

It works correctly in 74 RC, so it could be some setting enabled only in Nightly.

Comment 1

[Francesco Lodolo [:flod]]

It might be relevant to add that several folks are seeing this in the Berlin office, and reproducibility might depend on location (I see country=DE passed to the trustarc.com request).

Comment 2

[Anne (:annevk)]

FWIW, I get in with 75.0a1 (2020-02-26) (64-bit) and 75.0a1 (2020-03-02) (64-bit). (The second one might have been due to pre-existing cookies.)

Comment 3

[Francesco Lodolo [:flod]]

A fresh profile seems to work, but I can't figure out what the differences are compared to my existing profile.

Comment 4

[Dennis Schubert [:denschub]]

Ah, this is sameSite=lax's fault.

SAP is calling to TrustArc's cookie consent banner. The banner sets a cookie notice_preferences indicating what choice the user made. On SAPs side, they try to read the cookie and check if the user has consented to cookies. If that fails because they can't find the cookie, they do a direct to http://sitedown.concursolutions.com. The site we're on was a POST request, which isn't a safe request. Since TrustArc did not specify sameSite in the cookie, the new default of sameSite=lax gets to play, and because of that, SAP never sees the cookie.

The best resolution here is probably an update in TrustArc's library to set sameSite=none. I'll try to get in touch.

Comment 5

[Dennis Schubert [:denschub]]

I sent a message to someone I found working at TrustArc. Let's see.

Taking this over to the WebCompat category, as this isn't really a bug we're likely to fix within Firefox, but rather a site issue that can be fixed.

Comment 6

[j.j.]

Shouldn't this block meta bug 1618610 ?

Comment 7

[Mike Taylor [:miketaylr]]

(In reply to j.j. from comment #6)

Shouldn't this block meta bug 1618610 ?

Yep, thanks.

Comment 8

[mbecker]

Concur is not working again in Firefox Nightly (Version 77.0a1 (2020-04-19) (64 bit). It does, however, continue to work in FireFox 75.0 (64 bit).

To replicate the error:

• Visit https://sso.mozilla.com/dashboard and select Concur.
• After the SSO login, Concur seems to work, but upon clicking on any module a blank page will be displayed.
• After a resubmit of the web address, get the message: "The page cannot be displayed because an internal server error has occurred."

As mentioned, it does work correctly in 75.0, so maybe it is again some setting enabled only in Nightly.

Comment 9

[Julien Cristau [:jcristau]]

(In reply to mbecker from comment #8)

As mentioned, it does work correctly in 75.0, so maybe it is again some setting enabled only in Nightly.

Yes, bug 1604212 is nightly only at the moment.

Comment 10

[Hsin-Yi Tsai (away for a while) [:hsinyi]]

I also encounter a problem with SAP Concur on the nightly 77.0a1.
The symptom is slightly different from comment 8.

• Visit https://sso.mozilla.com/dashboard and select Concur.
• It was redirected to the https://sitedown.concursolutions.com/

There's an error message on console: Some cookies are misusing the “sameSite“ attribute, so it won’t work as expected

Comment 11

[Jan-Erik Rediger [:janerik]]

To fix this for now toggle network.cookie.sameSite.laxByDefault to false or add the domain to network.cookie.sameSite.laxByDefault.disabledHosts (comma-separated strings)

Comment 12

[mbecker]

I did toggle this to false when the earlier issue arose. This seems to be a new issue (I still have toggled to "false" but also still see the error)