Open Bug 1631091 (tp-instagram) Opened 5 years ago Updated 22 hours ago

[meta] Tracking Protection breaks sites relying on Instagram resources

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
defect

Tracking

()

People

(Reporter: twisniewski, Unassigned)

References

(Depends on 17 open bugs, Blocks 3 open bugs,
URL
)

Details

(Keywords: meta)

For instance, embedded Instagram posts can currently be broken in strict mode, as demonstrated at https://blog.hubspot.com/marketing/embed-social-media-posts-guide#Instagram

Depends on: 1609867

The demo page above uses this boilerplate markup to embed Instagram resources:

<blockquote class="instagram-media" data-instgrm-captioned="" data-instgrm-permalink="https://www.instagram.com/p/BsvRhCTlXfM/?utm_source=ig_embed&amp;utm_medium=loading&amp;utm_campaign=embed_loading_state_script" data-instgrm-version="10">
  <!-- a placeholder with a "view this post on Instagram" link -->
</blockquote>

This is replaced with an iframe by the Instagram embed.js script https://www.instagram.com/embed.js:

<iframe class="instagram-media instagram-media-rendered" id="instagram-embed-0" src="https://www.instagram.com/p/BsvRhCTlXfM/embed/captioned/?cr=1&amp;v=10&amp;wp=540&amp;rd=https%3A%2F%2Fblog.hubspot.com&amp;rp=%2Fmarketing%2Fembed-social-media-posts-guide#%7B%22ci%22%3A0%2C%22os%22%3A1318%2C%22ls%22%3A1007%2C%22le%22%3A1267%7D" allowtransparency="true" allowfullscreen="true" data-instgrm-payload-id="instagram-media-payload-0" scrolling="no" height="976" frameborder="0"></iframe>

These iframes seem to work with sandbox="allow-scripts", so we have some decent options here for yellow-listing the content. But it should not be any more difficult than doing the same for Facebook/Twitter embeds. I just had to yellow-list these resources:

https://www.instagram.com/embed.js
https://www.instagram.com/static/bundles/es6/EmbedSDK.js/bf4a12bd69f3.js
https://www.instagram.com/p/BsvRhCTlXfM/embed/captioned/
https://www.instagram.com/static/bundles/es6/
https://www.instagram.com/ajax/bz
Depends on: 1631809

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)

Severity: normal → S3
Depends on: 1634301
Depends on: 1694158
Depends on: 1701962
Depends on: 1621980
Depends on: 1691754
Depends on: 1766446
Depends on: 1764072
Depends on: 1763773
Depends on: 1753466
Depends on: 1775466
Depends on: 1782927
Depends on: 1793956
Keywords: meta
Summary: Tracking Protection breaks sites relying on Instagram resources → [meta] Tracking Protection breaks sites relying on Instagram resources
Depends on: 1794414
Depends on: 1810703
Depends on: 1841798
Depends on: 1898043
Blocks: 1922500
No longer blocks: 1922500
See Also: → smartblock-embeds
Blocks: 1922500
Depends on: 1929509
You need to log in before you can comment on or make changes to this bug.