Closed Bug 1636289 Opened 4 years ago Closed 4 years ago

Zendesk is using the window.open heuristic intentionally to gain third-party cookie access

Categories: Core :: Privacy: Anti-Tracking, defect, P3
Status: RESOLVED FIXED
People: Reporter: englehardt, Unassigned

Note that zendesk is on the Level 2 cookie blocking list, so you have to use Nightly to reproduce.

STR:

Here's how it works:

The "Click here to restart your sign in." message is an anchor tag with the following code: onclick='window.open("/auth/v2/login/set_cookie")'. Note this anchor tag is in an iframe with the src https://leanplum.zendesk.com/auth/v2/login/signin?return_to=https%3A%2F%2Fsupport.leanplum.com%2Fhc%2Fen-us%2Frequests&theme=hc&locale=en-us&brand_id=40434&auth_origin=40434%2Ctrue%2Ctrue, so the relative URL resolves to https://leanplum.zendesk.com/auth/v2/login/set_cookie.

The set_cookie page returns the following HTML:

<html>
  <head></head>
  <body>
  <script type="text/javascript">
    window.opener.location.reload();
    window.close();
  </script>
  </body>
</html>

This will provide storage access in Firefox using the window.open compatibility heuristic, and I suspect it will do the same in Safari as well.

IMO this is pretty disappointing for two reasons:

  1. Zendesk should instead use document.requestStorageAccess(), which will both provide a better user experience and isn't a temporary compatibility heuristic that will eventually be removed from Firefox.
  2. If users don't click the link to activate the heuristic they can still try to log in. Trying to log in results in an X-Frame-Options error.
See Also: → 1540810
Severity: N/A → S3
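As an added example (not Zendesk's code and not taken from the bug), this is the shape of the document.requestStorageAccess() flow the reporter recommends for the embedded sign-in iframe, replacing the window.open("/auth/v2/login/set_cookie") popup. The `document` object is passed in as a parameter so the logic can be exercised with the constructed stub below; the stub, the handler names and the result fields are assumptions for illustration.

```javascript
// Added example, not Zendesk's code: the sign-in iframe asks for cookie access with the
// Storage Access API instead of window.open("/auth/v2/login/set_cookie") + opener.reload().
// `doc` is injected (normally the iframe's `document`) so the flow can run outside a browser.
async function ensureCookieAccess(doc) {
  // Engines without the API have no access grant to negotiate: proceed with the sign-in
  // request and let its response show whether cookies were actually sent.
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return { granted: true, via: "api-unavailable" };
  }
  if (await doc.hasStorageAccess()) {
    return { granted: true, via: "already-granted" };
  }
  // requestStorageAccess() only resolves when called during a user gesture (the click)
  // and may show a permission prompt; it rejects if the user declines.
  try {
    await doc.requestStorageAccess();
    return { granted: true, via: "request-storage-access" };
  } catch (err) {
    return { granted: false, via: "denied", reason: (err && err.name) || String(err) };
  }
}

// Replaces onclick='window.open(...)' on the "restart your sign in" anchor.
// onGranted typically reloads the sign-in form in place; onDenied explains that
// cookies are required instead of failing later with an X-Frame-Options error.
function installRestartHandler(anchor, doc, onGranted, onDenied) {
  anchor.addEventListener("click", async (event) => {
    event.preventDefault(); // stay on the page: no popup, no opener reload
    const result = await ensureCookieAccess(doc);
    (result.granted ? onGranted : onDenied)(result);
  });
}

// Constructed stub standing in for the third-party iframe's `document` (illustration only).
function makeStubDocument({ hasAccess, userGrants }) {
  let access = hasAccess;
  return {
    hasStorageAccess: async () => access,
    requestStorageAccess: async () => {
      if (!userGrants) {
        const e = new Error("storage access denied");
        e.name = "NotAllowedError";
        throw e;
      }
      access = true;
    },
  };
}
```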

This will provide storage access in Firefox using the window.open compatibility heuristic, and I suspect it will do the same in Safari as well.

Safari requires user interaction in the popup since March 2019. See "Removed Compatibility Fix for Popups" in https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/.

This message is no longer displayed when cookies are blocked. It looks like zendesk recently updated their flow to use the storage access API in Safari. See this page and the discussion in the comments, but I don't see that flow triggering in Firefox.

Since the workaround is no longer active I'll close this bug.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED