ETP Standard breaks embedded Twitter videos (e.g., on The Verge and NYT)
Categories
(Core :: Privacy: Anti-Tracking, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox77 | --- | wontfix |
| firefox78 | --- | fixed |
| firefox79 | --- | fixed |
| firefox80 | --- | fixed |
People
(Reporter: csasca, Assigned: englehardt)
References
(Blocks 1 open bug)
Details
(Keywords: regression)
Affected versions
- Firefox 77.0
- Firefox 78.0a1
Affected platforms
- macOS 10.15
- Windows 7
- Ubuntu 18.04
Steps to reproduce
- Launch Firefox
- Access an article from The Verge, for example and scroll down to where the video is located
- Click on play
Expected result
- The video is played without issues
Actual result
- The video is not played back
Regression range
- Will see for a regression, it seems that 68.9.0esr is not affected
Additional notes
- The issue can be seen in the following attachment
|
Reporter | |
Updated•1 year ago
|
|
||
Comment 1•1 year ago
|
||
Turn off ETP on this website and the video will work.
|
||
Updated•1 year ago
|
|
||
Comment 2•1 year ago
|
||
S1 or S2 bugs need an assignee - could you find someone for this bug?
|
Assignee | |
Comment 3•1 year ago
|
||
The Twitter video is embedded in the iframe: https://twitter.com/i/videos/tweet/1265444495488880649?embed_source=clientlib&player_id=0&rpc_init=1&autoplay=1&language_code=en&use_syndication_guest_id=true. Since twitter.com is on the blocklist, this iframe does not have storage access.
This iframe embeds the script: https://abs.twimg.com/web-video-player/TwitterVideoPlayerIframe.cefd459559024bfb.js which does the following storage access checks:
f = function() {
var e = d && window.indexedDB || "undefined" != typeof self && self.indexedDB;
if (e && d) try {
window.localStorage.setItem("test", "a"), window.localStorage.removeItem("test")
} catch (e) {
return !1
}
return e
},
When window.indexedDB is accessed, an uncaught SecurityError is thrown and the video never loads.
Uncaught DOMException: The operation is insecure. TwitterVideoPlayerIframe.cefd459559024bfb.js:76
This is unfortunate because the code here is clearly trying to test whether it has access to window.indexedDB (which it doesn't) and then fall back to local storage (which will also throw a security error). If Twitter were to include indexedDB in the try-catch the video would likely load.
We also have a few options on our end. If scripts do indeed expect window.indexedDB to be null instead of throw a SecurityError, that might be a better approach.
Alternatively, we can consider adding something similar to isolated localStorage.
|
|
Assignee | |
Comment 4•1 year ago
|
||
Mike, do you know if we have contacts at Twitter who can help?
|
||
Comment 5•1 year ago
|
||
Hi, I tried to get a regression range for this issue and I went back as far as I could, but it seems between the 2018-09-01 and 2018-08-31 there was not enough data to bisect.
Here are the pushlogs from the Last known good build and the First known bad build, I was unable to pin point the issue causing it but maybe it helps someone who knows more about it:
|
|
Assignee | |
Comment 6•1 year ago
|
||
This also reproduces on https://www.nytimes.com/2020/05/28/us/george-floyd-national-guard.html. I suspect this happens with all embedded Twitter videos.
|
|
Assignee | |
Comment 7•1 year ago
|
||
We've shipped a skiplist intervention (Bug 1641969) and are planning to migrate to a webcompat intervention (Bug 1641998).
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 8•1 year ago
|
||
I sent an email to our internal Mozilla/Twitter list.
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 10•11 months ago
|
||
I've verified that this is now fixed in Nightly 80 and Release 78.
|
||
Updated•11 months ago
|
|
||
Updated•10 months ago
|
Description
•