Embedded Twitter videos broken in Beta and Release
Categories
(Web Compatibility :: Site Reports, defect, P1)
Tracking
(firefox-esr68 unaffected, firefox76 unaffected, firefox77 affected, firefox78 affected)
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox76 | --- | unaffected |
| firefox77 | --- | affected |
| firefox78 | --- | affected |
People
(Reporter: englehardt, Unassigned)
References
(Regression)
Details
(Keywords: regressionwindow-wanted)
Attachments
(3 files)
Screenshot_2020-06-02 Uber is scrapping tens of thousands of Jump bikes during a nationwide bike shortage.png
This issue is distinct from the breakage we've observed caused by ETP (see Bug 1641521) and reproduces with ETP disabled. I can reproduce the issue in Firefox release (v77 build 20200528194502) and beta (v78.0b1 build 20200601142750) but not the latest Nightly.
STR:
- Open a fresh Firefox release profile
- Navigate to https://www.theverge.com/2020/5/27/21271927/uber-jump-bike-scooter-scrap-photos-video-lime-junkyard and disable ETP via the shield icon in the address bar. The page will reload.
- Scroll down to the second tweet with the embedded video
- Play the video, it should work. If you see a blank white space after pressing play ensure you have ETP disabled (that's Bug 1641521)
- In a new tab open twitter.com
- Return to the previous tab with the verge article and refresh the page
- Play the video
ER: the video plays
AR: the embedded widget displays "The media could not be played." (see attached screenshot)
After clearing cookies from twitter.com, the video on the verge will play again. Revisiting twitter.com directly will cause the same failure on future refreshes of The Verge. I've also verified that this reproduces on other first parties (e.g., the NYT).
|
Reporter | |
Comment 1•4 years ago
|
||
|
||
Comment 2•4 years ago
•
|
||
I can't reproduce.
This is working for me on 78.0a1 (2020-06-01) (64-bit)
macOS 10.15.5 (19F101)
macbookpro
which is consistent with
I can reproduce the issue in Firefox release (v77 build 20200528194502) and beta (v78.0b1 build 20200601142750) but not the latest Nightly.
Probably a mozregression find-fix could reveal what is happening. It doesn't seem to be a webcompat issue though.
|
|
||
Comment 3•4 years ago
|
||
And Set network.cookie.sameSite.laxByDefault to true will fix for Beta78.0b1.
(FYI, network.cookie.sameSite.laxByDefault is true on Nightly Build only.)
|
|
||
Updated•4 years ago
|
|
|
||
Comment 4•4 years ago
|
||
Regression window:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ee1a0f35334587ca5843a3b8ddc30af1ba224ae4&tochange=e0299348ab87b6e906cf63c2709df1c9c7391227
Suspect: Bug 1627653
|
||
Comment 5•4 years ago
|
||
Bug 1627653 has been partially reverted by bug 1641459, landed in 78.
|
|
||
Comment 6•4 years ago
|
||
I can actually reproduce this issue using a yesterday build. I'm debugging this issue.
|
||
Updated•4 years ago
|
|
||
Comment 7•4 years ago
|
||
I've been comparing profiles that work vs. don't work (on release).
Difference seems to be a 403 on the request to their API server:
https://api.twitter.com/1.1/videos/tweet/config/1268658364944441346.json
This message shows in the console:
Request URL:https://api.twitter.com/1.1/videos/tweet/config/1268658364944441346.json
This URL matches a known tracker and it would be blocked with Content Blocking enabled.
So at seems like on release at least, this would be tracker related. But the weird thing is that on both these profiles, I have the same level of tracking protection enabled (Standard).
And it's also odd that the error doesn't happen until you actually click on the video. If it was tracker related, you'd think the embed would fail completely.
Comparing the two requests, the header information is very different.
|
|
||
Comment 8•4 years ago
|
||
Maybe it's unrelated, but it could be a dup of bug 1642832.
|
||
Comment 9•4 years ago
|
||
:mkaply can you provide HAR recordings of your repro (possibly privately to asuth@mozilla.com) and/or indicate what the contents of the 403 response were (the body not the headers)? One possibility is something like the bug 1589764 situation where twitter's CSRF defenses are getting desynchronized.
|
|
||
Comment 10•4 years ago
|
||
(In reply to Andrea Marchesini [:baku] from comment #8)
Maybe it's unrelated, but it could be a dup of bug 1642832.
I meant bug 1637325
|
|
||
Comment 11•4 years ago
•
|
||
Response data is:
{"errors":[{"code":239,"message":"Bad guest token."}]}
I can reproduce this at will on a particular profile, so let me know if you want to take a look.
|
||
Comment 12•3 years ago
|
||
I can't reproduce the issue, for me the video always plays.
https://prnt.sc/xd12da
Tested with:
Browser / Version: Firefox Nightly 86.0a1 (2021-01-20), Firefox Release 84.0.2, Firefox Beta 85.0b9
Operating System: Windows 10 Pro
Steven does the issue still occurs on your side?
|
||
Updated•2 years ago
|
Description
•