Salesforce Lightning: navigation broken with network.cookie.sameSite.laxByDefault=true
Categories
(Core :: Networking: Cookies, defect, P2)
Tracking
()
People
(Reporter: hmitsch, Unassigned)
References
(Regression, )
Details
(Keywords: regression, Whiteboard: [necko-triaged])
Attachments
(3 files)
Salesforce_pop-ups.png
Test Condition
- Open https://test.salesforce.com (Salesforce Sandbox)
- Log in
- Salesforce web application opens with Lightning UI (https://cs100.lightning.force.com/lightning/page/home).
- Click [Settings] (gear wheel on top right)
- Click [Service Setup]
- New tab opens
- In the navigation bar (left side) expand [Users], click on [Users]
- Firefox shows a yellow pop-up blocking menu on top, Salesforce displays an "Open this page dialogue" (because it figured out that pop-ups were blocked), click [Open]
- Bowser is redirected to Salesforce login page
- Log in (again)
- User listing page is opened
- Select any link in the [Full Name] column
Expected Result
- User detail page opens
Actual Result
- Nothing happens
Additional Information
- In this last tab (third tab) the browser's console log says:
XML Parsing Error: no root element found
Location: https://cs100.salesforce.com/_/52609e00b7ee307e
Line Number 1, Column 1: 52609e00b7ee307e:1:1
My Best Guess
If I had to guess I assume that the new window (tab) is missing some references. In Safari this "new tab" is actually opened INSIDE the main view of the second tab.
Test Setup
You need a Salesforce account in order to test this. I am happy to give you access to our Sandbox. Please ping me on this bug and I will get you access.
|
||
Comment 1•4 years ago
|
||
Does always allowing popups for salesforce "fix" this?
If you can give us access I could take a look at this. Feel free to mail me the credentials or something :). If I get stuck I can always forward them to someone from the compat team.
|
Reporter | |
Comment 2•4 years ago
|
||
Hi Emilio,
thanks so much for taking care of this. I tried to allow popups but I was unable to fix the situation. At this point, the best way for me to work with Salesforce is to switch back from the new "Lightning experience" to the old "legacy UI".
I just created you a user on your bugzilla email address (@crisal.io). You should have credentials in your inbox.
Hope you can reproduce the issue and we can collect some facts.
Best regards,
Henrik
|
|
Reporter | |
Updated•4 years ago
|
|
|
||
Comment 3•4 years ago
|
||
So I can repro this. I think what's going on is that I get logged out all the time, and their log-in stuff just opens in a new window, which is unexpected.
In fact, this works just fine if I set network.cookie.sameSite.laxByDefault=false (I cleared cookies and site data as well), can you confirm that?
|
||
Updated•4 years ago
|
|
|
||
Comment 4•4 years ago
|
||
That being said, this seems to work just fine in Chrome Dev with the samesite=lax flag on, so this might be a bug in our samesite=lax implementation or such.
Andrea, is this something you can take a look, or know who to forward to? I have little idea about sameSite. Let me know and I'll give you my credentials, or maybe Henrik can create another account for you.
|
|
||
Updated•4 years ago
|
|
|
||
Comment 5•4 years ago
|
||
Ah, this might be bug 1620104, which is salesforce doing UA sniffing :(
|
|
Reporter | |
Comment 6•4 years ago
|
||
|
|
Reporter | |
Comment 7•4 years ago
|
||
Emilio, I set lax=false and deleted all *force* cookies. Now I get a Nightly Can’t Open This Page error.
(screenshot attached above)
|
|
||
Comment 8•4 years ago
|
||
Hmm, I cannot reproduce that, is there any error in the console?
|
||
Updated•4 years ago
|
|
||
Comment 9•4 years ago
|
||
This seems a dup of bug 1620104. Last time I checked how salesforce uses the sameSite attribute with cookies, I found this:
doesBrowserDefaultToSameSiteLax:function(b){b=b||g.userAgent;var a=b.chromeVersionMajor;return!!((b.isChrome||b.isChromium)&&77<=a)}}}(Sfdc));
|
|
Reporter | |
Comment 10•4 years ago
|
||
Emilio, here is a capture of my Error Log.
|
|
||
Comment 11•4 years ago
|
||
So they're sending an X-Frame-Options: Allow-from ... header.
It seems we removed that in bug 1301529, and that other browsers don't support it either: https://source.chromium.org/chromium/chromium/src/+/master:content/browser/frame_host/ancestor_throttle.cc;l=396;drc=9703ac7b3df04707512d1bf9189241abda914098
I wonder why I'm not seeing that... Does it repro outside of private browsing?
|
|
Reporter | |
Comment 12•4 years ago
|
||
Emilio, I think I can be more helpful this time.
- I tried in my regular browsing session (not private browsing): Same issue.
- Next I disabled Tracking Protection in the private browsing session: Success
Thanks for sorting this out with me.
How can I help to drive this further? Do we need to talk to Salesforce people?
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
||
Comment 13•4 years ago
|
||
Actually, we should probably keep this on the radar for 79 since we're running experiments with this pref on the Beta channel this cycle.
|
|
||
Comment 14•4 years ago
|
||
Peter, do you know if we have contacts at Salesforce who might be able to assist?
|
||
Comment 15•4 years ago
|
||
As :baku noted this is a dupe of https://bugzilla.mozilla.org/show_bug.cgi?id=1620104 and I've already reached out to Salesforce folks about that.
|
|
||
Updated•4 years ago
|
Description
•