Closed Bug 1647854 Opened 4 years ago Closed 4 years ago

Salesforce Lightning: navigation broken with network.cookie.sameSite.laxByDefault=true


(Core :: Networking: Cookies, defect, P2)

79 Branch





(Reporter: hmitsch, Unassigned)


(Regression, )


(Keywords: regression, Whiteboard: [necko-triaged])


(3 files)

Attached image Salesforce_pop-ups.png

Test Condition

  • Open (Salesforce Sandbox)
  • Log in
  • Salesforce web application opens with Lightning UI (
  • Click [Settings] (gear wheel on top right)
  • Click [Service Setup]
  • New tab opens
  • In the navigation bar (left side) expand [Users], click on [Users]
  • Firefox shows a yellow pop-up blocking menu on top, Salesforce displays an "Open this page dialogue" (because it figured out that pop-ups were blocked), click [Open]
  • Browser is redirected to Salesforce login page
  • Log in (again)
  • User listing page is opened
  • Select any link in the [Full Name] column

Expected Result

  • User detail page opens

Actual Result

  • Nothing happens

Additional Information

  • In this last tab (third tab) the browser's console log says:
XML Parsing Error: no root element found
Line Number 1, Column 1: 52609e00b7ee307e:1:1

My Best Guess

If I had to guess I assume that the new window (tab) is missing some references. In Safari this "new tab" is actually opened INSIDE the main view of the second tab.

Test Setup

You need a Salesforce account in order to test this. I am happy to give you access to our Sandbox. Please ping me on this bug and I will get you access.

Does always allowing popups for salesforce "fix" this?

If you can give us access I could take a look at this. Feel free to mail me the credentials or something :). If I get stuck I can always forward them to someone from the compat team.

Hi Emilio,

thanks so much for taking care of this. I tried to allow popups but I was unable to fix the situation. At this point, the best way for me to work with Salesforce is to switch back from the new "Lightning experience" to the old "legacy UI".

I just created you a user on your bugzilla email address. You should have credentials in your inbox.

Hope you can reproduce the issue and we can collect some facts.

Best regards,

Flags: needinfo?(emilio)

So I can repro this. I think what's going on is that I get logged out all the time, and their log-in stuff just opens in a new window, which is unexpected.

In fact, this works just fine if I set network.cookie.sameSite.laxByDefault=false (I cleared cookies and site data as well), can you confirm that?

Flags: needinfo?(emilio) → needinfo?(mitsch)
Regressed by: 1604212
Has Regression Range: --- → yes

That being said, this seems to work just fine in Chrome Dev with the samesite=lax flag on, so this might be a bug in our samesite=lax implementation or such.

Andrea, is this something you can take a look at, or do you know who to forward it to? I have little idea about sameSite. Let me know and I'll give you my credentials, or maybe Henrik can create another account for you.

Flags: needinfo?(amarchesini)
Summary: Salesforce Lightning: navigation broken → Salesforce Lightning: navigation broken with network.cookie.sameSite.laxByDefault=true
Component: Untriaged → Networking: Cookies
Product: Firefox → Core

Ah, this might be bug 1620104, which is salesforce doing UA sniffing :(

See Also: → 1620104
Flags: needinfo?(mitsch)

Emilio, I set lax=false and deleted all *force* cookies. Now I get a Nightly Can’t Open This Page error.
(screenshot attached above)

Hmm, I cannot reproduce that, is there any error in the console?

This seems a dup of bug 1620104. Last time I checked how salesforce uses the sameSite attribute with cookies, I found this:

doesBrowserDefaultToSameSiteLax:function(b){b=b||g.userAgent;var a=b.chromeVersionMajor;return!!((b.isChrome||b.isChromium)&&77<=a)}}}(Sfdc));

Flags: needinfo?(amarchesini)
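
Added illustration (not part of the bug thread and not Salesforce's code): a small model of how the user-agent check quoted above interacts with network.cookie.sameSite.laxByDefault, matching the behaviour reported in this bug. The server function buildSetCookie, the cookie name, the request model and the sample user agents are assumptions made for the example; the client model ignores details such as the short-lived "Lax + POST" allowance.

```javascript
// Same predicate as the quoted snippet, un-minified; `ua` objects are constructed.
function doesBrowserDefaultToSameSiteLax(ua) {
  return !!((ua.isChrome || ua.isChromium) && 77 <= ua.chromeVersionMajor);
}

// Hypothetical server: emits SameSite=None only when the UA check passes.
function buildSetCookie(name, value, ua) {
  const attrs = [`${name}=${value}`, "Secure", "HttpOnly"];
  if (doesBrowserDefaultToSameSiteLax(ua)) attrs.push("SameSite=None");
  return attrs.join("; ");
}

// Alternative without UA sniffing: always state the attribute explicitly.
function buildSetCookieExplicit(name, value) {
  return `${name}=${value}; Secure; HttpOnly; SameSite=None`;
}

// Extract the SameSite value from a Set-Cookie header value, or null if absent.
function parseSameSite(setCookie) {
  for (const part of setCookie.split(";").slice(1)) {
    const [key, val = ""] = part.trim().split("=");
    if (key.toLowerCase() === "samesite") return val.toLowerCase();
  }
  return null;
}

// Simplified client model: would the browser attach this cookie to the request?
function cookieIsSent(setCookie, request, laxByDefault) {
  let mode = parseSameSite(setCookie);
  if (mode === null) mode = laxByDefault ? "lax" : "none";
  if (!request.crossSite || mode === "none") return true;
  if (mode === "strict") return false;
  // Lax: only cross-site top-level navigations with a safe method carry it.
  return request.topLevelNavigation && request.method === "GET";
}

// Constructed inputs: two user agents and one cross-site embedded request.
const chrome83 = { isChrome: true, isChromium: false, chromeVersionMajor: 83 };
const firefox79 = { isChrome: false, isChromium: false };
const embedded = { crossSite: true, topLevelNavigation: false, method: "GET" };

console.log("Chrome, lax by default :", cookieIsSent(buildSetCookie("sid", "x", chrome83), embedded, true));
console.log("Firefox, lax by default:", cookieIsSent(buildSetCookie("sid", "x", firefox79), embedded, true));
console.log("Firefox, pref = false  :", cookieIsSent(buildSetCookie("sid", "x", firefox79), embedded, false));
console.log("Firefox, explicit None :", cookieIsSent(buildSetCookieExplicit("sid", "x"), embedded, true));
```
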

Emilio, here is a capture of my Error Log.

So they're sending an X-Frame-Options: Allow-from ... header.

It seems we removed that in bug 1301529, and that other browsers don't support it either:;l=396;drc=9703ac7b3df04707512d1bf9189241abda914098

I wonder why I'm not seeing that... Does it repro outside of private browsing?

Emilio, I think I can be more helpful this time.

  • I tried in my regular browsing session (not private browsing): Same issue.
  • Next I disabled Tracking Protection in the private browsing session: Success

Thanks for sorting this out with me.

How can I help to drive this further? Do we need to talk to Salesforce people?

Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]

Actually, we should probably keep this on the radar for 79 since we're running experiments with this pref on the Beta channel this cycle.

Peter, do you know if we have contacts at Salesforce who might be able to assist?

Flags: needinfo?(stpeter)

As :baku noted this is a dupe of and I've already reached out to Salesforce folks about that.

Flags: needinfo?(stpeter)
Closed: 4 years ago
Resolution: --- → DUPLICATE