Like and Re-blog buttons do not work/missing on Wordpress
Categories
(Core :: Privacy: Anti-Tracking, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox81 | --- | fixed |
People
(Reporter: bullionareboy, Assigned: dlee)
References
(Blocks 1 open bug)
Details
Attachments
(4 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Steps to reproduce:
Login to Wordpress account
Visit https://mozillagfx.wordpress.com/2020/07/10/moz-gfx-newsletter-54/
Click 'Like'
Actual results:
Click on 'Like' opens a popup window but the change is not reflected.
The Re-blog button is missing
Expected results:
Click on 'like' button should reflect change on the webpage.
Reblog button should not be missing
Setting network.cookie.cookieBehavior to 4 fixes the issue
This might be due to the dFPI again
Comment 2•4 years ago
|
||
(In reply to bull500 from comment #1)
This might be due to the dFPI again
Thanks for reporting this!
Updated•4 years ago
|
Comment 3•4 years ago
|
||
In this case, https://widgets.wp.com is automatically granted storage access on https://mozillagfx.wordpress.com, but https://public-api.wordpress.com also needs storage access on https://mozillagfx.wordpress.com.
Comment 4•4 years ago
|
||
Since we're visiting mozillagfx.wordpress.com
I wouldn't expect public-api.wordpress.com
to have partitioned storage. We partition by site (scheme+eTLD+1) and wordpress.com
isn't on the public suffix this. I suspect we're partitioning some resources from public-api.wordpress.com
because they're embedded in cross-origin iframes.
Here are two frames loaded from public-api.wordpress.com
:
-
An iframe embedded directly in the main frame:
https://public-api.wordpress.com/connect/?googleplus-sign-in=https%3A%2F%2Fmozillagfx.wordpress.com&color_scheme=light
-
An iframe embedded with the following frame ancestors and loaded from
https://public-api.wordpress.com/wp-admin/rest-proxy/#https://widgets.wp.com
:https://widgets.wp.com/likes/master.html?ver=20190321#ver=20190321
https://mozillagfx.wordpress.com/2020/07/10/moz-gfx-newsletter-54/
(1) has unpartitioned storage access, which is expected. (2) has partitioned storage, which is unexpected.
Here's a simpler test page to verify: https://senglehardt.com/test/dfpi/nested_embed.html. Note that this is not the case when FPI is enabled (presumably because we also double key the main page's state).
Gary, would you mind to take a look?
Also flagging Anne because I'm not sure if we should add anything related to this in the spec.
Updated•4 years ago
|
Comment 5•4 years ago
|
||
I'm not sure I fully follow as I only see a single frame with a "Like" button. (I agree with the partitioning story you sketch and that hopefully matches how it will eventually get standardized. Still quite a long way to go there though.)
Updated•4 years ago
|
Comment 6•4 years ago
|
||
(In reply to Steven Englehardt [:englehardt] from comment #4)
Since we're visiting
mozillagfx.wordpress.com
I wouldn't expectpublic-api.wordpress.com
to have partitioned storage. We partition by site (scheme+eTLD+1) andwordpress.com
isn't on the public suffix this. I suspect we're partitioning some resources frompublic-api.wordpress.com
because they're embedded in cross-origin iframes.
We checked if an iframe is third-party not only using eTLD+1 but also this, and according to this, public-api.wordpress.com
is considered as 3rd party intentionally because it's included in a third-party iframe.
Comment 7•4 years ago
|
||
Steven, in this case, A (wordpress.com) -> B (wp.com) -> C (wordpress.com), so A and C should be considered as same origin regardless the origin of B, right?
Assignee | ||
Comment 8•4 years ago
•
|
||
Hi baku,
I talked offline with gary, and also from comment 4, I think the idea is that nested same-origin iframe should still be considered as first-party.
I'll write a summaty for all our third-party APIs...
ThirdPartyUtil::IsThirdPartyWindow
- not consider top-level
ThirdPartyUtil::IsThirdPartyChannel
- not consider top-level
nsContentUtils::IsThirdPartyWindowOrChannel(nsPIDOMWindowInner* aWindow, nsIChannel* aChannel, nsIURI* aURI)
when passingWindow
- not consider top-level
nsContentUtils::IsThirdPartyWindowOrChannel(nsPIDOMWindowInner* aWindow, nsIChannel* aChannel, nsIURI* aURI)
when passingChannel
- consider top-level
- AntiTrackingUtils::IsThirdPartyWindow
- not consider top-level, this API is actually the same as calling
nsContentUtils::IsThirdPartyWindowOrChannel
with window
- AntiTrackingUtils::IsThirdPartyChannel
- consider top-level, this API was added to support Fission because
nsContentUtils::IsThirdPartyWindowOrChannel
is not fission-compatible
As we talked yesterday, right now, the behavior of IsThirdPartyWindow and IsThirdPartyChannel is not sync (channel considers top-level while window doesn't). However, I guess there will be some cases requring 3rd-party API considering top-level (like this one?).
So I'll suggest we do the following:
- Do not use
nsContentUtils::IsThirdPartyWindowOrChannel
anymore because it is not fission-compatible (and also the function itself is confusing). We should replace places where we use this API with the other 3rd-party APIs - Update AntiTrackingUtils::IsThirdPartyWindow to consider top-level.
so for cases we need to consider top-level, useAntiTrackingUtils::IsThirdPartyXXX
, for cases we don't want to consider top-level, useThirdPartyUtil::IsThirdPartyXXX
.
Does that make sense?
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 9•4 years ago
|
||
also needinfo tim to see if tim has any comment
Comment 10•4 years ago
|
||
I think it totally makes sense to be consistent in terms of the behavior. There are too many APIs that we are using to check the third-partyness right now: this is confusing and error-prone. I think we need a well-written comment to describe the behavior since it is hard to tell if it is considering the top-level from the API name.
However, it is still unclear to me about in which case we need to consider top-level or not. So, in the long run, I think we need a clear definition of what it means for considering top-level in terms of antitracking and a general idea about where and why we need to consider the top-level. I believe it would be helpful to clarify things here.
Comment 11•4 years ago
|
||
I agree with Tim about the number of APIs. I'm working to get rid of nsContentUtils::IsThirdPartyWindowOrChannel
, AntiTrackingUtils::IsThirdPartyWindow
and AntiTrackingUtils::IsThirdPartyChannel
. We should have only one 3rd-party implementation.
Note that cookieService has a completely independent implementation because of the "confusion" related to the window/channel chain. CookieService uses ThirdPartyUtils directly to compute how to treat the sameSite
attribute. This also should go away, but it cannot, with the Dimi's proposal.
The 3rd-partyness and cross-origin have a lot in common, but they have differences, and we should spend a bit of time formalizing them. Anne can definitely help here.
Talking about windows, in gecko we consider 3rd-party an iframe with a different base-domain (eTLD+1) than the parent's ones (exploring the whole chain). This means that if the iframe chain is: A.com (first-party) -> B.com -> A.com
, A2 is 3rd-party vs B.com, B.com is 3rd-party vs A1.com and, because of this, A2 is 3rd-party vs A1.
This is what is implemented in the ThirdPartyUtils and it's fission-compatible. We don't do the same for nsIChannels, but I think it's a bug and it should be fixed. (Dimi and I had a quick chat yesterday about it).
In the anti-tracking project, often we use a different 3rd-party check: we use a window-TO-top-level comparison. This means that A2 and A1 are first-party when considering just the iframe and the top-level window. Maybe we should use this check here too.
What Dimi proposes is to use the window-vs-top-level comparison everywhere (am I right?). This could work for the anti-tracking project, but not for the rest of gecko. CookieService is an example but there are more.
To me the next steps here are:
- unify the window and channel 3rd-party implementations. Considering the whole chain.
- define if we want 3rd-party or 3rd-party-vs-top-level check for the anti-tracking project. To me we should use 3rd-party-vs-top-level here (without making it the default 3rd-party check).
Anne, thoughts?
Assignee | ||
Comment 12•4 years ago
|
||
(In reply to Andrea Marchesini [:baku] from comment #11)
What Dimi proposes is to use the window-vs-top-level comparison everywhere (am I right?). This could work for the anti-tracking project, but not for the rest of gecko. CookieService is an example but there are more.
Not exactly, what I proposed is:
-
Make sure
AntiTrackingUtils::IsThirdPartyWindow
andAntiTrackingUtils::IsThirdPartyChannel
consider top-level, and use this for anti-tracking project. -
Make sure
ThirdPartyUtil::IsThirdPartyWindow
andThirdPartyUtil::IsThirdPartyChannel
consider the whole chain, use this API in places we don't care about top-level, for example, as you mentioned, CookieService. -
Get rid of
nsContentUtils::IsThirdPartyWindowOrChannel
, replace them with eitherAntiTrackingUtils::IsThirdPartyXXX
orThirdPartyUtil::IsThirdPartyXXX
depends on the expected behavior
Basically I think the idea is the same as yours.
To me the next steps here are:
- unify the window and channel 3rd-party implementations. Considering the whole chain.
- define if we want 3rd-party or 3rd-party-vs-top-level check for the anti-tracking project. To me we should use 3rd-party-vs-top-level here (without making it the default 3rd-party check).
Agree!
One question, if there is any case in Anti-tracking project we don't care about top-level?
Updated•4 years ago
|
Comment 13•4 years ago
|
||
As discussed yesterday, ignoring the checks needed for SameSite cookies, we basically want two concepts of third party:
- Third party origin (current origin is not same origin with the top-level origin)
- Third party site (current site is not same site with the top-level site)
And for dFPI we pretty much only need the latter. Note that this also means that the current checks for the latter need to start taking scheme into account. If http://example.com/
embeds https://example.com/
, then the latter is both a third-party origin and a third-party site.
(And to address comment 7, yes, A and B are same origin and have direct script access.)
Assignee | ||
Comment 14•4 years ago
|
||
Assignee | ||
Comment 15•4 years ago
|
||
Depends on D86714
Assignee | ||
Comment 16•4 years ago
|
||
This test tests whether cookies can be set in the following frames:
top-level: http://example.org/tests/netwerk/test/mochitests/file_domain_hierarchy_inner.html
1st-level: http://example.com/tests/netwerk/test/mochitests/file_domain_hierarchy_inner_inner.html
2nd-level: http://example.org/tests/netwerk/test/mochitests/file_domain_hierarchy_inner_inner_inner.html
Before this patch, the 2nd-level iframes can't set a cookie.
After this patch, the 2nd-level is considered first-party and can set a cookie.
Depends on D86715
Assignee | ||
Comment 17•4 years ago
|
||
This testcase has:
top-level: mochi.test
1st-level: host (depend on the value in the test data)
2nd-level: mochi.test
This test run tests in the 2nd-level iframe, which is first-party with
respect to the top-level according to the new change.
The test is re-written to run tests in both 1st-level iframe and
2nd-level iframes.
Depends on D86716
Comment 18•4 years ago
|
||
Pushed by dlee@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/47b142630cf9 P1. AntiTrackingUtils::IsThirdPartyWindow and AntiTrackingUtils::IsThirdPartyChannel should consider top-level r=timhuang https://hg.mozilla.org/integration/autoland/rev/fadf02e459b6 P2. Use TYPE_DOCUMENT to ensure IsThirdPartyContextToTopWindow is false when loading a top-level r=timhuang https://hg.mozilla.org/integration/autoland/rev/0fa31c531db2 P3. Fix test_different_domain_in_hierarchy.html test failure r=timhuang https://hg.mozilla.org/integration/autoland/rev/1e2a698cb187 P4. Fix test_third_party.html test failure r=timhuang
Comment 19•4 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/47b142630cf9
https://hg.mozilla.org/mozilla-central/rev/fadf02e459b6
https://hg.mozilla.org/mozilla-central/rev/0fa31c531db2
https://hg.mozilla.org/mozilla-central/rev/1e2a698cb187
Description
•