Closed Bug 1656171 Opened 4 years ago Closed 3 years ago

Unable to login with Facebook/Google/Twitter on Kinja form with ETP - Standard enabled

Categories

(Core :: Privacy: Anti-Tracking, defect, P2)

Product:
Core
Component:
Privacy: Anti-Tracking
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
95 Branch
Project Flags:
Webcompat Priority ?
Tracking Flags:
Tracking Status
firefox87 --- wontfix
firefox95 --- verified

People

(Reporter: oanaarbuzov, Assigned: pbz)

References

(Blocks 2 open bugs,
URL
)

Details

Attachments

(2 files)

ETPStandard_EtpDisabled.png
55.79 KB, image/png
Details
Bug 1656171 - Shim requestStorageAccess calls for Kinja-powered blogs. r=twisniewski!,#anti-tracking-reviewers
48 bytes, text/x-phabricator-request
Details | Review

Environment:
Browser / Version: Firefox Nightly 81.0a1 (2020-07-29)
Operating System: Windows 10 Pro

Steps to reproduce:

  1. Navigate to https://jalopnik.com/a-man-bought-seven-cars-for-a-total-of-1-915-but-his-h-1844530785#replies
  2. Scroll down to "Discussion" area, and click "See all replies" button.
  3. Wait until comments are displayed and click the star.
  4. After "Login" form is displayed click "Connect with Facebook".
  5. Observe behavior.

Expected result:
Login with Facebook is performed and the star is highlighted (blue).

Actual result:
Login with Facebook is not performed.

**Note: **

  1. The same issue occurs for Google and Twitter logins.
  2. With ETP disabled the login works.
Blocks: dfpi-breakage
No longer blocks: etp-breakage
Severity: -- → S3
Flags: needinfo?(tihuang)
Priority: P3 → P2

This does not reproduce when I switch back to behavior 4. Note that you must complete a login to see the breakage. It looks like Facebook isn't being granted an exception for dFPI.

It seems that the login data of https://jalopnik.com/ is saved under the https://kinja.com. And the https://kinja.com is partitioned in https://jalopnik.com/. So, the login data cannot be fetched in https://jalopnik.com/. I can fix the login issue if I put the https://kinja.com into the exception list, which somehow proves that this is the case.

Flags: needinfo?(tihuang)

The issue can no longer be reproducible in the replies and it seems that it consistently breaks in the reply that I cannot log in anymore even with ETP disabled or by using Chrome. But we can still spot the same issue when logging in jalopnik.com.

The login process of jalopnik.com will first open the third party login page as a popup, like the Google login page. Once the login finishes with Google, the popup window will redirect to kinja.com to save the login data, then close the popup. And then, jalopnik.com gets the login data from it's third-party 'kinja.com' to log in.

Our opener heuristic doesn't work here since the popup was opened with Google instead of kinja.com.

And it seems that jalopnik.com has implemented the StorageAccessAPI for Safari because there will be a prompt for storage access when I start to login in jalopnik.com.

So, I think we should contact them to make them also implement StorageAccessAPI for Firefox.

Peter, would you be able to contact them about this?

Flags: needinfo?(stpeter)

The login is not triggered when clicking a star (both on Firefox and Chrome).

On https://jalopnik.com/, with ETP - Standard and ETP - Strict I'm able to sign in with Facebook/Twitter/Google.
https://prnt.sc/y0qy0o

On kotaku.com, sign in with Facebook/Twitter/Google does not works with ETP - Standard or Strict.
https://prnt.sc/y0qz86

Tested with:
Browser / Version: Firefox Nightly 87.0a1 (2021-02-01)
Operating System: Windows 10 Pro

status-firefox87: --- → affected

It looks like Kinja are not calling the Storage Access API themselves, WebKit just has a quirk for it: https://github.com/WebKit/WebKit/commit/62dad650a37545f4de947da297767cd52145009f

Flags: needinfo?(stpeter)
Blocks: 1728133
Assignee: nobody → pbz
Status: NEW → ASSIGNED
Depends on: 1732478
Attachment #9239399 - Attachment description: WIP: Bug 1656171 - Kinja shim → WIP: Bug 1656171 - Shim requestStorageAccess calls for Kinja-powered blogs. r=twisniewski!,#anti-tracking-reviewers
Attachment #9239399 - Attachment description: WIP: Bug 1656171 - Shim requestStorageAccess calls for Kinja-powered blogs. r=twisniewski!,#anti-tracking-reviewers → Bug 1656171 - Shim requestStorageAccess calls for Kinja-powered blogs. r=twisniewski!,#anti-tracking-reviewers
Depends on: 1732919
Webcompat Priority: --- → ?
Blocks: tp-shim
See Also: → 1733566

I couldn't manage to reproduce this issue with ETP enabled, I tried on Firefox Nightly 95.0a1, Firefox 94.0b1 and on Firefox 92.0.1.

(In reply to Hani Yacoub from comment #9)

I couldn't manage to reproduce this issue with ETP enabled, I tried on Firefox Nightly 95.0a1, Firefox 94.0b1 and on Firefox 92.0.1.

This is expected. The sites are currently allowlisted via intervention, see Bug 1728133.

Pushed by pzuhlcke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/81954ba2ba03
Shim requestStorageAccess calls for Kinja-powered blogs. r=webcompat-reviewers,twisniewski,anti-tracking-reviewers

https://hg.mozilla.org/mozilla-central/rev/81954ba2ba03

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox95: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch

Verified as fixed on Firefox Nightly 95.0a1 on Windows 10 x64, macOS 11.6 and on Ubuntu 20.04,

Status: RESOLVED → VERIFIED
status-firefox95: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: