Breakage on Sanoma-owned publications, possibly from cookie blocking
Categories
(Core :: Privacy: Anti-Tracking, defect, P3)
Tracking
()
People
(Reporter: englehardt, Unassigned)
Details
Copying from https://github.com/mozilla-services/shavar-prod-lists/issues/400. Note that I haven't verified this.
hs.fi is a newspaper site owned by sanoma.fi. Subscribers log in on tili.sanoma.fi (as you can see by clicking "Kirjaudu" in the top right corner of hs.fi) and the login state is supposed to be reflected on hs.fi. With ETP in "strict" mode, hs.fi fails to discover the logged-in state if the login has been performed in an earlier session. This started happening in Firefox for iPad a couple of weeks earlier than it started happening in Fenix.
My undebugged hypothesis is that we treat sanoma.fi as a third party relative to hs.fi and strip the login cookie from requests to sanoma.fi (or block requests altogether) when hs.fi is the location bar domain.
Please add a same-entity annotation that allows hs.fi to perform cookieful requests to sanoma.fi.
While at it, it would make sense to also allow other sanoma.fi properties to make cookieful requests to the IdP. These are listed as linked logos on https://oma.sanoma.fi/v2/aihe/sanoma-tili/mika-on-sanoma-tili-ja-mihin-sita-kaytetaan
|
||
Comment 1•5 years ago
|
||
I cannot reproduce this issue in Nightly by using the Responsive Design Mode with Fenix user-agent in strict mode.
I can successfully log in and the login status remains after I close the tab and then open the site again.
Henri, I saw that you reported this. Would you be able to provide steps to help us with debugging this? Thanks.
|
||
Comment 2•5 years ago
|
||
(In reply to Tim Huang[:timhuang] from comment #1)
I cannot reproduce this issue in Nightly by using the Responsive Design Mode with Fenix user-agent in strict mode.
Login persists for me again in Fenix now (and on desktop). The situation has been particularly bad in Firefox for iPad for maybe three weeks, but, of course, now that I try to repro it to try to figure out the specific behavior, I can't repro.
(Previously in Firefox for iPad, even opening an article link in a new tab made the article in the new tab show up as as logged out.)
|
|
||
Updated•5 years ago
|
|
|
||
Comment 3•5 years ago
|
||
The problem is back in a conspicuous way in Firefox for iPad, but I have trouble seeing the logic of when the login gets forgotten and when not.
|
|
||
Comment 4•5 years ago
|
||
There is one thing which is unclear to me that the Firefox for iPad doesn't use Gecko. IIUC, it's using webkit. So, the breakage should be triggered by something else rather than ETP. Does this have something to do with STP? Does the same issue be reproducible on Safari?
Steven, what do you think?
Henri, could you please try Safari to see if there is the same issue?
|
|
||
Comment 5•5 years ago
|
||
I'll experiment with Safari. The UI for Firefox for iPad talks about ETP, but it seems plausible that STP could interfere.
|
Reporter | |
Comment 6•4 years ago
|
||
Unfortunately Firefox for iOS layers ETP over WebKit's ITP, so the breakage could be caused by either of them (or the interplay between the two).
Try disabling ETP via the shield icon in the address bar. If you still see issues then it's likely ITP. There should be a way to disable ITP within your settings, but I'm not sure if it will be exposed as a Firefox setting or as an "embedded browser" setting somewhere in iOS. Unfortunately Apple doesn't provide hooks for us to disable ITP programmatically.
|
|
||
Comment 7•4 years ago
|
||
I tried Safari for a couple of days. It stays logged in regardless of how I end up onto an article page (from front page, from Twitter, from opening a link in a new tab).
I'll try Firefox for iPad with ETP disabled next.
|
|
||
Comment 8•4 years ago
|
||
Safari does not have this problem.
Firefox for iPad continues to have this problem even if I use the location bar shield to disable ETP both for hs.fi and tili.sanoma.fi.
Description
•