SameSite noneRequiresSecure = true breaks logging into myplan.johnhancock.com
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(firefox96 disabled, firefox109 disabled, firefox110 disabled, firefox111 disabled)
People
(Reporter: yoasif, Assigned: ksenia)
References
(Regression)
Details
(Keywords: nightly-community, regression)
Steps to reproduce:
- Navigate to https://myplan.johnhancock.com/login
- Type in username/password, click Login
What happens:
Form submits and page appears to reload.
I see this in the console:
Loading failed for the <script> with source “https://johnhancockfinancialservices.sc.omtrdc.net/b/ss/jhfs…2.22.0-LAWA/s58100189518704?AQB=1&ndh=1&pf=1&callback=s_c_il[1].doPostbacks&et=1&t=25%2F10%2F2020%2016%3A6%3A18%203%20300&d.&nsid=0&jsonv=1&.d&mid=20375281222620687980991451090888831279&aamlh=7&ce=UTF-8&pageName=MLN%3AJHRPS%20%7C%20Login&g=https%3A%2F%2Fmyplan.johnhancock.com%2Flogin&c.&di_launch_lib_ms=312.00&di_session_id_ms=442.00&di_session_id=di-311589-ACBA9DDDFAD8AE89F58CAA134257422E80&.c&cc=USD&events=event2&pe=lnk_o&pev2=link%20clicked&s=1366x768&c=24&j=1.6&v=N&k=Y&bw=1366&bh=414&mcorgid=369B27E253DB0DB20A490D4E%40AdobeOrg&lrt=1507&AQE=1”. login:1:1
Request to access cookie or storage on “https://bam-cell.nr-data.net/events/1/2e7ea17242?a=555111956…D%3D&rst=23187&ck=1&ref=https://myplan.johnhancock.com/login” was blocked because it came from a tracker and content blocking is enabled.
Request to access cookie or storage on “<URL>” was blocked because it came from a tracker and content blocking is enabled. 2
Expected result:
I am taken to my financial information.
17:22.57 INFO: Narrowed integration regression window from [28a2fba7, 150b8347] (4 builds) to [a14a131c, 150b8347] (2 builds) (~1 steps left)
17:22.57 INFO: No more integration revisions, bisection finished.
17:22.57 INFO: Last good revision: a14a131ca73171c6aab469abefb9db79120e056a
17:22.57 INFO: First bad revision: 150b8347d28f8a05bddd6cd9ea4b7851490639a1
17:22.59 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a14a131ca73171c6aab469abefb9db79120e056a&tochange=150b8347d28f8a05bddd6cd9ea4b7851490639a1
Reporter | ||
Updated•3 years ago
|
Updated•3 years ago
|
Comment 2•3 years ago
|
||
We appreciate your report. For this issue, unfortunately, a special account is needed to sign in. Test account creation requires a valid Social Security Number
Having no valid sign-in credentials, we are not able to move forward with this issue.
If more information is provided (test account credentials
can only be provided by mail for security purposes, as the comments here are made public,/ attach logs/errors), in-depth testing can be performed, so please feel free to reopen or comment on the issue and we'll have a thorough look at it.
Suggestion: Try clearing cache/data/cookies, disable Ad-blocker (if available), or use a clean profile, and check again? Also, have the required cookies have been accepted for this page? Also, is the issue reproducible on your side using the latest build of Firefox Nightly?
Reporter | ||
Comment 3•3 years ago
|
||
Raul, unfortunately, I continue to see the issue and the login requires two factor authentication (I am sent an email when an attempt to login is made with a code).
If someone is willing to diagnose this during working hours in New York, I'd be happy to share my credentials (along with sending over the second factor). I am available on Matrix if this makes sense. If there is a better way to go about this (logging, etc.), I am also happy to try that as well.
Comment 5•3 years ago
|
||
I'm chatting with the ETP team today to figure out who is best to deal with this, thanks for pinging me Karl.
Comment 6•3 years ago
|
||
Just to confirm, Asif just let me know that with laxByDefault=false on a fresh profile, the login does work.
Next we'll try to compare whether Chrome and Firefox are treating any of the cookies with different samesite strictness.
Comment 7•2 years ago
|
||
Any updates on this Tom, as an account is still needed on my part and account creation requires a valid SSN?
Comment 8•2 years ago
|
||
I think Asif has since lost access to his account, but we handed off all the information we could find directly to Ben before then. Hopefully he has enough to go on when he has time to revisit this issue. Ben, any updates?
Comment 9•2 years ago
|
||
I'm curious if the problem persists on FX96 because SameSite=Lax was just made default. Other than that I have no updates.
Comment 10•2 years ago
|
||
After some chat in Matrix, Asif and I discovered that this bug is resolved with a user agent switch to Chrome. I suspect the site is handing out different cookie flags for Chrome. We should reach out to get us the same treatment.
Also, this affects release with FX96.
Updated•2 years ago
|
Reporter | ||
Updated•2 years ago
|
Comment 11•2 years ago
|
||
The inability to log in to https://myplan.johnhancock.com/login continues. My customer service agent at John Hancock confirmed that it is a Firefox browser issue and that John Hancock has attempted to contact Mozilla about a fix but has so far been unsuccessful in getting the problem resolved. I do not know if it is because Mozilla has failed to respond, but I got that impression. The problem exists currently in Firefox version 96.0.1. The agent suggested using Microsoft Edge or Google Chrome to log in, which was not what I wanted to hear...
Comment 12•2 years ago
|
||
Alan: unfortunately, despite what the customer service agent (not a web developer) said, this is a John Hancock problem. Chrome and Edge "work" because the site uses the correct code, and they serve different, broken code to Firefox.
If you fool their site into thinking you're using Chrome it appears the site will work according to comment 10. One way to do this is to use an add-on to spoof your "User-Agent" string. One that is currently recommended by our Add-ons site (look for the badge) is https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/
CAUTION: although this will fix some sites, it will break some others that do need to treat Firefox and Chrome differently. I recommend changing the user-agent to Chrome in order to log in, and then reset it back to the default right after so you don't forget and get mysteriously broken sites later.
There is a more manual way to change the user-agent that doesn't involve an add-on, but it's more cumbersome. If you'd prefer that please ask for help at https://support.mozilla.org/
Comment 13•2 years ago
|
||
Thanks Daniel!
Assignee | ||
Comment 14•2 years ago
|
||
Until this is addressed by the website, we can ship a temporary UA override in Firefox as the site seems pretty popular. I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1751329 for that.
Comment 15•2 years ago
|
||
marking as disabled for fx96 since we set sameSite.laxByDefault and sameSite.noneRequiresSecure to false via a pref flip
Reporter | ||
Comment 17•2 years ago
|
||
(In reply to Oana Arbuzov [:oanaarbuzov] from comment #16)
Asif does the issue still reproduce on your side?
Oana, this issue continues to be reproducible on the latest Nightly with a fresh profile. I was able to login normally using GNOME Web.
Updated•2 years ago
|
Updated•2 years ago
|
Comment 18•2 years ago
|
||
Do you see any new console messages? We added more logging since two years ago.
Reporter | ||
Comment 19•2 years ago
•
|
||
I just tried this again this morning, and it actually worked this time. Perhaps JH has actually fixed this. I'm going to mark this WFM.
Reporter | ||
Updated•2 years ago
|
Reporter | ||
Comment 20•2 years ago
•
|
||
Okay - it works in release, but not in Nightly.
Console log from Nightly:
Cookie “s_sq” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. AppMeasurement.min.js:2:1763
Loading failed for the <script> with source “https://johnhancockfinancialservices.sc.omtrdc.net/b/ss/jhfswamjhreupeprod/10/JS-2.22.0-LAWA/s31796057750610?AQB=1&ndh=1&pf=1&callback=s_c_il[1].doPostbacks&et=1&t=8%2F6%2F2022%2013%3A11%3A27%205%20240&d.&nsid=0&jsonv=1&.d&mid=09335038968708836833827963107779218687&aamlh=7&ce=UTF-8&pageName=MLN%3ALog%20in%20to%20your%20John%20Hancock%20retirement%20account&g=https%3A%2F%2Fmyplan.johnhancock.com%2Flogin&c.&di_launch_lib_ms=2.00&di_session_id_ms=0.00&di_session_id=di-311589-D7DB84D78E32AE8F459CAA13B588B320A9&.c&cc=USD&events=event2&pe=lnk_o&pev2=link%20clicked&s=1920x1080&c=32&j=1.6&v=N&k=Y&bw=1280&bh=637&mcorgid=369B27E253DB0DB20A490D4E%40AdobeOrg&lrt=211&AQE=1”. login:1:1
Ignoring unsupported entryTypes: largest-contentful-paint. login:11:19666
No valid entryTypes; aborting registration. login:11:19666
Ignoring unsupported entryTypes: layout-shift. login:11:19762
Cookie “s_upe” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute. 2 login
Some cookies are misusing the “SameSite“ attribute, so it won’t work as expected 19
Use of the orientation sensor is deprecated. login:11:25269
Use of the motion sensor is deprecated. login:11:25269
*****THIS IS WORKING***** launch-EN87fc0302002640dfb05c0ca314d251cb.min.js:8:8769
Request to access cookie or storage on “https://bam.nr-data.net/1/2e7ea17242?a=555111956&v=1216.487a282&to=ZgcGZBZQWRdZUExeXV9NKWYnHmQNTFZbWEBUIQteEENYCFRWShh7XwYBSA%3D%3D&rst=924&ck=1&ref=https://myplan.johnhancock.com/login&ap=79&be=594&fe=888&dc=767&af=err,xhr,stn,ins&perf=%7B%22timing%22:%7B%22of%22:1657300287182,%22n%22:0,%22u%22:568,%22r%22:3,%22ue%22:574,%22re%22:259,%22f%22:259,%22dn%22:259,%22dne%22:259,%22c%22:259,%22s%22:259,%22ce%22:259,%22rq%22:261,%22rp%22:558,%22rpe%22:559,%22dl%22:567,%22di%22:753,%22ds%22:766,%22de%22:768,%22dc%22:887,%22l%22:887,%22le%22:895%7D,%22navigation%22:%7B%22rc%22:1%7D%7D&fcp=674&jsonp=NREUM.setToken” was blocked because it came from a tracker and content blocking is enabled.
Comment 21•2 years ago
|
||
Thank you!
Could you do me a favor and check if it still works after setting network.cookie.sameSite.laxByDefault
to false
in Nightly?
This following error message has me concerned that the actual breakage might be related to nonRequiresSecure and not laxByDefault.
Cookie “s_upe” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute.
Comment 22•2 years ago
|
||
Presumably the main breakage came from the inability to load the script, and that's more likely due to the s_sq
cookie. In theory Chrome would also reject s_upe
if it was set as SameSite=None without the secure attribute. Would a site only sometimes use the secure attribute depending on what browser was being used? It would take extra code to intentionally do that which is hard to believe, but we've seen sites do things like that so it's certainly possible.
Use of the orientation sensor is deprecated. login:11:25269
Use of the motion sensor is deprecated. login:11:25269
Love the apparent attempt to fingerprint you. I wonder what else they're poking around at that they shouldn't need for a financial site.
Comment 23•2 years ago
|
||
Makes no sense, but yes, John Hancock sends s_upe
with the secure attribute to Chrome and without to Firefox.
Chrome: set-cookie: s_upe=q41qrctvoi03wu5f5nvkvald; Path=/; SameSite=None; Secure; HttpOnly
Firefox: set-cookie: s_upe=mndazlxl1fzf03q1yanr5m4l; Path=/; SameSite=None; HttpOnly
That cookie was set on the initial page load so it's not a user auth cookie, but
- it shows they're quite willing to do this bananas thing and might on some other cookie that is more involved with auth
- maybe it's some kind of anti-abuse token or API key to load otherwise-static cross-origin resources
Following up comment 21: if disabling laxByDefault in nightly doesn't fix the site, please set network.cookie.sameSite.noneRequiresSecure
to false
and see if the site starts working.
If turning off noneRequiresSecure fixes the login, try turning laxByDefault back on (true
) and see if it works with only noneRequiresSecure disabled. Would be very nice to know if we're broken on the site for only one of them, or if either independently breaks the site.
Reporter | ||
Comment 24•2 years ago
|
||
Sorry about the delay here, team.
Setting:
network.cookie.sameSite.laxByDefault
= false
does not work.
Setting:
network.cookie.sameSite.laxByDefault
= false
network.cookie.sameSite.noneRequiresSecure
= false
works.
Setting:
network.cookie.sameSite.laxByDefault
= true
network.cookie.sameSite.noneRequiresSecure
= false
works.
Hope this helps!
Comment 25•2 years ago
|
||
Thanks for the confirmation!
Updated•2 years ago
|
Comment 26•1 year ago
|
||
Is the issue still reproducible for you, Asif? If so could you please test it with Enhanced Tracking Protection OFF, Standard and Strict, each on a clean profile and give us an update?
Reporter | ||
Comment 27•1 year ago
|
||
(In reply to Calin Tanase from comment #26)
Is the issue still reproducible for you, Asif? If so could you please test it with Enhanced Tracking Protection OFF, Standard and Strict, each on a clean profile and give us an update?
Calin, sure. On Firefox Nightly, the issue is reproducible with tracking protection in all of those configurations.
Comment 28•1 year ago
|
||
Thanks for the update, Asif.
Comment 29•1 year ago
•
|
||
Setting 109/110 to disabled
Updated•1 year ago
|
Comment 30•4 months ago
|
||
Since Chromium 80 (June 2020) has enforced Secure when SameSite=None, and this site has a fix but it just doesn't apply to Firefox. So I think we should enable it by default to enforce this site to apply their fix to Firefox as well. We SHOULD NOT put the security of all users at risk because of a garbage website. What's more, the maintainers of this website actually know about this problem, they just refuse to apply a fix for Firefox.
Comment 31•2 months ago
|
||
We won't be shipping samesitelax by default, so all of this breakage bug can be closed: Bug 1617609
Description
•