Can't export Google Contacts on Nightly
Categories
(Core :: Privacy: Anti-Tracking, defect, P2)
Tracking
()
Webcompat Priority | P3 |
People
(Reporter: flod, Unassigned)
References
(Blocks 1 open bug)
Details
Currently on Firefox 86 macOS (Nightly, 20201222215026). I tried exporting my Contact from Google, and after selecting the format (e.g. CSV Google) and clicking Export, nothing happens.
In Google Chrome, a download is initiated right after clicking. I can't see anything useful in the console or the Network panel.
More notes:
- It works normally in release (84) and beta (85.0b4), but it fails also in a new profile with the same Nightly.
- Fission is enabled in my everyday profile, and disabled in the new one, so that's not the cause.
- Tried disabling all experiments, and disabling some options in Tracking Protection, but no luck.
Reporter | ||
Comment 1•3 years ago
|
||
I tried with mozregression, going back to mid October (83, 20201015215335), and it still fails. So, it must be some settings that it's on by default on Nightly.
Comment 2•3 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 3•3 years ago
|
||
This does not look like a devtools issue
Reporter | ||
Updated•3 years ago
|
Comment 4•3 years ago
|
||
I see Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
logged when attempting to export so this sounds like an issue with either bad CSP on Google's end or bad interpretation of CSP on our end.
Comment 6•3 years ago
|
||
That's just a normal CSP warning on Google's part. Their CSP uses strict-dynamic
but also includes unsafe-inline
for backwards compatibility with older browsers that don't support strict-dynamic
. It's just letting a dev know that part was ignored in case they were depending on it. It does not indicate CSP is broken for this page.
Comment 7•3 years ago
|
||
Unfortunately, it's quite common that these warnings for required fallbacks in CSP lead to confusion.
I'm wondering if we could turn these warnings into informational items in the console. E.g. unsafe-inline
being ignored in presence of a CSP nonce or hash is positive for security.
Comment 8•3 years ago
|
||
Lukas: that's a good point about our warnings being overly verbose, but our question for you was if you knew why the download itself was broken on Firefox (since the CSP warning is irrelevant).
Comment 9•3 years ago
|
||
Sorry, my fault.
I don't have much context on Google Contacts, but iirc they're using a "safe downloader" which is using a sandboxed iframe and blobs to allow "safe" downloads. Since this is still working in Chrome, the downloader itself doesn't seem to be broken.
Maybe FF nightly treats blob downloads in sandboxed iframes differently now?
Comment 10•3 years ago
|
||
I don't have much context on Google Contacts, but iirc they're using a "safe downloader" which is using a sandboxed iframe and blobs to allow "safe" downloads
This is a good hint. So this is caused by bug 1658878 "Isolate BlobURLs per agent-cluster". Disabling the pref privacy.partition.bloburl_per_agent_cluster
makes downloads work again.
Updated•3 years ago
|
Comment 11•3 years ago
•
|
||
This code definitely should have some kind of warning logged to the console to make this debuggable.
Comment 12•3 years ago
|
||
(In reply to Tom Schuster [:evilpie] from comment #11)
This code definitely should have some kind of warning logged to the console to make this debuggable.
Filed bug 1686441
Updated•3 years ago
|
Updated•3 years ago
|
Comment 13•3 years ago
|
||
Is this possible to fix on our side with the privacy properties that we want to uphold?
Updated•3 years ago
|
Comment 14•2 years ago
|
||
Ksenia, can you verify if this is still an issue?
Comment 15•2 years ago
|
||
This is still an issue (if I enable privacy.partition.bloburl_per_agent_cluster
). This pref seems to be disabled by default though, so based on that setting webcompat priority as P3.
Comment 16•8 months ago
|
||
This issues was caused by the pref : privacy.partition.bloburl_per_agent_cluster. This pref is now disabled by default and current implementation of blob url partitioning using the pref : privacy.partition.bloburl_per_partition_key has been tested and has been shown to not cause breakages with sandbox iframes.
Description
•