Open Bug 1684004 Opened 5 months ago Updated 7 days ago

Can't export Google Contacts on Nightly

Categories

(Core :: Privacy: Anti-Tracking, defect, P2)

defect

Tracking

()

People

(Reporter: flod, Unassigned)

References

(Blocks 2 open bugs)

Details

Currently on Firefox 86 macOS (Nightly, 20201222215026). I tried exporting my Contact from Google, and after selecting the format (e.g. CSV Google) and clicking Export, nothing happens.

In Google Chrome, a download is initiated right after clicking. I can't see anything useful in the console or the Network panel.

More notes:

  • It works normally in release (84) and beta (85.0b4), but it fails also in a new profile with the same Nightly.
  • Fission is enabled in my everyday profile, and disabled in the new one, so that's not the cause.
  • Tried disabling all experiments, and disabling some options in Tracking Protection, but no luck.

I tried with mozregression, going back to mid October (83, 20201015215335), and it still fails. So, it must be some settings that it's on by default on Nightly.

Summary: Can't export Google Contacts → Can't export Google Contacts on Nightly

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Netmonitor
Product: Firefox → DevTools

This does not look like a devtools issue

Component: Netmonitor → General
Product: DevTools → Core
Product: Core → Firefox

I see Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified logged when attempting to export so this sounds like an issue with either bad CSP on Google's end or bad interpretation of CSP on our end.

Component: General → DOM: Security
Product: Firefox → Core

Lukas, maybe a problem on Google's end?

Flags: needinfo?(lwe)

That's just a normal CSP warning on Google's part. Their CSP uses strict-dynamic but also includes unsafe-inline for backwards compatibility with older browsers that don't support strict-dynamic. It's just letting a dev know that part was ignored in case they were depending on it. It does not indicate CSP is broken for this page.

Unfortunately, it's quite common that these warnings for required fallbacks in CSP lead to confusion.
I'm wondering if we could turn these warnings into informational items in the console. E.g. unsafe-inline being ignored in presence of a CSP nonce or hash is positive for security.

Flags: needinfo?(lwe)

Lukas: that's a good point about our warnings being overly verbose, but our question for you was if you knew why the download itself was broken on Firefox (since the CSP warning is irrelevant).

Flags: needinfo?(lwe)

Sorry, my fault.
I don't have much context on Google Contacts, but iirc they're using a "safe downloader" which is using a sandboxed iframe and blobs to allow "safe" downloads. Since this is still working in Chrome, the downloader itself doesn't seem to be broken.
Maybe FF nightly treats blob downloads in sandboxed iframes differently now?

Flags: needinfo?(lwe)

I don't have much context on Google Contacts, but iirc they're using a "safe downloader" which is using a sandboxed iframe and blobs to allow "safe" downloads

This is a good hint. So this is caused by bug 1658878 "Isolate BlobURLs per agent-cluster". Disabling the pref privacy.partition.bloburl_per_agent_cluster makes downloads work again.

Blocks: 1590107, 1686111
Component: DOM: Security → Privacy: Anti-Tracking

This code definitely should have some kind of warning logged to the console to make this debuggable.

(In reply to Tom Schuster [:evilpie] from comment #11)

This code definitely should have some kind of warning logged to the console to make this debuggable.

Filed bug 1686441

Severity: -- → S3
Priority: -- → P2

Is this possible to fix on our side with the privacy properties that we want to uphold?

You need to log in before you can comment on or make changes to this bug.