Closed Bug 1740329 Opened 4 years ago Closed 3 years ago

Salesforce application gives misleading error message due to dFPI

Categories

(Core :: Privacy: Anti-Tracking, defect, P2)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox96 --- affected

People

(Reporter: kathleen.a.wilson, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Screen Shot 2022-03-17 at 9.41.31 AM.png
688.19 KB, image/png
Details
Screen Shot 2022-03-23 at 11.37.17 AM.png
277.90 KB, image/png
Details

Salesforce seemingly randomly displays the following error message on Firefox Nightly (noticed in FF 95, continuing in FF 96).

We can't display this page because your browser blocks cross-domain cookies. Try again with a different supported browser.

When the error message starts happening, I am able to get it to stop by turning off Enhanced Tracking Protection via the shield icon in the Firefox address bar.

Explanation by Dan Veditz: "Standard" is fine, doesn't need to be "off". The problem is dynamic First-Party Isolation (dFPI) which is newly part of "Strict" in nightly.

Screenshots are available here: https://bugzilla.mozilla.org/show_bug.cgi?id=1712018#c17

Specifically we're seeing this on our Common CA Database app at https://ccadb.my.salesforce.com/, which appears to involve resources from *.salesforce.com and *.visualforce.com (and maybe *.force.com, too?). The initial login works fine, but after several hours (maybe when an oauth token needs to be refreshed?) we get the above message.

I don't know if Salesforce will fix this on their end by using the Storage Access API, or if we need a compat-shim of some kind for safeforce apps. Can't really call it a "bug" in dFPI -- this is just a natural consequence. There are few enough users of CCADB that we could just instruct them all to turn off dFPI or add cookie exceptions for the domains involved, but I'm pretty confident all the ".my.safeforce.com" apps (and maybe more salesforce things) are going to have this issue. That's a whole ton of users judging by their revenue numbers

Summary: Salesforce gives misleading error message due to dFPI → Salesforce application gives misleading error message due to dFPI

(In reply to Kathleen Wilson from comment #0)

Explanation by Dan Veditz: "Standard" is fine, doesn't need to be "off". The problem is dynamic First-Party Isolation (dFPI) which is newly part of "Strict" in nightly.

I misspoke. dFPI ("Total Cookie Protection") has been part of "Strict" tracking protection since Firefox 86, and in those versions switching to "Standard" would fix the problem. The change in Nightly 95 (not riding the trains) is that dFPI is the default all the time even in "standard" tracking protection mode. Switching to "Standard" will not fix the problem in Nightly. Options until fixed on the Salesforce side include

  1. add Tracking Protection exceptions (turned off) for the salesforce domains
  2. add cookie exceptions ("Allow") for the salesforce domains
  3. use "Custom" tracking protection and change the cookie setting to turn off dFPI everywhere

This may be a useful blog post for someone trying to make their site compatible with dFPI:
https://hacks.mozilla.org/2021/02/introducing-state-partitioning/

dFPI has been the default in Private Browsing since Firefox 89.

I guess our storage access redirect heuristics granted the storage access during the login and this makes it work at the beginning. However, the permission only lasts for 15 mins. So, the issue starts appearing after the permission expired.

I think the right solution is to ask salesforce to use Storage Access API, but there are things we can do to mitigate this issue. For example, we can extend the permission expired time to 30 days. We had a discussion regarding this before and we think this is a reasonable change and can reduce breakages to a certain extent. Or we can try to add a shim for this. However I don't have an account, so I cannot test this to see if a shim is available here. But, from what I saw in https://ccadb.my.salesforce.com/, there is a login button and we probably can add a shim when the user click the login button.

See Also: → 1712018

(In reply to Tim Huang[:timhuang] (PTO until 11/16) from comment #3)

but there are things we can do to mitigate this issue. For example, we can extend the permission expired time to 30 days. We had a discussion regarding this before and we think this is a reasonable change and can reduce breakages to a certain extent.

That should definitely reduce the breakage, and I'm happy to test that.

Or we can try to add a shim for this. However I don't have an account, so I cannot test this to see if a shim is available here. But, from what I saw in https://ccadb.my.salesforce.com/, there is a login button and we probably can add a shim when the user click the login button.

Would that change be specific to CCADB? I am more concerned about all of the other Salesforce users.
(I can tell the CCADB users how to configure their browsers to use CCADB, so limited impact there. I view CCADB as a canary for other Salesforce users on Firefox.)

(In reply to Kathleen Wilson from comment #4)

(In reply to Tim Huang[:timhuang] (PTO until 11/16) from comment #3)

but there are things we can do to mitigate this issue. For example, we can extend the permission expired time to 30 days. We had a discussion regarding this before and we think this is a reasonable change and can reduce breakages to a certain extent.

That should definitely reduce the breakage, and I'm happy to test that.

We have a pref that allows us to adjust the expired time, which is privacy.restrict3rdpartystorage.expiration_redirect. You could manually change this to 30 days to see if the problem mitigates.

Or we can try to add a shim for this. However I don't have an account, so I cannot test this to see if a shim is available here. But, from what I saw in https://ccadb.my.salesforce.com/, there is a login button and we probably can add a shim when the user click the login button.

Would that change be specific to CCADB? I am more concerned about all of the other Salesforce users.
(I can tell the CCADB users how to configure their browsers to use CCADB, so limited impact there. I view CCADB as a canary for other Salesforce users on Firefox.)

The shim can apply to all matching domains for salesforece.com as long as the login process is similar. But, it's expected that it could be different across Salesforce users. So, the ideal solution would be that Salesforce uses StorageAccessAPI. We should contact them about this.

Peter, would you be able to contact Salesforce about this to see if they are interested in supporting StorageAccessAPI?

Flags: needinfo?(stpeter)

I've reached out to my best contact at Salesforce and will report back.

Flags: needinfo?(stpeter)
Severity: N/A → S3
Priority: -- → P2

This is happening in Firefox release (v98) now!

CCADB is a Salesforce cloud instance. To be clear, it's not the CCADB that I'm worried about (that's a rather small community). What I'm worried about is that Salesforce users (across all instances that use common tools from force.com and visualforce.com) will see this message unless they have added the cookie exceptions to their Firefox browser settings.

Rather than saying "Try again with a different supported browser." Salesforce should point people to https://help.salesforce.com/s/articleView?id=sf.pages_browser_security_settings.htm&type=5 or give similar instructions about which domains to add to their third-party cookie exceptions list in their browser settings.

Adding salesforce.com, force.com, and visualforce.com to the cookies exception list solves the problem.

The issue here is about the error message telling users to try again with a different browser.

Tim, are you the right person to re-visit this one?

Flags: needinfo?(tihuang)

Tom, would you be able to check if Shim script is helpful here?

Flags: needinfo?(tihuang) → needinfo?(twisniewski)

In general, if there is a login button, we can shim around it, yes.

Unfortunately in this case it seems each site can use its own login solution, as CCADB has their own login page which POSTS to their own subdomain for login. I suspect that don't want to make a shim which applies on every related subdomain, and tries to guess their possible login buttons. That leaves us having to shim on a site-by-site basis as we discover them.

Flags: needinfo?(twisniewski)

Just FYI that my Salesforce admin filed a Salesforce Support Case about this.
We have also done so in the past, but each time the Salesforce Support Case would just get closed as us not using a supported browser. Now that the problem is in release, maybe they will do something about it...

Just FYI that our Salesforce Support Case is going to be closed for the following reason: "Unfortunately Salesforce Support can only assist with break/fix solutions. For any suggestions to our product or the messaging it provides, I would recommend reaching out to your account team with these suggestions or our idea exchange."

So someone from Mozilla should try to find an alternative path for working with Salesforce to updated their error message.

Depends on: 1761207
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

Kathleen and Cameron Could not reproduce issue. According to Kathleen she tried to reproduce in FF 99.0.1and was not able to reproduce it

Last was an issue in FF 98

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: