Open Bug 1747889 Opened 3 years ago Updated 1 year ago

"Sign in" is not recognized after enabling "Data Visualizer" add-in on office.com with ETP - Standard

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Product:
Core
Component:
Privacy: Anti-Tracking
Version:
Firefox 97
Platform:
Desktop
Windows 10
Type:
defect

Tracking

()

Status:
ASSIGNED
Tracking Flags:
Tracking Status
firefox97 --- affected

People

(Reporter: oanaarbuzov, Assigned: timhuang)

References

(Blocks 3 open bugs,
URL
)

Details

Attachments

(3 files)

StandardVsDisabled.png
180.26 KB, image/png
Details
pref false vs pref true
133.37 KB, image/png
Details
3 Strict vs OFF ETP.png
213.62 KB, image/png
Details
Attached image StandardVsDisabled.png

Environment:
Browser / Version: Firefox Nightly 97.0a1 (2021-12-29)
Operating System: Windows 10 Pro

Prerequisites:
ETP - Standard enabled.
Signed into Enterprise Microsoft account.

Steps to Reproduce:

  1. Navigate to
  2. Open a new blank workbook.
  3. Click "Insert" button from "Options" menu and choose "Office Add-ins" option.
  4. After "Office Add-ins" popup is displayed, click the "STORE" button.
  5. Select "Microsoft Visio Data Visualizer" add-in and add it to the workbook.
  6. Observe the "Data Visualizer" popup.

Expected Behavior:
"Sign in" is recognized and available "Flowcharts" are displayed.

Actual Behavior:
"Sign in" is not recognized, even if already sign into Microsoft account.

Notes:

  1. Screenshot attached.
  2. The issue is not reproducible with ETP disabled.
Assignee: nobody → tihuang
Status: NEW → ASSIGNED

I can reproduce the issue. The root cause is that https://login.microsoftonline.com/ doesn't have storage access under https://outlookwebtest-my.sharepoint.com/. So, it cannot access its login credential. This means that the Storage Access API should be called in https://login.microsoftonline.com/ when it's embedded in https://outlookwebtest-my.sharepoint.com/ so that this can work. And a shim is possible to fix this issue.

Severity: -- → S2
Blocks: 1740763
Blocks: dfpi-breakage
No longer blocks: etp-breakage

We have an intervention in place, see Bug 1740763. Lowering severity.

Severity: S2 → S3

Tim, could you confirm this intervention is still working? Testing on Firefox stable on PROD RemoteSettings the Data Visualizer still does not seem to recognize the login.
The *,https://login.microsoftonline.com entry is still in place.

Flags: needinfo?(tihuang)
Blocks: 1772545

Yes, this is also broken to me. I think they change their auth process because I need to allow the domain https://visio.officeapps.live.com to make it work. Maybe we need to add it to our list.

Flags: needinfo?(tihuang)

Thanks! Tim, since you're assigned, could you please update the skiplist entries and the respective bugs? Perhaps we can (after testing) just drop the generic entries for the the microsoftonline and live endpoints now?

Flags: needinfo?(tihuang)

Sure thing. I will do that.

Flags: needinfo?(tihuang)

I am not entirely sure if we can drop those two entries. But I can check if it's possible.

Per my testing, we still need the live.com endpoint to display the avatar icon. So, we couldn't drop it.

Oh, weird. The Data Visualizer addon works again even without allowing https://visio.officeapps.live.com. Maybe Microsoft change something that doesn't require this allowlist entry anymore.

Could you please check again if we still need the allowlist entries for MS login? afaic this is the last remaining bug before we can remove the entries.

Flags: needinfo?(tihuang)

I can no longer access the Microsoft Enterprise test account.

Raul, Calin,

Could you help with testing this? To test if we still need the allowlist entry, you can disable the allowlist by flipping the pref privacy.antitracking.enableWebcompat. And see if the problem still exists after disabling WebCompat interventions.

Flags: needinfo?(tihuang)
Flags: needinfo?(rbucata)
Flags: needinfo?(ctanase)

Hi Tim. I can still reproduce the issue with the pref set to FALSE in a clean profile. Setting the pref to TRUE (by default) in a clean profile does not present the reported issue, as with ETP set to STRICT, the account sign-in is recognized.

Tested with:

Browser / Version: Firefox Release 113.0.2 (64-bit)/ Firefox Nightly 115.0a1 (2023-05-23) (64-bit)
Operating System: Windows 10 PRO x64

Notes:

  1. Reproducible on the latest build of Firefox Nightly and Release.
  2. Accessing in a clean profile for the first time with the pref set to TRUE does not present the issue when accessing again with the pref set to FALSE.
Flags: needinfo?(rbucata)
Attached image pref false vs pref true
Comment on attachment 9335608 [details] pref false vs pref true There was an error when uploading the screenshot Link: https://prnt.sc/8HxVjJjKZWlp
Attached image 3 Strict vs OFF ETP.png

The issue is reproducible for me as well with the pref set to false and Strict ETP.

Tested on:
• Browser / Version: Firefox Nightly 115.0a1 (2023-05-23)
• Operating System: Windows 10

Flags: needinfo?(ctanase)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: