Open Bug 1833251 Opened 1 year ago Updated 11 months ago

Issue with submitting a support webform with Enhanced Tracking Protection (strict) enabled. Essentially, you need to whitelist (add an exception) for mixpanelsupport.zendesk.com.

Categories: Core :: Privacy: Anti-Tracking, defect, P3

Status: UNCONFIRMED

People: Reporter: eric.nague, Unassigned

References: Blocks 1 open bug

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36

Steps to reproduce:

  1. Tried submitting a ticket in the web form
  2. Ticket did not go through
  3. Noticed mixpanelsupport.zendesk.com was not whitelisted
  4. Added it as an exception

Actual results:

The web form does not go through and the ticket is not created in our Zendesk instance.

Expected results:

The ticket should have been made and mixpanelsupport.zendesk.com should have been whitelisted.

Not an exploitable security bug that needs to stay hidden.

Group: firefox-core-security
Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core

Is this the form you're referring to in step 1? https://help.mixpanel.com/hc/en-us/requests/new

Resources from https://mixpanelsupport.zendesk.com are blocked by our tracking protection in ETP strict because zendesk.com is on the Disconnect list.

You can see this if you look up the URL via about:urlclassifier in Firefox. Here is the result:

tracking-protection
URI: https://mixpanelsupport.zendesk.com/
List of tables: analytics-track-digest256
Severity: -- → S3
Type: enhancement → defect
Flags: needinfo?(eric.nague)
Priority: -- → P3
Blocks: tp-breakage

I see - that makes sense and yes, that looks right! Thank you for scoping that out.

Is there a way we could work around this so that our support tickets can be made through Firefox, or how we could inform our customers about this?

Flags: needinfo?(eric.nague)

It only affects ETP strict, which is a smaller population of Firefox. Users can work around this issue by disabling ETP for the current site via the toggle in the protections panel (shield icon). They can also switch to ETP standard.

Is https://help.mixpanel.com Zendesk too, but with your domain, or is that a different property? Otherwise, if you host both the iframe and the support site (https://help.mixpanel.com) under the same domain, there won't be any issues with ETP. We only block third-party trackers.

I'm curious why all subdomains of zendesk.com are on the list. That seems quite broad. We don't maintain the list, so for questions or list changes you can contact Disconnect, e.g. by filing an issue on their repository here: https://github.com/disconnectme/disconnect-tracking-protection

Flags: needinfo?(eric.nague)

Yes, https://help.mixpanel.com is from the Zendesk domain. Can you say more about the list? Would I reach out to Disconnect to get on the whitelist for https://mixpanelsupport.zendesk.com?

Flags: needinfo?(eric.nague)

I don't think individual domains are allow-listed, however you could check with them if really all of *.zendesk.com should be classified as a tracker. Specifically the route you use for the support form script.

As mentioned in my previous comment, it might also be possible to serve e.g. https://mixpanelsupport.zendesk.com/auth/v2/host/without_iframe.js under your own domain? Perhaps Zendesk can help here.

I've just tested submitting a request with Firefox Nightly ETP strict enabled. Seems to work fine? I get a confirmation that the request has been submitted successfully.
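The blocking rule described in the two comments above (a load is blocked in ETP strict only when the resource is third-party to the page and its host matches a tracking-list entry, so an entry for zendesk.com covers mixpanelsupport.zendesk.com, while the same script served from the site's own domain is not blocked), as an added JavaScript model. This is example code written for this page, not Firefox's or Disconnect's implementation: it substitutes a small constructed public-suffix subset for the real Public Suffix List, a constructed one-entry blocklist for the analytics-track-digest256 table, and the first-party-hosted script URL under help.mixpanel.com is hypothetical.

```javascript
// Added example, not Firefox or Disconnect code: a simplified model of the two
// checks ETP strict applies before blocking a resource load.

// Constructed: a public-suffix subset sufficient for the hosts in this thread.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Constructed: stand-in for the Disconnect analytics entries. The real list is
// much larger; the point is that one entry covers the host and all subdomains.
const TRACKER_BLOCKLIST = new Set(["zendesk.com"]);

// Registrable domain (eTLD+1): the first label above the longest matching
// public suffix, plus the suffix itself. Returns null for a bare suffix.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // No known suffix in the constructed subset: treat the whole host as the site.
  return labels.join(".");
}

// Host-suffix matching as the classifier does it: a list entry matches the
// host itself or any parent domain (never the bare TLD).
function matchesBlocklist(hostname, blocklist) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Third-party means the resource's site differs from the page's site.
function isThirdParty(pageUrl, resourceUrl) {
  return baseDomain(new URL(pageUrl).hostname) !==
         baseDomain(new URL(resourceUrl).hostname);
}

// ETP strict blocks a load only when BOTH hold: third-party AND listed.
function etpStrictWouldBlock(pageUrl, resourceUrl, blocklist = TRACKER_BLOCKLIST) {
  const host = new URL(resourceUrl).hostname;
  return isThirdParty(pageUrl, resourceUrl) && matchesBlocklist(host, blocklist);
}

// The situations discussed in the thread. The first-party-hosted script URL
// is hypothetical (the workaround suggested above, not a real Zendesk path).
function threadScenarios() {
  const supportForm = "https://help.mixpanel.com/hc/en-us/requests/new";
  const zendeskScript = "https://mixpanelsupport.zendesk.com/auth/v2/host/without_iframe.js";
  return {
    // Custom-domain help center pulling the script from *.zendesk.com: blocked.
    zendeskScriptOnCustomDomain: etpStrictWouldBlock(supportForm, zendeskScript),
    // Same script loaded by a page on mixpanelsupport.zendesk.com: first-party, allowed.
    zendeskScriptOnZendeskPage: etpStrictWouldBlock("https://mixpanelsupport.zendesk.com/", zendeskScript),
    // Script served under the site's own domain (hypothetical path): allowed.
    scriptServedFirstParty: etpStrictWouldBlock(supportForm, "https://help.mixpanel.com/auth/v2/host/without_iframe.js"),
    // Third-party but unlisted host: allowed, ETP only blocks listed trackers.
    unlistedThirdParty: etpStrictWouldBlock(supportForm, "https://cdn.example.net/widget.js"),
  };
}

console.log(threadScenarios());
```

The model deliberately omits one piece of the real logic: Firefox also consults an entity list so that domains owned by the same company as the first-party site are not treated as third-party. That is why the reporter's own help.mixpanel.com is safe to serve the script from, and why asking Disconnect about the list entry is the other route the comments point to.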

Ok I'll reach out to both sources. Thank you!
