Issue with submitting a support webform with Enhanced Tracking Protection (strict) enabled. Essentially, you need to whitelist (add an exception) for mixpanelsupport.zendesk.com.
Categories: Core :: Privacy: Anti-Tracking, defect, P3
People: Reporter: eric.nague, Unassigned
References: Blocks 1 open bug
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Steps to reproduce:
- Tried submitting a ticket in web form
- Ticket did not go through
- Noticed mixpanelsupport.zendesk.com was not whitelisted
- Added it as an exception
Actual results:
The web form does not go through and the ticket is not created in our Zendesk instance.
Expected results:
The ticket should have been made and mixpanelsupport.zendesk.com should have been whitelisted.
Comment 1•1 year ago
Not an exploitable security bug that needs to stay hidden.
Comment 2•11 months ago
Is this the form you're referring to in step 1? https://help.mixpanel.com/hc/en-us/requests/new
Resources from https://mixpanelsupport.zendesk.com are blocked by our tracking protection in ETP strict because zendesk.com is on the Disconnect list.
You can see this if you look up the url via about:urlclassifier in Firefox. Here is the result:
tracking-protection
URI: https://mixpanelsupport.zendesk.com/
List of tables: analytics-track-digest256
Comment 3 (Reporter)•11 months ago
I see - that makes sense and yes, that looks right! Thank you for scoping that out.
Is there a way we could work around this so that our support tickets can be made through Firefox, or how we could inform our customers about this?
Comment 4•11 months ago
It only affects ETP strict, which is a smaller population of Firefox. Users can work around this issue by disabling ETP for the current site via the toggle in the protections panel (shield icon). They can also switch to ETP standard.
Is https://help.mixpanel.com Zendesk too, but with your domain, or is that a different property? Otherwise, if you host both the iframe and the support site (https://help.mixpanel.com) under the same domain, there won't be any issues with ETP. We only block third-party trackers.
I'm curious why all subdomains of zendesk.com are on the list. That seems quite broad. We don't maintain the list, so for questions or list changes you can contact Disconnect, e.g. by filing an issue on their repository here: https://github.com/disconnectme/disconnect-tracking-protection
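An added example, not part of the bug thread or of Firefox's code: a simplified Python model of the two checks described in comments 2 and 4, a hashed list lookup over host suffixes and path prefixes, followed by a third-party test. The Safe Browsing-style fragment scheme, the constructed one-entry table, and the last-two-labels site comparison (real browsers consult the Public Suffix List) are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed one-entry table standing in for a hashed list that covers zendesk.com.
TABLE = {hashlib.sha256(b"zendesk.com/").digest()}

def host_suffixes(host):
    """Exact host, then up to four suffixes taken from its last five labels (never the bare TLD)."""
    labels = host.split(".")
    start = max(1, len(labels) - 5)
    return [host] + [".".join(labels[i:]) for i in range(start, len(labels) - 1)]

def path_prefixes(path):
    """Root, up to three directory prefixes, then the exact path."""
    parts = [p for p in path.split("/") if p]
    out = ["/"]
    for i in range(1, min(len(parts), 4)):
        out.append("/" + "/".join(parts[:i]) + "/")
    if path not in out:
        out.append(path)
    return out

def matched_entry(url):
    """Return the first host/path fragment whose SHA-256 is in TABLE, else None."""
    u = urlsplit(url)
    for host in host_suffixes(u.hostname or ""):
        for path in path_prefixes(u.path or "/"):
            fragment = host + path
            if hashlib.sha256(fragment.encode()).digest() in TABLE:
                return fragment
    return None

def site(url):
    # Assumption: registrable domain = last two labels; real code consults the Public Suffix List.
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])

def would_block(resource_url, top_level_url):
    """Block only when the resource is listed AND loaded from a different site."""
    third_party = site(resource_url) != site(top_level_url)
    return third_party and matched_entry(resource_url) is not None

if __name__ == "__main__":
    page = "https://help.mixpanel.com/hc/en-us/requests/new"
    script = "https://mixpanelsupport.zendesk.com/auth/v2/host/without_iframe.js"
    print(matched_entry(script), would_block(script, page))
```

A single list entry for the parent domain matches every subdomain because each lookup also hashes the shorter host suffixes, which is why serving the same script from the page's own domain avoids both the list match and the third-party condition.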
Comment 5 (Reporter)•11 months ago
Yes, https://help.mixpanel.com is from the Zendesk domain. Can you say more about the list? Would I reach out to Disconnect to get on the whitelist for https://mixpanelsupport.zendesk.com?
Comment 6•11 months ago
I don't think individual domains are allow-listed, however you could check with them if really all of *.zendesk.com should be classified as a tracker. Specifically the route you use for the support form script.
As mentioned in my previous comment, it might also be possible to serve e.g. https://mixpanelsupport.zendesk.com/auth/v2/host/without_iframe.js under your own domain? Perhaps Zendesk can help here.
I've just tested submitting a request with Firefox Nightly ETP strict enabled. Seems to work fine? I get a confirmation that the request has been submitted successfully.
Comment 7 (Reporter)•11 months ago
Ok I'll reach out to both sources. Thank you!