https://api.together.xyz/open-chat gives "Detected that third-party cookies are not enabled." in Firefox
Categories
(Core :: Privacy: Anti-Tracking, defect, P2)
People
(Reporter: jrmuizel, Unassigned)
It works in Chrome and Safari
Comment 1 • 1 year ago
This is what I see in the console when loading https://api.together.xyz/open-chat
document.requestStorageAccess() may only be requested from inside a short running user-generated event handler. open-chat-9435fa4f9d32af05.js:1:5201
Partitioned cookie or storage access was provided to “https://js.stripe.com/v3/m-outer-93afeeb17bc37e711759584dbfc50d47.html#url=https%3A%2F%2Fapi.together.xyz%2Fopen-chat&title=&referrer=&muid=2c4e1dba-8715-4cfa-9aaf-9710807e27872cb800&sid=dd761874-2f54-4aa7-9cb4-f50b8ee4be422c89ef&version=6&preview=false” because it is loaded in the third-party context and dynamic state partitioning is enabled.
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). index.js:6054:26
Content-Security-Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent. index.js:6054:26
Partitioned cookie or storage access was provided to “https://m.stripe.network/inner.html#url=https%3A%2F%2Fapi.together.xyz%2Fopen-chat&title=&referrer=&muid=2c4e1dba-8715-4cfa-9aaf-9710807e27872cb800&sid=dd761874-2f54-4aa7-9cb4-f50b8ee4be422c89ef&version=6&preview=false” because it is loaded in the third-party context and dynamic state partitioning is enabled.
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). index.js:6054:26
I think the fact that requestStorageAccess failed is what made the page show the error.
Comment 2 • 1 year ago
It's odd that the site uses requestStorageAccess on page load. That is bound to fail since that method is user activation gated (also in other browsers). It's hard to tell what it's trying to do since all the code is minified.
Comment 3 • 1 year ago
As per Storage Access API spec we should resolve for top level requestStorageAccess calls, even if they don't have user activation, see: https://privacycg.github.io/storage-access/#ref-for-top-level-browsing-context%E2%91%A2
We would have to move this check https://searchfox.org/mozilla-central/rev/aec3a901e6f6b3041b5ec457c9111a042cef1fb1/toolkit/components/antitracking/StorageAccessAPIHelper.cpp#852 before the user activation check here: https://searchfox.org/mozilla-central/rev/aec3a901e6f6b3041b5ec457c9111a042cef1fb1/dom/base/Document.cpp#17292
When we fix this we should also enable the WPT here: https://searchfox.org/mozilla-central/rev/aec3a901e6f6b3041b5ec457c9111a042cef1fb1/testing/web-platform/meta/storage-access-api/requestStorageAccess.sub.https.window.js.ini#5
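The calling pattern Comments 2 and 3 point toward, as an added example that is not part of the bug thread, the site's code or Firefox: query access on page load and call requestStorageAccess() only from a click handler, treating rejection as "not granted" rather than as "cookies disabled". The names `initStorageAccess` and `onResult` are hypothetical, and the fake document and button are constructed stand-ins so the block runs under Node.

```javascript
// Added example. `doc`, `button` and `onResult` are injected so the same
// logic runs in a page or, with the constructed stand-ins below, under Node.

// Page-load path: only *query* access; never call requestStorageAccess() here.
async function initStorageAccess(doc, button, onResult) {
  if (typeof doc.requestStorageAccess !== "function") return "unsupported";
  if (await doc.hasStorageAccess()) return "granted";
  // Not granted: defer the request to a click, where user activation exists.
  button.addEventListener("click", () => {
    doc.requestStorageAccess().then(
      () => onResult("granted"),
      () => onResult("denied") // rejection means "not granted", nothing more
    );
  }, { once: true });
  return "needs-gesture";
}

// Constructed stand-in for Document: rejects without user activation, the
// gating described in Comment 2. Not a model of any browser's full behaviour.
function makeFakeDocument() {
  const d = {
    userActivation: false, access: false, requests: 0,
    hasStorageAccess: async () => d.access,
    requestStorageAccess: async () => {
      d.requests += 1;
      if (!d.userActivation) throw new Error("NotAllowedError (constructed)");
      d.access = true;
    },
  };
  return d;
}

// Constructed stand-in for a button; click() simulates a user gesture.
function makeFakeButton(doc) {
  const handlers = [];
  return {
    addEventListener: (type, fn) => handlers.push(fn),
    click() {
      doc.userActivation = true;
      handlers.splice(0).forEach((fn) => fn());
      doc.userActivation = false;
    },
  };
}

// In a page: initStorageAccess(document, someButton, updateUi)
```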
Comment 4 • 8 months ago
The website works similar to Chrome and Safari.
Environment
macOS Sonoma 14.1.1
Firefox Nightly 124.0a1 (2024-01-28) (64-bit) - ETP standard AND strict
Firefox 122.0 (64-bit) - ETP standard AND strict
Description