Closed Bug 1872203 Opened 6 months ago Closed 1 hour ago

Login broken on Steam with ETP - Standard Enabled

Categories

(Core :: Privacy: Anti-Tracking, defect)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: sieber.colby, Unassigned)

References

(Blocks 1 open bug)

Details

Environment:
Browser / Version: [e.g. Firefox Nightly 97.0a1 (2021-12-29)]
Operating System: [e.g. Windows 10 Pro]

Prerequisites:
Steam implements SSO across our various web domains (including, but not limited to, steampowered.com, steamcommunity.com, steam.tv, etc). With third-party cookies disabled, we are unable to set authentication cookies against all domains we want to log users in to. The most obvious impact is a user who logs into one domain, clicks a link that takes them to another domain, they will not be logged in when they arrive.

Steps to Reproduce:

  1. Log into steamcommunity.com
  2. In the top right account dropdown, click "Account details"

Expected Behavior:
You should arrive at a logged in page on the store.steampowered.com domain.

Actual Behavior:
You are redirected to a log in page, even though you just logged in.

Notes:
The above bug is one of the easiest to see, but there are even more insidious problems that can happen. For one, your durable login token is stored against a steampowered.com subdomain, so if you log into steamcommunity.com and that cookie fails to be set, you only have a few hours of session time on steamcommunity.com before you'll automatically be logged out again when it attempts to refresh the steamcommunity.com login using the durable steampowered.com token.

Other issues involve broken content on our websites when a page makes a request to another of our domains, where it expects the user to also be logged in due to SSO, which will not automatically happen and the user will have needed to manually authenticate on each domain before such content could function correctly.

Blocks: tplogin
Blocks: etp-breakage
No longer blocks: tplogin

Thanks for reporting this login issue.

Firefox has partitioned third-party cookies, which breaks Steam's login mechanism. The same issue can be reproduced on Safari because third-party cookies are blocked there. And, soon, Chrome will have the same issue given that Chrome will deprecate third-party cookies.

We recommend using Storage Access API to get first-party access for third-party context. In your case. it's steampowered.com to get first-party access under steamcommunity.com. If you find any problem with using Storage Access API, don't hesitate to reach out to us, we are happy to help. It's also welcome to give suggestions to the API and join the Privacy CG to help us improve the spec.

Flags: needinfo?(sieber.colby)

A needinfo is requested from the reporter, however, the reporter is inactive on Bugzilla. Given that the bug is still UNCONFIRMED, closing the bug as incomplete.

For more information, please visit BugBot documentation.

Status: UNCONFIRMED → RESOLVED
Closed: 1 hour ago
Flags: needinfo?(sieber.colby)
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.