Open Bug 1886952 Opened 1 year ago Updated 2 months ago

Tracking protection: exceptions are not recognized

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Firefox 124
defect

People

(Reporter: e.lehmann, Unassigned)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0

Steps to reproduce:

Locally tested server at http://localhost:8080. It serves an Angular SPA, which calls out for a Keycloak instance, say https://my-keycloak.com and tries to fetch an OAuth2 token via POST. This call is blocked because of enhanced tracking protection, according to the console.
Tried to set https://my-keycloak.com as an exception in the Settings->"Data protection and security"->"enhanced tracking protection"->"Manage exceptions" form. The URL is added properly. Reloaded the page, even restarted the browser. The URL is still listed in the exceptions.

Actual results:

The behaviour is still the same (POST call to https://my-keycloak.com from the SPA at http://localhost:8080 is blocked because of enhanced tracking protection), although the URL https://my-keycloak.com was added as an exception. Obviously the exceptions are not recognized.

BTW, I see the same behaviour with other exceptions that I added for other URLs. Sometimes it helps to switch off the ETP completely, via the "shield" icon on the very left of the address bar, but this is also not what I want (because then there is no tracking protection at all). I want to set trusted URLs in the exception list and I want to have them properly recognized as such.

Expected results:

The POST call to https://my-keycloak.com should pass after adding this URL to the tracking protection exceptions.

The Bugbug bot thinks this bug should belong to the 'Core::Privacy: Anti-Tracking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core

Hello e.lehmann,

The exception you set creates an exception for https://my-keycloak.com as a top-level page, not as an embedded resource. That is equivalent to disabling ETP entirely via the shield.

What console message do you see that makes you think this is ETP? Can you share the specific keycloak domain so we can test if it is on any of our blocklists?

Thanks!

Flags: needinfo?(e.lehmann)

Hello Benjamin,

Ok, but I cannot set an exception for http://localhost:8080 as a top-level page. If this would solve the issue, it would be fine. But when I try to add this exception, the dialog rewrites it to https://localhost:8080, and my local develop/test setup is not using https. That is another issue with that dialog...

The console message states literally:
'The resource at "https://my-keycloak.com/my-realm/protocol/openid-connect/token" was blocked because content blocking is enabled. [Learn More]'

And the link behind [Learn More] leads to this page: https://developer.mozilla.org/en-US/docs/Web/Privacy/Firefox_tracking_protection

The keycloak domain is company internal, accessible only via VPN or internal network. I doubt that it is on any of your block lists.

And btw, when I configure the ETP from "Standard" to "Custom" in the "Privacy & Security" settings, and uncheck "Tracking content", it works. But this is then again a global setting which applies to all URLs.

Flags: needinfo?(e.lehmann)

> Ok, but I cannot set an exception for http://localhost:8080 as a top-level page. If this would solve the issue, it would be fine. But when I try to add this exception, the dialog rewrites it to https://localhost:8080, and my local develop/test setup is not using https. That is another issue with that dialog...

Actually, despite rewriting it, the dialog's entry works for both http and https for that host. I think with that exception set you should have a path to unbreak things.

> The console message states literally: '...'

This message is what we log when we see something on a blocklist (or should be what we log when something is on our blocklist). If you don't have any results when searching that URI in about:url-classifier I'd love to try to figure out why that is firing.

I added both URLs "localhost:8080" and "my-keycloak.com" to the exceptions, but nothing changed. The error and console log message is always the same. I have another "pair" of URLs, for which I get this error too, both of them this time non-localhost and actually using https. Also tried to add URLs with paths, such as "localhost:8080/app" and path wildcards, such as "localhost:8080/*", but these are not even recognized in the exceptions list.

I suspect that there is really an issue with the ETP exceptions list, and that the exceptions which are set there are not picked up properly. From my expectation I would want to add a URL (maybe including path and wildcards) to this list, for which I want the ETP to be disabled up-front. But it doesn't work like this.
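
The scoping described in the replies above (an exception is keyed on the top-level page, not on the embedded resource, and one host entry covers both http and https), as a simplified model. This is an added example, not Firefox code and not part of any comment; the function names, the constructed blocklist entry and the rejection of path or wildcard entries are assumptions.

```javascript
// Simplified model of the exception scoping described in this thread.
// Not Firefox code: all names and the blocklist entry are hypothetical.

// Constructed blocklist; the entry reproduces the block the reporter observed.
const BLOCKLIST = new Set(["my-keycloak.com"]);

// Reduce a dialog entry to a bare host[:port] key, ignoring the scheme, so one
// entry covers both http and https. Entries carrying a path or wildcard are
// rejected (assumption, based on the report that they are not recognized).
function exceptionKey(entry) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(entry);
  let url;
  try {
    url = new URL(hasScheme ? entry : "https://" + entry);
  } catch {
    return null; // not parseable as a host entry
  }
  if (url.pathname !== "/" || entry.includes("*")) return null;
  return url.host.toLowerCase();
}

// A resource load is blocked when its host is on the blocklist and the
// top-level page (not the resource) has no matching exception.
function isBlocked(topLevelUrl, resourceUrl, exceptions) {
  const resourceHost = new URL(resourceUrl).hostname.toLowerCase();
  if (!BLOCKLIST.has(resourceHost)) return false;
  const pageKey = new URL(topLevelUrl).host.toLowerCase();
  const keys = exceptions.map(exceptionKey).filter(Boolean);
  return !keys.includes(pageKey);
}

// URLs taken from the report.
const PAGE = "http://localhost:8080/";
const TOKEN = "https://my-keycloak.com/my-realm/protocol/openid-connect/token";

console.log(isBlocked(PAGE, TOKEN, ["https://my-keycloak.com"])); // resource-host entry
console.log(isBlocked(PAGE, TOKEN, ["https://localhost:8080"]));  // top-level entry
console.log(isBlocked(PAGE, TOKEN, ["localhost:8080/*"]));        // wildcard entry
```
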

> I suspect that there is really an issue with the ETP exceptions list

You are right! I just figured out why the exceptions aren't working for you. It looks like adding localhost from the "Manage Exceptions..." dialog does not actually make the exception work. I'll file a bug for that. What seems to work for me is, when on the localhost page, clicking on the shield and flipping the toggle next to Enhanced Tracking Protection in that menu. That should add an exception for localhost. Does that work?

No, when I click on the shield and flip the toggle, no exception is added in the "Manage exceptions..." dialog. I just checked that.

Also, flipping the toggle does not make it work for localhost. The error and message in the console log are still the same after switching ETP off with the shield toggle. It works for other URLs, though. But this approach is not persistent... after closing and reopening the browser, the shield toggle is switched on again for the same URL where I switched it off before.

The only thing that helps in this localhost case for me is to select "Custom" in the "Settings"/"Privacy & Security"/"ETP" configuration section and disable the "Tracking content" checkmark (second checkmark from the top).

> No, when I click on the shield and flip the toggle, no exception is added in the "Manage exceptions..." dialog. I just checked that.

The dialog state does not get saved until you click the "Save Changes" button. The same is true if you have the dialog open in one tab and change the state in another: it doesn't show up in the dialog unless you close and open it. Basically the dialog creates a snapshot when it opens and lets you edit it before committing with the save button.

Assignee: nobody → bvandersloot

Ben, would you be able to set the priority and severity because you have the most context about this bug? Thanks.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(bvandersloot)
Severity: -- → S3
Flags: needinfo?(bvandersloot)
Priority: -- → P3
Assignee: bvandersloot → nobody