Closed Bug 1908841 Opened 4 months ago Closed 23 days ago

sneakerpolitics.com - Products missing with Strict ETP

Categories

(Web Compatibility :: Privacy: Site Reports, defect, P3)

Firefox 130
ARM
Android

Tracking

(firefox128 unaffected, firefox129 wontfix, firefox130 wontfix, firefox131 wontfix)

RESOLVED FIXED

People

(Reporter: ctanase, Unassigned)

References

(Depends on 1 open bug, Regression)

Details

(Keywords: priv-webcompat, regression, webcompat:platform-bug, Whiteboard: [webcompat-source:web-bugs])

Attachments

(3 files)

Environment:
Operating system: Android 14
Firefox version: Firefox Mobile 130.0/128

Preconditions:

  • Strict ETP enabled

Steps to reproduce:

  1. Go to https://sneakerpolitics.com/collections/sneakers
  2. Observe the page.

Actual Behavior:
Missing items

Notes:

  • Reproduces in ETP Strict Mode only
  • Reproduces in Firefox Nightly
  • Does not reproduce in Firefox Release or Chrome

Created from https://github.com/webcompat/web-bugs/issues/139308

Priority: P1 → --
Version: unspecified → Firefox 130
Attached image Strict ETP.png

Seems to reproduce on Windows 10 as well.

I've performed a regression:

Last good revision: c098e1447bc00f3d8c34c9056bd0bec82f8c30a1
First bad revision: 859498ffdfa51365ba1d695f5eab2a9550805b43
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c098e1447bc00f3d8c34c9056bd0bec82f8c30a1&tochange=859498ffdfa51365ba1d695f5eab2a9550805b43

Regressed by: 1899359

After some testing, it looks like there's a difference between the list used via remote settings vs shavar. With rs, I see that snapui.springsearch.io is classified as a tracker (which is present in the latest disconnect list), but I don't see this tracker blocked with shavar. It's possible that the UI is rendered using this and is being blocked with the new switch to remote-settings. Can you confirm that snapui is something you use to render the shopping lists?

Flags: needinfo?(ctanase)

I'm not quite sure how to verify that, I've just tested on a clean profile.

Flags: needinfo?(ctanase)
Severity: -- → S3
Priority: -- → P3

For Windows:

This seems interesting: when I try running this on fx130 with a new profile, https://snapui.springsearch.io is no longer in the content-tracking-list, and the UI works as expected. When the page was being blocked, https://snapui.springsearch.io shows up in tracking-protections. However, after an update of the protection lists, this goes away, and for new profiles things work as expected.

It's also odd that this isn't reproducible on macOS or Linux.

This isn't reproducible anymore, can you retest and let us know?

Flags: needinfo?(ctanase)

Well, on Desktop it seems to be fixed, but on Android I'm still able to reproduce.

Tested on:
Operating system: Windows 10 / Google Pixel 5 (Android 14)
Browser/Version: Firefox Nightly 131.0a1 (2024-08-07) / Firefox Nightly 131.0a1-20240805215935

Flags: needinfo?(ctanase)

Could you give us the console log output when you load the page? I am unable to reproduce on fx131a1 on Android. Sorry about the back and forth, I'm having trouble verifying this (it looks like the snapui.searchspring.io domain is not on the disconnect list).

Flags: needinfo?(ctanase)
Flags: needinfo?(ctanase)

Tested on OnePlus 6 A6000 (Android 11) and Google Pixel 5 (Android 14) with the latest Nightly (131.0a1-20240811212519). Still reproducible.
I've attached the console logs.

:twisniewski is there anyone else that can look into this?

Flags: needinfo?(twisniewski)
Component: Site Reports → Privacy: Site Reports

The issue still reproduces for me on my phone running on the latest Fenix nightly, so I'd be surprised if no one on the ETP team can reproduce it. Paul, Tim, maybe you can reproduce it?

Flags: needinfo?(twisniewski)
Flags: needinfo?(tihuang)
Flags: needinfo?(pbz)

I can reproduce as well. I don't have time to look into this further, but I've collected some data that may be helpful:

Here is what stands out from the console log:

Partitioned cookie or storage access was provided to “https://imgs.signifyd.com/fp/ls_fp.html;CIS3SID=538D5DC3B00F956E8C05FA19847B34A1?org_id=w2txo5aa&session_id=2003c8f73b6882de8b57e388a88f01sneakerpoliticsmyshopifycom&nonce=3a3fcc6ae2901baf” because it is loaded in the third-party context and dynamic state partitioning is enabled.

The following trackers get blocked:

https://h64.online-metrix.net/fp/clear.png?org_id=w2txo5aa&session_id=2003c8f73b6882de8b57e388a88f01sneakerpoliticsmyshopifycom&nonce=3a3fcc6ae2901baf&i=2
https://snapui.searchspring.io/mlz8r2/bundle.js
https://static.klaviyo.com/onsite/js/SW27hF/klaviyo.js?company_id=SW27hF
https://cdn.attn.tv/sneakerpolitics/dtag.js?source=app-embed
https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=SW27hF
https://snapui.searchspring.io/mlz8r2/bundle.js
https://static.klaviyo.com/onsite/js/SW27hF/klaviyo.js?company_id=SW27hF
https://cdn.attn.tv/sneakerpolitics/dtag.js?source=app-embed
https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=SW27hF
https://config.gorgias.chat/bundle-loader/01GYCCNZYPX2Q6JRGN6QSSR2X8?source=shopify1click&shop=sneakerpolitics.myshopify.com
https://cdn.attn.tv/sneakerpolitics/dtag.js?shop=sneakerpolitics.myshopify.com
https://w2txo5aamxkxnywlm4kl4722szxrb4fxbmzy5mlp3a3fcc6ae2901bafam1.e.aa.online-metrix.net/fp/clear.png?org_id=w2txo5aa&session_id=2003c8f73b6882de8b57e388a88f01sneakerpoliticsmyshopifycom&nonce=3a3fcc6ae2901baf&di=yes
https://www.googletagmanager.com/gtm.js?id=GTM-W3T3G2P
https://cdn.shopify.com/shopifycloud/checkout-web/assets/c1.en/DeliveryMethodSelectorSection.C7RYu8wU.js
https://cdn.shopify.com/shopifycloud/checkout-web/assets/c1.en/hooks.CzcjE40a.js

Unrelated, but looks like the website is doing something that looks like fingerprinting:

Security Error: Content at https://sneakerpolitics.com/collections/sneakers may not load data from brave://.
Security Error: Content at https://sneakerpolitics.com/collections/sneakers may not load data from edge://.
Security Error: Content at https://sneakerpolitics.com/collections/sneakers may not load data from puffin://. 

At least it's trying to detect which browsers are installed.

Flags: needinfo?(pbz)

As Harshit pointed out in comment 5, it's because we block searchspring.io as an ad tracker. searchspring.io was recently moved to the ad category from the content category. This is the reason why there is an inconsistency between the lists.

Flags: needinfo?(tihuang)

To rectify my previous comment, searchspring.io has been moved from the ad tracker category into the content tracker category.

Calin, could you verify this again with the ETP strict in Nightly and Release with a fresh profile? The page should be displayed properly now.

Flags: needinfo?(ctanase)

I'm no longer reproducing the issue on either Nightly or Release.

Flags: needinfo?(ctanase)
Status: NEW → RESOLVED
Closed: 23 days ago
Resolution: --- → FIXED
Keywords: priv-webcompat