Closed Bug 1923721 Opened 4 months ago Closed 3 months ago

Can't view products on lcbo.com in Private Browsing or with strict ETP

Categories

(Web Compatibility :: Privacy: Site Reports, defect, P3)

Product:
Web Compatibility
Component:
Privacy: Site Reports
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jrmuizel, Unassigned)

References

(Depends on 1 open bug,
URL
)

Details

https://www.lcbo.com/en/new-arrivals/wines#t=clp-new_arrivals-wines&sort=relevancy&layout=card shows no wines in private browsing mode. It should show many wines.

Ditto in a non-private window with strict ETP.

Summary: Can't view products on lcbo.com in Private Browsing → Can't view products on lcbo.com in Private Browsing or with strict ETP

This is broken because platform.cloud.coveo.com is still blocked.

Tim, what's the process for unblocking platform.cloud.coveo.com in our list?

Flags: needinfo?(tihuang)

We open an issue on Disconnect's repo to request a change on Disconnect's list. Disconnect will review and decide whether to update the list. Then, they will batch the changes and submit a PR for us to deploy them.

Flags: needinfo?(tihuang)

I filed https://github.com/disconnectme/disconnect-tracking-protection/issues/372, can we override the block in Firefox in the mean time?

Flags: needinfo?(tihuang)

As previously communicated directly to Coveo, on several occasions, based on policy and technical reviews these domains are properly categorized. In addition, our most recent review revealed that additional Coveo domains may be properly classified in Advertising.

Finally, we were unable to correlate the breakage you describe to our tracker blocking protection list. Rather the breakage appears to be related to not allowing location tracking in the browser.

In Firefox Private browsing using Standard protection settings, we found:
⁃ When visiting https://www.lcbo.com/en/new-arrivals/wines#t=clp-new_arrivals-wines&sort=relevancy&layout=card, the product/wines section did not load.
⁃ After hitting “Allow” on browser prompt to allow the page to collect location data AND turning ETP off for the page (order does not matter), the product/wines section loaded properly on the page.
⁃ Just turning ETP off for the page (including manually refreshing the page after turning off ETP) did not allow the product/wines section to load properly.

Even assuming breakage described is related to blocking, the prevalence of this subdomain along with our review does not appear to justify a move to Content.

(In reply to admin from comment #7)

As previously communicated directly to Coveo, on several occasions, based on policy and technical reviews these domains are properly categorized. In addition, our most recent review revealed that additional Coveo domains may be properly classified in Advertising.

Finally, we were unable to correlate the breakage you describe to our tracker blocking protection list. Rather the breakage appears to be related to not allowing location tracking in the browser.

I hadn't seen the location tracking breakage when I checked last time, but I do see it now. I think the site is just a bit confused and not guessing a location if you block the location request.

Here's a more thorough steps to reproduce:

  • In Private Browsing mode load https://www.lcbo.com
  • Block the location request
  • Go to "Products" -> "Red Wine"
  • Usually the site guesses a location at this point. If a location is not guessed you might need to navigate a bit more.
  • No wines load

Close the Private window and add platform.cloud.coveo.com to urlclassifier.trackingSkipURLs in about:config and repeat the steps above.
Now the wines load.

Admin, do those steps work for you?

Flags: needinfo?(admin)

We only do temporary allowlist in the following two cases.

  1. The disconnect list has removed the domain from the tracker list, and the change is still being processed. We believe the breakage is severe enough to be allowed earlier to expedite the fix.
  2. The affected website has committed to removing the tracker.

The temporary allowlisting is described in the AntiTracking policy.

Flags: needinfo?(tihuang)
Component: Site Reports → Privacy: Site Reports
Depends on: tp-breakage

(In reply to Jeff Muizelaar [:jrmuizel] from comment #8)

(In reply to admin from comment #7)

As previously communicated directly to Coveo, on several occasions, based on policy and technical reviews these domains are properly categorized. In addition, our most recent review revealed that additional Coveo domains may be properly classified in Advertising.

Finally, we were unable to correlate the breakage you describe to our tracker blocking protection list. Rather the breakage appears to be related to not allowing location tracking in the browser.

I hadn't seen the location tracking breakage when I checked last time, but I do see it now. I think the site is just a bit confused and not guessing a location if you block the location request.

Here's a more thorough steps to reproduce:

  • In Private Browsing mode load https://www.lcbo.com
  • Block the location request
  • Go to "Products" -> "Red Wine"
  • Usually the site guesses a location at this point. If a location is not guessed you might need to navigate a bit more.
  • No wines load

Close the Private window and add platform.cloud.coveo.com to urlclassifier.trackingSkipURLs in about:config and repeat the steps above.
Now the wines load.

Admin, do those steps work for you?

Thank you for the detailed steps. Following the steps and manually adding platform.cloud.coveo.com as an unblock in about:config does allow the red wine product section to load. However using the toggle to turn Enhanced Tracker Protection off for the site does not allow the wines to load, even after hitting the Block location option and reloading the page.

As stated in our previous reply, according to our tracker protection policies this domain is properly classified as the review found the domain fits our definition of tracking, and the prevalence of this subdomain and the nature of the breakage does not justify a move to Content.

Flags: needinfo?(admin)

(In reply to admin from comment #10)

Thank you for the detailed steps. Following the steps and manually adding platform.cloud.coveo.com as an unblock in about:config does allow the red wine product section to load. However using the toggle to turn Enhanced Tracker Protection off for the site does not allow the wines to load, even after hitting the Block location option and reloading the page.

I cannot confirm this. The site works fine for me just by disabling ETP even if I block location access.

Furthermore, it is visible in the requests that platform.cloud.coveo.com is actually serving the content of the page itself. A POST request is made to https://platform.cloud.coveo.com/rest/search/v2?organizationId=lcboproductionx2kwygnc that retrieves the actual search results for the red wine category:

[...]
  "results" : [ {
    "title" : "Caymus Zinfandel 2021",
    "uri" : "https://www.lcbo.com/en/caymus-napa-valley-zinfandel-2019-718759",
    "printableUri" : "https://www.lcbo.com/en/caymus-napa-valley-zinfandel-2019-718759",
    "clickUri" : "https://www.lcbo.com/en/caymus-napa-valley-zinfandel-2019-718759",
    "uniqueId" : "42.6601$https://www.lcbo.com/en/caymus-napa-valley-zinfandel-2019-718759",
    "excerpt" : "Charlie Wagner Sr. was a big fan of Zinfandel, so the winery still produces a small amount ... The 2021 is a varietally correct packed full of bright red fruit reminiscent of a ... Score - 89.",
    "firstSentences" : "Charlie Wagner Sr. was a big fan of Zinfandel, so the winery still produces a small amount of California Zinfandel yearly. The 2021 is a varietally correct packed full of bright red fruit ...",
    "summary" : null,
    "flags" : "HasHtmlVersion;SkipSentencesScoring",
    "hasHtmlVersion" : true,
[...]

Without these search results, the page simply has nothing to display.

Flags: needinfo?(admin)
Severity: -- → S3
Priority: -- → P3
Severity: S3 → S2

In Nightly 134.0a1 the wines are not displayed in PBM / ETP Strict due to the blocking of coveo.com.

Either disabling ETP or setting it to Standard mode will allow the wines to load, independent of the location permission.

Leaving open for discussion in privacy breakage.

(Sry for severity changes, reproduced incorrectly first).

Severity: S2 → S3

Disconnect has submitted a PR to move platform.cloud.coveo.com to the Content category. This should fix the issue. I will merge the PR and deploy it as soon as possible.

Flags: needinfo?(admin)
See Also: → 1901436

The list change has taken effect and product images are now loading. Verified in PBM and ETP Strict mode (Fx134 Nightly and Fx133 Beta).

Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
See Also: → https://github.com/mozilla-services/shavar-prod-lists/commit/d95e0324d4cd1aa9f64a67e262b26d33e5a89541?diff=split&w=0
You need to log in before you can comment on or make changes to this bug.