Zelle bank-transfer-service won't load in Nightly, at sfcu.org (due to network.cookie.cookieBehavior.optInPartitioning being default-enabled now)
Categories
(Web Compatibility :: Privacy: Site Reports, defect, P3)
Tracking
(firefox-esr128 unaffected, firefox131 unaffected, firefox132 disabled, firefox133 disabled, firefox134 disabled, firefox135 disabled, firefox136 disabled)
| Tracking | Status | |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox131 | --- | unaffected |
| firefox132 | --- | disabled |
| firefox133 | --- | disabled |
| firefox134 | --- | disabled |
| firefox135 | --- | disabled |
| firefox136 | --- | disabled |
People
(Reporter: dholbert, Unassigned)
References
(Blocks 1 open bug, Regression, )
Details
(Keywords: regression)
STR:
- Log in to your bank or credit union that supports Zelle for money-transfers (https://www.sfcu.org/ in my case)
- Click to open Zelle.
ACTUAL RESULTS:
Blank page.
EXPECTED RESULTS:
Successful load of Zelle UI.
mozregression points to https://bugzilla.mozilla.org/show_bug.cgi?id=1915383 as the regressor here.
If I revert the effects of that bug by setting network.cookie.cookieBehavior.optInPartitioning to false, then I get EXPECTED RESULTS.
(I don't know how broadly Zelle uses the same framing/authentication strategy across various banks, so I'm not sure if this affects all Zelle usages vs. just the one at SFCU.)
|
Reporter | |
Updated•10 months ago
|
|
|
Reporter | |
Comment 1•10 months ago
|
||
(the regressing pref-flip landed in the 132 nightly cycle, but fortunately it enabled the pref in a Nightly-only way ( https://hg.mozilla.org/mozilla-central/rev/272abc23ad36 ), so we can mark this disabled for 132 now that it's on beta.)
|
||
Comment 2•10 months ago
|
||
Set release status flags based on info from the regressing bug 1915383
:timhuang, since you are the author of the regressor, bug 1915383, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
||
Updated•10 months ago
|
|
||
Comment 3•10 months ago
|
||
FYI: I could not repro this bug with Wells Fargo nor Bank of America.
|
|
Reporter | |
Comment 4•10 months ago
•
|
||
Dan/Tim: let me know if there's any data that'd be useful for me to gather, or configuration that'd be useful to test here, to assist in getting this addressed or papered-over. (happy to hop on Zoom if synchronous investigation is worthwhile/useful too.)
|
|
Reporter | |
Updated•10 months ago
|
|
|
Reporter | |
Updated•10 months ago
|
|
||
Comment 5•10 months ago
|
||
Pref: network.cookie.cookieBehavior.optInPartitioning
|
||
Updated•9 months ago
|
|
|
Reporter | |
Comment 6•9 months ago
•
|
||
I just retested and confirmed that this does still affect Nightly (unless I flip the aforementioned optInPartitioning pref to false).
One additional note for folks testing this in the future: today I happened to be initially testing with Mozilla VPN turned on (using Houston TX as my exit node), and that prevented Zelle from from working in any browser/configuration on my machine -- Zelle would render a page saying that the request was blocked, with status 403 showing up in DevTools' network pane. I suspect Zelle (or some piece of it) might block known VPN exit nodes, or at least certain ones where they've seen suspicious traffic, perhaps. Anyway - after I turned off my VPN, I was able to repro the same results described in comment 0 (blank zelle UI in the default configuration, working Zelle UI when I flip the pref.
|
||
Updated•7 months ago
|
|
|
||
Comment 7•7 months ago
|
||
Hi Daniel,
Could you share which domains received partitioned cookies and storage access when you encountered the issue? The Devtool console log should show the message Partitioned cookie or storage access was provided to <URL>....
|
|
||
Comment 8•7 months ago
|
||
Oh, sorry.
We should check the message Cookie has been rejected because it is foreign and does not have the “Partitioned“ attribute instead but not the one I mentioned before.
|
|
Reporter | |
Comment 9•7 months ago
•
|
||
The log message doesn't mention the domain, but I imagine the URL of the script is sufficient; if not, let me know.
I just performed the STR and the first such message in my console is:
Cookie “.AUTH” has been rejected because it is foreign and does not have the “Partitioned“ attribute. RemoteAccess
...where "RemoteAccess" is linked to this URL: https://ppl.ibanking-services.com/PP_FIS-9995/RemoteAccess
There are 4 distinct versions of this log message for that^ URL (with differently named cookies), and then there are two copies of this message for these two URLs:
https://ppl.ibanking-services.com/PP_FIS-9995/Zelle/ZellePay/Home/ac0798b0-6733-47a3-b80c-784ff9bde79c
https://cds-sdkcfg.onlineaccess1.com/common.js
|
|
Reporter | |
Comment 10•7 months ago
|
||
Additionally: simply at login to the SFCU web-banking site (before trying to launch Zelle), I get some other copies of that same cookie-has-been-rejected message. Nothing obviously breaks when these appear, but they might conceivably be associated with downstream breakage, whether Zelle or elsewhere...
Here are those URLs:
https://q2smart.q2ebanking.com/ecom/spaces/serve?company=5105&space=10&user=210353&containerId=ember73&_=1738170378126
https://sdk-cdn.onlineaccess1.com/sdk-nginx-prd/sdkcdn/sdk-q2-accounts-prd-6a9ef001/Accounts/assets/index.html?tct-id=Accounts_AccountWidget.Accounts.AccountWidget&tct-maxHeight=&tct-maxWidth=&tct-outlet-name=Accounts_AccountWidget#/account-block
|
|
||
Comment 11•7 months ago
|
||
Thanks,
Could you check if setting the pref network.cookie.cookieBehavior.optInPartitioning.skip_list to https://sfcu.org,https://ibanking-services.com can fix the issue?
|
|
||
Updated•6 months ago
|
|
||
Updated•2 months ago
|
Description
•