Closed Bug 1930467 Opened 1 year ago Closed 1 year ago

apps.facebook.com - Dragonkingmahjong is not loading with ETP Strict

Categories

(Web Compatibility :: Privacy: Site Reports, defect, P2)

Desktop
Windows 10

Tracking

(firefox135 fixed)

RESOLVED FIXED
Tracking Status
firefox135 --- fixed

People

(Reporter: railioaie, Assigned: bvandersloot)

References

(Blocks 1 open bug)

Details

(Keywords: webcompat:site-report, Whiteboard: [webcompat-source:web-bugs])

Attachments

(2 files)

Environment:
Operating system: Windows 10
Firefox version: Firefox 128.0

Preconditions:
Clean profile
ETP Strict

Steps to reproduce:

  1. Navigate to: https://apps.facebook.com/dragonkingmahjong/?ref=bookmarks&fb_source=web_shortcut&count=0
  2. Observe

Expected Behavior:
The game is loading

Actual Behavior:
The game is not loading

Notes:

  • Reproduces in ETP Strict mode only
  • Reproduces in firefox-nightly, and firefox-release
  • Does not reproduce in chrome

Created from https://github.com/webcompat/web-bugs/issues/143715

No longer depends on: tp-breakage
Severity: -- → S3

The breakage comes from some Facebook games using Facebook's gaming domains for serving content. The base domain is on the entity list, but the subdomains the games use are not. The subdomains are arbitrary / specific to the game which means we can't list them all explicitly in our entity list.
Our entity list does not apply automatically for all subdomains of a given entity list domain entry. We should change behavior on Gecko side to fix these breakages.

Assignee: nobody → bvandersloot
Status: NEW → ASSIGNED
Priority: -- → P2

Should we change behavior if the domain is on the PSL? E.g. if we have an entity list entry for github.io should we still treat *.github.io as the same entity?

Flags: needinfo?(bvandersloot)

I think so. I think we should only match down to PSL+1. And luckily, I am pretty sure that is what my draft does because that is the behavior of getNextSubdomain: https://searchfox.org/mozilla-central/source/netwerk/dns/nsIEffectiveTLDService.idl#219.

Flags: needinfo?(bvandersloot)

Perfect!

> Our entity list does not apply automatically for all subdomains of a given entity list domain entry. We should change behavior on Gecko side to fix these breakages.

This actually isn't true. Our entitylist does apply for all subdomains of entity list domains. The top level is always a base domain in the entitylist and the resources are tested down 4 levels, per safebrowsing spec. It seems that the behavior may actually be a different Gecko bug having to do with first-partyness. It turns out that the game's resource subdomain is a facebook.com subdomain, and the game is hosted on apps.facebook.com (according to :timhuang; I don't have Facebook). I don't think we should be checking any of these lists in that case; it isn't foreign! We also don't include an entitylist entry in shavar for this case because of this: https://github.com/mozilla-services/shavar-list-creation/blob/main/lists2safebrowsing.py#L364-L365.

I'm going to be chasing down this lead for a little bit, seeing if I can repro this explanation without a Facebook account using some test domains.

It turns out that in a quick test I wrote, on top level http://test1.example.org, http://tracking.example.org is not flagged as a tracker.

Tim: any chance you can re-confirm that we are blocking a same-site subresource?

Flags: needinfo?(tihuang)

This is what I see in the DevTools Network panel. AllowListing www.facebook.com and graph.facebook.com does fix the game.

Flags: needinfo?(tihuang)
Attachment #9440260 - Attachment description: WIP: Bug 1930467 - entitylist should automatically include all subdomains - WIP → Bug 1930467 - Channel classification should not be performed on foreign channels that are same site to the top level - r=timhuang!
Pushed by bvandersloot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/320415b14dee Channel classification should not be performed on foreign channels that are same site to the top level - r=timhuang

Backed out for causing bc failures on browser_doublyNestedTracker.js

Backout link

Push with failures

Failure log

Flags: needinfo?(bvandersloot)

This interacted with the recently fixed Bug 1918336 to cause this failure. Fixing that test.

Flags: needinfo?(bvandersloot)
Pushed by bvandersloot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1ae3ac5ab2be Channel classification should not be performed on foreign channels that are same site to the top level - r=timhuang

Backed out for causing mochitests failures in browser_storageAccessThirdPartyChecks_alwaysPartition.js.

Backout link

Push with failures

Failure log

Flags: needinfo?(bvandersloot)
Pushed by bvandersloot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7d6930e6c76a Channel classification should not be performed on foreign channels that are same site to the top level - r=timhuang
Flags: needinfo?(bvandersloot)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
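
The two ideas discussed in this bug, sketched as an added example (not Gecko code and not part of the original thread): skipping classification when the resource is same site to the top level, and walking list lookups only down to PSL+1. The suffix set, the tracker list and all function names are assumptions constructed for illustration.

```javascript
// Added example with constructed data; not Gecko code.
// Tiny stand-in for the Public Suffix List (the real list has thousands of rules).
const PUBLIC_SUFFIXES = new Set(["com", "org", "io", "github.io"]);
// Constructed tracker list; "github.io" is included to show it is never consulted.
const TRACKERS = new Set(["facebook.com", "tracking.example.org", "github.io"]);

const norm = (host) => host.toLowerCase().replace(/\.$/, "");

// eTLD+1 (PSL+1) of a host, or null if the host is itself a public suffix
// or ends in no suffix this list knows.
function registrableDomain(host) {
  const labels = norm(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    // i grows from 0, so the longest matching suffix is found first.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

function isSameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  return a !== null && a === registrableDomain(hostB);
}

// Names to try against a list: the host, then each parent, stopping at PSL+1.
function lookupCandidates(host) {
  const base = registrableDomain(host);
  if (base === null) return [];
  const labels = norm(host).split(".");
  const baseLen = base.split(".").length;
  const out = [];
  for (let i = 0; labels.length - i >= baseLen; i++) out.push(labels.slice(i).join("."));
  return out;
}

// Same-site loads are not classified; only cross-site loads hit the list.
function classify(topLevelHost, resourceHost, trackers = TRACKERS) {
  if (isSameSite(topLevelHost, resourceHost)) return "skip-same-site";
  const hit = lookupCandidates(resourceHost).find((d) => trackers.has(d));
  return hit ? "tracker:" + hit : "not-listed";
}

console.log(classify("apps.facebook.com", "graph.facebook.com")); // skip-same-site
```

Because github.io is a public suffix in this sketch, alice.github.io and bob.github.io are different sites and the github.io list entry is never tried for either.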