Open Bug 2005066 Opened 2 months ago Updated 1 month ago

Firefox iOS getting "Untrusted app" scary warning on Amazon

Categories

(Web Compatibility :: Site Reports, defect, P2)

Product:
Web Compatibility
Component:
Site Reports
Platform:
Unspecified
iOS
Type:
defect

Tracking

(Webcompat Priority:P2, Webcompat Score:6)

Project Flags:
Webcompat Priority P2
Webcompat Score 6

People

(Reporter: mgaudet, Unassigned)

References

(Depends on 1 open bug,
URL
)

Details

(Keywords: webcompat:contact-in-progress, webcompat:site-report, Whiteboard: [webcompat:sightline])

User Story

user-impact-score:300
platform:ios
impact:unsupported-warning
configuration:general
affects:all
branch:release
diagnosis-team:webcompat
outreach-assignee:jrmuizel
outreach-contact-date:2025-12-15
outreach-response-date:2025-12-15

Attachments

(1 file)

Warning
176.60 KB, image/png
Details
Attached image Warning

Trying to log into Amazon(.ca) on my iPhone in Firefox gets me this scary warning.

Interesting to note: I -do not- get the warning in private browsing mode.

User Story: (updated)
Webcompat Score: --- → 1
URL: https://www.amazon.ca
Severity: -- → S4
User Story: (updated)
Webcompat Priority: --- → P2
Webcompat Score: 1 → 6
Depends on: firefox-not-supported-warning
Keywords: webcompat:needs-contact, webcompat:site-report
Priority: -- → P2
Whiteboard: [webcompat:sightline]
User Story: (updated)

I'm not sure bugbot got the platform:android right for this iOS report.

FWIW, this has also been seen on .com and .co.uk from other reports online apparently.

User Story: (updated)

Jan, could we add a debug option for spoofing Safari in iOS? That would help to test if this is UA sniffing.

Flags: needinfo?(g3b034lff)

I'm not sure if this is (just?) uasniffing as it's happy in PBM at the same time — they seemingly add some previous session/device knowledge to the mix here, so it could be interesting to do the opposite — use desktop browser in multitouch media simulation with FxiOS uastring and introspect the site storage, and/or keep changing the uastrings between logins to see what triggers the dialog, if anything.

(I wanted to try e.g. iOS 18 vs. 26 et al. to see any difference, but Amazon served me quite different templates across OSes, so there was not much in common to base this on.)

Reporter can also turn on "desktop site" mode in FxiOS menu to see how things fare with a non-Firefox user agent (albeit desktop one, though).

Given FxiOS can currently only target eTLD+1 with uastring tweaks and not supporting any patterns, URLs, path substrings etc. shipping a patch in tree changing the user agent here would mean targeting all amazon.* domains around the globe, enumerating them one by one, and targeting each and every page and single request for every user for this… could mean breaking more than fixing.

(If there are more granular targeting needs expected in the future, and it's not already scoped in the remote-settings—based approach, it might be prudent liaising with mobile PMs about putting such enablement and refactor scope in their backlog to prioritize at some point.)

For the debug menu, I've raised https://github.com/mozilla-mobile/firefox-ios/issues/31315 — I certainly see the utility and would use it myself a lot, maybe I'll start looking into adding it in some spare time…

Flags: needinfo?(g3b034lff)

Amazon let us know that they're working on this.

User Story: (updated)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: