Cannot access camera on the banking site for QR code (https://online.csob.cz )
Categories
(Web Compatibility :: Site Reports, defect, P1)
Tracking
(Webcompat Priority:P1, Webcompat Score:8)
People
(Reporter: mcepl, Unassigned)
References
()
Details
(Keywords: webcompat:needs-diagnosis, webcompat:site-report)
User Story
user-impact-score:800 platform:windows,mac,linux,android impact:workflow-broken configuration:general affects:all branch:release diagnosis-team:video-conferencing
Attachments
(4 files)
When in the online form shown in the screenshot (for scanning QR code for payments) the screen with the camera shot just blicks and then I get an error “Chyba v přístupu ke kameře. Zkontrolujte, zda je kamera zapnutá a zda má prohlížeč ke kameře oprávnění.” (“Camera access error. Check that the camera is turned on and that the browser has permission to access the camera.” in Czech). Protection against spoofing and uBlock origin are both switched off the given page.
These are the uploads from Firefox Profile https://share.firefox.dev/3QBRp9X and (shorter) https://share.firefox.dev/4cN8Pcj
The only two warnings (not even errors I see from time to time, like 90% not always) in the console are:
-
Bylo zabráněno automatickému spuštění funkce AudioContext. Musí být vytvořena nebo obnovena po uživatelském gestu na stránce. wrapper.js:1:329787 (AudioContext function was prevented from being automatically started. It must be created or restored after a user gesture on the page. wrapper.js:1:329787)
-
Content-Security-Policy: Nastavení stránky zablokovalo spuštění vloženého skriptu (script-src-elem), protože porušuje direktivu “script-src 'self' 'sha256-/BtHHqIcYw77uLkO/U/wjJ/k59YWlAYT4ty+gzedGDM=' 'sha256-D05LlVtx/Hk7p+GnfVbRZewaOkir6OglDIvsVmzkhd4=' 'sha256-7h50/PRQ/HBK0V6KvG+vYKr5mOkDereXbhXZ9KGxT4o=' 'sha256-dmbf3QsXPDd7MzUDgR2EpWDE+YrpFGmZOxd66u2WmFk=' 'sha256-JRA1b6rlHl7wcs4S6dlMHWUG9bGM4QbZyuohfIibM88=' 'sha256-JWQMCWvLK/RVKW2vwAmvSQTRP5a5dPpROkPxPyAZKzI=' 'sha256-eMiZWnw1kXW4L93B6zAHKgPy+cjsBOIngwR3T+SJFQI=' 'sha256-9pyM5ylrzgxbXuYzY5ZJGvVf2Zw46yhDZFA6018JtX8=' 'sha256-uqQKqHw/hQ5yI6xUZpXWaTRJADtEvlMUsd6hVh67hhw=' 'sha256-1kBmud/KrKIz5uOEVHYT99EvAecJIw0MEhZZ2EFqz+4=' 'sha256-0b2bqRj2SS4uqk9gG5L/uisImv71g5Du9wRK8rp2Qvw=' 'sha256-obeGIYb6DCe6WkLaCmmYJPZ1koP32McH19wICdLy5aM=' 'sha256-HAZvBGoeKyy7xAAgy/qjYBu5ieUoehiiNsQ7KUiC54U=' 'sha256-KCM7VOfrz/TRqLXLM30IydXlbn8TjTYdyCtycvVfQog=' 'sha256-XwowxmLqu5zl+Rj2EtiWw0soNm4ho/AXU5rkm2i6ioM=' 'sha256-Sd8S3bJHcMg2rr2K4YOu5IDHVxwfYCoh204NV5q2E6E=' 'sha256-Q7gdGsgDzfTaHZNxRZ8Is6mxZ2EG48FGdPsGXY6iXYc=' 'sha256-pnNhQjx2nyq3bZQMCg9iGiqwae+k1RPZkYlstKkGJxw=' 'sha256-Ii7l8fRmsg9s8BllocMs9OnWZFDsgTEeHpxpu4+D0hM=' 'sha256-HVHN5Crp8Cw6VWeTfxFEwMqk4ShQgibadQQOZhmrhmQ=' 'sha256-nSTGwkgVhMvLj2rHAwjhkxwJwY3hsE71a1sVXKLRavs=' 'unsafe-eval' https://statistics.csob.cz https://identita.csob.cz/flfethemes/wrapper.js”. Zvažte použití hashe ('sha256-7rsF8t35E7xh27RH3bcD6zYuLy5aiCEMbv0NcLE9szU=') nebo nonce. content-fontface.js:50:26 (which is “Content-Security-Policy: The page settings blocked the execution of the embedded script (script-src-elem) because it violates the directive “script-src 'self' '”).
Yes, I can reproduce this in the Anonymous Window (Ctrl-Shift-P)
| Reporter | ||
Comment 1•2 months ago
|
||
| Reporter | ||
Comment 2•2 months ago
|
||
Two more additions:
- Another error message which shown up when opening the main Internet banking page:
Zdroj na adrese “https://statistics.csob.cz/1IB/LAUNCH/6.38/launch-ENee9cf1230feb4e35a3582bff04c5f1b8.min.js” byl zablokován kvůli rozdílnému MIME typu (“text/html”) (X-Content-Type-Options: nosniff). jednorazova-platba
(The resource at “https://statistics.csob.cz/1IB/LAUNCH/6.38/launch-ENee9cf1230feb4e35a3582bff04c5f1b8.min.js” was blocked due to a different MIME type (“text/html”) (X-Content-Type-Options: nosniff). one-time-payment)
- Attaching screenshot of the console.
| Reporter | ||
Comment 3•2 months ago
|
||
One more profile, this time in the Troubleshoot mode, https://share.firefox.dev/4ejdPq9
| Reporter | ||
Comment 4•2 months ago
|
||
| Reporter | ||
Comment 5•2 months ago
|
||
I have confirmed the following:
- The camera WORKS perfectly on other WebRTC sites (Google Meet, Jitsi) in this same Firefox
instance. This rules out Flatpak sandbox issues or driver/hardware failures. - The issue is fully reproducible in Troubleshoot Mode.
Environment details:
- OS: Linux (Flatpak version of Firefox)
- Portal permissions: devices=all (confirmed via flatpak info)
Comment 6•1 month ago
|
||
The severity field is not set for this bug.
:emz, could you have a look please?
For more information, please visit BugBot documentation.
Comment 7•1 month ago
|
||
Unlikely to be Site Permission (permission UI) related.
I'd be curious if this also reproduces in Firefox Nightly.
| Reporter | ||
Comment 8•1 month ago
|
||
(In reply to Emma Zühlcke [:emz] from comment #7)
Unlikely to be Site Permission (permission UI) related.
I'd be curious if this also reproduces in Firefox Nightly.
With the Desktop Firefox Nightly https://share.firefox.dev/4eUhrPO reproduces absolutely the same.
Console messages:
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user’s experience. For more help https://xhr.spec.whatwg.org/#sync-warning jquery.min.js:2:82295
Referrer Policy: Ignoring the less restricted referrer policy “no-referrer-when-downgrade” for the cross-site request: https://resources.digital-cloud.medallia.eu/wdceu/779006/onsite/onsiteData.json onsiteData.json
InstallTrigger is deprecated and will be removed in the future. EX33711d877bdd4e1bba23e6a99dfe18df-libraryCode_source.min.js:2:26680
Fingerprinting Protection is altering screen.availWidth and screen.availHeight. These values may not match your actual screen dimensions. This protection helps prevent websites building a fingerprint that can be used to track users. Learn more: https://support.mozilla.org/kb/firefox-protection-against-fingerprinting wrapper.js:1:314994
An AudioContext was prevented from starting automatically. It must be created or resumed after a user gesture on the page. wrapper.js:1:332722
Adding listener for 'fsLogout' in iframe 'iframeRP'. jednorazova-platba:8:300
Trying to find all callback-button elements. callbackRegisterListeners.min.js:2:245
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user’s experience. For more help https://xhr.spec.whatwg.org/#sync-warning main.0f0d042a5328853b.js:1:15344
Adding listener for 'fsLogout' in iframe 'iframeRP'. jednorazova-platba:8:300
JS module loaded successfully: https://online.csob.cz/html/static/VAADIN/jsQR/v7f-jsQR-loader.js?v=v7f-client-2-31-10-build-2025-10-16-13-06 jednorazova-platba:1:1296
JS module loaded successfully: https://online.csob.cz/html/static/VAADIN/pdfjs/pdf.mjs?v=v7f-client-2-31-10-build-2025-10-16-13-06 jednorazova-platba:1:1296
Source map error: Error: request failed with status 404
Stack in the worker:networkRequest@resource://devtools/client/shared/source-map-loader/utils/network-request.js:43:9
Resource URL: https://online.csob.cz/o/pui-theme-oneib-ng/css/v01/profiles/csob/profile.css?browserId=firefox&themeId=puioneibng_WAR_puithemeoneibng&minifierType=css&languageId=cs_CZ&b=7307&t=1777493254000
Source Map URL: profile.css.map
Window.fullScreen attribute is deprecated and will be removed in the future. jednorazova-platba
onmozfullscreenchange is deprecated. jednorazova-platba
onmozfullscreenerror is deprecated. jednorazova-platba
JS module loaded successfully: https://online.csob.cz/html/static/VAADIN/jsQR/v7f-jsQR-loader.js?v=v7f-client-2-31-10-build-2025-10-16-13-06 jednorazova-platba:1:23396
Source map error: Error: NetworkError when attempting to fetch resource.
Resource URL: https://identita.csob.cz/op-iframe/main.0f0d042a5328853b.js
Source Map URL: main.0f0d042a5328853b.js.map
I can download some of these JavaScript files or something? Should I retest with Fennec on Android (it's a bit more hassle to do that)?
Comment 9•1 month ago
|
||
Thanks for confirming! Let's see what the media folks think.
Comment 10•1 month ago
|
||
The severity field is not set for this bug.
:jib, could you have a look please?
For more information, please visit BugBot documentation.
Comment 11•1 month ago
|
||
If this is indeed a camera access problem we should be able to diagnose it with webrtc logs. Could you go to about:logging, select the webrtc preset and record the issue again? When you stop logging, the firefox profiler will open. Make sure to include hidden threads when you upload, or manually make visible all threads in the parent process. Thanks!
| Reporter | ||
Comment 12•1 month ago
|
||
(In reply to Andreas Pehrson [:pehrsons] from comment #11)
If this is indeed a camera access problem we should be able to diagnose it with webrtc logs. Could you go to about:logging, select the webrtc preset and record the issue again? When you stop logging, the firefox profiler will open. Make sure to include hidden threads when you upload, or manually make visible all threads in the parent process. Thanks!
https://share.firefox.dev/3RmqbVb
Is that it?
Updated•1 month ago
|
Comment 13•1 month ago
|
||
Thanks for the profile. There's no trace of them using any camera API. I'm not sure what they're gating this on. If you install a UA string switcher extension and play with that (try e.g. non-linux Firefox, then another browser), do you see a difference?
Updated•1 month ago
|
| Reporter | ||
Comment 14•1 month ago
|
||
(In reply to Andreas Pehrson [:pehrsons] from comment #13)
Thanks for the profile. There's no trace of them using any camera API. I'm not sure what they're gating this on. If you install a UA string switcher extension and play with that (try e.g. non-linux Firefox, then another browser), do you see a difference?
This is physically from Firefox/Linux (151.0.2, from the Mozilla Flatpak, the computer is Lenovo Thinkpad T14s with built-in camera which works with Firefox and Google Meet, for example):
- Firefox/Windows https://share.firefox.dev/4ag8LzR
- Firefox/Mac OS X https://share.firefox.dev/4wPvD33
- Chrome/Linux https://share.firefox.dev/4dT2Ly5
- Chrome/Windows page refuses to load
- Chrome/Mac OS X page refuses to load
This one is from physical Firefox/Android (Fennec from F-Droid):
- Firefox/Windows https://share.firefox.dev/3POk5MK
- Safari/Mac OS X https://share.firefox.dev/4dWbxeW
- Safari/iPhone https://share.firefox.dev/49rHfz5
- Chrome/Android page refuses to load
In all cases enhanced protection was switched off and per-site caches were cleared
Comment 15•1 month ago
|
||
I looked at one of the profiles but no improvement there. I did see some peerconnection pref reads in the profile though which got me curious. I went back to the first logging profile you posted since it had stacks for log messages, and it indeed showed a getUserMedia call, but this path being taken. Meaning they made a call like navigator.mediaDevices.getUserMedia({}) or similar, i.e. without requesting video.
That's weird and not supported by spec, or Chrome.
The js files you attached are minified so it's near impossible to tell where those invalid constraints are coming from. It would be easier in a js debugger, if you're up for that.
| Reporter | ||
Comment 16•1 month ago
|
||
(In reply to Andreas Pehrson [:pehrsons] from comment #15)
The js files you attached are minified so it's near impossible to tell where those invalid constraints are coming from. It would be easier in a js debugger, if you're up for that.
Not without very careful hand-holding, I haven’t debugged JavaScript application for years and even those were much more simple (actually, the last time I can think about was when I was still maintaining https://gitlab.com/mcepl/bugzilla-triage and the website was this and RH bugzillas). My Matrix ID is @matej:ceplovi.cz if you want to organise some kind of live session debugging (and I live in Prague, Czechia, so it is CEST time zone).
Description
•