Closed Bug 680365 Opened 9 years ago Closed 4 years ago

Content of m.youtube.com, mobile.twitter.com is not displayed if "Allow Cookies" is set to "No" - window.sessionStorage can be read but not used

Categories

(Firefox :: Preferences, defect, P2)

ARM
Android
defect

Tracking

()

RESOLVED WORKSFORME
Tracking Status
platform-rel --- ?
firefox17 --- affected
firefox18 --- affected
firefox19 --- affected
firefox29 --- affected
firefox30 --- affected
firefox31 --- affected

People

(Reporter: csuciu, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [platform-rel-Youtube][platform-rel-Twitter])

Attachments

(1 file)

Build id : Mozilla/5.0 (Android;Linux armv7l;rv:9.0a1)Gecko/20110818
Firefox/9.0a1 Fennec/9.0a1
Device: HTC Desire
OS: Android 2.2

Steps to reproduce:
1. Open Fennec App
2. Go to Preferences > Feedback Tools tab and enable the Error Console
3. Go to Preferences and set "Allow Cookies" to No
4. Exit Preferences and try to open "www.m.youtube.com"  
5. Go to Preferences > Feedback Tools tab and enable the Error Console
6. Browse to www.google.com
7. Close the tab opened at step 6.

Expected result:
The content of "m.youtube" should be properly loaded and no error should be present in the Error Console

Actual result:
The content of "m.youtube" is not loaded. A blank white page is displayed without any content in it. 
Also the following error is generated continuously while the page is open:
Error: uncaught exception:[Exception..."Security error" code:"1000" nsresult:"0x805303e8(NS_ERROR_DOM_SECURITY_ERR)" location:"http://m.youtube.com/index?desktop_uri=%2F&gl=US Line:612"]
Please ignore steps 5, 6 and 7. These steps were added by mistake.
desktop shows the youtube, and plays youtube videos.
Priority: -- → P3
Priority: P3 → --
Summary: Content of m.youtube.com is not displayed if "Allow Cokies" is set to "No" → Content of m.youtube.com is not displayed if "Allow Cookies" is set to "No"
Confirmed that I see this as well on Firefox mobile. Need to determine if this is a Firefox or website issue.
 It seems like a user agent specific issue.  iPhone 3 user agent also makes the screen go blank.

Switched user agent to fennec on the desktop Firefox and set the privacy controls in the about:config :

network.cookie.cookieBehavior;2
privacy.item.cookies;true

I got the same result as fennec; the web page was blank.
With the privacy setting still the same and the user agent switched to Firefox, I do see the videos.
Assignee: nobody → english-us
Component: General → English US
Product: Fennec → Tech Evangelism
QA Contact: general → english-us
Version: Trunk → unspecified
Depends on: 739832
Assignee: english-us → nobody
Component: English US → Evangelism
Product: Tech Evangelism → Fennec Native
QA Contact: english-us → evangelism
Just tried this on the 4/5/2012 Nightly build. Confirmed this is still happening.
No longer depends on: 739832
blocking-kilimanjaro: --- → ?
Youtube is a top site/app. Not showing content at all in a case where cookies are disabled could be troublesome, although I could see the argument that use case could happen less often, but I don't know. Might want to review this for kilimanjaro, as this relates to kilimanjaro.
blocking-kilimanjaro: ? → +
No longer blocks: google-evangelism
Jason, have you looked into the cause of this bug? Comment 0 about the error makes it sounds like there is a chance this is an issue in our code base. Of course comment 4 makes it sounds like the issue is with YouTube - and I can confirm that the site functions (although it is not the same mobile site) using the desktop UA on mobile with cookies disabled. If we do need to pass this issue on to YouTube do we have any more information to provide to them?
Priority: -- → P2
(In reply to Lawrence Mandel [:lmandel] from comment #7)
> Jason, have you looked into the cause of this bug? Comment 0 about the error
> makes it sounds like there is a chance this is an issue in our code base. Of
> course comment 4 makes it sounds like the issue is with YouTube - and I can
> confirm that the site functions (although it is not the same mobile site)
> using the desktop UA on mobile with cookies disabled. If we do need to pass
> this issue on to YouTube do we have any more information to provide to them?

Comparing stock vs. fennec native, stock does not reproduce this behavior when cookies are disabled, fennec native does. Are we sure this isn't a problem on our end? Exceptions thrown (the NS_ERROR things) are more likely to imply that it's a problem on our end (usually we catch them and report "useful" error messages). Moving to Core --> Security to check if this is a problem on our end.
Component: Evangelism → Security
Product: Fennec Native → Core
QA Contact: evangelism → toolkit
Priority: P2 → --
Unnoming nomination - I don't think minor issues with top sites should be blockers for k9o.
blocking-kilimanjaro: + → ?
I set P2 to indicate that this is a minor issue. Having P2 set causes the issue to show as minor on the compatibility dashboard. We can reset the priority based on any security feedback.
Priority: -- → P2
Leaving as k9o? until we can investigate the issue to identify whether this is a problem in our platform and whether there is any security concern.
Same issue on mobile.twitter.com. 
Page content is not displayed if cookies are disabled
Mark, Brad - Any idea what's going on in the YouTube and Twitter cases when cookies are disabled?
blocking-kilimanjaro: ? → ---
If I search for something with Twitter Search Engine and Cookies are disabled, a grey screen is displayed.

--
Firefox 19.0a1 (2012-10-10)
Device: Galaxy Note
OS: Android 4.0.4
Cristian - Are you saying that this issue is reproducible on Twitter as well as YouTube? Can you reproduce the issue on any other sites?
(In reply to Lawrence Mandel [:lmandel] from comment #15)
> Cristian - Are you saying that this issue is reproducible on Twitter as well
> as YouTube? Can you reproduce the issue on any other sites?

Yes, there is the same behavior for both. I didn't see the same issue for a different website so far, but I will post a comment if I will find another page.
Blocks: twitter.com
Summary: Content of m.youtube.com is not displayed if "Allow Cookies" is set to "No" → Content of m.youtube.com, mobile.twitter.com is not displayed if "Allow Cookies" is set to "No"
Hi,

is there an update to this?

Thanks
This is still an issue on the latest builds
In the Web console I get:

# YOUTUBE - Cookies blocked
GET http://m.youtube.com/ [HTTP/1.1 200 OK 131ms]
GET https://accounts.google.com/ServiceLogin [HTTP/1.1 200 OK 81ms]
SecurityError: The operation is insecure. m.youtube.com:175
TypeError: Fv is undefined m.youtube.com:557
GET http://m.youtube.com/gen_204 [HTTP/1.1 200 OK 57ms]
Load denied by X-Frame-Options: https://accounts.google.com/ServiceLogin?hl=en&passive=true&uilel=3&ltmpl=mobile&service=youtube&continue=http%3A%2F%2Fm.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Dm%26feature%3Dmobile_passive%26hl%3Den%26next%3Dhttp%253A%252F%252Fm.youtube.com%252Fsignin_passive%253Foriginal_url%253Dhttp%25253A%25252F%25252Fm.youtube.com%25252F does not permit framing.


# TWITTER - Cookies Blocked
GET https://mobile.twitter.com/ [HTTP/1.1 200 OK 922ms]
"Revision: babe59e70c003facec64103e9ea4124f2523fa4a" mobile.twitter.com:51
SecurityError: The operation is insecure. mobile.twitter.com:41
SecurityError: The operation is insecure. mobile.twitter.com:142


fwiw by putting Chrome UA, iphone UA, Opera UA in Firefox Desktop (instead of Firefox Android UA), we get the same behavior.


So I don't think there is an evangelization issue here. I tried other Web sites. Facebook is working well, Mixi is working well. I tried Le Monde. BostonGlobe, they all displayed fine.

I wonder if it's a blocking script which absolutely needs a cookie before processing further.
Is reading window.localStorage supposed to throw security errors when cookies are disabled?

Not sure if that is the main issue but it seems likely (I know Twitter also uses localStorage)
(It also sure looks strange that they add a 0px times 0px IFRAME referencing an accounts.google.com URL that comes with X-Frame-Options header preventing it from actually loading into the IFRAME..)

First security exception is thrown here:
function Be(){var a=null;try{a=window.localStorage||null}catch(b){}this.B=a}
This code obviously expects that localStorage can throw, and handles it by assigning null instead. However, it also tries to see if window.sessionStorage is available - and here Firefox is inconsistent, we allow reading sessionStorage but throw exceptions if you try to *use* it. Bad..
Summary: Content of m.youtube.com, mobile.twitter.com is not displayed if "Allow Cookies" is set to "No" → Content of m.youtube.com, mobile.twitter.com is not displayed if "Allow Cookies" is set to "No" - window.sessionStorage can be read but not used
platform-rel: --- → ?
Whiteboard: [platform-rel-Youtube]
Whiteboard: [platform-rel-Youtube] → [platform-rel-Youtube][platform-rel-Twitter]
I'm not sure who would own this and/or decide if we're ever going to work on it... ? (Note: I can't check STR)
Flags: needinfo?(sworkman)
Flags: needinfo?(sarentz)
Clearing the needinfo for Stefan.

Chris, I know Cookies has overlap with Networking, but this is a privacy-related issue. Which component backlog do you think we should put this in?
Flags: needinfo?(sworkman)
Flags: needinfo?(sarentz)
Flags: needinfo?(ckerschb)
(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #24)
> Chris, I know Cookies has overlap with Networking, but this is a
> privacy-related issue. Which component backlog do you think we should put
> this in?

Well, I agree it's tricky, but it sounds to me the problem is related to Preferences, hence I would categories this bug as:
Product:Firefox
Component: Preferences
Flags: needinfo?(ckerschb)
Is this bug still valid? I am unable to reproduce this issue by disabling cookies on Fennec.

It's important to the Platform Reltations team that we understand if there's a problem here as it has  impact on external partners (Twitter, YouTube, and possibly others)
Flags: needinfo?(sdeckelmann)
Flags: needinfo?(dbolter)
Let's try moving this to preferences per comment 25.
Component: Security → Preferences
Flags: needinfo?(dbolter)
Product: Core → Firefox
This issue was retested and it WFM on 54.0a1 (31.01.2017) and 52.0b2 by using the following devices: Prestigio Multi phone duo (Android 4.4.2), Nexus 4 (Android 5.1.1), Samsung Galaxy S6 EDGE (Android 6.0) and Nexus 6P(Android 7.0)
This also works for me with the STR.

Let's go ahead and close.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(sdeckelmann)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.