680365 - Content of m.youtube.com, mobile.twitter.com is not displayed if "Allow Cookies" is set to "No" - window.sessionStorage can be read but not used

Status: RESOLVED WORKSFORME

(Firefox :: Settings UI, defect, P2)

Description

[Catalin Suciu [:csuciu]]

Build id : Mozilla/5.0 (Android;Linux armv7l;rv:9.0a1)Gecko/20110818
Firefox/9.0a1 Fennec/9.0a1
Device: HTC Desire
OS: Android 2.2

Steps to reproduce:
1. Open Fennec App
2. Go to Preferences > Feedback Tools tab and enable the Error Console
3. Go to Preferences and set "Allow Cookies" to No
4. Exit Preferences and try to open "www.m.youtube.com"  
5. Go to Preferences > Feedback Tools tab and enable the Error Console
6. Browse to www.google.com
7. Close the tab opened at step 6.

Expected result:
The content of "m.youtube" should be properly loaded and no error should be present in the Error Console

Actual result:
The content of "m.youtube" is not loaded. A blank white page is displayed without any content in it. 
Also the following error is generated continuously while the page is open:
Error: uncaught exception:[Exception..."Security error" code:"1000" nsresult:"0x805303e8(NS_ERROR_DOM_SECURITY_ERR)" location:"http://m.youtube.com/index?desktop_uri=%2F&gl=US Line:612"]

Comment 1

[Catalin Suciu [:csuciu]]

Please ignore steps 5, 6 and 7. These steps were added by mistake.

Comment 2

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

desktop shows the youtube, and plays youtube videos.

Comment 3

[Kevin Brosnan [Ex-Mozilla]]

Confirmed that I see this as well on Firefox mobile. Need to determine if this is a Firefox or website issue.

Comment 4

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

 It seems like a user agent specific issue.  iPhone 3 user agent also makes the screen go blank.

Switched user agent to fennec on the desktop Firefox and set the privacy controls in the about:config :

network.cookie.cookieBehavior;2
privacy.item.cookies;true

I got the same result as fennec; the web page was blank.
With the privacy setting still the same and the user agent switched to Firefox, I do see the videos.

Comment 5

[Jason Smith [:jsmith]]

Just tried this on the 4/5/2012 Nightly build. Confirmed this is still happening.

Comment 6

[Jason Smith [:jsmith]]

Youtube is a top site/app. Not showing content at all in a case where cookies are disabled could be troublesome, although I could see the argument that use case could happen less often, but I don't know. Might want to review this for kilimanjaro, as this relates to kilimanjaro.

Comment 7

[Lawrence Mandel [:lmandel] (use needinfo)]

Jason, have you looked into the cause of this bug? Comment 0 about the error makes it sounds like there is a chance this is an issue in our code base. Of course comment 4 makes it sounds like the issue is with YouTube - and I can confirm that the site functions (although it is not the same mobile site) using the desktop UA on mobile with cookies disabled. If we do need to pass this issue on to YouTube do we have any more information to provide to them?

Comment 8

[Jason Smith [:jsmith]]

(In reply to Lawrence Mandel [:lmandel] from comment #7)
> Jason, have you looked into the cause of this bug? Comment 0 about the error
> makes it sounds like there is a chance this is an issue in our code base. Of
> course comment 4 makes it sounds like the issue is with YouTube - and I can
> confirm that the site functions (although it is not the same mobile site)
> using the desktop UA on mobile with cookies disabled. If we do need to pass
> this issue on to YouTube do we have any more information to provide to them?

Comparing stock vs. fennec native, stock does not reproduce this behavior when cookies are disabled, fennec native does. Are we sure this isn't a problem on our end? Exceptions thrown (the NS_ERROR things) are more likely to imply that it's a problem on our end (usually we catch them and report "useful" error messages). Moving to Core --> Security to check if this is a problem on our end.

Comment 9

[Jason Smith [:jsmith]]

Unnoming nomination - I don't think minor issues with top sites should be blockers for k9o.

Comment 10

[Lawrence Mandel [:lmandel] (use needinfo)]

I set P2 to indicate that this is a minor issue. Having P2 set causes the issue to show as minor on the compatibility dashboard. We can reset the priority based on any security feedback.

Comment 11

[Lawrence Mandel [:lmandel] (use needinfo)]

Leaving as k9o? until we can investigate the issue to identify whether this is a problem in our platform and whether there is any security concern.

Comment 12

[Catalin Suciu [:csuciu]]

Same issue on mobile.twitter.com. 
Page content is not displayed if cookies are disabled

Comment 13

[Lawrence Mandel [:lmandel] (use needinfo)]

Mark, Brad - Any idea what's going on in the YouTube and Twitter cases when cookies are disabled?

Comment 14

[Cristian Nicolae (:xti)]

If I search for something with Twitter Search Engine and Cookies are disabled, a grey screen is displayed.

--
Firefox 19.0a1 (2012-10-10)
Device: Galaxy Note
OS: Android 4.0.4

Comment 15

[Lawrence Mandel [:lmandel] (use needinfo)]

Cristian - Are you saying that this issue is reproducible on Twitter as well as YouTube? Can you reproduce the issue on any other sites?

Comment 16

[Cristian Nicolae (:xti)]

(In reply to Lawrence Mandel [:lmandel] from comment #15)
> Cristian - Are you saying that this issue is reproducible on Twitter as well
> as YouTube? Can you reproduce the issue on any other sites?

Yes, there is the same behavior for both. I didn't see the same issue for a different website so far, but I will post a comment if I will find another page.

Comment 17

[bug.zilla]

Hi,

is there an update to this?

Thanks

Comment 18

[Catalin Suciu [:csuciu]]

This is still an issue on the latest builds

Comment 19

[Karl Dubost💡 :karlcow]

In the Web console I get:

# YOUTUBE - Cookies blocked
GET http://m.youtube.com/ [HTTP/1.1 200 OK 131ms]
GET https://accounts.google.com/ServiceLogin [HTTP/1.1 200 OK 81ms]
SecurityError: The operation is insecure. m.youtube.com:175
TypeError: Fv is undefined m.youtube.com:557
GET http://m.youtube.com/gen_204 [HTTP/1.1 200 OK 57ms]
Load denied by X-Frame-Options: https://accounts.google.com/ServiceLogin?hl=en&passive=true&uilel=3&ltmpl=mobile&service=youtube&continue=http%3A%2F%2Fm.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Dm%26feature%3Dmobile_passive%26hl%3Den%26next%3Dhttp%253A%252F%252Fm.youtube.com%252Fsignin_passive%253Foriginal_url%253Dhttp%25253A%25252F%25252Fm.youtube.com%25252F does not permit framing.


# TWITTER - Cookies Blocked
GET https://mobile.twitter.com/ [HTTP/1.1 200 OK 922ms]
"Revision: babe59e70c003facec64103e9ea4124f2523fa4a" mobile.twitter.com:51
SecurityError: The operation is insecure. mobile.twitter.com:41
SecurityError: The operation is insecure. mobile.twitter.com:142


fwiw by putting Chrome UA, iphone UA, Opera UA in Firefox Desktop (instead of Firefox Android UA), we get the same behavior.


So I don't think there is an evangelization issue here. I tried other Web sites. Facebook is working well, Mixi is working well. I tried Le Monde. BostonGlobe, they all displayed fine.

I wonder if it's a blocking script which absolutely needs a cookie before processing further.

Comment 20

[Hallvord R. M. Steen [:hallvors]]

Is reading window.localStorage supposed to throw security errors when cookies are disabled?

Not sure if that is the main issue but it seems likely (I know Twitter also uses localStorage)

Comment 21

[Hallvord R. M. Steen [:hallvors]]

(It also sure looks strange that they add a 0px times 0px IFRAME referencing an accounts.google.com URL that comes with X-Frame-Options header preventing it from actually loading into the IFRAME..)

First security exception is thrown here:
function Be(){var a=null;try{a=window.localStorage||null}catch(b){}this.B=a}
This code obviously expects that localStorage can throw, and handles it by assigning null instead. However, it also tries to see if window.sessionStorage is available - and here Firefox is inconsistent, we allow reading sessionStorage but throw exceptions if you try to *use* it. Bad..

Comment 22

[Hallvord R. M. Steen [:hallvors]]

Attachment: local storage/session storage - run test with cookies disabled

Comment 23

[David Bolter [:davidb] (NeedInfo me for attention)]

I'm not sure who would own this and/or decide if we're ever going to work on it... ? (Note: I can't check STR)

Comment 24

[Steve Workman [:sworkman] (INACTIVE)]

Clearing the needinfo for Stefan.

Chris, I know Cookies has overlap with Networking, but this is a privacy-related issue. Which component backlog do you think we should put this in?

Comment 25

[Christoph Kerschbaumer [:ckerschb]]

(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #24)
> Chris, I know Cookies has overlap with Networking, but this is a
> privacy-related issue. Which component backlog do you think we should put
> this in?

Well, I agree it's tricky, but it sounds to me the problem is related to Preferences, hence I would categories this bug as:
Product:Firefox
Component: Preferences

Comment 26

[Thomas Elin [:relaas]]

Is this bug still valid? I am unable to reproduce this issue by disabling cookies on Fennec.

It's important to the Platform Reltations team that we understand if there's a problem here as it has  impact on external partners (Twitter, YouTube, and possibly others)

Comment 27

[David Bolter [:davidb] (NeedInfo me for attention)]

Let's try moving this to preferences per comment 25.

Comment 28

[u549602]

This issue was retested and it WFM on 54.0a1 (31.01.2017) and 52.0b2 by using the following devices: Prestigio Multi phone duo (Android 4.4.2), Nexus 4 (Android 5.1.1), Samsung Galaxy S6 EDGE (Android 6.0) and Nexus 6P(Android 7.0)

Comment 29

[Mike Taylor [:miketaylr]]

This also works for me with the STR.

Let's go ahead and close.