Edit buttons on blogspot broken by dFPI
Categories: Core :: Privacy: Anti-Tracking, defect, P2
People: Reporter: cgeorgiu, Unassigned
References: Blocks 1 open bug
Affected versions
- latest Nightly 75.0a1
- RC2 74.0
- Release 73.0
Affected platforms
- Windows 10 x64
- macOS 10.13
- Ubuntu 18.04 x64
Steps to reproduce
- Launch Firefox.
- Make sure that the Standard option is set in about:preferences#privacy (or set the network.cookie.cookieBehavior pref to 4).
- Access http://dfgxvxcdfgdg.blogspot.com/ in a new tab.
Expected result
- No missing elements on the page: the writing icon pen (bottom of the page), and setting tools (right part of the page).
Actual result
- Missing elements on the page: the writing icon pen (bottom of the page), and setting tools (right part of the page).
Regression range
- Not a regression, I was able to reproduce this on older Nightly builds as well (e.g. 2019-08-10).
Additional notes
- In the privacy panel, www.blogger.com and apis.google.com seem to be blocked in the Cross-site tracking cookies category, so maybe one of these trackers is causing the breakage.
Comment 1•4 years ago
I'm not able to reproduce. I see the same page with and without ETP enabled. Would you mind posting a screenshot of the diff? Do you need to be logged in?
Comment 2•4 years ago (Reporter)
Yes, you need to be logged into blogspot.com to see the breakage (totally missed this step, sorry about that). Let me know if there's anything else I can help with.
Comment 3•4 years ago
(In reply to Ciprian Georgiu [:ciprian_georgiu], Release Desktop QA from comment #2)
> Yes, you need to be logged into blogspot.com to see the breakage (totally missed this step, sorry about that). Let me know if there's anything else I can help with.
Thanks, that's helpful. I was able to reproduce with one extra piece of context: these edit buttons only seem to be available if you're on your own site. So I had to create a test site myself.
ETP blocks cookies from two origins on the page: apis.google.com and blogger.com. Skiplisting blogger.com fixes the issue, so it seems like that should be added as a property to the Google entity list. Blogger is on the Level 2 list.
Comment 4•4 years ago
I've filed https://github.com/disconnectme/disconnect-tracking-protection/issues/164 to report to Disconnect and will update this bug when that gets added.
Comment 5•4 years ago
This was fixed for ETP level 2 cookie blocking by https://github.com/mozilla-services/shavar-prod-lists/pull/172.
However, it is still broken by dynamic FPI.
Comment 6•3 years ago
The "Edit post" icon is hidden by default. The blogspot.com will load a CSS file authorization.css from www.blogger.com. The www.blogger.com will verify the login data to see if the request came from an admin user. If it's from an admin user, the authorization.css will contain the CSS rule which unhides the icon.
In the dFPI case, the storage of www.blogger.com will be partitioned since it is third-party. It won't have the cookie of the admin user. So, the "Edit post" icon won't be shown.
Comment 7•3 years ago
I think we should reach out to Google to let them know about this issue. The blogger.com requires storage access when it's loaded under first-party blogspot.com. They should use the Storage Access API to acquire access.
Steve, would you be able to do this? Thanks.
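The mechanism described in comments 6 and 7, as a small model added for illustration (not code from Firefox, Blogger, or anyone in this thread): a cookie jar keyed by top-level site shows why the authorization.css request loses the admin cookie under dFPI, and why a storage-access grant restores it. The cookie name and value, the .edit-post selector, the example.blogspot.com host and the two-label site() helper are constructed assumptions; the grant is a simplified stand-in for a successful Storage Access API request.

```javascript
// Added illustration: a minimal model of cookie partitioning (dFPI).
// Host names other than www.blogger.com, cookie values and selectors are constructed.

// Simplified "site" of a host: its last two labels (a real browser uses the Public Suffix List).
const site = (host) => host.split(".").slice(-2).join(".");

class CookieJar {
  constructor({ partitioned }) {
    this.partitioned = partitioned; // true models dFPI
    this.store = new Map();         // jar key -> Map(cookie name -> value)
    this.grants = new Set();        // "topSite|embeddedSite" pairs with storage access
  }
  // Jar key: the cookie's own site, plus the top-level site for partitioned third-party requests.
  key(topHost, reqHost) {
    const top = site(topHost), own = site(reqHost);
    const granted = this.grants.has(`${top}|${own}`);
    return this.partitioned && top !== own && !granted ? `${own}^${top}` : own;
  }
  set(topHost, reqHost, name, value) {
    const k = this.key(topHost, reqHost);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
  get(topHost, reqHost, name) {
    return this.store.get(this.key(topHost, reqHost))?.get(name);
  }
  // Models the embedded site having been granted unpartitioned storage access.
  grantStorageAccess(topHost, reqHost) {
    this.grants.add(`${site(topHost)}|${site(reqHost)}`);
  }
}

// Server side of www.blogger.com: the unhide rule is only sent for the admin session.
function authorizationCss(sessionCookie) {
  return sessionCookie === "admin-session" ? ".edit-post { display: inline; }" : "";
}

// The user logs in on www.blogger.com as first party, then opens the blog.
function loadBlog(jar, blogHost) {
  jar.set("www.blogger.com", "www.blogger.com", "sid", "admin-session");
  const css = authorizationCss(jar.get(blogHost, "www.blogger.com", "sid"));
  return css.includes(".edit-post"); // true when the "Edit post" icon is unhidden
}
```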
Comment 8•3 years ago
I've sent an email to our discussion list with Google. I also tested in Chrome Incognito (which blocks all third-party cookies) and observed the same breakage.
Comment 9•3 years ago
Thanks, any outcome from discussions with Google?
dFPI will be enabled for users of strict ETP in Firefox 86, to be released two days from now.
Comment 10•3 years ago
This reproduces when creating a new blog on blogger.com and writing a new blog post, then creating a comment. On that comment, the "Delete" button will be missing with dFPI turned on.