ETP Standard breaks embedded Twitter videos (e.g., on The Verge and NYT)
Categories
(Core :: Privacy: Anti-Tracking, defect, P1)
Tracking
Release | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected |
firefox77 | --- | wontfix |
firefox78 | --- | fixed |
firefox79 | --- | fixed |
firefox80 | --- | fixed |
People
(Reporter: csasca, Assigned: englehardt)
References
(Blocks 1 open bug)
Details
(Keywords: regression)
Affected versions
- Firefox 77.0
- Firefox 78.0a1
Affected platforms
- macOS 10.15
- Windows 7
- Ubuntu 18.04
Steps to reproduce
- Launch Firefox
- Access an article from The Verge, for example, and scroll down to where the video is located
- Click on play
Expected result
- The video is played without issues
Actual result
- The video is not played back
Regression range
- Will see for a regression, it seems that 68.9.0esr is not affected
Additional notes
- The issue can be seen in the following attachment
Comment 1•4 years ago
Turn off ETP on this website and the video will work.
Comment 2•4 years ago
S1 or S2 bugs need an assignee - could you find someone for this bug?
Comment 3•4 years ago (Assignee)
The Twitter video is embedded in the iframe: https://twitter.com/i/videos/tweet/1265444495488880649?embed_source=clientlib&player_id=0&rpc_init=1&autoplay=1&language_code=en&use_syndication_guest_id=true. Since twitter.com is on the blocklist, this iframe does not have storage access.
This iframe embeds the script: https://abs.twimg.com/web-video-player/TwitterVideoPlayerIframe.cefd459559024bfb.js which does the following storage access checks:

    f = function() {
        var e = d && window.indexedDB || "undefined" != typeof self && self.indexedDB;
        if (e && d) try {
            window.localStorage.setItem("test", "a"), window.localStorage.removeItem("test")
        } catch (e) {
            return !1
        }
        return e
    },

When window.indexedDB is accessed, an uncaught SecurityError is thrown and the video never loads.

    Uncaught DOMException: The operation is insecure. TwitterVideoPlayerIframe.cefd459559024bfb.js:76

This is unfortunate because the code here is clearly trying to test whether it has access to window.indexedDB (which it doesn't) and then fall back to local storage (which will also throw a security error). If Twitter were to include indexedDB in the try-catch the video would likely load.
We also have a few options on our end. If scripts do indeed expect window.indexedDB to be null instead of throwing a SecurityError, that might be a better approach.
Alternatively, we can consider adding something similar to isolated localStorage.
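
The failure mode analysed in Comment 3, as an added example that is not part of the bug thread and is not Twitter's or Mozilla's code: a probe that reads `indexedDB` outside its try block, next to a form that guards every storage read. The function names, the `win` parameter standing in for `window`, and the two constructed window doubles are assumptions made for illustration; the minified flag `d` is taken as true.

```javascript
// Probe shaped like the one quoted in Comment 3 (flag `d` taken as true):
// the indexedDB read sits outside the try block, so a throwing getter
// escapes uncaught and aborts whatever called the probe.
function originalStyleProbe(win) {
  const e = win.indexedDB;
  if (e) try {
    win.localStorage.setItem("test", "a");
    win.localStorage.removeItem("test");
  } catch (err) {
    return false;
  }
  return e;
}

// Hardened form: every storage property read happens inside a try/catch.
function pickStorage(win) {
  try {
    if (win.indexedDB) return "indexedDB";
  } catch (err) { /* SecurityError: storage access denied */ }
  try {
    win.localStorage.setItem("test", "a");
    win.localStorage.removeItem("test");
    return "localStorage";
  } catch (err) { /* denied, missing or full */ }
  return "none"; // caller can fall back to in-memory state
}

// Constructed test double: a third-party frame whose storage getters throw.
function makeBlockedWindow() {
  const win = {};
  for (const prop of ["indexedDB", "localStorage"]) {
    Object.defineProperty(win, prop, {
      get() {
        const e = new Error("The operation is insecure.");
        e.name = "SecurityError";
        throw e;
      },
    });
  }
  return win;
}

// Constructed test double: a frame with working storage.
function makeOpenWindow(withIndexedDB) {
  const localStorage = { setItem() {}, removeItem() {} };
  return { indexedDB: withIndexedDB ? {} : null, localStorage };
}
```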
Comment 4•4 years ago (Assignee)
Mike, do you know if we have contacts at Twitter who can help?
Comment 5•4 years ago
Hi, I tried to get a regression range for this issue and I went back as far as I could, but it seems that between 2018-09-01 and 2018-08-31 there was not enough data to bisect.
Here are the pushlogs from the last known good build and the first known bad build. I was unable to pinpoint the issue causing it, but maybe it helps someone who knows more about it:
Comment 6•4 years ago (Assignee)
This also reproduces on https://www.nytimes.com/2020/05/28/us/george-floyd-national-guard.html. I suspect this happens with all embedded Twitter videos.
Comment 7•4 years ago (Assignee)
We've shipped a skiplist intervention (Bug 1641969) and are planning to migrate to a webcompat intervention (Bug 1641998).
Comment 8•4 years ago
I sent an email to our internal Mozilla/Twitter list.
Comment 10•4 years ago (Assignee)
I've verified that this is now fixed in Nightly 80 and Release 78.