Closed Bug 1621729 Opened 5 years ago Closed 2 years ago

privacy.resistFingerprinting set to true breaks login at https://appleid.apple.com

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Version:
74 Branch
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: herbert, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor][fingerprinting][domsecurity-backlog1])

Attachments

(2 files)

resistFingerprintingIsOn.png
3.13 MB, image/png
Details
resistFingerprintingIsOff.png
3.47 MB, image/png
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

privacy.resistFingerprinting set to true

Visit https://appleid.apple.com to sign in.

Actual results:

SIgn-in part does not load.

Expected results:

Sign-in part should load.

Blocks: fingerprinting-breakage
Priority: -- → P2
Whiteboard: [tor][fingerprinting][domsecurity-backlog1]

Tom and Tim, have we seen this kind of breakage in the past? Do you have ideas on why resistFingerprinting would cause this problem?

Flags: needinfo?(tom)
Flags: needinfo?(tihuang)

They're calling window.performance.getEntriesByName() and assuming it will return values and then indexing into the result (which has no values.) This causes a JavaScript error and the page breaks and stops loading.

Flags: needinfo?(tom)
Flags: needinfo?(tihuang)

No promises, but I'm told that we will let Apple know about this issue and perhaps they will fix it.

Apple engineer who winds up on this page: Here is our behavior. To test:

  1. go to about:config
  2. search for privacy.resistFingerprinting and set it to True

I've reached out to a contact at Apple about this.

(In reply to Peter Saint-Andre [:stpeter] from comment #6)

I've reached out to a contact at Apple about this.

Did they respond that they'll fix their website as Tom mentioned?

Status: UNCONFIRMED → NEW
Ever confirmed: true

https://www.svtplay.se is also similarly broken by perfomance API spoofing (website fails to load).

TypeError: "can't access property "duration", window.performance.getEntriesByName(...)[0] is undefined"

(In reply to Ethan Tseng [:ethan] from comment #7)

(In reply to Peter Saint-Andre [:stpeter] from comment #6)

I've reached out to a contact at Apple about this.

Did they respond that they'll fix their website as Tom mentioned?

My contact is figuring out how to route this issue at Apple.

Peter, did your contact figured out how to route this issue to Apple?

Severity: normal → S3

This is still an issue in FF 78.0.2. Is this something that could be brought up with the WebCompat team to work with Apple on?

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

After a 7 months this is stil an issue on FF 81.0.1.

Can't believe that apple login is closed and set as a duplicate to some porn stuff.
I see it as is discourage for future bug reporting.

Sorry, my mistake and thanks for confirming it is still an issue. Bug 1637985 looks like it should have fixed the issue mentioned in Comment 4 in FF 79 and my Comment 8 test case with a similar problem now works but the apple login is still broken:

Uncaught TypeError: can't access property "startTime", d[(d.length - 1)] is undefined
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

RFP off, array is populated
RFP on, array is empty

.measure should return results with 100ms precision or something like that

https://developer.mozilla.org/en-US/docs/Web/API/Performance/measure

	try {
		const markerNameA = "example-marker-a"
		const markerNameB = "example-marker-b"
		performance.mark(markerNameA)
		setTimeout(function() {
			performance.mark(markerNameB)
			setTimeout(function() {
				// create
				performance.measure("measure a to b", markerNameA, markerNameB)
				performance.measure("measure a to now", markerNameA)
				performance.measure("measure from navigation start to b", undefined, markerNameB)
				performance.measure("measure from navigation start to now")
				// console
				console.log(performance.getEntriesByType("measure"))
				// cleanup
				performance.clearMarks()
				performance.clearMeasures()
			}, 20)
		}, 10)
	} catch(e) {
		console.error(e.name, e.message)
	}

hotels.com with RFP enabled

   TypeError: can't access property "startTime", o.performanceMetrics.findMark(...) is undefined

Word Press / OpenWeb comments (if you block wp.com the error does not occur)

 TypeError: can't access property "duration", v is undefined

nike.com logins breaks when RFP is on.

Steps to reproduce:

  • create an account (I used a disposable email like firefox relay)
  • enable RFP
  • try to login

Result:

  • an error message is shown, as well as a failed POST request in the console with output:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://unite.nike.com/login?...

(Reason: CORS header ‘Access-Control-Allow-Origin’ missing)

If I disable RFP I can login just fine.

https://www.travelocity.com/ has a similar behavior to https://bugzilla.mozilla.org/show_bug.cgi?id=1621729#c16. With RFP on:

TypeError: o.performanceMetrics.findMark(...) is undefined
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://oms.expedia.com/b/ss/expediaglobal/10/JS-2.6.0/s77722092331113. (Reason: CORS request did not succeed). Status code: (null).

twitch.tv logins are broken on Linux when RFP is on.

Steps to reproduce when using Firefox on Linux:

  • enable RFP
  • try to login

Result:

  • an error is shown, saying the browser is not supported
  • https://passport.twitch.tv/integrity is the check, it sets a 7 day cookie that prevents subsequent logins even with RFP disabled (unless the cookie is cleared)

Notes:

  • the issue doesn't occur on macOS even with RFP enabled
  • testing doesn't require an account, random credentials are fine because on macOS it shows "invalid password" while on Linux it says the browser is not supported
  • the issue can be reproduced by enabling RFP on macOS and spoofing the Navigator API to Linux (I used Canvas Blocker for this test)

Fixed by Bug 1811567: speed.cloudflare.com, zillow.com, expedia.com, hotels.com, travelocity.com, bazaarvoice.com reviews, openweb.com comments.

Already working: svtplay.se, appleid.apple.com.

Still not working: twitch.tv login, nike.com login (Bug 1805101).

Status: REOPENED → RESOLVED
Closed: 5 years ago2 years ago
Depends on: 1811567
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: