Closed
Bug 1505585
Opened 6 years ago
Closed 6 years ago
Tracking cookie blocking + Strict list breaks the Google Plus sign-in flow
Categories
(Firefox :: Protections UI, defect, P2)
RESOLVED
DUPLICATE
of bug 1505212
People
(Reporter: englehardt, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [privacy65])
Tracking cookie blocking + the strict list breaks Google Plus' sign-in flow for sites that use a custom button. This sign-in flow is documented as deprecated in favor of their new flow (also broken, Bug 1505571). Documentation for the old sign-in flow can be found here: https://web.archive.org/web/20150317143723/https://developers.google.com/+/web/signin/customize and https://developers.google.com/+/web/signin/
I added the demo code from the archived documentation here: https://senglehardt.com/test/identity_providers/google_plus.html
STR:
1. Click the Google button
2. Nothing happens
Expected result:
A pop-up should be shown. Note that I haven't properly integrated Google Plus with my domain, so the pop-up will show an error message.
This appears to be the root cause of the breakage observed in Bug 1502316 as well as on https://9gag.com/login. In all three cases, we see a click handler on the login button with the following code:
function() {
    _.Ix(f, g)
}
This handler will fail as described in Bug 1502316 Comment 12.
Updated•6 years ago
Priority: -- → P2
Whiteboard: [privacy65]
Comment 1•6 years ago
With bug 1505212 fixed, the google_plus.html test page opens a popup pointing to <https://accounts.google.com/o/oauth2/auth?response_type=permission%20id_token%20code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.login%20profile%20email&openid.realm=&include_granted_scopes=true&redirect_uri=storagerelay%3A%2F%2Fhttps%2Fsenglehardt.com%3Fid%3Dauth787097&client_id=841077041629.apps.googleusercontent.com&ss_domain=https%3A%2F%2Fsenglehardt.com&gsiwebsdk=shim&access_type=offline> with the following text:
400. That’s an error.
Error: redirect_uri_mismatch
The JavaScript origin in the request, https://senglehardt.com, does not match the ones authorized for the OAuth client. Visit https://console.developers.google.com/apis/credentials/oauthclient/841077041629.apps.googleusercontent.com?project=841077041629 to update the authorized JavaScript origins.
Learn more
Request Details
That’s all we know.
Does this mean the bug is fixed?
Flags: needinfo?(senglehardt)
Reporter
Comment 2•6 years ago
Yes that error is expected since I didn't fully configure the Google Plus integration. The important part is that we're now able to trigger a pop-up. If Bug 1502316 and 9gag's logins are fixed, I think it's safe to close this. If we see more breakage we can file a new bug to investigate.
Flags: needinfo?(senglehardt)