User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0 Steps to reproduce: go to bbcamerica website and click live tv. It will ask to sign in to your cable account to verify that you have access to bbc america. Actual results: Forced to retry logging in an infinite amount of times with cable company because it is not validating the login Expected results: it should return to the video player and allow you to play the live tv stream

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 (20181206214149) I was able to reproduce the mentioned behavior on Windows 10 x64 using the latest Nightly and Fx release builds. When using my DirectTV account credentials I`m forced to repeat this step infinite amount of time, hence the LiveTV does not start. The same behavior is not reproducible in the competitor browsers. Browser console output when trying to login: Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.[Learn More] livestream [AccessEnablerProxy.js][info] Version: 3.4.2-3ff3b09 RELEASE AccessEnablerProxy.js:1:17229 Request to access cookie or storage on “https://sp.auth.adobe.com/entitlement/js/AccessEnablerProxy.html?925f2c3d39000521e496#http%3A%2F%2Fwww.bbcamerica.com%2Flivestream” was blocked because it came from a tracker and content blocking is enabled. I will move this issue to Core:Networking::HTTP. However, please change if this is not the correct component.

Moving to Tracking Protection according to comment 1

Sign-in breakage with cookie restrictions...

I can reproduce this with Standard settings. Looking into it more.

Any updates here, Tanvi?

Please capture a log with MOZ_LOG=AntiTracking:5 if possible. Thanks!

I tested this today, and here is what I've found out so far. The origin that gets blocked and causes problems here is https://sp.auth.adobe.com. Upon logging in, the user clicks on an image from the first-party document, so there is no chance for our heuristic to get engaged. The main page has a display:none iframe with src set to https://sp.auth.adobe.com/entitlement/v4/AccessEnablerProxy.... When you click on the provider icon (e.g. Dish) you get sent to this URL as the first party: https://sp.auth.adobe.com/adobe-services/authenticate/saml?reg_code=SEHJJX4&noflash=true&mso_id=Dish&requestor_id=BBCA&no_iframe=false&domain_name=adobe.com&redirect_url=http://www.bbcamerica.com/livestream It gives you the following HTML: <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <body onload="document.forms[0].submit()"> <noscript> <p> <strong>Note:</strong> Since your browser does not support JavaScript, you must press the Continue button once to proceed. </p> </noscript> <p>Please wait while we send you to your provider to log in...</p><br/> <form action="https&#x3a;&#x2f;&#x2f;identity1.dishnetwork.com&#x2f;saml&#x2f;saml2&#x2f;idp&#x2f;SSOService.php" method="post"> <div> <input type="hidden" name="RelayState" value="base64-encoded-blob"/> <input type="hidden" name="SAMLRequest" value="base64-encoded-blob"/> </div> <noscript> <div> <input type="submit" value="Continue"/> </div> </noscript> </form> </body> </html> From there through a bunch of redirects you get to the login page: https://identity1.dishnetwork.com/saml/module.php/sociallogin/login.php?AuthState=longstringhere There is no sign of sp.auth.adobe.com on the page where you enter your password. After you do that and press submit, through a redirect chain you end up on https://sp.auth.adobe.com/sp/saml/SAMLAssertionConsumer which redirects you back to http://www.bbcamerica.com/livestream. The disturbing thing is that on one of the pages in this redirect chain there is a pixel with this URL: <https://synacor.112.2o7.net/b/ss/synacortveauth/1/H.24.4/s81816974326677?AQB=1&ndh=1&t=20/11/2018 19:25:17 4 300&ce=UTF-8&ns=synacor&pageName=Federated Login&g=https://identity1.dishnetwork.com/saml/module.php/sociallogin/login.php?AuthState=longstringhere&r=https://identity1.dishnetwork.com/saml/module.php/authbypass/firstbookend.php?AuthState=longstringhere&cc=USD&c1=DISH&c3=https://saml.sp.auth.adobe.com&c4=https://identity1.dishnetwork.com/saml/saml2/idp/metadata.php&c6=Federated Login&c7=409e3efea04e3f464da5c2e973ab027c&s=1920x1080&c=24&j=1.6&v=N&k=Y&bw=1280&bh=872&AQE=1> and it seems this is how the two SSO systems are syncing their login states! Then on the livestream page the adobe.com iframe tries to access its cookies, and that fails, and the login fails with this message: "You do not have a subscription to view the requested content. To upgrade your programming go to mydish.com/programming and then log back in to view content." Right now, I can't imagine us being able to design a heuristic which would be able to handle this in a generic way. :-(

Hi Chris, Can you tell us what Firefox version number and release you were using? Firefox 63 release? It would be super helpful if you could type about:config in your url bar and search for "urlclassifier.trackingAnnotationTable" and tell us the value of that preference. Thank you!