[BUG] Can't add Yahoo account to Thunderbird (OAuth2 + ReCaptcha)

oleole39 commented 1 year ago

Hello,

Describe the bug Not really a bug I guess, but I would like to add a Yahoo account to a Thunderbird profile with thunderbird-user.js & user.js-overrides from 12bytes.org.

After configuration of the account in TB, a webpage pops up displaying Yahoo's login screen (OAuth2). It first asks for the email address (pre-filled field), then I click "Next" and it displays the following error message within the page "Oops, something went wrong".

The URL of this page is of the following format (portions with braces are actually replacing some tokens in original URL): https://login.yahoo.net/account/challenge/recaptcha/recaptcha-script?src=oauth&client_id={clientIDToken}--&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{clientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w&sessionIndex=QQ--&acrumb={smallToken}&display=login&authMechanism=primary&lang=en-US&siteKey={siteKeyToken}&recaptchaLang=en&recaptchaDomain=www.google.com

It looks like a ReCaptcha issue, also I've tried what is advised at the top of this thread :

privacy.resistFingerprinting - false privacy.firstparty.isolate.restrict_opener_access - false privacy.firstparty.isolate - false dom.targetBlankNoOpener.enabled - false dom.webaudio.enabled - true and google.com/recaptcha & gstatic.com/recaptcha 3rd party stuff whitelisted in extensions also google likes 3rd party cookies for their services to run also don't mess with windows.name (script, CanvasBlocker: whitelist it)

More precisely I set the 5 first prefs as indicated, and authorized all cookies (not sure what are extensions' whitelist and window.name referring to). But no success.

Environment

Thunderbird version used (X.Y.Z) : 102.7.1
thunderbird user.js template version used (X.Y or commit SHA) : 102.1
Operating system and version : Linux Mint 21

Additional context This happens on a freshly created TB profile with thunderbird-user.js and user.js-overrides applied using arkenfox's updater.sh (in which I modified the update URL so that it points to this repo and not arkenfox's) and prefsCleaner.js

Checklist

[X] I can confirm the bug is due to thunderbird user.js template and not an overridden preference nor an add-on ;
[X] I have searched for [SETUP-*] tags and read them up ;
[X] I have searched the GitHub project (issues and Wiki) for my issue.

HorlogeSkynet commented 1 year ago

Hey @oleole39, before anything else, as you've overridden this template using 12bytes.org's preferences, I must ask : have you tried using this template without it ? Have you encountered the same issue ? If Yahoo's OAuth2 page uses JavaScript (which I guess is the case if Google's ReCaptcha is enforced), have you tried setting javascript.enabled to true ?

Thanks, bye :wave:

oleole39 commented 1 year ago

Thank you for the quick feedback. Yes of course I forgot to mention that I did try with Javascript enabled on the top of what I mentioned.

However I had not tried without the overrides. I've done a new test on a fresh profile with only thunderbird-user.js 102.1 applied using updater.sh and prefsCleaner.sh, changing prefs indicated hereinabove, accepting cookies, and enabling Javascript - it still fails to perform the OAuth. But I get different error messages in the debugging output:

Missing resource in locale fr: messenger/messenger.ftl
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 3 OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Some cookies are misusing the recommended “SameSite“ attribute 6
Cookie “AS” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite login.yahoo.com
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
Cookie “AS” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite 2 login.yahoo.com
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
Cookie “rxx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:1149
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. login.yahoo.com
Blocked https://login.yahoo.com/?src=oauth&client_id={ClientIDToken}--&crumb=&login_hint={emailAdress}&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w from extracting canvas data because no user input was detected. bundle.js:2:18428
Blocked https://login.yahoo.com/?src=oauth&client_id={ClientIDToken}--&crumb=&login_hint={emailAdress}&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w from extracting canvas data because no user input was detected. bundle.js:2:19275
Failed to create WebGL context: WebGL is currently disabled. bundle.js:2:26831
Failed to create WebGL context: WebGL is currently disabled. bundle.js:2:26854
Failed to create WebGL context: WebGL is currently disabled. bundle.js:2:26831
Failed to create WebGL context: WebGL is currently disabled. bundle.js:2:26854
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 2
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 2
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. recaptcha
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 4
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Invalid X-Frame-Options header was found when loading “https://login.yahoo.net/account/challenge/recaptcha/recaptcha-script?src=oauth&client_id={ClientIDToken}--&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w&sessionIndex=QQ--&acrumb={acrumbToken}&display=login&authMechanism=primary&lang=en-US&siteKey={siteKeyToken}&recaptchaLang=en&recaptchaDomain=www.google.com”: “ALLOW-FROM https://login.yahoo.net” is not a valid directive. recaptcha-script
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. recaptcha-script
Content Security Policy: The page’s settings blocked the loading of a resource at https://3p-udc.yahoo.com/v2/public/yql?yhlVer=2&yhlClient=rapid&yhlS={someParams}&yhlCT=2&yhlBTMS={someOtherParams}&yhlClientVer=3.53.30&yhlRnd={someDifferentParams}&yhlCompressed=0 (“connect-src”). rapid-3.53.30.js:1:13260
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 2 OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: The page’s settings blocked the loading of a resource at https://3p-geo.yahoo.com/p?s={someParam}&t={someParamWithCommas}&_I=&_AO=0&_NOL=0&_R=&_P=3.53.30%05_rx%03{sommeOtherParams}%033.53.30%04A_cn%03VERSIONED-PROD%04_bt%03rapid%04src%03oauth%04client_id%03{ClientIDToken}--%04redirect_uri%03http%3A%2F%2Flocalhost%04done%03https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w%04sessionIndex%03QQ--%04acrumb%03{acrumbToken}%04display%03login%04authMechanism%03primary%04lang%03en-US%04siteKey%03{siteKeyToken}%04recaptchaLang%03en%04recaptchaDomain%03www.google.com%04A_pr%03https%04A_tzoff%030%04A_sid%03{A_sidToken}%03log rapid-3.53.30.js:1:11195

Noticing the mention of webGL, I set webGL.disable to false in the prefs, and then got the following:

Missing resource in locale fr: messenger/messenger.ftl
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 3 OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Some cookies are misusing the recommended “SameSite“ attribute 6
Cookie “AS” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite login.yahoo.com
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
Cookie “AS” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite 2 login.yahoo.com
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
Cookie “rxx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:1149
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. login.yahoo.com
Blocked https://login.yahoo.com/?src=oauth&client_id={ClientIDToken}--&crumb=&login_hint={emailAdress}&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w from extracting canvas data because no user input was detected. bundle.js:2:18428
Blocked https://login.yahoo.com/?src=oauth&client_id={ClientIDToken}--&crumb=&login_hint={emailAdress}&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w from extracting canvas data because no user input was detected. bundle.js:2:19275
Blocked https://login.yahoo.com/?src=oauth&client_id={ClientIDToken}--&crumb=&login_hint={emailAdress}&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w from extracting canvas data because no user input was detected. bundle.js:2:20546
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 2
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 2
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. recaptcha
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 4
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Invalid X-Frame-Options header was found when loading “https://login.yahoo.net/account/challenge/recaptcha/recaptcha-script?src=oauth&client_id={ClientIDToken}--&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w&sessionIndex=QQ--&acrumb={acrumbToken}&display=login&authMechanism=primary&lang=en-US&siteKey={siteKeyToken}&recaptchaLang=en&recaptchaDomain=www.google.com”: “ALLOW-FROM https://login.yahoo.net” is not a valid directive. recaptcha-script
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. recaptcha-script
Content Security Policy: The page’s settings blocked the loading of a resource at https://3p-udc.yahoo.com/v2/public/yql?yhlVer=2&yhlClient=rapid&yhlS={someParams}&yhlCT=2&yhlBTMS={someOtherParams}&yhlClientVer=3.53.30&yhlRnd={someDifferentParams}&yhlCompressed=0 (“connect-src”). rapid-3.53.30.js:1:13260
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 2 OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: The page’s settings blocked the loading of a resource at https://3p-geo.yahoo.com/p?s={someParams}&t={someParamsWithCommas}&_I=&_AO=0&_NOL=0&_R=&_P=3.53.30%05_rx{someVariousParams}3.53.30%04A_cn%03VERSIONED-PROD%04_bt%03rapid%04src%03oauth%04client_id%03{ClientIDToken}--%04redirect_uri%03http%3A%2F%2Flocalhost%04done%03https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w%04sessionIndex%03QQ--%04acrumb%03{acrumbToken}%04display%03login%04authMechanism%03primary%04lang%03en-US%04siteKey%03{siteKeyToken}%04recaptchaLang%03en%04recaptchaDomain%03www.google.com%04A_pr%03https%04A_tzoff%030%04A_sid%03{A_sidToken}%03l rapid-3.53.30.js:1:11195

Not that easy to read as such, but basically I can see errors and warnings related to:

recaptcha script's page (seems to be the one to be displayed in my Thunderbird pop-up window
https://s.yimg.com/ss/rapid-3.53.30.js (loaded on same recaptcha page)
https://s.yimg.com/wm/mbr/3687bedecffabfc08130675f7d2a592f974f139f/bundle.js (loaded on same recaptcha page)
mention of "transform-origin:"; related to canvas ?

Just in case you wonder, it does work if I add the account before applying the user.js.

HorlogeSkynet commented 1 year ago

Thanks for these extended debugging traces.

I am not sure whether a WebGL context is required for this to work, but let's only change one thing at a time. There are some logs about CSP blocking resources loading ; Could you try with network.http.referer.XOriginPolicy relaxed to 1 (or even 0) ? It is known to break many authentication processes...

Good luck :wave:

oleole39 commented 1 year ago

On the top of that custom setup

cookies, including third party, accepted via privacy settings' panel
privacy.resistFingerprinting - false
privacy.firstparty.isolate.restrict_opener_access - false
privacy.firstparty.isolate - false
dom.targetBlankNoOpener.enabled - false
dom.webaudio.enabled - true
javascript.enabled - true
webgl.disabled - false

...I have set network.http.referer.XOriginPolicy to 1 then 0. Both led to the same result (same as before) and to the same debug output result, which is slightly different than before, with the script bundle.js which seems unblocked and now warning twice about some deprecated WebGL debug renderer info.

Here is the log (which is the same whether XOriginPolicy is set to 1 or 0):

Missing resource in locale fr: messenger/messenger.ftl
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 3 OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Some cookies are misusing the recommended “SameSite“ attribute 6
Cookie “AS” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite login.yahoo.com
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
Cookie “AS” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite 2 login.yahoo.com
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
Cookie “rxx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:1149
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. login.yahoo.com
WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. bundle.js:2:22709
WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. bundle.js:2:23362
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 2
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 2
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. recaptcha
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 4
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Invalid X-Frame-Options header was found when loading “https://login.yahoo.net/account/challenge/recaptcha/recaptcha-script?src=oauth&client_id={ClientIDToken}--&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w&sessionIndex=QQ--&acrumb={acrumbToken}&display=login&authMechanism=primary&lang=en-US&siteKey={siteKeyToken}&recaptchaLang=en&recaptchaDomain=www.google.com”: “ALLOW-FROM https://login.yahoo.net” is not a valid directive. recaptcha-script
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. recaptcha-script
Content Security Policy: The page’s settings blocked the loading of a resource at https://3p-udc.yahoo.com/v2/public/yql?yhlVer=2&yhlClient=rapid&yhlS={someParams}&yhlCT=2&yhlBTMS={someOtherParams}&yhlClientVer=3.53.30&yhlRnd={someDifferentParams}&yhlCompressed=0 (“connect-src”). rapid-3.53.30.js:1:13260
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 2 OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: The page’s settings blocked the loading of a resource at https://3p-geo.yahoo.com/p?s={someParams}&t={someParamsWithCommas}&_I=&_AO=0&_NOL=0&_R=&_P=3.53.30%05_rx{someVariousParams}3.53.30%04A_cn%03VERSIONED-PROD%04_bt%03rapid%04src%03oauth%04client_id%03{ClientIDToken}--%04redirect_uri%03http%3A%2F%2Flocalhost%04done%03https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w%04sessionIndex%03QQ--%04acrumb%03{acrumbToken}%04display%03login%04authMechanism%03primary%04lang%03en-US%04siteKey%03{siteKeyToken}%04recaptchaLang%03en%04recaptchaDomain%03www.google.com%04A_pr%03https%04A_tzoff%030%04A_sid%03{A_sidToken}%03l rapid-3.53.30.js:1:11195

One potential use of WegGL in such context - https://www.bleepingcomputer.com/news/security/researchers-use-gpu-fingerprinting-to-track-users-online/ (by the way a comment at the bottom of that article recommends setting webgl.min_capability_mode to true; I assume in order to be able to use webGL without all the tracking?). I have just experimented with this setting in addition to others mentioned in this post, and basically, the bundle.js' warning in the debug outputs is replaced with another warning:

Failed to create WebGL context: WebGL creation failed: 
*  () bundle.js:2:26831

HorlogeSkynet commented 1 year ago

So, I've (quickly) taken another look to each enforced preference, and my guessing reached an end (as you disabled RFP and FPI, this is strange). I fear we might require one more level of logging to narrow down this issue. Although, care about sensitive information that you may attach here (you can email me using my Git identity address if you want).

oleole39 commented 1 year ago

one more level of logging

Not sure to get what you referring to here ?

HorlogeSkynet commented 1 year ago

I was referring to, somehow, this : https://wiki.mozilla.org/MailNews:Logging#Thunderbird_Logging

In the meantime, I encountered these two maybe related issues : arkenfox/user.js#1545 & arkenfox/user.js#1628

HorlogeSkynet commented 1 year ago

Some new candidates for you if testing this is not too much time-consuming :

network.auth.subresource-http-auth-allow relaxed to 2
disabling ETP (unlikely, but who knows ?) : privacy.trackingprotection.enabled
pricacy.partition.serviceWorkers relaxed to false (low priority)

See you 👋

oleole39 commented 1 year ago

Not sure whether I got your point about logging correctly but I tried the following

cookies, including third party, accepted via privacy settings' panel
privacy.resistFingerprinting - false
privacy.firstparty.isolate.restrict_opener_access - false
privacy.firstparty.isolate - false
dom.targetBlankNoOpener.enabled - false
dom.webaudio.enabled - true
javascript.enabled - true
webgl.disabled - false
network.http.referer.XOriginPolicy - 0
mailnews.imap.loglevel - All
mailnews.smtp.loglevel - All

I don't think there is anything sensitive information in the debug log (as I have replaced and email address with placeholders), but if you don't think the same please let me know. Debug log output shows slightly more details, but nothing I could personally see interest in. I paste here the log, with a screenshot of the window for you to have a better Idea:

yahoo

Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowReady@resource://devtools/server/actors/targets/window-global.js:1408:24\nwatch@resource://devtools/server/actors/targets/window-global.js:1676:25\n_onDocShellCreated/<@resource://devtools/server/actors/targets/window-global.js:954:32\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Missing resource in locale fr: messenger/messenger.ftl
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowReady@resource://devtools/server/actors/targets/window-global.js:1408:24\nDebuggerProgressListener.prototype.onWindowCreated<@resource://devtools/server/actors/targets/window-global.js:1782:23\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_willNavigate@resource://devtools/server/actors/targets/window-global.js:1474:22\nDebuggerProgressListener.prototype.onStateChange<@resource://devtools/server/actors/targets/window-global.js:1883:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowReady@resource://devtools/server/actors/targets/window-global.js:1408:24\nDebuggerProgressListener.prototype.onWindowCreated<@resource://devtools/server/actors/targets/window-global.js:1782:23\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowDestroyed@resource://devtools/server/actors/targets/window-global.js:1441:24\nDebuggerProgressListener.prototype.observe<@resource://devtools/server/actors/targets/window-global.js:1827:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\nget originalWindow@resource://devtools/server/actors/targets/window-global.js:496:5\n_docShellToWindow@resource://devtools/server/actors/targets/window-global.js:1033:7\n_docShellsToWindows/<@resource://devtools/server/actors/targets/window-global.js:1053:29\n_docShellsToWindows@resource://devtools/server/actors/targets/window-global.js:1053:8\n_notifyDocShellsUpdate@resource://devtools/server/actors/targets/window-global.js:1063:26\nDebuggerProgressListener.prototype.onStateChange<@resource://devtools/server/actors/targets/window-global.js:1875:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_navigate@resource://devtools/server/actors/targets/window-global.js:1532:24\nDebuggerProgressListener.prototype.onStateChange<@resource://devtools/server/actors/targets/window-global.js:1918:27\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\nget originalWindow@resource://devtools/server/actors/targets/window-global.js:496:5\n_docShellToWindow@resource://devtools/server/actors/targets/window-global.js:1033:7\n_docShellsToWindows/<@resource://devtools/server/actors/targets/window-global.js:1053:29\n_docShellsToWindows@resource://devtools/server/actors/targets/window-global.js:1053:8\n_notifyDocShellsUpdate@resource://devtools/server/actors/targets/window-global.js:1063:26\nDebuggerProgressListener.prototype.onStateChange<@resource://devtools/server/actors/targets/window-global.js:1875:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow] window-global.js:422
    get window resource://devtools/server/actors/targets/window-global.js:422
    _onDocShellDestroy resource://devtools/server/actors/targets/window-global.js:993
    observe resource://devtools/server/actors/targets/window-global.js:931
    observe resource://devtools/server/actors/targets/parent-process.js:130
    changeRemoteness resource:///modules/MailE10SUtils.jsm:81
    loadURI resource:///modules/MailE10SUtils.jsm:54
    loadRequestedUrl chrome://messenger/content/browserRequest.js:141
    onload chrome://messenger/content/browserRequest.xhtml:1
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowReady@resource://devtools/server/actors/targets/window-global.js:1408:24\nDebuggerProgressListener.prototype.onWindowCreated<@resource://devtools/server/actors/targets/window-global.js:1782:23\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
    reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:82
    makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:109
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowDestroyed@resource://devtools/server/actors/targets/window-global.js:1441:24\nDebuggerProgressListener.prototype.observe<@resource://devtools/server/actors/targets/window-global.js:1827:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
    reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:82
    makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:109
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 3 OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Some cookies are misusing the recommended “SameSite“ attribute 6
Cookie “AS” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite login.yahoo.com
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
Cookie “AS” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite 2 login.yahoo.com
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
Cookie “rxx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:1149
Cookie “rx” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite rapid-3.53.30.js:1:41610
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. login.yahoo.com
WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. bundle.js:2:22709
WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. bundle.js:2:23362
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170

When pressing "Next", the pop-up window displays another page and some more content is added to the console output.

yahoo2

NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 2
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 2
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. recaptcha
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 4
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Invalid X-Frame-Options header was found when loading “https://login.yahoo.net/account/challenge/recaptcha/recaptcha-script?src=oauth&client_id={ClientIDToken}--&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w&sessionIndex=QQ--&acrumb={acrumbToken}&display=login&authMechanism=primary&lang=en-US&siteKey={siteKeyToken}&recaptchaLang=en&recaptchaDomain=www.google.com”: “ALLOW-FROM https://login.yahoo.net” is not a valid directive. recaptcha-script
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. recaptcha-script
Content Security Policy: The page’s settings blocked the loading of a resource at https://3p-udc.yahoo.com/v2/public/yql?yhlVer=2&yhlClient=rapid&yhlS={someParams}&yhlCT=2&yhlBTMS={someOtherParams}&yhlClientVer=3.53.30&yhlRnd={someDifferentParams}&yhlCompressed=0 (“connect-src”). rapid-3.53.30.js:1:13260

Eventually, if I press "Continue", nothing happens. When closing the pop-up window, the following is appended on the console output:

NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NO  T_IMPLEMENTED) [nsIRequest.name] 2 OAuth2.jsm:170
    onStateChange resource:///modules/OAuth2.jsm:170
[Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]"  nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)"  location: "JS frame :: resource://devtools/server/actors/targets/window-global.js :: get window :: line 422"  data: no] window-global.js:422:5
Content Security Policy: The page’s settings blocked the loading of a resource at https://3p-geo.yahoo.com/p?s={someParams}&t={someParamsWithCommas}&_I=&_AO=0&_NOL=0&_R=&_P=3.53.30%05_rx{someVariousParams}3.53.30%04A_cn%03VERSIONED-PROD%04_bt%03rapid%04src%03oauth%04client_id%03{ClientIDToken}--%04redirect_uri%03http%3A%2F%2Flocalhost%04done%03https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w%04sessionIndex%03QQ--%04acrumb%03{acrumbToken}%04display%03login%04authMechanism%03primary%04lang%03en-US%04siteKey%03{siteKeyToken}%04recaptchaLang%03en%04recaptchaDomain%03www.google.com%04A_pr%03https%04A_tzoff%030%04A_sid%03{A_sidToken}%03l rapid-3.53.30.js:1:11195

Regarding the other GH issues you pointed out:

do you expect me to try these overrides ?
debug log does indeed mention some worker-src, but on my current test profile there is no extension installed, not even uBO.

Some new candidates for you

Setting the 3 prefs as mentioned unfortunately leads to the same debug output.

if testing this is not too much time-consuming

Well, testing is rather quick, but I don't want to use too much of your time either. I am considering to stop using Yahoo... the hard way, but for the better I guess.

HorlogeSkynet commented 1 year ago

Thanks for your detailed follow-up !

I am wondering whether we should focus on the NS_ERROR_NOT_IMPLEMENTED errors or rather the CSP ones :smiling_face_with_tear: I guess the first kind is related to some lack of API support (storage, media, geolocation, ...), whereas I cannot figure the origin of these CSP errors.

Even if you drop Yahoo, this issue won't be resolved and one may encounter it in the future :shrug: I don't have a Yahoo account to try reproducing on my own; My help is very limited.

If you are highly motivated, you can try to narrow down the guilty preference by using dichotomy (only keep the first half of preferences enforced and repeat the process on other "halves" according to the result of the previous iteration...). Not very effective but sometimes relevant.

Bye :wave:

oleole39 commented 1 year ago

This issue won't be resolved and one may encounter it in the future

I am fine with digging further the issue, but I am likely to need guidance :)

I am wondering whether we should focus on the NS_ERROR_NOT_IMPLEMENTED errors or rather the CSP ones 🥲

I have just tried looking at the debugging output when adding an account to TB which I knew was working with standard thunderbird-user.js without any tweaking, but here with the same prefs setup than the previous debug log. It still works and here is the debug output leading to successful integration of the account to Thunderbird.

Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowReady@resource://devtools/server/actors/targets/window-global.js:1408:24\nwatch@resource://devtools/server/actors/targets/window-global.js:1676:25\n_onDocShellCreated/<@resource://devtools/server/actors/targets/window-global.js:954:32\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Missing resource in locale fr: messenger/messenger.ftl
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowReady@resource://devtools/server/actors/targets/window-global.js:1408:24\nDebuggerProgressListener.prototype.onWindowCreated<@resource://devtools/server/actors/targets/window-global.js:1782:23\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_willNavigate@resource://devtools/server/actors/targets/window-global.js:1474:22\nDebuggerProgressListener.prototype.onStateChange<@resource://devtools/server/actors/targets/window-global.js:1883:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowReady@resource://devtools/server/actors/targets/window-global.js:1408:24\nDebuggerProgressListener.prototype.onWindowCreated<@resource://devtools/server/actors/targets/window-global.js:1782:23\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowDestroyed@resource://devtools/server/actors/targets/window-global.js:1441:24\nDebuggerProgressListener.prototype.observe<@resource://devtools/server/actors/targets/window-global.js:1827:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\nget originalWindow@resource://devtools/server/actors/targets/window-global.js:496:5\n_docShellToWindow@resource://devtools/server/actors/targets/window-global.js:1033:7\n_docShellsToWindows/<@resource://devtools/server/actors/targets/window-global.js:1053:29\n_docShellsToWindows@resource://devtools/server/actors/targets/window-global.js:1053:8\n_notifyDocShellsUpdate@resource://devtools/server/actors/targets/window-global.js:1063:26\nDebuggerProgressListener.prototype.onStateChange<@resource://devtools/server/actors/targets/window-global.js:1875:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_navigate@resource://devtools/server/actors/targets/window-global.js:1532:24\nDebuggerProgressListener.prototype.onStateChange<@resource://devtools/server/actors/targets/window-global.js:1918:27\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\nget originalWindow@resource://devtools/server/actors/targets/window-global.js:496:5\n_docShellToWindow@resource://devtools/server/actors/targets/window-global.js:1033:7\n_docShellsToWindows/<@resource://devtools/server/actors/targets/window-global.js:1053:29\n_docShellsToWindows@resource://devtools/server/actors/targets/window-global.js:1053:8\n_notifyDocShellsUpdate@resource://devtools/server/actors/targets/window-global.js:1063:26\nDebuggerProgressListener.prototype.onStateChange<@resource://devtools/server/actors/targets/window-global.js:1875:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
    reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:82
    makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:109
TypeError: this.transport is null
    send resource://devtools/server/devtools-server-connection.js:99
    _sendEvent resource://devtools/shared/protocol/Actor.js:72
    initialize resource://devtools/shared/protocol/Actor.js:46
    _emit resource://devtools/shared/event-emitter.js:242
    emit resource://devtools/shared/event-emitter.js:186
    emit resource://devtools/shared/event-emitter.js:330
    _notifyDocShellDestroy resource://devtools/server/actors/targets/window-global.js:1088
    _onDocShellDestroy resource://devtools/server/actors/targets/window-global.js:968
    observe resource://devtools/server/actors/targets/window-global.js:931
    observe resource://devtools/server/actors/targets/parent-process.js:130
    changeRemoteness resource:///modules/MailE10SUtils.jsm:81
    loadURI resource:///modules/MailE10SUtils.jsm:54
    loadRequestedUrl chrome://messenger/content/browserRequest.js:141
    onload chrome://messenger/content/browserRequest.xhtml:1
event-emitter.js:257:19
NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow] window-global.js:422
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowReady@resource://devtools/server/actors/targets/window-global.js:1408:24\nDebuggerProgressListener.prototype.onWindowCreated<@resource://devtools/server/actors/targets/window-global.js:1782:23\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
Exception { name: "NS_ERROR_NOT_AVAILABLE", message: "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]", result: 2147746065, filename: "resource://devtools/server/actors/targets/window-global.js", lineNumber: 422, columnNumber: 0, data: null, stack: "get window@resource://devtools/server/actors/targets/window-global.js:422:5\n_windowDestroyed@resource://devtools/server/actors/targets/window-global.js:1441:24\nDebuggerProgressListener.prototype.observe<@resource://devtools/server/actors/targets/window-global.js:1827:25\nexports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:103:22\n", location: XPCWrappedNative_NoHelper }
ThreadSafeDevToolsUtils.js:82:13
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 3 OAuth2.jsm:170
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
Not showing popup notification password with the message Save login for {domain}? browserRequest.js:12:13
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 2 OAuth2.jsm:170
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:170
TypeError: this.transport is null
    send resource://devtools/server/devtools-server-connection.js:99
    _sendEvent resource://devtools/shared/protocol/Actor.js:72
    initialize resource://devtools/shared/protocol/Actor.js:46
    _emit resource://devtools/shared/event-emitter.js:242
    emit resource://devtools/shared/event-emitter.js:186
    emit resource://devtools/shared/event-emitter.js:330
    _notifyDocShellDestroy resource://devtools/server/actors/targets/window-global.js:1088
    _onDocShellDestroy resource://devtools/server/actors/targets/window-global.js:968
    observe resource://devtools/server/actors/targets/parent-process.js:140
event-emitter.js:257:19
    _emit resource://devtools/shared/event-emitter.js:257
    emit resource://devtools/shared/event-emitter.js:186
    emit resource://devtools/shared/event-emitter.js:330
    _notifyDocShellDestroy resource://devtools/server/actors/targets/window-global.js:1088
    _onDocShellDestroy resource://devtools/server/actors/targets/window-global.js:968
    observe resource://devtools/server/actors/targets/parent-process.js:140
NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow] window-global.js:422
Loading failed for the <script> with source “chrome://global/content/netError.js”. neterror:128:4
[Exception... "Component returned failure code: 0x80520012 (NS_ERROR_FILE_NOT_FOUND) [nsIMsgAccountManager.loadVirtualFolders]"  nsresult: "0x80520012 (NS_ERROR_FILE_NOT_FOUND)"  location: "JS frame :: chrome://messenger/content/msgMail3PaneWindow.js :: loadPostAccountWizard :: line 928"  data: no] msgMail3PaneWindow.js:928:20
PROPFIND{domain_URL}/.well-known/carddav
[HTTP/1.1 405 Not Allowed 227ms]

HTTPS-Only Mode: Not upgrading insecure request “http://ocsp.globalsign.com/{certificateID}” because it is exempt.
PROPFIND{domain_URL}
[HTTP/1.1 405 Not Allowed 32ms]

mail.setup: 
Exception { name: "NS_ERROR_FAILURE", message: "Address book discovery failed", result: 2147500037, filename: "resource:///modules/CardDAVUtils.jsm", lineNumber: 423, columnNumber: 0, data: null, stack: "detectAddressBooks@resource:///modules/CardDAVUtils.jsm:423:13\n", location: XPCWrappedNative_NoHelper }
accountSetup.js:2466
PROPFIND{domain_URL}/.well-known/caldav
[HTTP/1.1 405 Not Allowed 114ms]

PROPFIND{domain_URL}
[HTTP/1.1 405 Not Allowed 122ms]

PROPFIND{domain_URL}
[HTTP/1.1 405 Not Allowed 116ms]

PUT{domain_URL}
[HTTP/1.1 405 Not Allowed 114ms]

mail.setup: NoneFoundError: 
    DetectionError resource:///modules/calendar/utils/calProviderDetectionUtils.jsm:20
    <anonymous> resource:///modules/calendar/utils/calProviderDetectionUtils.jsm:31
    detect resource:///modules/calendar/utils/calProviderDetectionUtils.jsm:164
accountSetup.js:2589
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. 7 MimeMessage.jsm:621:24
<Provider> does not support changing `store` on the fly. It is most likely that you see this error because you updated to Redux 2.x and React Redux 2.x which no longer hot reload reducers automatically. See https://github.com/reactjs/react-redux/releases/tag/v2.0.0 for the migration instructions. react-redux.js:881:13

There are plenty of NS_ERROR_NOT_IMPLEMENTED as well, looking the same than in previous debug log. As the result is successful, that makes those errors less likely to be the ones blocking the Yahoo Oauth. However no CSP error there so they may well be an issue.

Referring to Yahoo's debug log from previous post, do you know whether we can exclude from the investigation the warnings about:

cookies, complaining at the beginning they have no "proper same site attribute" ?
WebGL issues ? maybe related to canvas extraction in the first log, with the remaining mention in all Yahoo logs of transform-origin: 0 0?

you can try to narrow down the guilty preference by using dichotomy (only keep the first half of preferences enforced and repeat the process on other "halves" according to the result of the previous iteration...). Not very effective but sometimes relevant.

Do you refer to all thunderbird-user.js' modified prefs as base set of prefs to analyze ?

oleole39 commented 1 year ago

the script rapid mentioned in the log seems to accomplish the following noble task, as per that source:

Rapid works by buffering the instrumentation it collects about the user behavior on the page and periodically sending that back to the Yahoo Ad Tech cloud.

Not sure how this will be useful here, but they give examples of used parameters (in a different context) there That compares more or less with some URL in Oauth debug process which uses the following parameters that I attempted to parse (between brackets are my anonymization placeholders)

 https://3p-geo.yahoo.com/p?
 s={someParam}&
 t={someParamWithCommas}&
_I=&
_AO=0&
_NOL=0&
_R=&
_P=3.53.30%05
_rx%03{sommeOtherParams}%033.53.30%04
A_cn%03VERSIONED-PROD%04
_bt%03rapid%04
src%03oauth%04
client_id%03{ClientIDToken}--%04
redirect_uri%03http%3A%2F%2Flocalhost%04
done%03https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{ClientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w%04
sessionIndex%03QQ--%04
acrumb%03{acrumbToken}%04
display%03login%04
authMechanism%03primary%04
lang%03en-US%04
siteKey%03{siteKeyToken}%04
recaptchaLang%03en%04
recaptchaDomain%03www.google.com%04
A_pr%03https%04
A_tzoff%030%04
A_sid%03{A_sidToken}%03log

Base URL https://3p-geo.yahoo.com appears in EasyPrivacy's blocking list named "Third Party".

HorlogeSkynet commented 1 year ago

Referring to Yahoo's debug log from previous post, do you know whether we can exclude from the investigation the warnings about:
* cookies, complaining at the beginning they have no "proper same site attribute" ?

* WebGL issues ? maybe related to canvas extraction in the first log, with the remaining mention in all Yahoo logs of `transform-origin: 0 0`?

About cookies and "same site" issues, they actually look like "deprecation warnings" due to future behavior changes. I guess we can ignore them (for now :stuck_out_tongue_winking_eye:). On the second hand, WebGL and canvas extraction definitely look like remains of RFP-like defense (which I don't understand as you actually disabled it).

Thanks to your trial of a successful account addition, we can assume that's on CSP then (or something else "close" raises an error that is caught like it was).

Do you refer to all thunderbird-user.js' modified prefs as base set of prefs to analyze ?

Yes I do... :roll_eyes:

What a noble task indeed... If background requests are made not on the user behalf, it's very likely that a protection is triggered. I am still wondering whether they are required for the OAuth process to complete.

If all of these JavaScript code happens to gather many data using all available methods, you could easily switch some media.* preferences back to true to check whether it "helps" (:sweat_smile:).

:wave:

oleole39 commented 1 year ago

Yes I do... 🙄

Took some time but eventually paid off, and you were right in focusing on CSP errors. Thank you for your support & guidance.

Here is the magical recipe to perform Yahoo Oauth. One can ignore all what was said hereinabove and just apply the following (tested on a fresh TB profile with thunderbird-user.js v102.1 alone, as well as together with 12bytes.org's user.js-overrides v102r2):

user_pref("network.cookie.cookieBehavior", 1);      // required for Yahoo Oauth = 1 (accept same-origin cookies) / default TB-user.js = 2 (block all cookies)
user_pref("network.http.referer.XOriginPolicy", 0); // required for Yahoo Oauth = 0 (always send cross-origin referrer) / default TB-user.js = 2 (send cross-origin referrer only if hosts match) 
user_pref("network.http.sendRefererHeader", 2);     // required for Yahoo Oauth = 2 (send referer header when clicking on a link or loading an image, and set document.referrer for the following page. ) / default TB-user.js = 0 (never send the Referer header or set document.referrer)         
user_pref("javascript.enabled", true);              // required for Yahoo Oauth = true / default TB-user.js = false
user_pref("permissions.default.image", 3);          // only required for Yahoo Oauth if image captcha (and not audio) is chosen = 3 (prevent third-party images from loading)/ default TB-user.js = 2 (block all images from loading)
user_pref("dom.webaudio.enabled", true);            // only required for Yahoo Oauth if audio captcha (and not picture) is chosen = true ()/ default TB-user.js = false

Notes:

Only one of the two last prefs is mandatory (depending on whether you prefer visual or audio captcha)
Once the OAuth was performed, all preferences can be reset to TB-user.js default's and emails will still continue to synchronize, at least until potential OAuth token's expiration.

Successfully tested TB account config:

Incoming:
- Protocol: IMAP
- Hostname: imap.mail.yahoo.com
- Port: 993
- Connection security: SSL/TLS
- Authentification method: Oauth2
- Username: {full email address}
Outgoing:
- Protocol: SMTP
- Hostname: smtp.mail.yahoo.com
- Port: 465
- Connection security: SSL/TLS
- Authentification method: Oauth2
- Username: {full email address}

oleole39 commented 1 year ago

@HorlogeSkynet I recommend replacing this wiki page by the following (apparently I cannot PR a forked version myself)

 ## About OAuth2 authentification method

If you've got [2FA authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) then there is a possibility of your provider supporting [OAuth2 authentication](https://en.wikipedia.org/wiki/OAuth#OAuth_2.0).

By 2023, some providers seem to ONLY supports OAuth2 authentification.

To make things easier (i.e. avoid manual account configuration), you might want to set the preference `mailnews.auto_config_url` to a value that contains the XML file for your provider. If you're concerned about contacting the Mozilla server, you could set this to some server that you control as long as the XML file for your provider is present.

## Gmail
Gmail [now requires JavaScript](https://security.googleblog.com/2018/10/announcing-some-security-treats-to.html) for authentication. When you add a Gmail account to Thunderbird this option is presented when Thunderbird requests the [auto configuration file](https://autoconfig.thunderbird.net/v1.1/gmail.com).

OAuth2 authentication should be used and is preferred to using [less secure](https://support.google.com/accounts/answer/6010255) methods of authentication such as [application specific passwords](https://support.google.com/accounts/answer/185833).

- `javascript.enabled` must be set to `true`

Once authenticated you can revert this preference to default.

## Microsoft Office 365

To have OAuth2 working with an Office365 mail account, you will need to modify the following preferences:
- `network.cookie.cookieBehavior` to `1` (TB-user.js' default = `2`)
- `javascript.enabled`  to `true` (TB-user.js' default = `false`)

Once authenticated you can revert these preferences to default. 

## Yahoo

To have OAuth2 working with an Yahoo mail account, you will need to modify the following preferences:
- `network.cookie.cookieBehavior` to `1`  (TB-user.js' default = `2`)
- `network.http.referer.XOriginPolicy` to `0`  (TB-user.js' default = `2`)
- `network.http.sendRefererHeader` to `2`  (TB-user.js' default = `0`)
- `javascript.enabled`  to `true` (TB-user.js' default = `false`)
- if you prefer to use the visual captcha, `permissions.default.image` to `3` (TB-user.js' default = `2`)
- if you prefer to use the audio captcha, `dom.webaudio.enabled` to `true` (TB-user.js' default = `false`)

Once authenticated you can revert these preferences to default.

HorlogeSkynet commented 1 year ago

Thank you very much for your messages and congratulations for your achievements ! :tada:

The OAuth2 wiki page has been updated with your additions :pray:

Bye, see you around :wave:

HorlogeSkynet / thunderbird-user.js

[BUG] Can't add Yahoo account to Thunderbird (OAuth2 + ReCaptcha) #32