duckduckgo / duckduckgo-privacy-extension

DuckDuckGo Privacy Essentials browser extension for Firefox, Chrome.
https://duckduckgo.com/app
Apache License 2.0

Braintree (payment processor blocked) #1005

Open AndrewPenry opened 2 years ago

AndrewPenry commented 2 years ago

Requests for https://js.braintreegateway.com/web/3.67.0/js/data-collector.min.js are being blocked. This prevents Braintree Payments from loading, at least in Magento 2 sites, making payment via CC impossible for customers.

Steps to Reproduce

  1. Visit a site that uses Braintree on Magento: https://magnanni.com (note that only the US version of the site uses Braintree).
  2. Add an item to the cart and go to checkout. Fill in an address to get to the payment step.
  3. The payment page requests https://js.braintreegateway.com/web/3.67.0/js/data-collector.min.js which loads the payment form.

Expected behavior: https://js.braintreegateway.com/web/3.67.0/js/data-collector.min.js is not blocked.

Actual behavior: https://js.braintreegateway.com/web/3.67.0/js/data-collector.min.js is blocked.


shakyShane commented 2 years ago

I did some initial investigation into this to save some time, here are my findings:

That script is listed in our tracker radar data, with the following entry:

{
  "domain": "braintreegateway.com",
  "owner": {
    "name": "PayPal, Inc.",
    "displayName": "PayPal",
    "privacyPolicy": "https://www.paypal.com/us/webapps/mpp/ua/privacy-full",
    "url": "http://paypal.com"
  },
  "prevalence": 0.00067,
  "fingerprinting": 2,
  "cookies": 0,
  "categories": [],
  "default": "ignore",
  "rules": [
    {
      "rule": "braintreegateway\\.com\\/web\\/3\\.67\\.0\\/js\\/data-collector\\.min\\.js",
      "fingerprinting": 3,
      "cookies": 0
    }
  ]
}

The site in question, https://magnanni.com/ is running on Magento 2, which uses RequireJS as a module system.

It references the blocked script in 2 places.

In both instances, it uses the alias braintreeDataCollector within the define array, such as:

define([
    'jquery',
    'braintree',
    'braintreeDataCollector',
    'braintreeHostedFields',
    'Magento_Checkout/js/model/full-screen-loader',
    'Magento_Ui/js/model/messageList',
    'mage/translate'
], function ($, braintree, dataCollector) { /* snip */ });

That alias, braintreeDataCollector, has a mapping to the blocked file defined in requirejs-config:

var config = {

    // snip

    paths: {
        "braintreePayPalCheckout": "https://js.braintreegateway.com/web/3.67.0/js/paypal-checkout.min",
        "braintreeHostedFields": "https://js.braintreegateway.com/web/3.67.0/js/hosted-fields.min",
        "braintreeDataCollector": "https://js.braintreegateway.com/web/3.67.0/js/data-collector.min",
        // snip
    }
};

So, RequireJS is failing to load https://js.braintreegateway.com/web/3.67.0/js/data-collector.min (because it's blocked) which has the knock-on effect of causing the two modules listed above to never execute their callbacks. That's part of the design of RequireJS - if it cannot resolve all dependencies then it does not execute your module.

duffner commented 2 years ago

I wanted to confirm this is a valid issue with our customers who use Magento and Braintree as well. @shakyShane, did you end up figuring out a solution here from the Magento side?

sammacbeth commented 2 years ago

This specific script is being blocked because we detected it using the DeviceMotionEvent.prototype.accelerationIncludingGravity during our tracker-radar crawls (you can see the data entry here).

In the latest crawl we didn't pick up this API anymore, so when we generate the next version of the blocklist (probably next week), this script should no longer be blocked. To avoid this kind of blocking happening in the future, Braintree can try to avoid using JS APIs which are associated with fingerprinting in their scripts.
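As an added illustration (not code from the extension or from anyone in this thread), the snippet below replays the tracker-radar entry shakyShane quoted against the three Braintree paths from the site's requirejs-config, showing why only data-collector.min.js was affected while hosted-fields and paypal-checkout fell through to the domain's `default: "ignore"`. The "block when a matching rule scores fingerprinting >= 3" threshold is an assumption made here for illustration, not the extension's actual blocklist-generation logic.

```javascript
// Tracker-radar entry copied from the thread (trimmed to the fields used here).
const braintreeEntry = {
  domain: 'braintreegateway.com',
  default: 'ignore',
  fingerprinting: 2,
  rules: [
    {
      rule: 'braintreegateway\\.com\\/web\\/3\\.67\\.0\\/js\\/data-collector\\.min\\.js',
      fingerprinting: 3,
      cookies: 0,
    },
  ],
};

// ASSUMPTION for this example: a per-script rule at or above this score blocks.
const FINGERPRINTING_BLOCK_THRESHOLD = 3;

// The three paths from the site's requirejs-config, as posted in the thread.
const braintreePaths = {
  braintreePayPalCheckout: 'https://js.braintreegateway.com/web/3.67.0/js/paypal-checkout.min',
  braintreeHostedFields: 'https://js.braintreegateway.com/web/3.67.0/js/hosted-fields.min',
  braintreeDataCollector: 'https://js.braintreegateway.com/web/3.67.0/js/data-collector.min',
};

// RequireJS appends ".js" to a bare module path before fetching it, which is
// why a rule regex ending in "\.js" still matches the ".min" path above.
function requireJsUrl(path) {
  return path.endsWith('.js') ? path : path + '.js';
}

// First rule whose regex matches host + path of the request, or null.
function matchingRule(entry, url) {
  const u = new URL(url);
  const target = u.hostname + u.pathname;
  return entry.rules.find((r) => new RegExp(r.rule).test(target)) || null;
}

// "block" or "ignore" for one request URL against one tracker-radar entry.
function decide(entry, url) {
  const host = new URL(url).hostname;
  if (host !== entry.domain && !host.endsWith('.' + entry.domain)) return 'ignore';
  const rule = matchingRule(entry, url);
  if (rule && rule.fingerprinting >= FINGERPRINTING_BLOCK_THRESHOLD) return 'block';
  return entry.default; // no per-script rule matched: fall back to the domain default
}

// Map each RequireJS alias to the decision its resolved URL would receive.
function decideAll(entry, paths) {
  return Object.fromEntries(
    Object.entries(paths).map(([alias, p]) => [alias, decide(entry, requireJsUrl(p))]),
  );
}
```

Running `decideAll(braintreeEntry, braintreePaths)` yields `block` only for `braintreeDataCollector`, which is the single unresolved dependency that stops the Magento `define` callbacks from ever executing.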

duffner commented 2 years ago

Hi @sammacbeth, thanks for the update! Braintree has to monitor fingerprints to ensure fraud does not occur, so I believe this to be kind of a false positive. However, I do agree there are other ways to work with data.