mozfreddyb / webext-firstpartyisolation

Enable First Party Isolation Pref
Mozilla Public License 2.0

FPI breaks "Sign in with Amazon" on washingtonpost.com (and others) #8

Open pgarnett opened 6 years ago

pgarnett commented 6 years ago

Subscribers to washingtonpost.com through Amazon (for a hefty discount) must sign in using their Amazon credentials. This addon webext_firstpartyisolation breaks the sign-in process, leaving the subscriber stuck in limbo. Since this addon doesn't appear to have a way to disable it for a single site, I'm forced to disable or uninstall it.

It's otherwise a terrific addon and I'd love to continue using it, but can't in its current form.

mozfreddyb commented 6 years ago

Sorry, but Firefox provides me with a global on/off switch. The granularity of the given API does not allow anyone to write code that would fix your problem.

Unfortunately, the only thing you can do is follow this work-around:

coofercat commented 6 years ago

Without wanting to start a "me too" and "+1" storm, but the issue with Atlassian (in #7) means I can't use FPI in my work life because pretty much all of my clients use Jira and/or Confluence.

I can appreciate the FPI plugin can only do what Firefox allows it to do, and it doesn't allow any site-specific exceptions. I'd be happy to hear how I can help in "adding to the weight" of any request to have Firefox change to support FPI exceptions. To my mind, FPI should be the default behaviour, and to allow exceptions where they are required, so I'd be happy to work towards that goal if it's something worth pursuing.

varjolintu commented 5 years ago

@mozfreddyb Are you certain that this is not possible to do for a single site using browser.tabs.onActivated? I made an experimental extension which uses this for whitelisting.

mozfreddyb commented 5 years ago

As I stated in my previous comment, it might cause a logout on all other tabs: If you disable and re-enable without interacting with a static website, it can't really notice it. But many front-end heavy websites like Google Docs or Github will disable all links and forms and tell you to re-login because your session has expired (because storage became inaccessible), making all interactions fragile and causing data loss for comments and other unsubmitted data.

I understand this is a trade-off and I'm curious to hear more about your experience @varjolintu, but I'm not willing to take the stability risk for this addon for now.

I really think the problem is easier solved with Multi-Account Containers, which allows you to tag cookies not by first-party but by some other label that is both explicitly visible and easily controlled. Multi-Account Containers is made by Mozilla. If you want to discard storage more radically, you might even want to consider Temporary Containers, but I haven't really vetted it.
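An added example, not part of the thread or of either extension's code: a simplified JavaScript model of storage keyed by first party, showing why flipping the global switch from a `browser.tabs.onActivated` handler makes a background tab's session unreadable. The `CookieJar` class, the `onTabActivated` helper, the allow-list and the `docs.example` site are constructed for illustration.

```javascript
// Simplified model (constructed for illustration) of a cookie jar keyed by
// first party. Real Firefox keys storage by more attributes than this.
class CookieJar {
  constructor() {
    this.fpiEnabled = false;   // stands in for the global privacy.firstparty.isolate pref
    this.store = new Map();    // "firstPartyDomain|host|name" -> value
  }
  // With FPI on, the key includes the top-level site; with FPI off that part is empty.
  key(topLevelSite, host, name) {
    const firstPartyDomain = this.fpiEnabled ? topLevelSite : "";
    return `${firstPartyDomain}|${host}|${name}`;
  }
  set(topLevelSite, host, name, value) {
    this.store.set(this.key(topLevelSite, host, name), value);
  }
  get(topLevelSite, host, name) {
    return this.store.get(this.key(topLevelSite, host, name));
  }
}

// Hypothetical per-site exception: the single global switch is turned off
// whenever the active tab is on an allow-listed site.
function onTabActivated(jar, activeSite, allowList) {
  jar.fpiEnabled = !allowList.includes(activeSite);
}

function simulate() {
  const jar = new CookieJar();
  const allowList = ["washingtonpost.com"];
  const seen = {};

  // Tab A: the user logs in to docs.example while FPI is on.
  onTabActivated(jar, "docs.example", allowList);
  jar.set("docs.example", "docs.example", "session", "abc123");
  seen.beforeSwitch = jar.get("docs.example", "docs.example", "session");

  // The user activates tab B on the allow-listed site: FPI is now off for every tab.
  onTabActivated(jar, "washingtonpost.com", allowList);
  // Tab A's script keeps running in the background and checks its session.
  seen.whileExempt = jar.get("docs.example", "docs.example", "session");

  // Back on tab A, FPI is on again and the original key matches once more.
  onTabActivated(jar, "docs.example", allowList);
  seen.afterReturn = jar.get("docs.example", "docs.example", "session");
  return seen;
}
```

The stored session is still there after switching back, but a page that polled while the exception was active has already seen an empty session and may have locked its UI.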

varjolintu commented 5 years ago

@mozfreddyb Thank you for the reply. I already use both of the container extensions and for now it's good enough. It would be nice if FPI could support exceptions in the future, just like proposed in the earlier messages.

I'm going to do some more testing with my experimental extension and see if any of the trade-offs you mentioned exist. Anyone else interested can find it here.