Not able do access workplace

[niklas-holmstrand]

• Facebook Container Version: 2.1.1
• Operating System + Version: Win 10 enterprise , 1809
• Firefox Version: 79.0
• Other installed Add-ons + Version + Enabled/Disabled-Status: No

Actual behavior

Logging in to workplace. When done broken line page as in attached screenshot is displayed

Expected behavior

Being able to access workplace

Steps to reproduce

1. open new tab
2. clock workplace shortcut
3. try logging in

Notes

[maxxcrawford]

Can you confirm if the *.workplace.com domain is opening inside the Facebook Container?

The URL bar should look like this:

[niklas-holmstrand]

Yes, sorry, my screenshot was a bit skimpy. Here is a new one. /Niklas

[niklas-holmstrand]

Screens when logging in. After these the broken one is displayed.

[maxxcrawford]

Ahh! Okay. It redirects you to Microsoft. You'll need to add https://login.microsoftonline.com to the Facebook Container. Follow the directions from the docs. Once both sites open inside the Facebook Container, it will work!

[niklas-holmstrand]

Aha, perfect, works fine now. Thank you very much!

[maxxcrawford]

@niklas-holmstrand Awesome! Happy to hear it. 😀

[niklas-holmstrand]

I am afraid there was a new problem; After adding login.microsoftonline.com to the container, today it was not possible to log in to other services not related to workplace. Then the login page kept reloading ca once per second for a while (perhaps 10 times) before giving up. Worked after removing login.microsoftonline.com from the container.

---

From: Maxx Crawford notifications@github.com Sent: Saturday, August 29, 2020 01:33 To: mozilla/contain-facebook contain-facebook@noreply.github.com Cc: niklas-holmstrand niklas.holmstrand@gmail.com; Mention mention@noreply.github.com Subject: Re: [mozilla/contain-facebook] Not able do access workplace (#676)

@niklas-holmstrandhttps://github.com/niklas-holmstrand Awesome! Happy to hear it. 😀

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/mozilla/contain-facebook/issues/676#issuecomment-683189970, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AF5RJ6SNU35XPGIIWMIGSTLSDA5E7ANCNFSM4QKYAPPA.

You are hereby formally notified that all information contained in this communication and any attachments shall be deemed strictly confidential, intended for the sole use of the intended recipient(s). If you are not the intended recipient, please notify the sender immediately by replying to this message and destroy all copies of this message and any attachments. For information on Mycronic’s processing of your personal data, please see our Privacy Policyhttp://www.mycronic.com/en/about-mycronic/privacy-policy/.

[maxxcrawford]

@niklas-holmstrand Understood. Reopening this issue for now.

[mvbentes]

@maxxcrawford I am having similar trouble. Should I create another ticket, since this is flagged "As Expected"? I believe "allowed" domains should not be forced to always load in a facebook container, but only when initiated in facebook container. Being able to further restrict this to allow only a subdomain would be preferable.

Workplace login goes through my organization internal authentication SSO. I proceeded to allow our domain into facebook container. On the other hand, every other service which needs our SSO can not login, being redirected in and out of the container.

I had been dealing with it by "allowing" this other services into facebook container, which is not what I wanted, but worked as a temporary patch. The issue is that some redirects go indirectly through other domains and it is not obvious what needs to be allowed into facebook container for it to work. Even worse is that facebook gets access to more than I would want it to have. Right now I can not log into SAP Success factors, because of some redirects it is doing, preventing me to see what I would need to pull into the container.

It seems that what is necessary is for the option to "allow" a domain into the container to do only just that. I.e.: domains "allowed" into the container are being forced into the container, which is different. The container should be allowed to load "allowed" domains, but when a different container tries to load the one of those domains, it should not be moved into facebook container.

[Anne-Gaelle-S]

Same problem here, I can't access to my organisation's workplace when Facebook Container is ON. (Deactivate Facebook Container allows me to connect to workplace) Should I create a new ticket too ?

[pvlmkvn]

Same here. My company uses our own SSO. Without FB Container, the URL immediately takes me to our SSO page. With FB Container, I need to enter my work e-mail address, I am taken to our company SSO page and after successful auth I am taken to the exact same page as the post above.

Adding our corp domain to FB Container, as suggested by @maxxcrawford, resolves the issue, but I don't want my company page in FB Container.

Ahh! Okay. It redirects you to Microsoft. You'll need to add https://login.microsoftonline.com to the Facebook Container. Follow the directions from the docs. Once both sites open inside the Facebook Container, it will work!

[maxxcrawford]

@pvlmkvn is correct – To make any *.workplace.com domain work, the SSO domain auth has to happen inside to the container. (Separate containers do not share cookies) Unfortunately, the only working option is to add all necessary non-Facebook domains into the Facebook Container.

For some use cases, I would recommend looking into Multi-account Containers, but in this case – it would behave the same (exposing both domains to the same cookie store).

@niklas-holmstrand called out the larger issue. Any OTHER services that are dependent on the SSO domains now have to work within the Facebook Container. It's a slippery slope. This bug should remain open, but I don't have an immediate fix to resolve this. We've made some progress in state partitioning. This tech includes a heuristic for SSO logins to work across separate domains.

We'll keep this issue on our radar.

[pvlmkvn]

@maxxcrawford the workaround by adding sites to fbc does not work always ideally - our company has a ServiceNow instance, which we access by domain https://company.service-now.com. Due to having the SSO login domain page added to fbc, but the service-now.com domain not, after authentication on SSO page it starts bouncing between 2 or 3 domains and I am not able to catch the service-now.com to add it to fbc. But I am smart, right? 😎 I go to the parent domain https://service-now.com! Hah, that redirects to https://servicenow.com (without the hyphen!). I am not as smart as I thought 😒 Can I add a page manually to fbc?

[maxxcrawford]

Can I add a page manually to fbc?

@pvlmkvn Not currently. You may be able to through the console in about:debugging. We have a settings page in development (https://github.com/mozilla/contain-facebook/pull/721) right now that may get this feature. I would recommend for this work around to check out Multi-account Containers add-on. It is more manual rules (for which websites stay in/out of containers) but you can manipulate those sites much easier there.

[maxxcrawford]

@pvlmkvn Here's the hacky, console way to add a site manually to the Facebook Container.

⚠️ Warning: Be careful!

1. Go to about:debugging#/runtime/this-firefox
2. Click on "Inspect" in the Facebook Container box [Figure 1]. This will open about:devtools-toolbox?id=%40contain-facebook&type=extension
3. Click on the Console tab.
4. Add the following lines of code, replacing DOMAIN with the URL you want to add. It has to be only the root domain name and the ending TLD. (No subdomains, HTTP, www, etc)
   • Example:
   • ✅ "google.com"
   • ❌ "www.google.com"
   • ❌ "accounts.google.com"

Code to enter:

Note - you may get better results doing this line-by-line instead of pasting the entire block.

var domain = "DOMAIN"
var fbcStorage = await browser.storage.local.get();
fbcStorage.domainsAddedToFacebookContainer.push(domain);
await browser.storage.local.set({"domainsAddedToFacebookContainer": fbcStorage.domainsAddedToFacebookContainer});
browser.tabs.reload();

To confirm it worked, click on the Facebook Container icon and open the panel and click the "Sites allowed in the Facebook Container". [Figure 2] The new URL should be listed there. (You can also try to visit the URL, and it will open inside the Facebook Container)[Figure 3]

Screenshots

Figure 1:

Figure 2:

Figure 3: