mozilla / multi-account-containers

Firefox Multi-Account Containers lets you keep parts of your online life separated into color-coded tabs that preserve your privacy. Cookies are separated by container, allowing you to use the web with multiple identities or accounts simultaneously.
https://addons.mozilla.org/firefox/addon/multi-account-containers/
Mozilla Public License 2.0

Fidelity: Main site authentication to Net Benefits site breaks. #2575

Open poetnerd opened 9 months ago

poetnerd commented 9 months ago

Before submitting a bug report

Steps to reproduce

This is a problem with using the Employer pension account system, Net Benefits, from fidelity.com. I think that the two subsystems are hoping to share authentication that the container is treating as disallowed cross-site scripting.

  1. Sign into fidelity.com
  2. Visit your 401k account in a new tab by Command-clicking on the Net Benefits link (as shown in the attached screenshot named "1. Cmd Click on NetBenefits link").
  3. Click on your 401k Account. (Link circled in red on the attached screenshot named "2. NB Landing site". Please excuse my blurring out dollars and names.)
  4. On the Summary page click on the "Transaction History" virtual tab. (Circled in red on the attached screenshot named "3. 401k page".)

Actual behavior

You get a page that says:

The service is experiencing technical difficulties. Please try again later.

REQ650e1337b326599b90d144a72c97aa33

Expected behavior

You land on the Transaction history page.

Additional information

If, instead of going to your account and clicking on the Transaction History tab, you use the "Quick Links" pull-down and select Transaction History, you get where you want.

After getting the error page, all authentication to Net Benefits is poisoned. Clicking on the Net Benefits link as per step 1 fails until you refresh that page. So some kind of cross-site authentication cookie seems to have been damaged or deleted.

This is pretty strange, and I don't expect developers of Firefox extensions to have such accounts. I'm willing to do more debugging. To make things easier, I've tried to attach some screen shots to show what to click on.

[Screenshot 1: Cmd Click on NetBenefits link]
[Screenshot 2: NB Landing site]
[Screenshot 3: 401k page]

Provide a copy of Troubleshooting Information page (optional)

No response

poetnerd commented 9 months ago

Additional information: When I follow the steps above in a Private Browsing window, i.e. with containerization disabled, everything just works. So this does very much seem to be a problem with the extension.

poetnerd commented 9 months ago

Additional information. I turned on the Web Developer Tools and compared the action in a Private window versus a container tab. The first outgoing request here for "histories" shows in the Private window an outgoing header containing a cookie that is NOT present in the GET of histories in the Containerized session. I presume it's a session cookie that enables netbenefits to confirm the session is active and logged in. Alas I lack experience with the debugger so I can't figure out how to see source code for histories, or what gets run when I click on the "Transaction History" tab, so I can't tell what kind of cookie it's expecting.
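
A small script, added here and not part of the issue or of the extension, that automates the comparison described in the comment above: it diffs the Cookie header of the "histories" request between a Private-window HAR export and a container-tab HAR export, then looks up the Domain attribute of any cookie that is missing, which is the thing the maintainer's later question about "Limit to designated sites" turns on. The HAR data, host names and cookie names below are constructed placeholders, not a real capture.

```python
import json

# Constructed HAR-shaped samples (not real captures; hosts and cookie names are
# placeholders): a login response that sets cookies, then the "histories" request.
PRIVATE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://login.example.invalid/auth", "headers": []},
     "response": {"headers": [
         {"name": "Set-Cookie", "value": "SESSION_A=111; Path=/; Secure"},
         {"name": "Set-Cookie",
          "value": "nb_auth=zzz; Domain=.nb.example.invalid; Path=/; Secure; HttpOnly"}]}},
    {"request": {"url": "https://nb.example.invalid/app/histories", "headers": [
        {"name": "Cookie", "value": "SESSION_A=111; XSRF=abc; nb_auth=zzz"}]},
     "response": {"headers": []}}]}})
CONTAINER_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://nb.example.invalid/app/histories", "headers": [
        {"name": "Cookie", "value": "SESSION_A=222; XSRF=def"}]},
     "response": {"headers": []}}]}})

def header_values(headers, name):
    """All values of the header called name (header names are case-insensitive)."""
    return [h["value"] for h in headers if h["name"].lower() == name.lower()]

def cookie_names(har_text, url_substring):
    """Cookie names sent on the first request whose URL contains url_substring."""
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        if url_substring in req["url"]:
            pairs = [p.strip() for v in header_values(req["headers"], "Cookie")
                     for p in v.split(";")]
            return {p.split("=", 1)[0] for p in pairs if p}
    return set()

def missing_cookies(reference_har, container_har, url_substring="histories"):
    """Names sent in the reference (Private window) request but not in the container one."""
    return cookie_names(reference_har, url_substring) - cookie_names(container_har, url_substring)

def set_cookie_domain(har_text, cookie_name):
    """Domain attribute of the Set-Cookie that created cookie_name, or None if it was
    host-only or never seen; a Domain outside the container's designated sites matters."""
    for entry in json.loads(har_text)["log"]["entries"]:
        for value in header_values(entry["response"]["headers"], "Set-Cookie"):
            attrs = [a.strip() for a in value.split(";")]
            if attrs[0].split("=", 1)[0] == cookie_name:
                domains = [a[7:] for a in attrs[1:] if a.lower().startswith("domain=")]
                return domains[0] if domains else None
    return None

if __name__ == "__main__":
    for name in sorted(missing_cookies(PRIVATE_HAR, CONTAINER_HAR)):
        print(name, "set with Domain =", set_cookie_domain(PRIVATE_HAR, name))
```

To use it on a real session, export both Network panels as HAR and pass their contents in place of the two constructed strings.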

dannycolin commented 6 months ago

I already replied on your other bug report. Both issues might have a similar cause. Is "Limit to designated sites" enabled for that container? (See: https://support.mozilla.org/en-US/kb/containers#w_limit-to-designated-sites)

I'm asking this because if the missing cookie comes from a different domain name, this would explain why it's never saved inside your container.