stackblitz / webcontainer-core

Dev environments. In your web app.
https://webcontainers.io
MIT License

Add exceptions to cookie blocking NOT working in Firefox #1417

Open qupig opened 6 months ago

qupig commented 6 months ago

https://developer.stackblitz.com/platform/webcontainers/browser-config#firefox

> You can work around this issue in a couple ways:
>
> 1. Use the “Strict” mode instead of “Custom” mode. It’s important to note that it's slightly more permissive than “Custom” mode with very strict options. If this is not something you'd like to allow, you can...
> 2. Add exceptions to cookie blocking for the domains used to run StackBlitz projects.

According to the above documentation, following method 1 will work in Firefox.

But it still doesn't work after setting it up according to method 2; it's stuck at "Booting WebContainer".

Is method 2 in the documentation no longer valid, or does it need updating?

I really don't want to use method 1 to relax restrictions on all sites.

I've done several iterations of this with a brand new Firefox user profile, so I don't think there should be any other distractions there.

I noticed that when setting cookies to "Cross-site tracking cookies, and isolate other cross-site cookies" in "Custom" mode there is a critical point: above it the option does not work, and at or below it, it works immediately.

| Custom Cookies | network.cookie.cookieBehavior | Result |
| --- | --- | --- |
| Cross-site tracking cookies | 4 | WORK |
| Cross-site tracking cookies, and isolate other cross-site cookies | 5 | WORK |
| Cookies from unvisited websites | 3 | NOT WORK |
| All cross-site cookies (may cause websites to break) | 1 | NOT WORK |
| All cookies (will cause websites to break) | 2 | NOT WORK |

This restriction greatly reduces the user-friendliness of stackblitz.com, and many colleagues are reluctant to use the site due to this problem.

Thank you for making this very useful tool; my hope in giving this feedback in the first place is that it becomes easier for more people to use.
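The table in the post maps each `network.cookie.cookieBehavior` value to whether WebContainers boot. The following is an added example, not code from the issue or from StackBlitz: it reads the `user_pref(...)` lines of a Firefox `prefs.js` or `user.js`, picks out the cookie pref, and reports the expected outcome according to the table above. The sample profile fragment is constructed for the example; point `parse_prefs` at a real profile's file to check a colleague's settings before they lower anything.

```python
import re

# Values and outcomes copied from the table in the post above
# (network.cookie.cookieBehavior -> Custom-mode label, WebContainer boots?).
COOKIE_BEHAVIOR = {
    1: ("All cross-site cookies (may cause websites to break)", False),
    2: ("All cookies (will cause websites to break)", False),
    3: ("Cookies from unvisited websites", False),
    4: ("Cross-site tracking cookies", True),
    5: ("Cross-site tracking cookies, and isolate other cross-site cookies", True),
}

# One user_pref(...) line in prefs.js / user.js: the pref name in quotes, then a
# string, boolean or integer value, terminated by ");".
PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>[^)]*)\);')


def parse_prefs(text):
    """Return {pref name: value} for every user_pref line in the given file text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a pref
        raw = match.group("value").strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected as text
        prefs[match.group("name")] = value
    return prefs


def assess_cookie_behavior(prefs):
    """Map the profile's cookieBehavior to (value, label, works) using the table.

    works is True/False per the table, or None when the pref is absent (the
    browser default then applies) or holds a value the table does not cover.
    """
    value = prefs.get("network.cookie.cookieBehavior")
    if value is None:
        return (None, "not set in this file; the browser default applies", None)
    label, works = COOKIE_BEHAVIOR.get(value, ("value not covered by the table", None))
    return (value, label, works)


# Constructed sample of a prefs.js fragment; not taken from a real profile.
# The ".pbmode" line is a different pref (private browsing) and must not be
# confused with the main setting.
SAMPLE_PREFS = '''
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("network.cookie.cookieBehavior", 3);
user_pref("network.cookie.cookieBehavior.pbmode", 5);
user_pref("privacy.trackingprotection.enabled", true);
'''

if __name__ == "__main__":
    value, label, works = assess_cookie_behavior(parse_prefs(SAMPLE_PREFS))
    print(f"network.cookie.cookieBehavior = {value} ({label})")
    print("WebContainer expected to boot:", works)
```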

fvsch commented 6 months ago

It looks like the second workaround broke due to some project isolation work we did.

For instance when opening this project: https://stackblitz.com/edit/node-serve

To be able to run this project correctly in Firefox with the second method, I need to add exceptions for 2 origins:

https://webcontainer.io/
https://nodeserve-cmvq.w-corp-staticblitz.com/

Where https://nodeserve-cmvq.w-corp-staticblitz.com/ is the domain used for a specific instance of this project in a specific browser tab. This creates a couple of issues:

  1. I can't predict the subdomain of w-corp-staticblitz.com that needs to be allowed. I found the domain name in Console errors.
  2. The same project opened in a different tab will have a different subdomain.

I also tried adding https://w-corp-staticblitz.com/ as an allowed site, but that doesn't work (in Firefox Beta, at least) because w-corp-staticblitz.com is registered as a public suffix, so all subdomains of that domain are considered different sites, and as such an exception for https://w-corp-staticblitz.com would not be inherited by subdomains.
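The public-suffix point above is what makes a single exception for the parent domain useless: once a name is on the Public Suffix List, each subdomain is its own site. This added example (not code from the issue or from StackBlitz) implements the simplified PSL lookup with a constructed suffix snippet that lists `w-corp-staticblitz.com` as the comment states, and shows that two per-tab origins are cross-site under that rule but same-site once the entry is removed. The second subdomain, `abcd-efgh`, is constructed; wildcard and exception rules of the real list are not implemented.

```python
from urllib.parse import urlsplit

# Constructed public-suffix snippet, not the real list from publicsuffix.org.
# "w-corp-staticblitz.com" is included because the comment above says it is
# registered as a public suffix; the rest are ordinary TLDs.
PUBLIC_SUFFIXES = frozenset({"com", "io", "w-corp-staticblitz.com"})


def registrable_domain(host, suffixes=PUBLIC_SUFFIXES):
    """Return the eTLD+1 ("site") for host, or None if host is itself a public suffix.

    Simplified PSL algorithm: the longest listed suffix wins; with no match the
    last label is treated as the suffix (the list's implicit "*" rule).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            # i == 0 means the whole host is a suffix: nothing is registrable under it
            return None if i == 0 else ".".join(labels[i - 1:])
    return None if len(labels) < 2 else ".".join(labels[-2:])


def same_site(origin_a, origin_b, suffixes=PUBLIC_SUFFIXES):
    """Schemeful same-site check: same scheme and same registrable domain."""
    a, b = urlsplit(origin_a), urlsplit(origin_b)
    site_a = registrable_domain(a.hostname, suffixes)
    site_b = registrable_domain(b.hostname, suffixes)
    return a.scheme == b.scheme and site_a is not None and site_a == site_b


if __name__ == "__main__":
    # The origin from the comment plus a second, constructed, per-tab subdomain.
    tab1 = "https://nodeserve-cmvq.w-corp-staticblitz.com/"
    tab2 = "https://abcd-efgh.w-corp-staticblitz.com/"
    print("site of tab1:", registrable_domain("nodeserve-cmvq.w-corp-staticblitz.com"))
    print("site of parent:", registrable_domain("w-corp-staticblitz.com"))
    print("same site with PSL entry:", same_site(tab1, tab2))
    print("same site without PSL entry:",
          same_site(tab1, tab2, suffixes=frozenset({"com", "io"})))
```

With the entry present, `registrable_domain("w-corp-staticblitz.com")` returns `None`, which is exactly why an exception keyed on that parent does not cover any tab's origin.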

qupig commented 6 months ago

Then, first you should update this document so more users don't end up in the same predicament as me.

Secondly, I know the importance of cross-domain security for the site. But if this becomes a barrier that prevents users from using it, or even forces users to lower client security before they can use it, then this is an issue that needs to be thought about and weighed.

Thank you for your investigation and quick response!

fvsch commented 6 months ago

We definitely need to update the docs to reflect those changes and the current possibilities. I’ll need input from more knowledgeable team members like @d3lm to know what we can do exactly.

qupig commented 6 months ago

I found that turning off Enhanced Tracking Protection on the site made it work.

[Screenshot: Enhanced Tracking Protection 1]

It actually adds the site to the Enhanced Tracking Protection exceptions.

[Screenshot: Enhanced Tracking Protection 2]

I think this is a relatively easy approach for users. But I'm still not sure if all users are willing to do that.

qupig commented 6 months ago

Relearning everything, I now think that using "Strict Mode" is the best option right now.

It provides more advanced protection measures than All cross-site cookies/All third party cookies and avoids the disadvantages of rough blocking that leads to website damage.

> It’s important to note that it's slightly more permissive than “Custom” mode with very strict options

I think you should change the wording, which is not "more permissive", but a completely different isolation mechanism.

It is also inaccurate to directly compare "Strict" with "Custom", because in fact "Cross-site tracking cookies, and isolate other cross-site cookies" in "Custom" provides the same protection mechanism as "Strict".

network.cookie.cookieBehavior = 5

References:

Firefox "Strict" VS "Custom" Enhanced Tracking Protection https://support.mozilla.org/en-US/questions/1417412#answer-1588689

Enhanced Tracking Protection in Firefox for desktop https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop

Total Cookie Protection https://blog.mozilla.org/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/