Open qupig opened 7 months ago
It looks like the second workaround broke due to some project isolation work we did.
For instance when opening this project: https://stackblitz.com/edit/node-serve
To be able to run this project correctly in Firefox with the second method, I need to add exceptions for 2 origins:
https://webcontainer.io/
https://nodeserve-cmvq.w-corp-staticblitz.com/
Where https://nodeserve-cmvq.w-corp-staticblitz.com/ is the domain used for a specific instance of this project in a specific browser tab. Which creates a couple issues:
w-corp-staticblitz.com that needs to be allowed. I found the domain name in Console errors.
I also tried adding https://w-corp-staticblitz.com/ as an allowed site, but that doesn't work (in Firefox Beta, at least) because w-corp-staticblitz.com is registered as a public suffix, so all subdomains of that domain are considered different sites, and as such an exception for https://w-corp-staticblitz.com would not be inherited by subdomains.
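The public-suffix behaviour described in the comment above, as an added example that is not part of the thread and is not StackBlitz or Firefox code: a simplified registrable-domain (eTLD+1) computation over a constructed three-entry suffix set, showing why an exception for the suffix itself does not cover per-project subdomains. The function names and the hostname `other-abcd.w-corp-staticblitz.com` are made up for the illustration.

```javascript
// Constructed, minimal stand-in for the Public Suffix List. The thread states that
// w-corp-staticblitz.com is registered as a public suffix; "com" and "io" are TLDs.
const PUBLIC_SUFFIXES = new Set(["com", "io", "w-corp-staticblitz.com"]);

// Longest listed suffix the hostname ends with. Simplified: the real list also has
// wildcard and exception rules, which this sketch ignores.
function publicSuffix(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join("."); // i = 0 is the longest candidate
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1]; // unknown TLD: treat the last label as the suffix
}

// Registrable domain (eTLD+1): the public suffix plus exactly one more label.
// Returns null when the hostname is itself a public suffix.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase();
  const suffix = publicSuffix(host);
  if (host === suffix) return null;
  const rest = host.slice(0, host.length - suffix.length - 1).split(".");
  return rest[rest.length - 1] + "." + suffix;
}

// Two URLs are same-site when the scheme and the registrable domain both match.
function sameSite(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  const da = registrableDomain(ua.hostname);
  const db = registrableDomain(ub.hostname);
  return ua.protocol === ub.protocol && da !== null && da === db;
}

const project = "https://nodeserve-cmvq.w-corp-staticblitz.com/";
// The suffix itself has no registrable domain, so it is same-site with nothing.
console.log(sameSite("https://w-corp-staticblitz.com/", project));
// Each project instance is its own site (second hostname is constructed).
console.log(sameSite("https://other-abcd.w-corp-staticblitz.com/", project));
// Ordinary subdomains under a plain TLD still share a site.
console.log(sameSite("https://stackblitz.com/", "https://developer.stackblitz.com/"));
```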
Then, first you should update this document so more users don't end up in the same predicament as me.
Secondly, I know the importance of cross-domain security for the site. But if this becomes a barrier that prevents users from using it, or even forces users to lower client security before they can use it, then this is an issue that needs to be thought about and weighed.
Thank you for your investigation and quick response!
We definitely need to update the docs to reflect those changes and the current possibilities. I’ll need input from more knowledgeable team members like @d3lm to know what we can do exactly.
I found that turning off Enhanced Tracking Protection on the site made it work.
It actually adds the site to the Enhanced Tracking Protection exceptions.
I think this is a relatively easy approach for users. But I'm still not sure if all users are willing to do that.
Relearning everything, I now think that using "Strict Mode" is the best option right now.
It provides more advanced protection measures than All cross-site cookies/All third party cookies and avoids the disadvantages of rough blocking that leads to website damage.
It’s important to note that it's slightly more permissive than “Custom” mode with very strict options
I think you should change the wording, which is not "more permissive", but a completely different isolation mechanism.
It is also inaccurate to directly compare "Strict" with "Custom", because in fact "Cross-site tracking cookies, and isolate other cross-site cookies" in "Custom" provide the same protection mechanism as "Strict".
network.cookie.cookieBehavior = 5
References:
Firefox "Strict" VS "Custom" Enhanced Tracking Protection https://support.mozilla.org/en-US/questions/1417412#answer-1588689
Enhanced Tracking Protection in Firefox for desktop https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
Total Cookie Protection https://blog.mozilla.org/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/
https://developer.stackblitz.com/platform/webcontainers/browser-config#firefox
According to the above documentation, following method 1 will work in Firefox.
But it still doesn't work after setting it up according to method 2, it's stuck at "Booting WebContainer".
Is documentation method 2 no longer valid or needs updating?
I really don't want to use method 1 to relax restrictions on all sites.
I've done several iterations of this with a brand new Firefox user profile, so I don't think there should be any other distractions there.
I noticed that set cookies to "Cross-site tracking cookies, and isolate other cross-site cookies" in "Custom" mode there is a critical point, above which the option does not work, at or below which it works immediately.
network.cookie.cookieBehavior
This restriction greatly reduces the user-friendliness of stackblitz.com, and many colleagues are reluctant to use the site due to this problem.
Thank you for making this very useful tool, which is what I hoped it would be easier for more people to use with the feedback in the first place.