Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#21555 closed defect (fixed)

Twitter like button not working on 6.5

Reported by: isabela
Owned by: arthuredelstein
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability-website, TorBrowserTeam201703R
Cc: jgay, arthuredelstein, brade, mcs, fdsfgs@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Users are reporting that they can't 'like' tweets anymore on 6.5

https://twitter.com/OlshanskyG/status/835065082581303296

https://twitter.com/PJHdesigns/status/834957066955591680

I tested it with all levels of security and it's not even working on the low level. I tried to retweet and that worked; it is just 'like' that is not working.

Change History (24)

comment:1 Changed 2 years ago by isis

Liking sends a POST request to https://api.twitter.com/1.1/favorites/create.json with a parameter specifying the tweet id, and another int for the current number of likes. On 6.5 for me, this results in a response with status code "400 Bad Request". Digging into the JSON object sent in response, it has two fields:

errors: Object {
  0: Object {
    code: 215,
    message: "Bad Authentication data.",
  }
}

As Isabela pointed out, retweeting still works, so I don't see how verification of the auth token is failing here. Perhaps they're trying to check auth cookies in some weird way?

comment:2 Changed 2 years ago by qbi

If I set network.cookie.cookieBehavior to 0 (allow all cookies), the Like button works again. Just another data point: I also can't login to Tweetdeck. If I also set the var above to 0 login works. Don't know if both are related.

comment:3 Changed 2 years ago by yawning

So a dup of #16450?

comment:4 in reply to:  2 ; Changed 2 years ago by gk

Keywords: tbb-usability-website added
Status: new → needs_information

Replying to qbi:

> If I set network.cookie.cookieBehavior to 0 (allow all cookies), the Like button works again. Just another data point: I also can't login to Tweetdeck. If I also set the var above to 0 login works. Don't know if both are related.

The Tweetdeck issue is known, as yawning pointed out with the hint to #16450. I suspect Twitter changed some things on their end that are now breaking the like button as well? Otherwise I would have expected folks complaining much earlier. 6.5 has been around for almost five weeks now. Could someone with Twitter presence double-check that this is not a 6.5 regression by trying to hit the like buttons with 6.0.8? It still can be found under https://dist.torproject.org/torbrowser/. It would be helpful as well if anyone can check whether Firefox 52 with privacy.firstparty.isolate set to true is working. There are first pre-release builds available at: https://archive.mozilla.org/pub/firefox/tinderbox-builds/.

comment:5 Changed 2 years ago by arthuredelstein

Cc: arthuredelstein added

comment:6 Changed 2 years ago by arthuredelstein

Owner: changed from tbb-team to arthuredelstein
Status: needs_information → accepted

comment:7 Changed 2 years ago by arthuredelstein

Keywords: TorBrowserTeam201702 added

comment:8 Changed 2 years ago by mcs

Cc: brade mcs added

comment:9 Changed 2 years ago by tokotoko

Cc: fdsfgs@… added

comment:10 Changed 2 years ago by qbi

As of today also retweets have stopped working in TBB 7.0a1.

comment:11 Changed 2 years ago by cypherpunks

This problem of Twitter's isn't limited to Tor users, though perhaps Tor Browser is triggering it somehow.

In this poll with 23 votes, 5 non-Tor users are also unable to like things and two Tor users are able to (maybe they're running old versions of TBB?): https://twitter.com/wiretapped/status/835984206727622656

comment:12 in reply to:  2 Changed 2 years ago by arthuredelstein

Replying to qbi:

> If I set network.cookie.cookieBehavior to 0 (allow all cookies), the Like button works again.

Thanks for reporting this -- I can confirm that. I examined the request headers for the POST observed by Isis in comment:1 under two different pref settings:

  • When network.cookie.cookieBehavior is 0, the header entry

        Authorization: Bearer AAAAAAAAAAAAAAAAAAAAA[...]

    is included (part of password is omitted in brackets)

  • When network.cookie.cookieBehavior is 1, that Auth header entry is missing, and the response includes message: "Bad Authentication data."

So the next step is to investigate why Firefox does this and also check if Firefox 52 has the same problem.

comment:13 Changed 2 years ago by arthuredelstein

Keywords: TorBrowserTeam201702R added; TorBrowserTeam201702 removed
Status: accepted → needs_review

Turns out our patch from #13900 is too strict and disallows http auth headers from api.twitter.com under a twitter.com page. Here's a fixup for review:

https://github.com/arthuredelstein/tor-browser/commit/21555

comment:14 Changed 2 years ago by gk

Keywords: TorBrowserTeam201703 added

Moving tickets to March

comment:15 Changed 2 years ago by gk

Keywords: TorBrowserTeam201703R added; TorBrowserTeam201702R TorBrowserTeam201703 removed

comment:16 Changed 2 years ago by mcs

r=brade, r=mcs
Kathy and I did not verify that this fixes the problem, but the patch looks good.

comment:18 in reply to:  4 ; Changed 2 years ago by isis

Replying to gk:

> Could someone with Twitter presence double-check that this is not a 6.5 regression by trying to hit the like buttons with 6.0.8?

With network.cookie.cookieBehavior set to 1 on 6.0.8, both retweets and likes are broken. Setting the pref to 0 fixes it.

comment:19 in reply to:  17 Changed 2 years ago by isis

Replying to gk:

> Here are test builds with the patch applied. Can anybody hitting this issue in the wild confirm that those builds work while the currently released ones don't? Plus, while we are at it, can anybody test whether the tweetdeck login problem (aka #16540) goes away with that patch as well?
>
> https://people.torproject.org/~gk/testbuilds/tor-browser-linux32-tbb-nightly_ALL_21555.tar.xz
> https://people.torproject.org/~gk/testbuilds/tor-browser-linux32-tbb-nightly_ALL_21555.tar.xz.asc
>
> https://people.torproject.org/~gk/testbuilds/tor-browser-linux64-tbb-nightly_ALL_21555.tar.xz
> https://people.torproject.org/~gk/testbuilds/tor-browser-linux64-tbb-nightly_ALL_21555.tar.xz.asc
>
> https://people.torproject.org/~gk/testbuilds/torbrowser-install-tbb-nightly_ALL_21555.exe
> https://people.torproject.org/~gk/testbuilds/torbrowser-install-tbb-nightly_ALL_21555.exe.asc
>
> https://people.torproject.org/~gk/testbuilds/TorBrowser-tbb-nightly-osx64_ALL_21555.dmg
> https://people.torproject.org/~gk/testbuilds/TorBrowser-tbb-nightly-osx64_ALL_21555.dmg.asc


Hi Geko,

I tested the 64-bit linux builds in a new fedora 24 VM, and had mostly good, but slightly mixed results. I logged into a twitter account for one of my bots, and randomly started liking and RTing things, and RTing always worked, liking almost always worked.

Liking occasionally failed, causing the like heart-emoji-thing to animate, and the number went up, but when checking the same tweet (logged into my personal account) in another Tor Browser, it showed the old number (i.e. before my bot account hit the like button). I vaguely suspect that this is because perhaps I had let the circuit expire, since I was multitasking, but I'm not entirely certain. I retested again, and liking always worked, so perhaps there was just some user-induced fluke there.

Overall, the behaviour is a significant improvement over the current stable behaviour.

comment:20 Changed 2 years ago by gk

Resolution: fixed
Status: needs_information → closed

Thanks for the tests! The patch looks good to me as well. I just pointed to this ticket and #16450 (which I'll claim gets solved with this fix as well) in the commit message in addition to the text already being there.

Commits eb8f7fd0910e831d96dfdef4782e23c6c389e844 and 340377b882408b5de24ff69bcd76e774d9844e4c have the fix (on tor-browser-45.8.0esr-6.5-2 and tor-browser-45.8.0esr-7.0-1) and it will show up in the next release both in the stable and the alpha series.

comment:21 in reply to:  18 ; Changed 2 years ago by cypherpunks

Replying to isis:

> Replying to gk:
>
> > Could someone with Twitter presence double-check that this is not a 6.5 regression by trying to hit the like buttons with 6.0.8?
>
> With network.cookie.cookieBehavior set to 1 on 6.0.8, both retweets and likes are broken. Setting the pref to 0 fixes it.

It is disconcerting that isis posted a workaround (danke!) six weeks ago but didn't mention the downsides to this workaround (nicht danke!). Now that this is due to be fixed tomorrow (according to https://twitter.com/torproject/status/852640132054360064 anyway) I wonder how many twitter+tor users have forgotten all about this and will permanently leave their cookieBehavior set to 0.

For anybody reading this ticket who doesn't realize: setting cookieBehavior to 0 means that Tor Browser will send 3rd party cookies; e.g., if you're logged into twitter it will make it so that viewing randomwebsite.com with a "tweet" button will inform twitter that you went to that website (even if you don't click the button).

I think it is a bit irresponsible of isis to recommend this workaround here without informing users of the risks. It seems certain that many people will now leave this setting changed, which negates one of the big benefits of using Tor Browser.

Maybe a Tor Browser upgrade should fix the damage done by this advice (and force the setting back to 1)?

comment:22 in reply to:  21 Changed 2 years ago by arthuredelstein

Replying to cypherpunks:

> It is disconcerting that isis posted a workaround (danke!) six weeks ago but didn't mention the downsides to this workaround (nicht danke!).
>
> I think it is a bit irresponsible of isis to recommend this workaround here without informing users of the risks.

I think you are misunderstanding the discussion there. In comment:18, Isis did a diagnostic test on an old version of Tor Browser to help with developing a patch for this bug. That purpose was clear from the context -- there's no indication that a workaround was being proposed.

Besides, this bug tracker is intended for discussing software development. As such, ideas will be freely proposed and discarded. So one should be very hesitant to take a bug comment as advice for users.

> Maybe a Tor Browser upgrade should fix the damage done by this advice (and force the setting back to 1)?

You do bring up an important point, that nonstandard prefs in Tor Browser are dangerous for users, and perhaps more users are naively changing prefs than we realize. I opened a ticket to examine this overall problem: #21983
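
The concern in comment:21 and comment:22, that a profile may be left with network.cookie.cookieBehavior at 0 after testing, can be checked from the profile's prefs.js. This is an added example, not part of the ticket or of Tor Browser's code; the expected value 1 is taken from the thread, and the sample file contents are constructed.

```python
import re

# Value the thread treats as the Tor Browser setting for this pref.
# Assumption: only this one pref is audited here.
EXPECTED = {"network.cookie.cookieBehavior": 1}

# prefs.js stores one user override per line: user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref line in a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')  # string pref, quotes removed
    return prefs

def audit(text, expected=EXPECTED):
    """List (name, found, wanted) for overrides that differ from expected.

    A pref absent from prefs.js is still at its built-in default, so it is
    not reported.
    """
    prefs = parse_prefs(text)
    return [(n, prefs[n], want) for n, want in expected.items()
            if n in prefs and prefs[n] != want]

# Constructed sample: the diagnostic setting was left in place.
SAMPLE_CHANGED = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("network.cookie.cookieBehavior", 0);
'''
# Constructed sample: no override, so the default applies.
SAMPLE_DEFAULT = 'user_pref("browser.startup.homepage", "about:tor");\n'

if __name__ == "__main__":
    for label, body in (("changed", SAMPLE_CHANGED), ("default", SAMPLE_DEFAULT)):
        print(label, audit(body))
```
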

comment:23 Changed 2 years ago by cypherpunks

This ticket was linked to on twitter, where users like me found it and applied the workaround.

I am not a developer but I correctly inferred out that the config change Isis mentioned would allow me to retweet. Seems like a workaround to me. (Only later I also figured out that it also allowed 3rd party cookies, by reading mozilla end-user documentation).

Thanks for releasing a proper fix, arthuredelstein et al!

comment:24 in reply to:  23 Changed 2 years ago by isis

Replying to cypherpunks:

> This ticket was linked to on twitter, where users like me found it and applied the workaround.
>
> I am not a developer but I correctly inferred out that the config change Isis mentioned would allow me to retweet. Seems like a workaround to me.


I'm not sure why you're so insistent on blaming me for your genius idea to use random about:config settings mentioned on twitter, when I'm not even the person who first mentioned it.