Brave-browser: [Desktop] Can't sign in with firebase website with shields up

Created on 29 Jun 2019 · 30Comments · Source: brave/brave-browser

Description

We use Firebase for sign in with GitHub on EricElliottJS.com. I'm unable to sign in with shields up in Brave. It works great with shields down.

Steps to Reproduce

Go to EricElliottJS.com and click "sign in" in the upper right hand corner.
Make sure you have shields up.
Click "Sign In with GitHub"

Actual result:

{
  code: "auth/web-storage-unsupported",
  message: "This browser is not supported or 3rd party cookies and data may be disabled."
}

Expected result:

Delegated authentication is a common way to improve security and user privacy by reducing the available attack surface for nefarious collectors of usernames and passwords. I hope we can figure out how to enable commonly used authentication methods and still protect user privacy.

Reproduces how often:

Easily reproduced.

Brave version (brave://version info)

0.65.120 Chromium: 75.0.3770.90 (Official Build) (64-bit)

Revision | a6dcaf7e3ec6f70a194cc25e8149475c6590e025-refs/branch-heads/3770@{#1003}
OS | Mac OS X

Version/Channel Information:

Don't know. Don't have time to check.

Can you reproduce this issue with the current release?
Can you reproduce this issue with the beta channel?
Can you reproduce this issue with the dev channel?
Can you reproduce this issue with the nightly channel?

Other Additional Information:

Does the issue resolve itself when disabling Brave Shields?
Yes.
Does the issue resolve itself when disabling Brave Rewards?
Don't know.
Is the issue reproducible on the latest version of Chrome?
No.

Miscellaneous Information:

P.S. Using Brave as my default browser. Looking good. I have high hopes for the future of Brave and the BAT ecosystem.

OWindows QA Pass-Win64 QYes release-noteexclude webcompat

Source

ericelliott

👍2

Most helpful comment

~I'm seeing this now even with shields down. Signing in with Chrome works great.~

Just installed and tried it with Brave Version 0.70.121 Chromium: 78.0.3904.70 (Official Build) (64-bit)

Works with shields down.
Does not work with shields up.

ericelliott on 24 Oct 2019

👍8

All 30 comments

Seems to have fixed itself

ryanbr on 2 Jul 2019

🎉1

Closed, fixed by above commit.

rebron on 5 Jul 2019

🎉1

Just a followup @ericelliott enabling all cookies helps.

ryanbr on 7 Jul 2019

The issue is still reproducible with default shields settings.

Note: Allowing all cookies fixes the issue.

Tested on

Brave | 0.67.110 Chromium: 75.0.3770.100 (Official Build) beta(64-bit)
-- | --
Revision | cd0b15c8b6a4e70c44e27f35c37a4029bad3e3b0-refs/branch-heads/3770@{#1033}
OS | Ubuntu 18.04 LTS

btlechowski on 18 Jul 2019

Reproduced on macOS 10.14.5 x64 using the following build:

Brave | 0.67.117 Chromium: 76.0.3809.62 (Official Build) (64-bit)
-- | --
Revision | 7b77856b3aa34d72f246d12340fc1ded8b2c0e83-refs/branch-heads/3809@{#798}
OS | Mac OS X

kjozwiak on 25 Jul 2019

@ryanbr Can you give this another look? Looks like an issue with something more than firebaseapp

rebron on 25 Jul 2019

Not sure if this is the same but I've got error "The popup has been closed by the user before finalizing the operation." on https://terminal.jcubic.pl#chat when I try to login with GitHub using Firebase, I don't see anything in console.

jcubic on 8 Oct 2019

Can you test in Brave-beta @jcubic ?

ryanbr on 8 Oct 2019

Not sure what causes it, but I could login via /login github in Brave-beta

ryanbr on 8 Oct 2019

Tested on Brave beta, got the same error. But this time the popup was closed, in original brave (on Fedora) the popup remained open but without any visible stuff.

jcubic on 8 Oct 2019

Okay, Just allow all cookies in sheilds on https://terminal.jcubic.pl/#chat

Related to blocking of cookies on coveralls.io.

ryanbr on 8 Oct 2019

coveralls.io is just code coverage report, it's not related. The issue it with GitHub and Firebase. Only those, maybe some other domains from Firebase. Allowing 3rd party cookies is working, but it's not related to coveralls.io. Google use lot of domains in their infrastructure.

Is it possible to enable 3rd party cookies for single domain? I've only seen one dropdown where you can enable or disable all or only 3rd party.

jcubic on 8 Oct 2019

For reference, maybe something will be able to rewrite Firebase login with this: SO: Use Google Firebase Authentication without 3rd Party Cookies I will try when I have time.

jcubic on 8 Oct 2019

Any updates on the issue? I started getting this issue today when trying to login with Google auth with firebase. Works on Chrome.

indreklasn on 22 Oct 2019

@indreklasn I think you need to enable 3rd party cookies for that page. The only solution I can think of is to have one global allow 3rd party cookie place where you can enable cookies from Google and/or Firebase. This may request to investigate what base domain firebase use that need 3rd party cookies, visit that domain and then enable 3rd party cookies so it will enable to use on all firebase websites. Maybe some extension (if brave allow extensions) that will enable Firebase login on any new website, without any other 3rd party cookie.

jcubic on 22 Oct 2019

@jcubic I have already enabled cookies and disabled shields. :/

This answer fixed the issue for me: https://stackoverflow.com/a/51277982/5073961

indreklasn on 23 Oct 2019

~I'm seeing this now even with shields down. Signing in with Chrome works great.~

Just installed and tried it with Brave Version 0.70.121 Chromium: 78.0.3904.70 (Official Build) (64-bit)

Works with shields down.
Does not work with shields up.

ericelliott on 24 Oct 2019

👍8

Facing the same issue here. I just want to link this issue from firebase-js-sdk repo.

AoDev on 6 Jan 2020

No idea if this helps, but here's a specific error message I recently got showing that seemingly all requests from 'googleapis.com' are blocked when shields are up. The site in question does use Firebase for authentication.

{"error":
    {"code":403,"message":"Requests from referer https://www.googleapis.com/ are blocked.","errors": 
       [{"message":"Requests from referer https://www.googleapis.com/ are 
            blocked.","domain":"global","reason":"forbidden"}],
    "status":"PERMISSION_DENIED"}}

I've recently been unable to sign in using google sign-in everywhere I've tried, and the browser even kicks me out of things I'm already signed into sometimes. :sad:

aormsby on 8 Jan 2020

@aormsby do you have Allow Google logins enabled? It's enabled by default, but you can check in brave://settings/socialBlocking

bsclifton on 8 Jan 2020

Nope. I don't even see the option. Hopefully I'm not missing some important detail here.

Screen Shot 2020-01-09 at 18 22 39

Screen Shot 2020-01-09 at 18 30 30

aormsby on 9 Jan 2020

👍1

ah ok - that feature is only on 1.3 and newer (which is on our Beta channel)

bsclifton on 10 Jan 2020

No idea if this helps, but here's a specific error message I recently got showing that seemingly all requests from 'googleapis.com' are blocked when shields are up. The site in question does use Firebase for authentication.

I just ran into this today, discovered that Brave changes the referer header on the request to googleapis.com (instead of myapp.com), so the referer restriction on the API key fails. See https://console.developers.google.com/apis/credentials under "Website restrictions". I'm just going to catch this error and show a message to the user explaining what's happening, unless anyone has any other ideas?

alexlouden on 15 Jan 2020

🎉1

I was getting a 403 error message as well as follows
Screenshot - 2_13_2020 , 2_18_48 PM ..

I had to disable "blocking cross-site cookies" to allow all cookies to get this to work..

Screenshot - 2_13_2020 , 2_13_31 PM

Screenshot - 2_13_2020 , 2_13_10 PM

gkgrepo on 13 Feb 2020

No longer works, here's a project you can test on as well to get the web-page's source code: https://github.com/armand1m/react-firebase-authentication-medium

dginovker on 27 May 2020

We've just made a change to how we modify the referrer on cross-origin POST requests (https://github.com/brave/brave-core/pull/5613). This might address the underlying issue here.

Would anybody be able to test again using Brave Nightly?

fmarier on 15 Jun 2020

🎉1

Only works for me if I change the default "Only block cross-site cookies" to "Allow cookies" in the brave://settings/shields settings. Obviously not ideal.

jperasmus on 25 Jun 2020

Thanks for the testing. It looks like aside from the referrer problems (now fixed), there is also a problem due to third-party cookies: https://github.com/brave/brave-browser/issues/10367

fmarier on 25 Jun 2020

closed with https://github.com/brave/brave-core/pull/5952

pes10k on 26 Jun 2020

🎉1

Verification passed on

Brave | 1.12.104 Chromium: 84.0.4147.89 (Official Build) dev (64-bit)
-- | --
Revision | 19abfe7bcba9318a0b2a6bc6634a67fc834aa592-refs/branch-heads/4147@{#852}
OS | Windows 10 OS Version 1903 (Build 18362.959)

Reproduced issue in 1.11.x

Qi {code: "auth/web-storage-unsupported", message: "This browser is not supported or 3rd party cookies and data may be disabled."}

Verified STR from the description able to "Sign In with GitHub" with default shield settings and there is no 3rd party cookies and data may be disabled message displayed in the console