Compatibility with future Firefox versions

[Trikolon]

I’m a Privacy Engineer at Mozilla. I’m writing to report breakage of the Stackblitz preview feature caused by a new Firefox feature called State Partitioning. The preview browser breaks because it doesn’t get the expected storage access. For a full description of the breakage see: Bug 1668408.

To reproduce this, download Firefox Nightly and enable Strict privacy protections.

State Partitioning is a privacy feature that prevents embedded third-party iframes from having cross-site access to cookies and site data. Instead, these iframes will get a new (partitioned) data store for every top-level site that they are embedded in. For example, this means that when https://rxjs-yo2jz5.stackblitz.io is embedded on https://stackblitz.com it will be unable to access cookies that were set in other contexts (such as when a user visited your website via the url bar).

State Partitioning is currently only enabled by default in Firefox Nightly (our daily developer build), but we are planning to ship it to Firefox release users that have “Strict” privacy protections enabled in version 86 (expected release February 23rd). ~1.5% of Firefox Release users have opted into “Strict” protections. However, our long-term plan is to ship State Partitioning as part of “Standard” privacy protections, which is the default for most of our users.

Note that other browsers ship similar protections, which means that a similar issue also occurs on Chrome in Incognito Mode (see issue #162).

One option to fix this breakage is to have your embedded code call the Storage Access API, which is an API the browser provides to allow an embedded iframe to request access to its unpartitioned cookies and site data. If the storage access request is approved by the user, then your iframe will have access to the same cross-site state that it has today. Full documentation for the Storage Access API is available here: https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API.

We’re happy to answer any questions you might have!

Edit: Here is some more info on how State Partitioning works: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/State_Partitioning

[fvsch]

@Trikolon Thanks for the heads up!

The issue seems to happen in Firefox 86 with “Strict” ETP (browser.contentblocking.category=strict) in a normal window, but not in a Private Window (with the same settings). I can reproduce that in Firefox 88 (Nightly 2021-02-23) as well.
From the top of your mind, any idea why it would work in a Private Window?

[Trikolon]

In private browsing mode Firefox disables service workers. From some quick debugging it looks like the code checks for service worker support. If I disable service workers in the normal window, the site also works there.

[JannesMeyer]

As a Firefox user and new StackBlitz user I also had this problem today.

I do have strict tracking protection enabled in Firefox, but there was no visual feedback that this is why it's not working. The preview pane stayed blank and there were error messages in the console about storage access.

Interestingly, it still does not work with tracking protection disabled for stackblitz.com: (maybe because it would need other domains like stackblitz.io to be whitelisted as well?)

So I decided to try it in Edge and it worked fine for the duration of my use, but it wasn't ideal.

[fvsch]

A bit of history for this bug:

• Mozilla added a shim for stackblitz.com that disabled service workers in Firefox there, solving the issue with some of our starter projects but also breaking another type of project which has a strict requirement on service workers.
• In recent updates to our codebase we've fixed some unnecessary or uncorrectly handled storage access code, which fixed a series of issues in Chrome and Brave for iframed projects, and in Firefox for projects opened in a Private Window.
• It looks like those updates may enable us to request Mozilla to remove this specific shim. In my (manual) tests disabling the shim in about:compat, it doesn't seem to lead to any breakage, and fixes our project type which relies on service workers.

[fvsch]

The shim in Firefox was removed in late 2022.