[Desktop] Can't sign in with firebase website with shields up

[ericelliott]

Description

We use Firebase for sign in with GitHub on EricElliottJS.com. I'm unable to sign in with shields up in Brave. It works great with shields down.

Steps to Reproduce

1. Go to EricElliottJS.com and click "sign in" in the upper right hand corner.
2. Make sure you have shields up.
3. Click "Sign In with GitHub"

Actual result:

Sign in fails and an error object is logged to the console:

{
  code: "auth/web-storage-unsupported",
  message: "This browser is not supported or 3rd party cookies and data may be disabled."
}

Expected result:

Delegated authentication is a common way to improve security and user privacy by reducing the available attack surface for nefarious collectors of usernames and passwords. I hope we can figure out how to enable commonly used authentication methods and still protect user privacy.

Reproduces how often:

Easily reproduced.

Brave version (brave://version info)

0.65.120 Chromium: 75.0.3770.90 (Official Build) (64-bit)

Revision | a6dcaf7e3ec6f70a194cc25e8149475c6590e025-refs/branch-heads/3770@{#1003}
OS | Mac OS X

Version/Channel Information:

Don't know. Don't have time to check.

• Can you reproduce this issue with the current release?
• Can you reproduce this issue with the beta channel?
• Can you reproduce this issue with the dev channel?
• Can you reproduce this issue with the nightly channel?

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields?
  Yes.

• Does the issue resolve itself when disabling Brave Rewards?
  Don't know.

• Is the issue reproducible on the latest version of Chrome?
  No.

Miscellaneous Information:

P.S. Using Brave as my default browser. Looking good. I have high hopes for the future of Brave and the BAT ecosystem.

[ryanbr]

Seems to have fixed itself

[rebron]

Closed, fixed by above commit.

[ryanbr]

Just a followup @ericelliott enabling all cookies helps.

[btlechowski]

The issue is still reproducible with default shields settings.

Note: Allowing all cookies fixes the issue.

Tested on

Brave	0.67.110 Chromium: 75.0.3770.100 (Official Build) beta(64-bit)
Revision	cd0b15c8b6a4e70c44e27f35c37a4029bad3e3b0-refs/branch-heads/3770@{#1033}
OS	Ubuntu 18.04 LTS

[kjozwiak]

Reproduced on macOS 10.14.5 x64 using the following build:

Brave	0.67.117 Chromium: 76.0.3809.62 (Official Build) (64-bit)
Revision	7b77856b3aa34d72f246d12340fc1ded8b2c0e83-refs/branch-heads/3809@{#798}
OS	Mac OS X

[rebron]

@ryanbr Can you give this another look? Looks like an issue with something more than firebaseapp

[jcubic]

Not sure if this is the same but I've got error "The popup has been closed by the user before finalizing the operation." on https://terminal.jcubic.pl#chat when I try to login with GitHub using Firebase, I don't see anything in console.

[ryanbr]

Can you test in Brave-beta @jcubic ?

[ryanbr]

Not sure what causes it, but I could login via /login github in Brave-beta

[jcubic]

Tested on Brave beta, got the same error. But this time the popup was closed, in original brave (on Fedora) the popup remained open but without any visible stuff.

[ryanbr]

Okay, Just allow all cookies in sheilds on https://terminal.jcubic.pl/#chat

Related to blocking of cookies on coveralls.io.

[jcubic]

coveralls.io is just code coverage report, it's not related. The issue it with GitHub and Firebase. Only those, maybe some other domains from Firebase. Allowing 3rd party cookies is working, but it's not related to coveralls.io. Google use lot of domains in their infrastructure.

Is it possible to enable 3rd party cookies for single domain? I've only seen one dropdown where you can enable or disable all or only 3rd party.

[jcubic]

For reference, maybe something will be able to rewrite Firebase login with this: SO: Use Google Firebase Authentication without 3rd Party Cookies I will try when I have time.

[indreklasn]

Any updates on the issue? I started getting this issue today when trying to login with Google auth with firebase. Works on Chrome.

[jcubic]

@indreklasn I think you need to enable 3rd party cookies for that page. The only solution I can think of is to have one global allow 3rd party cookie place where you can enable cookies from Google and/or Firebase. This may request to investigate what base domain firebase use that need 3rd party cookies, visit that domain and then enable 3rd party cookies so it will enable to use on all firebase websites. Maybe some extension (if brave allow extensions) that will enable Firebase login on any new website, without any other 3rd party cookie.

[indreklasn]

@jcubic I have already enabled cookies and disabled shields. :/

This answer fixed the issue for me: https://stackoverflow.com/a/51277982/5073961

[ericelliott]

I'm seeing this now even with shields down. Signing in with Chrome works great.

Just installed and tried it with Brave Version 0.70.121 Chromium: 78.0.3904.70 (Official Build) (64-bit)

• Works with shields down.
• Does not work with shields up.

[AoDev]

Facing the same issue here. I just want to link this issue from firebase-js-sdk repo.

[aormsby]

No idea if this helps, but here's a specific error message I recently got showing that seemingly all requests from 'googleapis.com' are blocked when shields are up. The site in question does use Firebase for authentication.

{"error":
    {"code":403,"message":"Requests from referer https://www.googleapis.com/ are blocked.","errors": 
       [{"message":"Requests from referer https://www.googleapis.com/ are 
            blocked.","domain":"global","reason":"forbidden"}],
    "status":"PERMISSION_DENIED"}}

I've recently been unable to sign in using google sign-in everywhere I've tried, and the browser even kicks me out of things I'm already signed into sometimes. :sad:

[bsclifton]

@aormsby do you have Allow Google logins enabled? It's enabled by default, but you can check in brave://settings/socialBlocking

[aormsby]

Nope. I don't even see the option. Hopefully I'm not missing some important detail here.

[bsclifton]

ah ok - that feature is only on 1.3 and newer (which is on our Beta channel)

[alexlouden]

No idea if this helps, but here's a specific error message I recently got showing that seemingly all requests from 'googleapis.com' are blocked when shields are up. The site in question does use Firebase for authentication.

I just ran into this today, discovered that Brave changes the referer header on the request to googleapis.com (instead of myapp.com), so the referer restriction on the API key fails. See https://console.developers.google.com/apis/credentials under "Website restrictions". I'm just going to catch this error and show a message to the user explaining what's happening, unless anyone has any other ideas?

[gkgrepo]

I was getting a 403 error message as well as follows
..

I had to disable "blocking cross-site cookies" to allow all cookies to get this to work..

[dginovker]

No longer works, here's a project you can test on as well to get the web-page's source code: https://github.com/armand1m/react-firebase-authentication-medium

[fmarier]

We've just made a change to how we modify the referrer on cross-origin POST requests (brave/brave-core#5613). This might address the underlying issue here.

Would anybody be able to test again using Brave Nightly?

[jperasmus]

Only works for me if I change the default "Only block cross-site cookies" to "Allow cookies" in the brave://settings/shields settings. Obviously not ideal.

[fmarier]

Thanks for the testing. It looks like aside from the referrer problems (now fixed), there is also a problem due to third-party cookies: #10367

[pes10k]

closed with brave/brave-core#5952

[GeetaSarvadnya]

Verification passed on

Brave | 1.12.104 Chromium: 84.0.4147.89 (Official Build) dev (64-bit)
-- | --
Revision | 19abfe7bcba9318a0b2a6bc6634a67fc834aa592-refs/branch-heads/4147@{#852}
OS | Windows 10 OS Version 1903 (Build 18362.959)

Reproduced issue in 1.11.x

Qi {code: "auth/web-storage-unsupported", message: "This browser is not supported or 3rd party cookies and data may be disabled."}

• Verified STR from the description able to "Sign In with GitHub" with default shield settings and there is no 3rd party cookies and data may be disabled message displayed in the console