Crio.do does not work on Brave

[mandar-brave]

User reported that crio.do (a Firebase website ) does not let them authenticate using a G-Auth.
Chrome done.

Seems like a ton of 3P cookies all over the place via Firebase.

cc @pes10k - please move it to the appropriate repo/project.

[pes10k]

The issue here is that the site tries to do auth through 3p cookies on https://crio-prod.firebaseapp.com/__/auth/iframe

Some options:

• add 3p cookie exception for firebaseapp.com
• storage access API for 3p storage
• dual key storage

Adding to agenda for privacy confab on Tuesday

[ryanbr]

Related to this? #9852

[pes10k]

@ryanbr yea, i expect so. The way firebase does their own, 3p iframe version of SSO is… bad…

[pes10k]

@ryanbr can you add a 3p cookie exception for *.firebaseapp.com in brave-core then? That'll allow us to at least close these two issues, until we have a better option. Feel free to tag me for review

[ryanbr]

Since I had a existing fix for sony.com, I adjusted that PR to include firebase:

brave/brave-core#5857

[jumde]

Just a couple of suggestions:

1. Gate this behind a Google Login toggle in brave://settings/socialBlocking
2. There is an issue in chromium, cookies are not deleted if an exception is added if all-browser history is cleared. There are couple of issues for accounts.google.com exception.

[pes10k]

For 1 at least, i think that'd be an odd mismatch though, since the first hop of the data is to firebase and not google

For 2, do you know if folks are sorting this out correclty upstream?

[pes10k]

closed with brave/brave-core#5952

[rahulsuresh-git]

Hey,
This is Rahul from Crio.Do. Thanks for bringing this up!
We have been facing this issue from Day 1. Again, as @pes10k said, #9852 was a known issue and we urge users to allow "All cookies" while using our platform but it is not the kind of experience we are trying to provide.

I hope this issue gets patched in coming releases, as I suppose firebase and brave have not got along well from a long time now.

Best,
Rahul

[pes10k]

@icy-meteor , yep! Its currently fixed in nightly and will make its way to stable in the 1.12 release (the 1.11 release comes out next Wednesday, so it'll be in beta starting July 14, 2020, and in stable August 4, 2020).

The way the fix will work is that if a user has "enable gmail auth" enabled in shields (the default setting) then that'll also enable cookies against firebase. So, in the default configuration, folks will be able to log into your site w/o any changes.

Relevant fix is here: brave/brave-core#5952

Hope that helps!

[rahulsuresh-git]

Thanks for the update, @pes10k!

[GeetaSarvadnya]

Verification passed on

Brave | 1.12.102 Chromium: 84.0.4147.89 (Official Build) dev (64-bit)
-- | --
Revision | 19abfe7bcba9318a0b2a6bc6634a67fc834aa592-refs/branch-heads/4147@{#852}
OS | Windows 10 OS Version 1903 (Build 18362.959)

• Verified the issue description,
• Ensured that user can log in to crio.do using G- auth with default shield settings