Ghostery blocks braintree javascript SDK from making requests.

[rg-3]

Please read the CONTRIBUTING guide before submitting an issue.

Description

Ghostery blocks requests made to braintree through its client-side javascript SDK.
This prevents a user from completing the checkout flow with Ghostery enabled.

Expected Behavior

I expected that Ghostery would not block a request made to Braintree.

Actual Behavior

Ghostery blocked a request to braintree.

Steps to Reproduce

1. Go to https://www.privateinternetaccess.com
2. Open chrome developer console
3. Click "SIGN UP NOW".
4. observe the paypal button remain in a loading state forever, and
   the following JS error in the console:

Failed to load https://api.braintreegateway.com/merchants/hgkc8vphzdyxjzsx/client_api/v1/configuration?tokenizationKey=production_wfvvry6v_hgkc8vphzdyxjzsx&_meta%5BmerchantAppId%5D=www.privateinternetaccess.com&_meta%5Bplatform%5D=web&_meta%5BsdkVersion%5D=3.21.0&_meta%5Bsource%5D=client&_meta%5Bintegration%5D=custom&_meta%5BintegrationType%5D=custom&_meta%5BsessionId%5D=42b1e22c-bd28-450f-9371-94c29433235e&braintreeLibraryVersion=braintree%2Fweb%2F3.21.0&configVersion=3: Response for preflight is invalid (redirect)
button.js.erb:61 Error creating client: BraintreeError: Cannot contact the gateway at this time.

Versions

• Browser: Version 67.0.3396.99 (Official Build) (64-bit)
• OS: MacOS

[philipp-classen]

Can you still reproduce? For me, the paypal button opens without errors.

Ghostery 8.2.3 (with all blocking rules enabled)
Chrome 68.0.3440.106
OS: Linux

[rg-3]

@philipp-classen i can no longer reproduce. any clues what might have changed?

[philipp-classen]

@R-obert Your error message mentioned Response for preflight is invalid (redirect). That indicates it was a CORS problem.

We had a bug on that accidentally stripped origin headers from requests, which are needed for the CORS protocol. That bug was fixed in the last release. Now we will only modify requests from the extension itself, as it was originally intended.

The fix itself came in the updated browser-core dependence.

[Cinamonas]

I incorrectly reported it to Braintree: braintree/braintree-web#383

But this is still an issue that I’m experiencing and can be reproduced here: https://developers.braintreepayments.com/guides/drop-in/overview/javascript/v3#demo

For whatever reason, Ghostery intercepts the request and replaces braintree-web with ghostery:

[christophertino]

Look like it's being removed by Anti-Tracking.

@sammacbeth could you take a look?

[sammacbeth]

Looks like another false positive. I've whitelisted this one and am working on improving the detection.

[rg-3]

@sammacbeth @christophertino this bug is back, in its original form:

Failed to load https://api.sandbox.braintreegateway.com/merchants/gnmt5b5pn9mcnyw2/client_api/v1/configuration?tokenizationKey=sandbox_cqwnq4cc_gnmt5b5pn9mcnyw2&_meta%5BmerchantAppId%5D=staging-4-77b8e3a311bcb6ec5e96.privateinternetaccess.com&_meta%5Bplatform%5D=web&_meta%5BsdkVersion%5D=3.21.0&_meta%5Bsource%5D=client&_meta%5Bintegration%5D=custom&_meta%5BintegrationType%5D=custom&_meta%5BsessionId%5D=49c3f159-eb36-44db-8f4f-43542c7829c2&braintreeLibraryVersion=braintree%2Fweb%2F3.21.0&configVersion=3: Response for preflight is invalid (redirect)
button.js.erb:84 Error creating client: BraintreeError: Cannot contact the gateway at this time.

[tcz]

This is still happening.
Ghostery for Chrome version 8.2.4

URL: https://api.braintreegateway.com/merchants/....

Returns 307 from Ghostery.
Non-Authoritative-Reason: Delegate