
#51 Logins broken from Ungoogled Chromium

Open
opened 1 week ago by libBletchley · 14 comments

Ungoogled Chromium users cannot login into Codeberg. My knee-jerk suspicion is that codeberg is doing something with cookies and google and that browser is (rightly) coded to not talk to Google. Codeberg users should not be required to interact with Google.

ashimokawa commented 1 week ago
Owner

@libBletchley

Codeberg users are NOT required to interact with google, that’s nonsense. Codeberg does use a session cookie to recognize logged in users (the alternative would be to have a session id in every URL, and that does not make sense). Session cookies are not evil. Codeberg should work, just not when disallowing javascript or disallowing all cookies.

libBletchley commented 1 week ago
Poster

Why was this ticket closed? Ungoogled Chromium logins still fail. Login creds are accepted and then a logged-out landing page is presented.

ashimokawa commented 1 week ago
Owner

@libBletchley

I just downloaded and installed ungoogled chromium with a fresh profile, no settings altered, logged into codeberg. worked.

hw commented 1 week ago
Owner

Just a guess: you possibly must not disable cookies and javascript? Both are needed for basic operation (probably for 99+% of all other sites that maintain a user state, too?).

In addition to Javascript that handles menus etc, the gitea software implementing the user-facing frontend of Codeberg.org is only using session cookies, which are commonly understood as essential to maintain state and detect authentication, in the words of Article 5(3) of the ePrivacy Directive:

```
consent is not required for technical storage or access of the following cookies:
- Cookies used for the sole purpose of carrying out the transmission of a communication
- Cookies that are strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service

Examples of cookies that generally do NOT require consent:
- User input cookies, for the duration of a session
- Authentication cookies, for the duration of a session
- User centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
- Multimedia content player session cookies, such as flash player cookies, for the duration of a session
- Load balancing session cookies, for the duration of session.
- User interface customisation cookies, for a browser session or a few hours, unless additional information in a prominent location is provided (e.g. “uses cookies” written next to the customisation feature

[...]
```

In order to verify yourself, you can simply enable the network traffic logger of your browser to check that no requests to the likes of Google or any other 3rdparty services are initiated, and also dump the session cookie content in the browser console.

Tools like uBlock-origins in default-deny mode blocking and reporting all traffic to 3rdparty-networks should also help to verify that Codeberg.org is working independently and free of any 3rdparty networks.

Please let us know if you have any other questions, and feel free to reopen the issue if needed.

ashimokawa commented 5 days ago
Owner

Can anyone else test ungoogled chromium? For me it unfortunately just works, so I do not know what to do to reproduce.

@mckaygerhard

Instead of disapproving my posts, how about commenting and explain what you dislike?


I’m still making tests.. with other browsers..

but the dislike was due to you closing the issue immediately, without even waiting for more info..

ashimokawa commented 5 days ago
Owner

@mckaygerhard I was on mobile and hit the wrong button. It is okay to say that you dislike the fact I closed this, but disliking posts after the issue is reopened does not make sense ;)

I really tried hard to reproduce the issue, but it works here with ungoogled chromium. I wish it would not work so I could be in the same boat.

My wild guess is that users who use ungoogled chromium also have some settings that prevent logins (disallowing javascript or cookies for codeberg)

Rest assured that we do not talk to google, if you use uMatrix you will see that there are only connections to Codeberg (unless some project on codeberg embeds external images in their readme.md and you browse that of course). uMatrix can be used to prevent that also.


I rechecked and, well, it works perfectly with palemoon and firefox, older and newer versions.. but I still must check with google 27 and google 43 … yes, older! … because the older ones work and are not memory hungry! It also works with chromium, but only newer versions, which for the majority of us make no sense for a variety of great reasons that we can discuss separately.

libBletchley commented 5 days ago
Poster

@ashimokawa

Since you could not reproduce the problem with stock Ungoogled Chromium (“UC”), I’ll give more info about my configuration. I did not put much effort into hardening UC version 62.0.3202.94. Javascript and cookies are enabled by default (but selective due to uMatrix). These are the changes in my configuration:

  • I changed the network proxy to use the Tor network by launching with this commandline: `ionice -c 2 -n 6 chromium --proxy-server='socks5://127.0.0.1:9050' --host-resolver-rules='MAP * ~NOTFOUND , EXCLUDE 127.0.0.1'`
  • Installed these extensions:
    • Whitebuster (colorizes white backgrounds)
    • uMatrix - which shows that codeberg.org asks for a 3rd party cookie at google.com (bizarre)
    • HTTPS Everywhere
    • User Agent Switcher
    • Save as MHT
    • Auto Overlay Remover
    • Cloudbleed Indicator
    • Gnome Shell Integration
    • TooMany Tabs for Chrome

It’s reasonable that codeberg.org would need a cookie, but unreasonable that a google.com cookie would be needed. uMatrix defaults to accepting 1st party cookies and rejecting 3rd party cookies. Note as well that no website has given me a login problem apart from codeberg.org, so codeberg is apparently doing something irregular with the session cookies.

ashimokawa commented 5 days ago
Owner

@libBletchley I am also a uMatrix user and I do not accept 3rd party cookies at all, also I do not see anything else in uMatrix than codeberg.org.

We do not want google.com cookies here, really bizarre.

hw commented 5 days ago
Owner

@libBletchley

> […] I’ll give more info about my configuration. I did not put much effort into hardening […]

Any cookie outside the codeberg.org namespace would be quite unexpected, we would be very curious where this might be coming from.

In order to narrow this down, could you please test plain UC in default config and then step by step enable your changes, and report what exactly causes the problem?

Ghost commented 4 days ago

No problem here (I’m a “Tor Browser” user). Can’t find any google cookies.

    Whitebuster (colorizes white backgrounds)
    uMatrix - which shows that codeberg.org asks for a 3rd party cookie at google.com (bizarre)
    HTTPS Everywhere
    User Agent Switcher
    Save as MHT
    Auto Overlay Remover
    Cloudbleed Indicator
    Gnome Shell Integration
    TooMany Tabs for Chrome

Wow you have too many add-ons!

Do “50%/50%” test.

0. Enable umatrix.

1. Disable these:
Whitebuster
HTTPS Everywhere
User Agent Switcher
Save as MHT

2. Close browser.

3. Open https://codeberg.org/Codeberg/Community/issues/51

4. Can you find google cookies? If no,

5. Disable these
Auto Overlay Remover
Cloudbleed Indicator
Gnome Shell Integration
TooMany Tabs for Chrome

And enable them
Whitebuster
HTTPS Everywhere
User Agent Switcher
Save as MHT

6. Close browser.

7. Open codeberg. Can you find google cookies?

8. Continue 50%/50% test to find bad add-on.
libBletchley commented 4 days ago
Poster

First without making any changes, I noticed that uMatrix no longer shows a “1” in the cookie column on the google.com row. I didn’t make any changes on my end so I’m not sure why that changed. The google.com row still appears but there’s nothing on it. Whatever the reason, it seems unrelated. That is, I give my login creds and it still simply renders a logged out page (as if I never got a session cookie).

I also disabled all user-installed extensions including uMatrix. It made no difference. I still cannot login using UC.

Ghost commented 4 days ago
1. Close the browser.
2. Open Ungoogled chrome. Don't open any webpage.
3. Press [F12] key. It will open console.
4. Click Network tab.
5. Open https://codeberg.org/Codeberg/Community/issues/51
6. You should find www.google.com request (at least in your environment).
Screenshot it.

My guess is your browser is not ungoogled because it is making request to dns.google.com.

Turn them OFF.

chrome://settings/

Privacy and security

Use a web service to help resolve navigation errors
Use a prediction service to help complete searches and URLs typed in the address bar
Use a prediction service to load pages more quickly
Automatically report details of possible security incidents to Google
Protect you and your device from dangerous sites
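
The two checks suggested in this thread (hw's advice to watch the network traffic log for third-party requests, and Ghost's Network-tab steps) can be run mechanically over a HAR export of the login attempt. The following is an added example, not part of the thread and not Codeberg's or Gitea's code; the cookie name `sid`, the host `tracker.example` and the sample entries are constructed, and `auditHar` is a hypothetical helper name.

```javascript
// Added example, not Codeberg's or Gitea's code. Works on the log.entries array
// of a HAR file exported from the DevTools Network tab.
const SITE = "codeberg.org"; // first-party host named in the thread

// True when host is SITE itself or one of its subdomains.
function isFirstParty(host, site = SITE) {
  return host === site || host.endsWith("." + site);
}

// All values of one header (case-insensitive) from a HAR header array.
function headerValues(headers, name) {
  return (headers || [])
    .filter((h) => h.name.toLowerCase() === name)
    .flatMap((h) => h.value.split("\n")); // some exports join repeats with \n
}

// Lists third-party hosts contacted, cookies the site set, and first-party
// requests that failed to send a previously set cookie back.
// Assumption: cookies are scoped to Path=/ and are not deleted mid-capture.
function auditHar(entries, site = SITE) {
  const thirdPartyHosts = new Set();
  const cookiesSet = new Set();
  const findings = [];
  for (const e of entries) {
    const host = new URL(e.request.url).hostname;
    if (!isFirstParty(host, site)) {
      thirdPartyHosts.add(host);
      continue;
    }
    const sent = headerValues(e.request.headers, "cookie")
      .flatMap((v) => v.split(";"))
      .map((c) => c.trim().split("=")[0]);
    for (const name of cookiesSet) {
      if (!sent.includes(name)) {
        findings.push(`${name} not sent on ${e.request.method} ${e.request.url}`);
      }
    }
    for (const sc of headerValues(e.response.headers, "set-cookie")) {
      cookiesSet.add(sc.split("=")[0].trim());
    }
  }
  return { thirdPartyHosts: [...thirdPartyHosts].sort(), cookiesSet: [...cookiesSet], findings };
}

// Constructed capture: cookie name "sid", its values and tracker.example are made up.
const hdr = (name, value) => ({ name, value });
const entry = (method, url, req = [], res = []) =>
  ({ request: { method, url, headers: req }, response: { headers: res } });
const SAMPLE_ENTRIES = [
  entry("GET", "https://codeberg.org/user/login", [], [hdr("Set-Cookie", "sid=aaa; Path=/; HttpOnly")]),
  entry("POST", "https://codeberg.org/user/login", [hdr("Cookie", "sid=aaa")], [hdr("set-cookie", "sid=bbb; Path=/; HttpOnly")]),
  entry("GET", "https://tracker.example/pixel.gif"),
  entry("GET", "https://codeberg.org/"), // no Cookie header: the logged-out symptom
];

console.log(auditHar(SAMPLE_ENTRIES));
```

An empty `thirdPartyHosts` list confirms the site loaded nothing from outside its own domain, while a non-empty `findings` list points at a browser or extension dropping the session cookie between the login POST and the next page load.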