Firefox 96.01 blocks access to popmoney on my credit union's website.
Firefox 96.01 seems to be blocking access to popmoney through my credit union's website. The error message states that I must allow third-party cookies, but Firefox 96 doesn't have an option to specifically enable/disable third-party cookies. I can do this easily on Microsoft Edge, so I have to fall back on Edge in order to use popmoney.
Copy of error message:
"We're sorry for this error. In order to use this service, your internet browser must accept third-party cookies. Please refer to your browser's online help for enabling cookies in your system. Please try again after you enable the cookies."
Vahaolana nofidina
As I mentioned in my other reply:
Firefox 96 made three changes related to cookies that affect when they will be served to third party servers. Most likely the issue with the site you're using is #1 on the following list, and it's pretty quick to change a setting to test that.
(1) If the server does not specify the SameSite setting for its cookies, Firefox changed from treating it as SameSite=None (allow serving as a third party cookie) to SameSite=Lax (partially restricts serving as a third party cookie).
Users have reported two different servers with this issue so far:
- iCloud: https://support.mozilla.org/questions/1364242
- Canvas/Kaltura
(2) If the cookie was set on an HTTPS page, it is not automatically passed to HTTP pages on the same server. In other words, SameSite consider the protocol (scheme) as well as the host name. This is a problem for older sites that use HTTP for most pages but do the login over HTTPS. Example: https://www.reddit.com/r/firefox/comments/s3iych/south_korea_cant_sign_in_to_some_websites_after/
Note: a hotfix was released Friday to revert change #2.
(3) If the server specifies that third party cookies are okay by setting SameSite=None, this is only honored for HTTPS pages, not HTTP pages. I don't know whether this is causing problems on any sites.
How to test whether this is issue #1:
(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
More info on about:config: Configuration Editor for Firefox. The moderators would like us to remind you that changes made through this back door aren't fully supported and aren't guaranteed to continue working in the future.
(B) In the search box in the page, type or paste laxByDefault and pause while the list is filtered
(C) Double-click the network.cookie.sameSite.laxByDefault preference to switch the value from true to false
I don't know whether that takes effect immediately or whether you need to quit Firefox and start it up again.
Hopefully we will get a better understanding of how to set exceptions in the future so you can benefit from this change while using other sites.
Hamaky an'ity valiny ity @ sehatra 👍 2All Replies (13)
As for clicking on the shield and disabling enhanced tracking protection, I have tried this and it did not work.
What do you have set here? see screeshot
Mine is set to Standard, though I tried setting it to Custom (cross-site tracking cookies). I did not set the third-party cookies option because that's exactly what I don't want to do. I reverted to Standard.
Let me add that this problem only occurred a a couple of days ago. The only thing "new" is the latest update of Firefox 96, that worked previously for both credit union popmoney accounts. I have found Microsoft Edge to be unaffected because it's set by default to allow third-party cookies.
Have you tried in Firefox in Safe Mode? It could be an add-on blocking something. What credit union site are you trying to reach? Can you provide steps to replicate the issue?
The only add-on is Facebook Container, now turned off, and this problem I have now, only appeared suddenly, I believe, on Friday. Prior to that, no problems. I have two credit union sites, and with both, the only problem is when I try to access popmoney. Everything else seems nominal. I can go to the credit union's app and can easily access popmoney. So whatever the problem, it looks like there must have been a recent update of Firefox (96.0.01?) that blocked third-party cookies by default (while MS Edge allows them by default). Have not used safe mode on Firefox. I have been a Firefox fan ever since the earliest versions, but over time its user interface has become more difficult and complicated. There is not a simple on-off button for third-party cookies. The error message requests that I allow third-party cookies, but I go to Settings and there is no evidence that I am not allowing them.
I have no problem reaching either credit union's site. It's just when I try to access popmoney through Bill Pay, when access gets blocked.
Novain'i John Stewart t@
Vahaolana Nofidina
As I mentioned in my other reply:
Firefox 96 made three changes related to cookies that affect when they will be served to third party servers. Most likely the issue with the site you're using is #1 on the following list, and it's pretty quick to change a setting to test that.
(1) If the server does not specify the SameSite setting for its cookies, Firefox changed from treating it as SameSite=None (allow serving as a third party cookie) to SameSite=Lax (partially restricts serving as a third party cookie).
Users have reported two different servers with this issue so far:
- iCloud: https://support.mozilla.org/questions/1364242
- Canvas/Kaltura
(2) If the cookie was set on an HTTPS page, it is not automatically passed to HTTP pages on the same server. In other words, SameSite consider the protocol (scheme) as well as the host name. This is a problem for older sites that use HTTP for most pages but do the login over HTTPS. Example: https://www.reddit.com/r/firefox/comments/s3iych/south_korea_cant_sign_in_to_some_websites_after/
Note: a hotfix was released Friday to revert change #2.
(3) If the server specifies that third party cookies are okay by setting SameSite=None, this is only honored for HTTPS pages, not HTTP pages. I don't know whether this is causing problems on any sites.
How to test whether this is issue #1:
(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
More info on about:config: Configuration Editor for Firefox. The moderators would like us to remind you that changes made through this back door aren't fully supported and aren't guaranteed to continue working in the future.
(B) In the search box in the page, type or paste laxByDefault and pause while the list is filtered
(C) Double-click the network.cookie.sameSite.laxByDefault preference to switch the value from true to false
I don't know whether that takes effect immediately or whether you need to quit Firefox and start it up again.
Hopefully we will get a better understanding of how to set exceptions in the future so you can benefit from this change while using other sites.
Also, to get an idea of what cookies is being blocked, you should clear your cookies in Edge and then go to your bank site to see what 3rd party cookies are being used.
Jscher2000:
An enthusiastic Thumbs Up from me! Problem quickly solved!
Novain'i John Stewart t@
Thank you for reporting back. If you have an email thread or support ticket with your credit union, or don't mind starting one, can you send them a link to this thread? For their reference:
- https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/96#http
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
- https://web.dev/samesite-cookies-explained/
I notice three links above. Which particular thread should be sent?
You can send a link to this question thread:
as a novice in all of this, is there a reference on how to insert the code? I also have a popmoney account that does not like my attempts to use it.
Follow jscher2000 posted solution.
Then follow instructions listed under:
How to test whether this is issue #1
First click on the + sign above browser window to add a new tab. Copy and paste 'about:config in the browser window (address bar). Hit enter. Next copy and paste laxByDefault and select the option recommended. This is easier that it looks, and I am not an expert in this kind of thing either.
Novain'i John Stewart t@