My add-on's requests are blocked because they "came from a tracker"

shroudedcode · December 24, 2019, 12:54pm

I’m the developer of the Refined Prime Video WebExtension which is available for Chrome and Firefox. A recent Firefox update seems to have broken one of its features. It’s a popup that allows users to quickly continue watching series on Amazon Prime Video (see screenshot).

To fetch the list of series from Prime Video, the popup makes a request to an internal Prime Video endpoint at /gp/video/api/storefront. Users can select an Amazon region in the settings which determines the domain being used (for example amazon.de or primevideo.com).

Today I noticed that three of the supported domains (amazon.de, amazon.co.uk, and amazon.co.jp) are no longer working in Firefox because my add-on’s requests to them are flagged as “from a tracker” and, as a result, don’t contain cookies (which are required to return user-specific content). This is the warning message I got in the debug console:

Request to access cookie or storage on “https://www.amazon.de/gp/video/api/storefront” was blocked because it came from a tracker and content blocking is enabled.

I don’t understand why Firefox identifies my add-on as a tracker or why amazon.com and primevideo.com are not affected by this. Can anybody help me with this?

freaktechnik · December 25, 2019, 12:13pm

You are making requests to these domains from a different origin than the target origin. While amazon makes the requests from their own origin.

If you explicitly list the domains as host permissions, you will not be affected by tracking protection:

shroudedcode · December 25, 2019, 1:40pm

You are making requests to these domains from a different origin than the target origin.

I’m aware of that and I’ve always included these domains as host permissions:

"permissions": [
  "storage",
  "tabs",
  "https://*.primevideo.com/*",
  "https://*.amazon.com/*",
  "https://*.amazon.co.uk/*",
  "https://*.amazon.de/*",
  "https://*.amazon.co.jp/*"
],

This also used to work and still does for some of the domains (I’m not getting this error for primevideo.com and amazon.com).

freaktechnik · December 27, 2019, 10:42pm

bypass tracking protection if the host is a full domain without wildcards

So what you’d need to have is "https://www.amazone.de" to bypass TP for the example you gave above.

shroudedcode · December 27, 2019, 10:42pm

I had to add a trailing slash to the URL (https://www.amazon.de/), but now it’s working. Thanks for the help, Martin!