Embedded user timeline - Login and tweet not working in Firefox


#1

Hi all,
I have integrated the User widget timeline in our website but unfortunately I’m experiencing issues when logging in and tweeting.
The issue is reproducible only in Firefox and from different computers. With Chrome and IE all works fine.
I didn’t check mobile user agents.

Steps to reproduce:


**Further details:** After clicking on the login and tweet button 2 http calls are being executed:

Request:

POST /intent/sessions HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://twitter.com/intent/tweet?screen_name=twitterapi&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&profile_id=6253282&query=null&related=null&tw_p=embeddedtimeline&tw_w=243046062967885824
Cookie: guest_id=v1%3A142140759256415765; _twitter_sess=BAh7CjoJdXNlcmwrB4PH%252FbA6B2lkIiU5NDhhZDdmOGRiOWI4ZmIwYTNiM2Ez%250AMjVhMjUzYmQyNDoPY3JlYXRlZF9hdGwrCO2hfvJKAToMY3NyZl9pZCIlYTAw%250ANmY4ZGU0ZmM5NDVmYTM1OTgyMzVlNDA1ZTVjOWMiCmZsYXNoSUM6J0FjdGlv%250AbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%253D--e8ef6b543810022936b6e5c162657ecb2036a4cb; _ga=GA1.2.24197336.1421407594; __utma=43838368.24197336.1421407594.1421407632.1421417572.2; __utmc=43838368; __utmz=43838368.1421417572.2.2.utmcsr=dev.twitter.com|utmccn=(referral)|utmcmd=referral|utmcct=/web/embedded-timelines; __utmv=43838368.lang%3A%20de; remember_checked_on=0; lang=de; has_js=1; eu_cn=1; _gat=1; dnt=1; _gat_a=1; _gat_b=1; pid="v3:1421417521153269719889535"; __utmb=43838368.3.10.1421417572; __utmt=1
Connection: keep-alive

Response:

HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Content-Encoding: gzip
Content-Length: 213
content-security-policy: default-src 'none'; connect-src 'self'; font-src https://abs.twimg.com data:; frame-src 'self' twitter:; frame-ancestors 'none'; img-src https://abs.twimg.com https://pbs.twimg.com data:; media-src 'none'; object-src 'none'; script-src https://abs.twimg.com https://abs-0.twimg.com; style-src https://abs.twimg.com https://abs-0.twimg.com; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVWG6Z3JNY%3D%3D%3D%3D%3D%3D&ro=false;
Content-Type: text/html;charset=utf-8
Date: Fri, 16 Jan 2015 11:27:30 UTC
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Last-Modified: Fri, 16 Jan 2015 11:27:30 GMT
Location: https://twitter.com/intent/tweet/update?screen_name=twitterapi&session[username_or_email]=myemail&related=null&status=asdfdasdf&tw_p=embeddedtimeline
ml: A
Pragma: no-cache
Server: tsa_b
Set-Cookie: _twitter_sess=BAh7CiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCO2hfvJKAToMY3NyZl9p%250AZCIlYTAwNmY4ZGU0ZmM5NDVmYTM1OTgyMzVlNDA1ZTVjOWM6B2lkIiU5NDhh%250AZDdmOGRiOWI4ZmIwYTNiM2EzMjVhMjUzYmQyNDoJdXNlcmwrB4PH%252FbA%253D--c2545f3b2c91c1c60b714067c625e3ee5f8050fa; Path=/; Domain=.twitter.com; Secure; HTTPOnly
remember_checked_on=0; Expires=Mon, 13 Jan 2025 11:27:30 GMT; Path=/; Domain=.twitter.com
twid="u=2969421699"; Path=/; Domain=.twitter.com; Secure
auth_token=81a2f8f7f2980378bd685e9b781990d248ec4f01; Path=/; Domain=.twitter.com; Secure; HTTPOnly
status: 302 Found
Strict-Transport-Security: max-age=631138519
x-connection-hash: b623e018ade80ba94ce40e7044c79bd1
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN
x-response-time: 166
x-transaction: 75f27345bccc78ca
x-twitter-response-tags: BouncerCompliant
x-ua-compatible: IE=edge,chrome=1
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: 3.1


Request:
GET /intent/tweet/update?screen_name=twitterapi&session%5Busername_or_email%5D=myemail&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&related=null&status=adfadsf&tw_p=embeddedtimeline HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://twitter.com/intent/tweet?screen_name=twitterapi&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&profile_id=6253282&query=null&related=null&tw_p=embeddedtimeline&tw_w=243046062967885824
Cookie: guest_id=v1%3A142140759256415765; _twitter_sess=BAh7CjoJdXNlcmwrB4PH%252FbA6B2lkIiU5NDhhZDdmOGRiOWI4ZmIwYTNiM2Ez%250AMjVhMjUzYmQyNDoPY3JlYXRlZF9hdGwrCO2hfvJKAToMY3NyZl9pZCIlYTAw%250ANmY4ZGU0ZmM5NDVmYTM1OTgyMzVlNDA1ZTVjOWMiCmZsYXNoSUM6J0FjdGlv%250AbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%253D--e8ef6b543810022936b6e5c162657ecb2036a4cb; _ga=GA1.2.24197336.1421407594; __utma=43838368.24197336.1421407594.1421407632.1421417572.2; __utmc=43838368; __utmz=43838368.1421417572.2.2.utmcsr=dev.twitter.com|utmccn=(referral)|utmcmd=referral|utmcct=/web/embedded-timelines; __utmv=43838368.lang%3A%20de; remember_checked_on=0; lang=de; has_js=1; eu_cn=1; _gat=1; _gat_a=1; _gat_b=1; pid="v3:1421417521153269719889535"; __utmb=43838368.3.10.1421417572; __utmt=1; twid="u=2969421699"; auth_token=81a2f8f7f2980378bd685e9b781990d248ec4f01
Connection: keep-alive

Response:
HTTP/1.1 405 Method Not Allowed
Allow: POST
Cache-Control: no-cache
Content-Length: 0
content-security-policy: default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; frame-ancestors https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Date: Fri, 16 Jan 2015 14:13:53 UTC
Server: tsa_b
status: 405 Method Not Allowed
Strict-Transport-Security: max-age=631138519
x-connection-hash: f26f39a2cfda324b608ffc33a6e8cbde
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN
x-response-time: 13
x-transaction: c60889f73420df24
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: 3.1

The same steps executed in Chrome (or by forcing the Chrome User-Agent in Firefox to be like "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari") work fine instead.

In the other browsers the correct flow I see is:


Request:
POST /intent/sessions HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95

Response:
HTTP/1.1 307 Temporary Redirect
Location: https://twitter.com/intent/tweet/update


Request:
POST /intent/tweet/update HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Payload:
related=null&screen_name=twitterapi&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&tw_p=embeddedtimeline&repost_after_login=%2Fintent%2Ftweet%2Fupdate&authenticity_token=token&status=aszdgf&session%5Busername_or_email%5D=myemail&session%5Bpassword%5D=xxxxx


Response:
HTTP/1.1 302 Found
Location: /intent/tweet/complete?screen_name=twitterapi&latest_status_id=556056248970661888&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&related=null&tw_p=embeddedtimeline


Then I see the
GET https://twitter.com/intent/tweet/complete?screen_name=twitterapi&latest_status_id=556056248970661888&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&related=null&tw_p=embeddedtimeline

which correctly renders the complete screen

Could someone of you guys find some time to have a deeper look at it?

Thank you!
Marco
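As an added illustration (not part of the thread and not Twitter's code): a small model of the two flows captured above, showing why a 302 after the login POST makes the browser re-request the Location with GET and no body, which /intent/tweet/update then rejects with 405, while the 307 that Chrome received replays the POST intact. It also lists which form fields the 302's Location moved out of the POST body into the URL query string. The Location and payload strings are constructed from the captures in this post; the table of methods each endpoint accepts is an assumption inferred from the 405 response's `Allow: POST`.

```python
from urllib.parse import parse_qs, urlsplit

# Methods each intent endpoint accepts, as the thread's responses reveal
# (/intent/tweet/update answered "405 Method Not Allowed, Allow: POST").
ALLOWED_METHODS = {
    "/intent/sessions": {"POST"},
    "/intent/tweet/update": {"POST"},
    "/intent/tweet/complete": {"GET"},
}
# Constructed from the thread's captures; values are the poster's placeholders.
FIREFOX_302_LOCATION = ("https://twitter.com/intent/tweet/update?screen_name=twitterapi"
                        "&session[username_or_email]=myemail&related=null"
                        "&status=asdfdasdf&tw_p=embeddedtimeline")
CHROME_307_LOCATION = "https://twitter.com/intent/tweet/update"
FORM_BODY = ("related=null&screen_name=twitterapi&tw_p=embeddedtimeline"
             "&authenticity_token=token&status=aszdgf"
             "&session%5Busername_or_email%5D=myemail&session%5Bpassword%5D=xxxxx")

def follow_redirect(method, body, status):
    """Request a browser issues next after `status` answered a `method` request.
    On 301/302/303 a POST becomes a GET with no body (RFC 7231 permits this for
    301/302 and requires it for 303); 307/308 replay method and body unchanged."""
    if status in (301, 302, 303):
        return "GET", None
    if status in (307, 308):
        return method, body
    raise ValueError(f"not a redirect status: {status}")

def serve(method, location):
    """Stand-in for the server's method check on the redirected path."""
    path = urlsplit(location).path
    return 200 if method in ALLOWED_METHODS.get(path, set()) else 405

def replay(status, location, body):
    """POST /intent/sessions -> redirect -> follow-up, returned as (method, status)."""
    method, _ = follow_redirect("POST", body, status)
    return method, serve(method, location)

def fields_moved_to_url(body, location):
    """Form fields the redirect copied from the POST body into the URL query string,
    where they reach server logs, browser history and outgoing Referer headers."""
    in_body = set(parse_qs(body))
    in_url = set(parse_qs(urlsplit(location).query))
    return sorted(in_body & in_url)

if __name__ == "__main__":
    print("Firefox (302):", replay(302, FIREFOX_302_LOCATION, FORM_BODY))
    print("Chrome (307):", replay(307, CHROME_307_LOCATION, FORM_BODY))
    print("moved into URL:", fields_moved_to_url(FORM_BODY, FIREFOX_302_LOCATION))
```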


#2

I was able to reproduce the issue, thanks for the thorough report. We’ll take a deeper look and hopefully have a fix out ASAP.


#3

Thanks Jake :wink:


#4

Dear Jack,

Do I correctly understand that you already fixed this issue?

Thanks.


#5

Yep, this should be fixed.


#6

Indeed. I checked yesterday and it was working fine :smile:
Thanks Jake


#7