Hi all,
I have integrated the User widget timeline in our website but unfortunately I’m experiencing issues when logging in and tweeting.
The issue is reproducible only in Firefox, and from different computers. With Chrome and IE everything works fine.
I didn’t check mobile user agents.
Steps to reproduce:
**Further details:**
After clicking the login and tweet button, two HTTP calls are executed:
Request:

```http
POST /intent/sessions HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://twitter.com/intent/tweet?screen_name=twitterapi&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&profile_id=6253282&query=null&related=null&tw_p=embeddedtimeline&tw_w=243046062967885824
Cookie: guest_id=v1%3A142140759256415765; _twitter_sess=BAh7CjoJdXNlcmwrB4PH%252FbA6B2lkIiU5NDhhZDdmOGRiOWI4ZmIwYTNiM2Ez%250AMjVhMjUzYmQyNDoPY3JlYXRlZF9hdGwrCO2hfvJKAToMY3NyZl9pZCIlYTAw%250ANmY4ZGU0ZmM5NDVmYTM1OTgyMzVlNDA1ZTVjOWMiCmZsYXNoSUM6J0FjdGlv%250AbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%253D--e8ef6b543810022936b6e5c162657ecb2036a4cb; _ga=GA1.2.24197336.1421407594; __utma=43838368.24197336.1421407594.1421407632.1421417572.2; __utmc=43838368; __utmz=43838368.1421417572.2.2.utmcsr=dev.twitter.com|utmccn=(referral)|utmcmd=referral|utmcct=/web/embedded-timelines; __utmv=43838368.lang%3A%20de; remember_checked_on=0; lang=de; has_js=1; eu_cn=1; _gat=1; dnt=1; _gat_a=1; _gat_b=1; pid="v3:1421417521153269719889535"; __utmb=43838368.3.10.1421417572; __utmt=1
Connection: keep-alive
```

Response:

```http
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Content-Encoding: gzip
Content-Length: 213
content-security-policy: default-src 'none'; connect-src 'self'; font-src https://abs.twimg.com data:; frame-src 'self' twitter:; frame-ancestors 'none'; img-src https://abs.twimg.com https://pbs.twimg.com data:; media-src 'none'; object-src 'none'; script-src https://abs.twimg.com https://abs-0.twimg.com; style-src https://abs.twimg.com https://abs-0.twimg.com; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVWG6Z3JNY%3D%3D%3D%3D%3D%3D&ro=false;
Content-Type: text/html;charset=utf-8
Date: Fri, 16 Jan 2015 11:27:30 UTC
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Last-Modified: Fri, 16 Jan 2015 11:27:30 GMT
Location: https://twitter.com/intent/tweet/update?screen_name=twitterapi&session[username_or_email]=myemail&related=null&status=asdfdasdf&tw_p=embeddedtimeline
ml: A
Pragma: no-cache
Server: tsa_b
Set-Cookie: _twitter_sess=BAh7CiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCO2hfvJKAToMY3NyZl9p%250AZCIlYTAwNmY4ZGU0ZmM5NDVmYTM1OTgyMzVlNDA1ZTVjOWM6B2lkIiU5NDhh%250AZDdmOGRiOWI4ZmIwYTNiM2EzMjVhMjUzYmQyNDoJdXNlcmwrB4PH%252FbA%253D--c2545f3b2c91c1c60b714067c625e3ee5f8050fa; Path=/; Domain=.twitter.com; Secure; HTTPOnly
remember_checked_on=0; Expires=Mon, 13 Jan 2025 11:27:30 GMT; Path=/; Domain=.twitter.com
twid="u=2969421699"; Path=/; Domain=.twitter.com; Secure
auth_token=81a2f8f7f2980378bd685e9b781990d248ec4f01; Path=/; Domain=.twitter.com; Secure; HTTPOnly
status: 302 Found
Strict-Transport-Security: max-age=631138519
x-connection-hash: b623e018ade80ba94ce40e7044c79bd1
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN
x-response-time: 166
x-transaction: 75f27345bccc78ca
x-twitter-response-tags: BouncerCompliant
x-ua-compatible: IE=edge,chrome=1
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: 3.1
```
Request:

```http
GET /intent/tweet/update?screen_name=twitterapi&session%5Busername_or_email%5D=myemail&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&related=null&status=adfadsf&tw_p=embeddedtimeline HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://twitter.com/intent/tweet?screen_name=twitterapi&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&profile_id=6253282&query=null&related=null&tw_p=embeddedtimeline&tw_w=243046062967885824
Cookie: guest_id=v1%3A142140759256415765; _twitter_sess=BAh7CjoJdXNlcmwrB4PH%252FbA6B2lkIiU5NDhhZDdmOGRiOWI4ZmIwYTNiM2Ez%250AMjVhMjUzYmQyNDoPY3JlYXRlZF9hdGwrCO2hfvJKAToMY3NyZl9pZCIlYTAw%250ANmY4ZGU0ZmM5NDVmYTM1OTgyMzVlNDA1ZTVjOWMiCmZsYXNoSUM6J0FjdGlv%250AbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%253D--e8ef6b543810022936b6e5c162657ecb2036a4cb; _ga=GA1.2.24197336.1421407594; __utma=43838368.24197336.1421407594.1421407632.1421417572.2; __utmc=43838368; __utmz=43838368.1421417572.2.2.utmcsr=dev.twitter.com|utmccn=(referral)|utmcmd=referral|utmcct=/web/embedded-timelines; __utmv=43838368.lang%3A%20de; remember_checked_on=0; lang=de; has_js=1; eu_cn=1; _gat=1; _gat_a=1; _gat_b=1; pid="v3:1421417521153269719889535"; __utmb=43838368.3.10.1421417572; __utmt=1; twid="u=2969421699"; auth_token=81a2f8f7f2980378bd685e9b781990d248ec4f01
Connection: keep-alive
```

Response:

```http
HTTP/1.1 405 Method Not Allowed
Allow: POST
Cache-Control: no-cache
Content-Length: 0
content-security-policy: default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; frame-ancestors https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Date: Fri, 16 Jan 2015 14:13:53 UTC
Server: tsa_b
status: 405 Method Not Allowed
Strict-Transport-Security: max-age=631138519
x-connection-hash: f26f39a2cfda324b608ffc33a6e8cbde
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN
x-response-time: 13
x-transaction: c60889f73420df24
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: 3.1
```
The same steps executed in Chrome (or in Firefox with the User-Agent forced to something like "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari") work fine instead.
In the other browsers the correct flow I see is:
Request:

```http
POST /intent/sessions HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95
```

Response:

```http
HTTP/1.1 307 Temporary Redirect
Location: https://twitter.com/intent/tweet/update
```

Request:

```http
POST /intent/tweet/update HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
```

Payload:

```
related=null&screen_name=twitterapi&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&tw_p=embeddedtimeline&repost_after_login=%2Fintent%2Ftweet%2Fupdate&authenticity_token=token&status=aszdgf&session%5Busername_or_email%5D=myemail&session%5Bpassword%5D=xxxxx
```

Response:

```http
HTTP/1.1 302 Found
Location: /intent/tweet/complete?screen_name=twitterapi&latest_status_id=556056248970661888&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&related=null&tw_p=embeddedtimeline
```

Then I see the following request, which correctly renders the complete screen:

```http
GET https://twitter.com/intent/tweet/complete?screen_name=twitterapi&latest_status_id=556056248970661888&original_referer=https%3A%2F%2Fdev.twitter.com%2Fweb%2Fembedded-timelines&related=null&tw_p=embeddedtimeline
```
Could one of you guys find some time to have a deeper look at it?
Thank you!
Marco
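The difference Marco captured is standard HTTP redirect semantics (RFC 7231 section 6.4): after the `POST /intent/sessions`, a 302 makes the browser re-issue the request as a GET with no body, which `/intent/tweet/update` rejects with 405 (`Allow: POST`), whereas a 307 keeps the POST and its body. The script below is an added example, not code from the post or from Twitter. It models a user agent following each kind of redirect, replays the two captured exchanges as constructed inputs, and flags session parameters that a 302 `Location` pushes into a GET query string (the captured 302 carries `session[username_or_email]` in its URL, where a GET would expose it to Referer headers and server logs). The `ALLOWED` server model and the `SENSITIVE` name fragments are assumptions for the demonstration.

```python
"""Added example: how a user agent follows a redirect after a POST (RFC 7231 section 6.4).

Not code from the post or from Twitter. The sample exchanges below are
constructed from the captures in the post; the server model is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# 301/302: user agents have historically rewritten POST to GET (RFC 7231 permits it);
# 303: the follow-up MUST be GET; 307/308: method and body MUST be preserved (RFC 7231/7538).
METHOD_CHANGING = {301, 302, 303}
METHOD_PRESERVING = {307, 308}


@dataclass
class Request:
    method: str
    url: str
    body: str = ""


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def follow_redirect(req: Request, resp: Response) -> Request:
    """Return the request a browser sends next when `resp` redirects `req`."""
    location = resp.headers["Location"]
    if resp.status in METHOD_PRESERVING:
        return Request(req.method, location, req.body)  # POST and body survive
    if resp.status in METHOD_CHANGING:
        return Request("GET", location, "")  # body is dropped on the floor
    raise ValueError(f"status {resp.status} is not a redirect")


# Hypothetical server model: which methods each path accepts. `Allow: POST` for
# /intent/tweet/update is what the 405 response in the post reports.
ALLOWED: Dict[str, Set[str]] = {"/intent/tweet/update": {"POST"}}


def replay(req: Request, resp: Response) -> Tuple[Request, int]:
    """Follow the redirect; return (next request, status the modelled server would answer)."""
    nxt = follow_redirect(req, resp)
    path = urlsplit(nxt.url).path
    status = 200 if nxt.method in ALLOWED.get(path, {"GET", "POST"}) else 405
    return nxt, status


# Parameter-name fragments treated as credential or session data (assumed list).
SENSITIVE = ("session", "password", "token", "auth")


def leaked_params(url: str) -> List[str]:
    """Query parameter names in a redirect target that look like session/credential data."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if any(s in k.lower() for s in SENSITIVE))


# Constructed inputs modelled on the post's captures (credentials are placeholders).
LOGIN_POST = Request(
    "POST",
    "https://twitter.com/intent/sessions",
    "session[username_or_email]=myemail&session[password]=xxxxx&status=asdfdasdf",
)
FIREFOX_302 = Response(302, {"Location": (
    "https://twitter.com/intent/tweet/update?screen_name=twitterapi"
    "&session[username_or_email]=myemail&related=null&status=asdfdasdf&tw_p=embeddedtimeline"
)})
CHROME_307 = Response(307, {"Location": "https://twitter.com/intent/tweet/update"})


if __name__ == "__main__":
    for label, resp in (("Firefox UA, 302", FIREFOX_302), ("Chrome UA, 307", CHROME_307)):
        nxt, status = replay(LOGIN_POST, resp)
        print(f"{label}: next = {nxt.method} {urlsplit(nxt.url).path}, "
              f"body={'kept' if nxt.body else 'dropped'}, server -> {status}")
        print(f"  session data in redirect URL: {leaked_params(resp.headers['Location'])}")
```

Running it reproduces the post's two outcomes: the 302 path ends in a bodiless GET that the modelled server answers with 405, the 307 path keeps the POST and succeeds. From a defender's side, the point to take away is that a login endpoint should redirect a POST with 307 (or answer directly), not 302, since the 302 variant also forces the server to carry session data in the URL to survive the method change.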