TL;DR: I think the token in the origin-trial header from itch.io expired at the end of last year. But I think this only affects release Firefox versions, not development Firefox versions (due to a different default/fallback value).
[Current comment status: Work in Progress–currently being updated (unless 2+ hours has elapsed in which case I’m probably lost down a rabbit hole, never to return. :D )]
Additional Debugging Info request
In addition to the version/configuration debug info already mentioned in my previous comment, any or all of the following may also be useful, if anyone feels inclined to provide it:
- What is the exact error message visible in the area where the game is meant to be visible?
- What is the most recent error message in the browser console?
- What is the content of any “traceback”/“backtrace” associated with the most recent error message?
- Are there any other errors visible in the console?
If you’re comfortable with entering text into the browser console:
- What is the output of window.crossOriginIsolated when entered into the browser console?
If you’re comfortable with viewing the about:config information, what are the values of:
- dom.origin-trials.coep-credentialless.state
- dom.origin-trials.enabled
  - Are there any other dom.origin-trials config items other than test-key/test-trial?
- browser.tabs.remote.coep.credentialless
[Edit: Added.]
If you’re comfortable viewing HTTP request/response headers:
- What are the values of the following response headers for this page (i.e. https://rancidbacon.itch.io/abe-ation):
  - Cross-Origin-Embedder-Policy
  - Cross-Origin-Opener-Policy
  - Content-Security-Policy
- Is there an origin-trial header?
- Are there any cookies sent/received? (Please don’t provide the value of any cookies.)
Thanks for any of this additional information anyone provides. :)
Related links/issues/information
[NOTE: Any questions in this section are rhetorical/aimed at me, not expecting anyone else to answer them. :) ]
- Post from leafo (itch.io admin/dev/owner) that states itch.io is now part of the Firefox “origin trial” for Cross-Origin-Embedder-Policy: credentialless: https://itch.io/t/2025776/experimental-sharedarraybuffer-support#post-7294977 (a.k.a. https://itch.io/post/7294977).

  (Note: The thread is linked via a link from the Godot/Cross-Origin-Isolation/SharedArrayBuffer itch.io blog post by “Aunt Stef” linked by Cyborg in their comment above.)
- Very small amount of documentation about Mozilla/Firefox’s “Origin Trial” implementation: https://wiki.mozilla.org/Origin_Trials
- I haven’t seen it stated specifically anywhere but I think the implication is that Firefox “Origin Trials” are enabled for release/stable Firefox versions? (i.e. not just development/nightly/beta/etc releases.)

  I haven’t verified this is actually a correct assumption and I haven’t tested a release/stable version during development.
- Bugzilla #1778492 link for “Add an origin trial for COEP: Credentialless”: https://bugzilla.mozilla.org/show_bug.cgi?id=1778492
- The status status-firefox104 on this comment seems to suggest the Origin Trial does exist in Firefox stable release v104 (onward?): https://bugzilla.mozilla.org/show_bug.cgi?id=1778492#c11
- This comment on an issue entitled “Request for position: COEP: credentialless #539” also seems to confirm that the related Origin Trial is enabled for “Firefox 104”: https://github.com/mozilla/standards-positions/issues/539#issuecomment-1224320026
- Code linked from Bugzilla #1778492: https://hg.mozilla.org/releases/mozilla-beta/rev/020a34d50aa9
- But does this line mean it’s not actually enabled in non-nightly builds: https://hg.mozilla.org/releases/mozilla-beta/rev/020a34d50aa9#l22.10? (Or is this preference ignored elsewhere in the code?)
- This later commit that removes a different origin trial seems to change the OriginTrial enum value for CoepCredentialless from 3 to 2: https://hg.mozilla.org/releases/mozilla-beta/rev/5f190f08ccd8d79050da827a7addf82c1dcd04f1#l4.13

  Is this change of the actual enum value intentional/legitimate/valid/sound? (Especially in a file with ffi in its path!?)

  Is the associated numeric value for the constant stored/used somewhere in such a way that an earlier browser version stores the value as 3 but then a later version expects the value to be 2 or some other unintended behaviour variant?

  e.g. what about uses of OriginTrial::CoepCredentialless such as: https://hg.mozilla.org/releases/mozilla-beta/rev/020a34d50aa9#l14.12 & https://hg.mozilla.org/releases/mozilla-beta/rev/020a34d50aa9#l16.22?
- Oooooh…

  Well, changing the enum value still seems inadvisable but…

  While investigating whether the (base64 decoded) token in the header contains the raw numeric value of the “feature” (it appears it doesn’t–the token seems to contain the string value of the feature), I noticed the presence of the expiry field, and…
- The current (as of ~2024-April-10) token in the origin-trial header for itch.io seems to contain an expiry value of…

  "expiry":1704063600

  Which equates to…

  2023-12-31T23+00:00 (UTC)

  i.e. It seems the itch.io token has expired!?

  So… I guess perhaps Firefox stable release versions & development versions handle expired tokens in a different manner?
- Initially I checked this via interactive Python session but a hacky CLI approach (assuming you have the dependencies) is:

  curl --silent --head https://rancidbacon.itch.io/abe-ation | grep -e 'origin-trial' | grep --only-matching -e '[^ :]*$' | base64 --decode --ignore-garbage | xxd -c 32
- Then copy+paste the expiry value into this:

  date --iso-8601=hours --utc --date='@1704063600'
- And, indeed, it appears that the “expiry” value is checked before the “feature” value: https://hg.mozilla.org/releases/mozilla-beta/annotate/5f190f08ccd8d79050da827a7addf82c1dcd04f1/dom/origin-trials/ffi/lib.rs#l111
- Relevant code that calls:
  - origin_trials_parse_and_validate_token: https://sourcegraph.com/github.com/mozilla/gecko-dev@1d3639a9d7fb0429757651a5fd1720a6b69a0484/-/blob/dom/origin-trials/OriginTrials.cpp?L187-192
  - Then the result from UpdateFromToken is checked here: https://sourcegraph.com/github.com/mozilla/gecko-dev@1d3639a9d7fb0429757651a5fd1720a6b69a0484/-/blob/dom/base/Document.cpp?L6855-6856 and/or here: https://sourcegraph.com/github.com/mozilla/gecko-dev@1d3639a9d7fb0429757651a5fd1720a6b69a0484/-/blob/netwerk/protocol/http/HttpBaseChannel.cpp?L6193-6195

    Which I’m currently guessing is where the default/fallback value differs between development & release versions. (Unconfirmed.)
-
[TODO: Add other notes here?]
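
The token check described in the comment above (base64-decode the origin-trial header value, then read the expiry field), as an added Python example that is not part of the original post or of Firefox's code. It assumes the Chrome-style token layout (1 version byte, 64-byte signature, 4-byte big-endian payload length, JSON payload); the sample token, its origin, its version byte and its all-zero signature are constructed, and the signature is not verified.

```python
import base64
import json
import struct
from datetime import datetime, timezone

SIG_LEN = 64                  # assumed signature length
HEADER_LEN = 1 + SIG_LEN + 4  # version + signature + payload length


def parse_token(b64_token):
    """Return (version, payload dict). The signature is NOT verified."""
    raw = base64.b64decode(b64_token.strip(), validate=True)
    if len(raw) < HEADER_LEN:
        raise ValueError("token shorter than its fixed header")
    (payload_len,) = struct.unpack(">I", raw[1 + SIG_LEN:HEADER_LEN])
    payload = raw[HEADER_LEN:]
    if len(payload) != payload_len:
        raise ValueError("payload length field does not match token size")
    return raw[0], json.loads(payload.decode("utf-8"))


def expiry_status(payload, now):
    """Compare the payload's Unix-seconds expiry against `now` (aware UTC)."""
    expires = datetime.fromtimestamp(payload["expiry"], tz=timezone.utc)
    return {
        "feature": payload.get("feature"),
        "expires": expires.isoformat(),
        "expired": now > expires,
    }


def build_constructed_token(expiry):
    """Constructed sample: zeroed signature, placeholder origin and version."""
    payload = json.dumps({
        "origin": "https://example.test",  # constructed
        "feature": "CoepCredentialless",   # constructed feature string
        "expiry": expiry,
    }).encode("utf-8")
    raw = bytes([3]) + bytes(SIG_LEN) + struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    token = build_constructed_token(1704063600)  # expiry value quoted above
    version, payload = parse_token(token)
    print(version, expiry_status(payload, datetime.now(timezone.utc)))
```

To check a live header, pass the value of the origin-trial response header to parse_token in place of the constructed token.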