I have a signed and self-distributed extension (web extension format) which uses launchWebAuthFlow to grab an OAuth token. When the OAuth provider redirects back to the redirect URL (https://<id>.extensions.allizom.org as returned by getRedirectURL()) in DE 58.0b4, I receive a 403 Forbidden error. However, in normal FF Quantum 57.0 the request completes successfully.
Any idea why the extensions.allizom.org request is failing in DE?
Edit to add: the SSL cert check for the allizom.org redirect URL fails as well in DE:
e8dd248662ffce379a122e1416e16a0266347994.extensions.allizom.org uses an invalid security certificate.
The certificate is only valid for the following names:
*.allizom.org, allizom.org
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Again, in normal FF there are no SSL errors on the redirect URL.
It turns out regular FF wasn’t succeeding, but it was silently failing. The webAuthFlow popup would close (as opposed to dev where it remained open but showed the error) but the OAuth flow didn’t actually succeed.
Looking in the extension debug console in non-dev FF, I see two errors: one is the same SSL cert error I posted above, and the second is: The resource at “https://www.reddit.com/api/v1/access_token” was blocked because tracking protection is enabled.
For some reason tracking protection blocks access to Reddit’s OAuth endpoint. After disabling tracking protection in non-dev, the OAuth flow completes successfully.
However, in DE, even with tracking protection disabled, the OAuth flow does not succeed and I continue to get the 403 Forbidden error (after adding an exception for the SSL cert issue). There are no logs in the extension console regarding this failure - it doesn’t mention tracking protection as non-dev does.
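
On the SSL_ERROR_BAD_CERT_DOMAIN message quoted above: under RFC 6125 name matching, a wildcard covers exactly one leftmost label, so *.allizom.org does not cover a host that sits two labels below allizom.org. The following is an added example, not code from the post or from Firefox; the function names are hypothetical, and the *.extensions.allizom.org name is constructed for comparison only.

```javascript
// Added example: RFC 6125-style matching of a hostname against certificate names.
// matchesCertName and coveringNames are hypothetical helper names.
// Simplification: partial-label wildcards (e.g. "f*.example.org") are treated
// as literal labels and therefore never match.

function matchesCertName(hostname, pattern) {
  const host = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const pat = pattern.toLowerCase().replace(/\.$/, "").split(".");
  // A wildcard stands in for exactly one label, so both names must have
  // the same number of labels.
  if (host.length !== pat.length) return false;
  return pat.every((label, i) => {
    if (label === "*") {
      // Only the leftmost label may be a wildcard, and it must match
      // a non-empty label.
      return i === 0 && host[i].length > 0;
    }
    return label === host[i];
  });
}

// Returns the certificate names that cover the given hostname.
function coveringNames(hostname, certNames) {
  return certNames.filter((name) => matchesCertName(hostname, name));
}

// Names listed in the error message quoted in the post.
const certNames = ["*.allizom.org", "allizom.org"];
// Redirect host quoted in the post.
const redirectHost =
  "e8dd248662ffce379a122e1416e16a0266347994.extensions.allizom.org";

// The redirect host has four labels; "*.allizom.org" has three, so no match.
console.log(coveringNames(redirectHost, certNames));
// One level up is covered by the wildcard.
console.log(coveringNames("extensions.allizom.org", certNames));
// A constructed name with the wildcard one level deeper would cover it.
console.log(coveringNames(redirectHost, ["*.extensions.allizom.org"]));
```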