Privacy Essentials plugin in Chrome blocks login to Zendesk-backed site with custom domain #1053

Open
malcolm-walker-vertigis opened this issue Feb 15, 2022 · 1 comment

malcolm-walker-vertigis commented Feb 15, 2022

Description

When attempting to sign in to a Zendesk Guide site that uses a custom domain, the sign-in process redirects from the custom domain to a zendesk.com domain and then back to the custom domain. DuckDuckGo Privacy Essentials is removing some part of the authentication token, which results in a Forbidden / Invalid Authenticity Token error.

Steps to Reproduce

  1. Attempt to create an account on a site that uses Zendesk with a non-zendesk domain, e.g. https://support.vertigis.com/
  2. This configuration requires a CNAME DNS record
  3. Set the password for your new account and sign in

Expected behavior:

Sign-in succeeds

Actual behavior:

Sign-in is not successful; the user is presented with an error stating Invalid Authenticity Token

Versions

  • Extension: 2022.01.24
  • Browser: Chrome
  • OS: Windows and Linux

Additional Information

Issue is repeatable. Disabling the DuckDuckGo extension immediately resolves the issue. Only appears on sites that use a custom domain; users can successfully sign in to Zendesk sites that use the zendesk.com domain.

@sammacbeth
Collaborator

This is due to 3rd party cookie blocking. Despite using the CNAMEd community.vertigis.com as the site domain, login calls to Zendesk still go directly to vertigis.zendesk.com which is seen as a 3rd-party by our code. This looks like an issue with how Zendesk have implemented their custom domain functionality, requiring 3rd party cookies for it to work correctly. On browsers with 3rd party cookie restrictions it looks like they use the Storage Access API to get around the restrictions.

I'll open an issue internally to see if we can get around this issue, or at least mitigate cases like this.
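
The first-party/third-party decision described in the comment above, as an added example that is not part of the original thread and not the extension's own code. It assumes a simplified cookie-blocking model that compares registrable domains (eTLD+1) and strips the `Cookie` header from third-party requests; the suffix set, function names, request paths and cookie value are constructed, and only the hostnames come from the issue.

```javascript
// Added illustration, not DuckDuckGo's code. Real blockers use the full
// Public Suffix List; this constructed set only covers the hosts below.
const SUFFIXES = new Set(["com"]);

// Registrable domain (eTLD+1), e.g. vertigis.zendesk.com -> zendesk.com.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // bare or unknown suffix
}

// Only the hostnames in the two URLs are compared. A DNS CNAME that points
// the custom domain at Zendesk is invisible here, so it cannot make
// zendesk.com first-party to a page served from vertigis.com.
function isThirdParty(tabUrl, requestUrl) {
  const site = registrableDomain(new URL(tabUrl).hostname);
  const target = registrableDomain(new URL(requestUrl).hostname);
  return site === null || target === null || site !== target;
}

// Assumed policy: drop the Cookie header on third-party requests.
function filterRequestHeaders(tabUrl, requestUrl, headers) {
  if (!isThirdParty(tabUrl, requestUrl)) return headers;
  return headers.filter((h) => h.name.toLowerCase() !== "cookie");
}

// Constructed requests: hosts are from the issue, paths are placeholders.
const CASES = [
  { tab: "https://community.vertigis.com/", request: "https://community.vertigis.com/placeholder-page" },
  { tab: "https://community.vertigis.com/", request: "https://vertigis.zendesk.com/placeholder-login" },
  { tab: "https://vertigis.zendesk.com/", request: "https://vertigis.zendesk.com/placeholder-login" },
];

function simulate() {
  const headers = [{ name: "Cookie", value: "session=constructed" }, { name: "Accept", value: "*/*" }];
  return CASES.map((c) => ({
    ...c,
    thirdParty: isThirdParty(c.tab, c.request),
    cookieSent: filterRequestHeaders(c.tab, c.request, headers)
      .some((h) => h.name.toLowerCase() === "cookie"),
  }));
}

console.table(simulate());
```

Only the second case, a page on the custom domain calling the zendesk.com host, loses its cookie, which matches the report that sign-in works on sites that use the zendesk.com domain directly.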
