wp-calypso Admin User on Simple Sites Unable to Like Comments in Safari & Firefox

Context and steps to reproduce

Part of ARC-59

It seems on simple sites, Admin users are no longer able to like comments on their posts when using Safari and Firefox.

Steps to reproduce:

Log in to WordPress.com on Safari as an admin user on simple sites
Open a post with a comment from a user, and try to like it
A login prompt would show up very briefly (for only seconds) before closing again
Nothing happened.

A quick video showing my replication of the problem on Safari: https://github.com/user-attachments/assets/22c38654-ef79-4b46-b9cb-6b7158fa172a

On Firefox: https://github.com/user-attachments/assets/b1dbb228-8f10-4366-9ab4-ac4df32f2ddf

Site owner impact

Between 20% and 60% of the total website/platform users

Severity

Major

What other impact(s) does this issue have?

No revenue impact

If a workaround is available, please outline it here.

User can use another browser (Chrome)

Platform

Simple

Jan 27 '25 04:01 inigagah

📌 REPRODUCTION RESULTS

Tested on Simple – Replicated
Tested on Atomic – Could Not Replicate

📌 FINDINGS/SCREENSHOTS/VIDEO On Simple sites, it is not working even if the privacy protections are turned off (Safari: "Prevent cross-site tracking", Firefox: "Enhanced tracking protection").

While on Atomic sites work, it might not work correctly depending on the privacy options.

📌 ACTIONS

Triaged

👋🏻 @Automattic/loop is this something you could take a look at? Thank you!

Jan 27 '25 10:01 jartes

9329438-zd-a8c

Jan 28 '25 02:01 inigagah

Support References

This comment is automatically generated. Please do not edit it.

[ ] 9329438-zen
[ ] 9387481-zen

Jan 28 '25 02:01 github-actions[bot]

Just checking again on if this is still occurring.

In this gif, from safari. This is the post on which I added a comment as user 1 and as user 2 who was the admin of the sit, I able to like user 1's comment from Safari.

Jan 28 '25 06:01 spsiddarthan

Still happening on my end, here's a quick gif from Safari:

Jan 28 '25 10:01 inigagah

@davemart-in, should we add this to our board?

Jan 29 '25 13:01 spsiddarthan

This is very likely third party cookie related.

cc'ing @jsnajdr who I believe has spent some time digging into this in the past. Jarda any thoughts on this one?

Jan 29 '25 13:01 davemart-in

My guess is they have this check box checked?

Jan 29 '25 13:01 davemart-in

Hey @inigagah Not being able to like a comment in Safari was because "Prevent cross-site tracking" was enabled like what @davemart-in shared in the screenshot above.

When I unchecked "Prevent cross-site tracking" in Safari Privacy settings, I was able to like a comment. I sent a follow-up email to the user to share this info.

I will also close this report as it's not a bug, but rather a browser-specific setting, but feel free to open up the report if needed!

Feb 04 '25 01:02 kspilarski

Let's reopen because this is a scenario that we should have covered. It's a bug if it doesn't work.

The user is logged into wordpress.com. Now they open a Simple site with a custom domain (hyperclub.my.id) and click Like. A popup window on wordpress.com opens. That popup should be authenticated, i.e., it should know who the user is. It should generate a RLT token and send it back (window.postMessage) to the window that opened the popup. That window should then use the RLT token to do an authenticated "like" action (REST request).

Maybe Safari is preventing cookie access for popups opened by a cross-site window? Let's test that.

Feb 04 '25 09:02 jsnajdr

I can reproduce this. On the hyperclub.my.id site and also for example on veselin.blog 🙂 Using Safari. Liking a post works well, that's a proof that we can make it work even with blocked 3rd party cookies. But liking a comment doesn't work. It opens the "remote login" popup and closes it quickly again, but no like happens. I get the following errors in console:

[Warning] cross-domain cookies are not supported (connect, line 114)
[Error] Unable to post message to https://wordpress.com. Recipient has origin https://veselin.blog. (connect:16)
[Error] Unable to post message to https://wordpress.com. Recipient has origin https://veselin.blog. (connect:20)

Feb 04 '25 15:02 jsnajdr

For comment likes we are using a very ancient implementation with no iframes or REST API or 3rd party cookie support. It requires the liking user to be a member of the site, to be locally logged in into the custom domain, and the like/unlike requests are sent to /wp-admin/admin-ajax.php?action=like_comment. This is running on Simple sites and it lives in wpcom in

wp-content/mu-plugins/comment-likes

We should completely remove this.

For post likes we're using "Jetpack Likes" implementation in

wp-content/mu-plugins/likes/jetpack-likes.php

This implementation uses iframes, REST API and RLT tokens and is capable of working in environment without 3rd party cookies. It also has support for comment likes, but comment likes have been disabled there for 12 years, and when I enable them, they don't work. I expect they'll need some minor fixing.

Atomic sites use the Likes that ship in the Jetpack plugin, modules/likes.php and modules/comment-likes.php. I wonder if we could use this implementation also on Simple sites. The mu-plugins/likes/jetpack-likes.php looks like a very old out-of-sync copy of the Jetpack module to me.

Feb 05 '25 10:02 jsnajdr

I have a case here 9387481-zd-a8c The user experiences it on Safari, Chrome, and Firefox. I verified I can reproduce it on Firefox. It is a simple site, and I asked them to try and uncheck the "prevent cross-site tracking" option in Safari.

Feb 07 '25 21:02 CodeAllNightNDay

@jsnajdr is considering addressing this one and as a prerequisite has been working on unifying the comment and post likes in WPCOM and Jetpack.

Apr 02 '25 07:04 tyxla