Walmart.com problem..

f-117 · Post by **f-117** » 2025-10-29, 14:23

When I try to access Walmart.com I keep getting this error message...

Walmart error.jpg

This is happening in Basilisk as well. It's been doing this for a number of months.

I tried it in safe mode and with a new profile. No change.

I checked the error console and It shows LOTS or errors. Too many to list here.

Is anyone else having the same problem with Walmart.com?

Scott

Post by **Moonchild** » 2025-10-29, 15:27

the error should read:
"Sorry
We don't allow you to use anything besides Chrome-like browsers"

Gemmaugr · Post by **Gemmaugr** » 2025-10-29, 15:42

Funny thing.. Using eMatrix, it automatically blocks "walmartimages.com" and seems to work fine (only showing, a lot of, content security policy errors).

If I allow "walmartimages.com" it also loads a lot of google third party scripts, shows the error page, and in the console it says that it requires Performance Observer to be turned on (This one seems to come up a lot lately! steam, discourse, x/twitter, proton.me, etc).

tellu-white · Post by **tellu-white** » 2025-10-29, 16:25

f-117 wrote: ↑
2025-10-29, 14:23
When I try to access Walmart.com I keep getting this error message...

It seems to be a problem related to JavaScript code. I managed to load the page with the following filter for the "Intercept & Modify HTTP Response 4.3" add-on:

Code: Select all

[[`/walmartimages.com/`, `/.*ads.*\.js/`, [`/.*/`, ``]]]

This filter removes the content of JavaScript files with URLs of the following type:

walmartimages.com ... ads ... .js

Screenshots:

01.jpg

02.jpg

03.jpg

tellu-white · Post by **tellu-white** » 2025-10-29, 18:44

Gemmaugr wrote: ↑
2025-10-29, 15:42
... in the console it says that it requires Performance Observer to be turned on (This one seems to come up a lot lately! steam, discourse, x/twitter, proton.me, etc).

Indeed, "PerformanceObserver" is the culprit. I used the filter below for the "Intercept & Modify HTTP Response 4.3" add-on (after deleting the old filter - the one from the previous post) and thus I removed only the "PerformanceObserver" string from the code returned by the JavaScript file:

https://i5.walmartimages.com/dfw/63fd9f59-51c2/7c7befe8-0760-4088-8bdc-a422d642a86f/v2/en-US/_next/static/chunks/pages/_app-4f7f095b72bda5f2.js

Filter:

Code: Select all

[[`/walmartimages.com/`, `/.*_app.*\.js/`, [`/PerformanceObserver/g`, ``]]]

The page https://www.walmart.com/ loaded without any problems. However, "Sign In" does not work: the list of options does not open after clicking on "Sign In / Account" (as it does in Firefox).

Screenshots:

04.jpg

05.jpg

f-117 · Post by **f-117** » 2025-10-29, 19:25

I added the filter in "Modify HTTP Response 1.3.8", no change.

[[`/walmartimages.com/`, `/.*_app.*\.js/`, [`/PerformanceObserver/g`, ``]]]

Scott

tellu-white · Post by **tellu-white** » 2025-10-29, 20:59

f-117 wrote: ↑
2025-10-29, 19:25
I added the filter in "Modify HTTP Response 1.3.8", no change.

[[`/walmartimages.com/`, `/.*_app.*\.js/`, [`/PerformanceObserver/g`, ``]]]

Scott

The filter I posted is for my add-on "Intercept & Modify HTTP Response 4.3" (as I wrote in my post) and not for the add-on "Modify HTTP Response 1.3.8" (programmed by JustOff). There are structural differences between the two types of filters - see here:

https://forum.palemoon.org/viewtopic.php?f=70&t=31829#p257247

The link to download my add-on ("Intercept & Modify HTTP Response 4.3") can be found here:

https://forum.palemoon.org/viewtopic.php?f=70&t=31829&start=20#p258461

In order to use my add-on, you must uninstall the "Modify HTTP Response 1.3.8" add-on.

My add-on also has the function to check the correctness of the syntax of the added filter, unlike JustOff's add-on, which allowed you to add a filter with a syntax that it cannot recognize.

Screenshots:

06.jpg

This is how the filter looks (in chunks), if you want to enter it manually in JustOff's add-on, "Modify HTTP Response 1.3.8":

07.jpg

08.jpg

tellu-white · Post by **tellu-white** » 2025-10-29, 23:08

When I tested the filter again, it no longer worked (correctly) with the new layout of the page. It seems that the filter must be set for all loaded JavaScript pages. This way, the links on the "walmart.com" pages work fine, but the buttons don't.

Filter:

Code: Select all

[`/walmartimages.com/`, `/.*\.js/`, [`/.*/`, ``]]

Screenshots:

09.jpg

10.jpg

11.jpg

12.jpg

13.jpg

This workaround is not the ideal solution. As Moonchild said, "walmart.com" should display the following message on their page: "Sorry, we don't allow you to use anything besides Chrome-like browsers".

f-117 · Post by **f-117** » 2025-10-29, 23:46

Ok, NOW I got it.

I disabled "Modify HTTP Response 1.3.8" and loaded "Intercept & Modify HTTP Response 4.3".
Your screen shots helped to show me what I was doing wrong. Please double check my filter syntax...

Is it OK to have both filters, like this:

Filter Walmart.jpg

Also, does "HTTP Observer Enabled" need to be checked like in your screenshot? (What does it do?)

Scott

Post by **Moonchild** » 2025-10-30, 00:16

Gemmaugr wrote: ↑
2025-10-29, 15:42
If I allow "walmartimages.com" it also loads a lot of google third party scripts, shows the error page, and in the console it says that it requires Performance Observer to be turned on (This one seems to come up a lot lately! steam, discourse, x/twitter, proton.me, etc).

Unfortunately this is becoming more of a problem and I may have to flip the default despite it being a potential privacy issue with how this is being widely used to get pretty detailed telemetry from website visitors. I'll give it some thought.

Post by **jobbautista9** » 2025-10-30, 02:37

An alternative to removing PerformanceObserver in the HTTP response and enabling PerformanceObserver for all sites is to include a polyfill instead. The search would be <head> and the replace would be

Code: Select all

<head><script src="https://unpkg.com/@fastly/performance-observer-polyfill@2.0.0/polyfill/index.js"></script>

However you might have to deal with Content Security Policy blocking scripts that aren't from its own, so you'd need an add-on like moz-rewrite to override the CSP response header on a per-site basis.

Moonchild wrote: ↑
2025-10-30, 00:16
Unfortunately this is becoming more of a problem and I may have to flip the default despite it being a potential privacy issue with how this is being widely used to get pretty detailed telemetry from website visitors. I'll give it some thought.

Would it be possible to have some sort of default exposed PerformanceObserver which just polls the Performance timeline like Fastly's polyfill above does? We could also probably get away with not supporting newer entry types for getEntries() like paint. That way websites requiring it would be satisfied with less-accurate metrics while web developers who actually develop their web sites with Pale Moon in mind and need accurate results can toggle on the native PerformanceObserver themselves. Or is the polyfill as accurate as a native implementation's timing anyway (Spectre has after all forced browsers to drop high-resolution timing)? At that point maybe we could just give out random fake data?

Post by **Moonchild** » 2025-10-30, 10:04

jobbautista9 wrote: ↑
2025-10-30, 02:37
websites requiring it would be satisfied with less-accurate metrics while web developers who actually develop their web sites with Pale Moon in mind and need accurate results can toggle on the native PerformanceObserver themselves. Or is the polyfill as accurate as a native implementation's timing anyway

The problem is that it's "accurate enough for profiling". It doesn't have to be as accurate when you're not factually debugging your site's performance and need high resolution. I don't think it really matters whether the implementation is native or polyfilled (at least not in any significant way); the mere fact that the API is accessible and exposed and being used for tracking is the problem. Javascript will be fast enough in its compiled state to give reasonably approximate values.

Injecting a polyfill as indicated will run into content security issues that protect by design against script injection. So it may or may not work, depending.

Gemmaugr · Post by **Gemmaugr** » 2025-10-30, 10:42

Moonchild wrote: ↑
2025-10-30, 00:16

Gemmaugr wrote: ↑
2025-10-29, 15:42
If I allow "walmartimages.com" it also loads a lot of google third party scripts, shows the error page, and in the console it says that it requires Performance Observer to be turned on (This one seems to come up a lot lately! steam, discourse, x/twitter, proton.me, etc).
Unfortunately this is becoming more of a problem and I may have to flip the default despite it being a potential privacy issue with how this is being widely used to get pretty detailed telemetry from website visitors. I'll give it some thought.

I'm surprised there isn't more outrage in privacy circles and within privacy browsers about this really. I wonder how they solve it.
Being privacy-minded myself, I can always turn it off again, but if it's a site framework that's using it, it's only going to affect more and more sites (and fallback is a forgotten term sadly).
Maybe someone can find out which framework(s) implements it in this way and put pressure through privacy groups or calling it out. It shouldn't be integral to the site working, when it's only collecting telemetry.
I know that some of the sites with this issue is using React (which recommends using Next.js with it, and Next.js is using Node.js, which runs on chromium's V8 javascript engine..), because of the "minified react#418" type of console errors.

Post by **vannilla** » 2025-10-30, 11:07

Gemmaugr wrote: ↑
2025-10-30, 10:42
I'm surprised there isn't more outrage in privacy circles and within privacy browsers about this really.

The question is: do they know about it?
PerformanceObserver is defined as a "debugging utility" officially and are largely invisible. You wouldn't know they are enabled in production code unless you scan megabytes of minified code or, in case of UXP, have them disabled and undefined by default leading to their exposure through error messages.
I have no reach personally to get in touch with anyone, but if someone has any contacts it's worth a shot asking around.
If these groups say: "we know but it is fine", then yeah it's probably time for some "tinfoil-hattery"; otherwise I hope they actually start something.

Gemmaugr · Post by **Gemmaugr** » 2025-10-30, 20:43

vannilla wrote: ↑
2025-10-30, 11:07

Gemmaugr wrote: ↑
2025-10-30, 10:42
I'm surprised there isn't more outrage in privacy circles and within privacy browsers about this really.
The question is: do they know about it?
PerformanceObserver is defined as a "debugging utility" officially and are largely invisible. You wouldn't know they are enabled in production code unless you scan megabytes of minified code or, in case of UXP, have them disabled and undefined by default leading to their exposure through error messages.
I have no reach personally to get in touch with anyone, but if someone has any contacts it's worth a shot asking around.
If these groups say: "we know but it is fine", then yeah it's probably time for some "tinfoil-hattery"; otherwise I hope they actually start something.

I did some searching on a few privacy places (trying to search with a search engine is fruitless with the common names, which seems to be a theme within googles anti-privacy API's incidentally..), and it doesn't seem like they're aware of it.

I would post some questions myself, but I don't think I know nearly enough to lay it out (only the general gist of things). What exactly it does, how that relates specifically to being bad for privacy, how they can find its Flag or what they're called in FF or chromium.

https://developer.mozilla.org/en-US/doc ... /entryType Does show some entry types and what they do, but it also says you can make custom ones.

Off-topic:
That MDN site also looks highly broken in its layout on Pale Moon, with lots of console errors (only blocking telemetry).

tellu-white · Post by **tellu-white** » 2025-10-30, 22:51

f-117 wrote: ↑
2025-10-29, 23:46
Ok, NOW I got it.

I disabled "Modify HTTP Response 1.3.8" and loaded "Intercept & Modify HTTP Response 4.3".
Your screen shots helped to show me what I was doing wrong. Please double check my filter syntax...

Is it OK to have both filters, like this: ...

Also, does "HTTP Observer Enabled" need to be checked like in your screenshot? (What does it do?)

Scott

I 've done some more testing and noticed other issues besides the buttons not working:

1. In Firefox, additional content loads when scrolling down the page. In Pale Moon, nothing loads even when I remove only "PerformanceObserver." However, it seems that some of this additional content can be accessed from "All Departments" - the page opened with the link at the "footer" of the page.

Due to the fact that Javascript does not work where it is needed, in the new filter (see below) I removed all Javascript tags, in addition to removing the entire content of all Javascript files that are under the domain "walmartimages.com".

2. Another problem: not all images are loading. To solve this, I used the add-on Restore "src" attribute of "img" TAGs 2.1 (I'll post the link for version 2.1 below).

Note: my initial intention was to understand which elements in the code of pages belonging to the "walmart.com" domain are not compatible with Pale Moon. I did not intend to find a workaround, but the tested solution can be used, with the limitations I already mentioned.

Filter:

Code: Select all

[[`/walmartimages.com/`, `/.*\.js.*/`, [`/.*/`, ``]], [`/walmart.com/`, `/.*/`, [`/<script[\S\s]*?<\/script>/g`, ``], [`/(<footer[\S\s]*?)<div.*?[^\n].*?footer-wrapper.*?[^\n].*?>[\S\s]*?<\/div>[\S\s]*?<\/div>([\S\s]*?<\/footer>)/`, `$1$2`]]]

Screenshots:

01.jpg

02.jpg

03.jpg

04.jpg

05.jpg

06.jpg

07.jpg

08.jpg

***

Restore "src" attribute of "img" TAGs 2.1

https://forum.palemoon.org/viewtopic.php?f=71&t=29050#p266914

Post by **vannilla** » 2025-10-30, 22:55

Gemmaugr wrote: ↑
2025-10-30, 20:43
I would post some questions myself, but I don't think I know nearly enough to lay it out (only the general gist of things). What exactly it does, how that relates specifically to being bad for privacy, how they can find its Flag or what they're called in FF or chromium.

The extracted data can be used, besides monitoring the site's performance, to create a profile of the user and fingerprint it. Because it depends on timings on the side of the website it's not trivial to poison this tracking unless you program the whole browser to "skew" the timings at random, but that would also result in a terrible user experience.
Moonchild et al. can likely give further details if someone is actually going to notify privacy groups, this is the "bird's eye" general picture.

Gemmaugr · Post by **Gemmaugr** » 2025-10-31, 00:49

vannilla wrote: ↑
2025-10-30, 22:55

Gemmaugr wrote: ↑
2025-10-30, 20:43
I would post some questions myself, but I don't think I know nearly enough to lay it out (only the general gist of things). What exactly it does, how that relates specifically to being bad for privacy, how they can find its Flag or what they're called in FF or chromium.
The extracted data can be used, besides monitoring the site's performance, to create a profile of the user and fingerprint it. Because it depends on timings on the side of the website it's not trivial to poison this tracking unless you program the whole browser to "skew" the timings at random, but that would also result in a terrible user experience.
Moonchild et al. can likely give further details if someone is actually going to notify privacy groups, this is the "bird's eye" general picture.

Indeed, although I've also read that;

"The last performance entry id is deliberately initialized to a random value, and is incremented by another small value every time a new PerformanceEntry is queued. User agents may choose to use a consistent increment for all users, or may pick a different increment for each global object, or may choose a new random increment for each PerformanceEntry. However, in order to prevent cross-origin leaks, and ensure that this does not enable fingerprinting, user agents must not just pick a unique random integer, and use it as a consistent increment for all PerformanceEntry objects across all global objects."

From https://www.w3.org/TR/performance-timeline/#privacy

Post by **Moonchild** » 2025-10-31, 06:58

Gemmaugr wrote: ↑
2025-10-31, 00:49
Indeed, although I've also read that;

{snip}

I'm sorry but randomizing the ID is not really preventing behaviour-based profiling, especially when combined with location data or IP or other markers for a browser/user fingerprint. The remarks made about ID seem to be more about pacifying the casual reader than addressing any real privacy issue when it comes to fingerprinting. All this does is make casual tracking more difficult, but tracking software is a lot more sophisticated than just relying on a client-supplied (and client-spoofable) ID.
It does highlight very clearly that the W3 was painfully aware of the abuse of this development API we're seeing in the wild because it's enable by default in major browsers.

Bottom line remains that websites should not use this API as an integral part of their website's operation. But unfortunately more and more do, likely due to market pressure/advertiser demand/money changing hands. So while I don't like it, it does look like for web compat reasons I'll have to enable it by default -- it will remain a clear option for the user to disable in preferences, of course.

Garland · Post by **Garland** » 2025-10-31, 16:32

I use Pale Moon for my normal surfing browser. I find that Pale Moon doesn't work for making credit card purchases on the majority of vendor sites, so I am resigned to using Firefox for those. But since I am giving so much personal info to them anyway, I don't care if PerformanceObserver is enabled in Firefox.

I would like to continue to disable PerformanceObserver in Pale Moon, but have a white list of sites where PerformanceObserver is enabled. Is an add-on the best way to achieve this? Anyone know of an add-on that can do this?

@Moonchild - Could you add a PerformanceObserver enable button, hidden by default, that we can access by customizing the toolbar?

Pale Moon forum

Walmart.com problem..

Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..

Re: Walmart.com problem..