Feedburner feeds are blocked in Thunderbird

302 views
Skip to first unread message

Christophe Coevoet

unread,
Sep 17, 2022, 5:34:40 AM9/17/22
to FeedBurner Help Group
Since a few days, feeds registered in Thunderbird that are hosted on feedburner are not retrieved properly anymore. When looking at the thunderbird devtools, I see that a 403 response is returned.
Reproducing the same request with curl, I also got a 403 response. I then managed to get the actual content when removing the "Sec-Fetch-Site: cross-site" header that is part of the Thunderbird request.
It would be great to unblock such requests so that feedburner feeds work in Thunderbird.

Brian Walker

unread,
Sep 17, 2022, 1:20:46 PM9/17/22
to FeedBurner Help Group
Hi Christophe,

Thanks for the feedback we will look into this. 

Marcel Stör

unread,
Jan 3, 2023, 10:25:43 AM1/3/23
to FeedBurner Help Group
Has there been an update since then that I missed? I am still seeing this error. Here's a sample exchange:

GET https://feeds.feedburner.com/uncrate HTTP/2.0

user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
accept: application/atom+xml,application/rss+xml;q=0.9,application/rdf+xml;q=0.8,application/xml;q=0.7,text/xml;q=0.7,*/*;q=0.1
accept-language: en-US,en;q=0.8,de-CH;q=0.5,de;q=0.3
accept-encoding: gzip, deflate, br
if-modified-since: Wed, 16 Nov 2022 20:57:57 GMT
dnt: 1
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
pragma: no-cache
cache-control: no-cache
te: trailers

The response is 403 with an HTML body (omitted here).

content-type: text/html; charset=utf-8
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Tue, 03 Jan 2023 15:18:50 GMT
vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
content-security-policy: require-trusted-types-for 'script';report-uri /_/RaichuFeedServer/cspreport
content-security-policy: script-src 'nonce-RbmCvrjipzKesdJ5WB9AgA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri
/_/RaichuFeedServer/cspreport;worker-src 'self'
content-security-policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com
https://www.google-analytics.com;report-uri /_/RaichuFeedServer/cspreport/allowlist
cross-origin-opener-policy: same-origin; report-to="RaichuFeedServer"
permissions-policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*,
ch-ua-platform-version=*
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64,
Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
report-to: {"group":"RaichuFeedServer","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/RaichuFeedServer/external"}
]}
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443";
ma=2592000,quic=":443"; ma=2592000; v="46,43"

Mark van Dijk

unread,
Mar 7, 2023, 9:09:19 AM3/7/23
to FeedBurner Help Group
I'm seeing the same issues in our custom component that tries to load the RSS feeds from FeedBurner.
It appears to be the sec-fetch-site: cross-site header that is causing this 403 to be raised. Removing this header 'fixes' this? 
Previously this wasn't an issue. Is this something that was recently updated?

Mark

Reply all
Reply to author
Forward
0 new messages