Feedburner feeds are blocked in Thunderbird

[Christophe Coevoet]

Since a few days, feeds registered in Thunderbird that are hosted on feedburner are not retrieved properly anymore. When looking at the thunderbird devtools, I see that a 403 response is returned.

Reproducing the same request with curl, I also got a 403 response. I then managed to get the actual content when removing the "Sec-Fetch-Site: cross-site" header that is part of the Thunderbird request.

It would be great to unblock such requests so that feedburner feeds work in Thunderbird.

[Brian Walker]

Hi Christophe,

Thanks for the feedback we will look into this. 

[Marcel Stör]

Has there been an update since then that I missed? I am still seeing this error. Here's a sample exchange:

GET https://feeds.feedburner.com/uncrate HTTP/2.0

user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
accept: application/atom+xml,application/rss+xml;q=0.9,application/rdf+xml;q=0.8,application/xml;q=0.7,text/xml;q=0.7,*/*;q=0.1
accept-language: en-US,en;q=0.8,de-CH;q=0.5,de;q=0.3
accept-encoding: gzip, deflate, br
if-modified-since: Wed, 16 Nov 2022 20:57:57 GMT
dnt: 1
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
pragma: no-cache
cache-control: no-cache

te: trailers

The response is 403 with an HTML body (omitted here).

content-type: text/html; charset=utf-8
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Tue, 03 Jan 2023 15:18:50 GMT
vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
content-security-policy: require-trusted-types-for 'script';report-uri /_/RaichuFeedServer/cspreport
content-security-policy: script-src 'nonce-RbmCvrjipzKesdJ5WB9AgA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri
/_/RaichuFeedServer/cspreport;worker-src 'self'
content-security-policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com
https://www.google-analytics.com;report-uri /_/RaichuFeedServer/cspreport/allowlist
cross-origin-opener-policy: same-origin; report-to="RaichuFeedServer"
permissions-policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*,
ch-ua-platform-version=*
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64,
Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
report-to: {"group":"RaichuFeedServer","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/RaichuFeedServer/external"}
]}
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443";
ma=2592000,quic=":443"; ma=2592000; v="46,43"

[Mark van Dijk]

I'm seeing the same issues in our custom component that tries to load the RSS feeds from FeedBurner.

It appears to be the sec-fetch-site: cross-site header that is causing this 403 to be raised. Removing this header 'fixes' this? 

Previously this wasn't an issue. Is this something that was recently updated?

Mark