[Openid-specs-ab] Google blog: Charting a course towards a more privacy-first web

Achim Schlosser achim.schlosser at enid.eu
Fri Mar 5 08:22:17 UTC 2021


Hi everyone,


I would suggest catching up on this in the next special topic call. The Google Team also seems to have finished another round of internal evaluation and pushed a lot of updates, both in terms of issues and pull requests, into the repo.

Given the announcement, I expect them to release WebID in parallel with the other APIs (FLoC, FLEDGE) and in parallel with disabling third-party cookie access, and not maybe some time after.

Happy to volunteer to go through the changes. Tim, shall we put this on the agenda?


Best

Achim

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Organisation: AOL LLC
Reply to: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Date: Thursday, 4. March 2021 at 16:32
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: George Fletcher <gffletch at aol.com>
Subject: Re: [Openid-specs-ab] Google blog: Charting a course towards a more privacy-first web

Potentially... any identity flows performed in iframes that rely on setting/reading cookies with samesite=none attribute will stop working. This might affect logout more than login depending on how each is implemented. This could also affect full page redirect flows with the form_post response type if the browsers stop supporting the "temporary solution" they provided for cookies less than 2 mins old. It's unclear at this time as very little is described in that blog post about exactly what the browser will do :)

Note that Firefox recently also enabled a model that creates separate cookie jars per eTLD+1. They are trying to not break identity flows that cross domains, but it's unclear how well the heuristics work for identifying identity flows. The key heuristic they call out is using a pop-up browser window, which I don't see a lot of these days.

I'd highly recommend setting up end-to-end testing that you can push through any browser or nightly build. Determining exactly what will (or won't) work from published blogs is difficult :)

On 3/4/21 4:15 AM, Nat Sakimura via Openid-specs-ab wrote:
Would this impact us?


https://blog.google/products/ads-commerce/a-more-privacy-first-web/


