[Openid-specs-ab] Agenda - OIDF Browser Interactions Special Topic Call - 2021-03-24 19:05 UTC

Sam Goto goto at google.com
Wed Mar 24 18:18:52 UTC 2021


On Wed, Mar 24, 2021 at 9:40 AM Brian Campbell <bcampbell at pingidentity.com>
wrote:

> Thanks Sam!
>
> On Wed, Mar 24, 2021 at 10:14 AM Sam Goto <goto at google.com> wrote:
>
>>
>>
>> On Wed, Mar 24, 2021 at 8:49 AM Brian Campbell via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> I've got a little something for Open Discussion, if time and
>>> circumstance permit. Does anyone have a good understanding of how CORS will
>>> be impacted by the impending death of 3rd party cookies? Seems that by very
>>> definition cookies are 3rd party in the context of CORS and the same kinds
>>> of privacy/tracking concerns are applicable, which suggests that cookies
>>> will just stop being sent and/or accepted with CORS requests/responses. But
>>> I find myself second guessing that assumption and feeling rather uncertain
>>> about my grasp of the mechanics of all this stuff (and life in general, if
>>> I'm being honest). Anyway, I'm hopeful that someone on the call with better
>>> or more authoritative knowledge could explain the impacts for the benefit
>>> of all.
>>>
>>
>> I'll ask around more concretely about CORS (genuinely don't know what the
>> answer is to this question), but here are the guiding principles (and, as
>> such, don't quite go over sequencing in detail) that are behind the
>> constraints that are being placed:
>>
>>
I'm still asking around about the details here so that I can say things
with more confidence (and ideally just point to something that has already
been posted), but my early investigation makes me believe that indeed CORS
XmlHttpRequests are going to be impacted by 3rd party cookies. Here is my
understanding so far (that I'm trying to gather from the SameSite cookies
blog post
<https://blog.chromium.org/2019/10/developers-get-ready-for-new.html> and
the privacy sandbox deep dive
<https://web.dev/digging-into-the-privacy-sandbox/> and the building a more
private web
<https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html>
):

- Cookies are already, right now, not sent on CORS XmlHttpRequests, unless
you specify SameSite=None
- When third party cookies go away, they'll go away too in CORS
XmlHttpRequests (in that, IIUC, even if you specify SameSite=None, they
won't be sent)
- IIUC, it is already the case in Safari that CORS isn't sent with third
party cookies (informal investigation
<https://stackoverflow.com/questions/28238896/apple-safari-still-not-setting-3rd-party-domain-cors-cookies>
)

This is my own personal investigation, so take this with a grain of
salt: I'm probably incorrect here and will follow up with a more precise /
confident answer.

But, if this interpretation is correct, the two questions that may be worth
asking are:

- What concretely does OpenID use in specs with CORS and XmlHttpRequests?
- How does it degrade when it is running in a browser that already doesn't
support it?


>> https://github.com/michaelkleber/privacy-model
>>
>>
>>>
>>>
>>>
>>> On Tue, Mar 23, 2021 at 9:27 AM Tim Cappalli via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>>> Hi all,
>>>>
>>>>
>>>>
>>>> Here's the agenda for tomorrow.
>>>>
>>>> * Intros, reintros, agenda bash
>>>> * Review known use case list
>>>> <https://docs.google.com/document/d/1z9Plb3ntW8s_dg9SSjd6Z7_88I4KhVjaGYYSoEYC40Y>
>>>> and request for contributions
>>>> * Review submitted use cases
>>>> * Topics for next call
>>>> * Open Discussion
>>>>
>>>>
>>>> Meeting Link: https://global.gotomeeting.com/join/379258645 | Time
>>>> <https://www.timeanddate.com/worldclock/converter.html?iso=20210113T190500&p1=22&p2=248&p3=236&p4=438&p5=776&p6=16&p7=1440&p8=43&p9=24&p10=220&p11=234>
>>>>
>>>>
>>>>
>>>> Meeting Agenda / Notes Page: openid / connect / wiki / Browser
>>>> Interactions Special Topics Call - 20210324 — Bitbucket
>>>> <https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call%20-%2020210324>
>>>>
>>>>
>>>> Meeting Landing Page: openid / connect / wiki / Browser Interactions
>>>> Special Topics Call — Bitbucket
>>>> <https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call>
>>>>
>>>>
>>>>
>>>>
>>>> tim
>>>>
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> Openid-specs-ab at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>>
>>
More information about the Openid-specs-ab mailing list
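
The cookie behaviour discussed in the message above, as an added example that is not part of the original e-mail: a simplified JavaScript model of when a browser attaches a cookie to a cross-origin XMLHttpRequest. The function names, the hostnames and the `blockThirdPartyCookies` switch are assumptions made for illustration, and "site" is approximated as the last two host labels rather than via the Public Suffix List.

```javascript
// Added example: simplified model, not browser source code.
// Assumption: "site" = scheme + last two host labels; real browsers use the
// Public Suffix List, so this is wrong for suffixes such as co.uk.
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.hostname.split('.').slice(-2).join('.');
}

// Decide whether one cookie is attached to an XHR from pageOrigin to targetUrl.
function cookieDecision(pageOrigin, targetUrl, cookie, opts) {
  const target = new URL(targetUrl);
  const crossOrigin = new URL(pageOrigin).origin !== target.origin;
  const crossSite = siteOf(pageOrigin) !== siteOf(targetUrl);

  if (cookie.secure && target.protocol !== 'https:')
    return { sent: false, reason: 'Secure cookie on non-HTTPS request' };
  // Cross-origin XHR carries credentials only when withCredentials is set.
  if (crossOrigin && !opts.withCredentials)
    return { sent: false, reason: 'withCredentials not set' };
  if (!crossSite) return { sent: true, reason: 'same-site request' };

  // Cross-site from here on, so the cookie is a third-party cookie.
  // Unset SameSite is treated as Lax (the Chromium default the thread links to).
  const sameSite = (cookie.sameSite || 'Lax').toLowerCase();
  if (sameSite !== 'none')
    return { sent: false, reason: 'SameSite=' + sameSite };
  if (!cookie.secure)
    return { sent: false, reason: 'SameSite=None requires Secure' };
  if (opts.blockThirdPartyCookies) // hypothetical switch for the future state
    return { sent: false, reason: 'third-party cookies blocked' };
  return { sent: true, reason: 'SameSite=None; Secure' };
}

// Constructed scenario: a relying-party page calling an identity provider.
const RP = 'https://app.rp.example';
const IDP = 'https://idp.example/userinfo';
const marked = { name: 'sid', sameSite: 'None', secure: true };
const unmarked = { name: 'sid', secure: true };

function scenarios() {
  const cred = { withCredentials: true };
  return {
    today: cookieDecision(RP, IDP, marked, cred),
    laxDefault: cookieDecision(RP, IDP, unmarked, cred),
    blocked: cookieDecision(RP, IDP, marked, { ...cred, blockThirdPartyCookies: true }),
    sameSite: cookieDecision(RP, 'https://api.rp.example/me', unmarked, cred),
  };
}
console.log(scenarios());
```

The `sameSite` row shows that a cross-origin request within one site still carries the cookie, so the cases to audit are the cross-site ones.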