[Openid-specs-ab] Agenda - OIDF Browser Interactions Special Topic Call - 2021-03-24 19:05 UTC

Brian Campbell bcampbell at pingidentity.com
Wed Mar 24 20:01:02 UTC 2021


On Wed, Mar 24, 2021 at 12:19 PM Sam Goto <goto at google.com> wrote:

>
>
> On Wed, Mar 24, 2021 at 9:40 AM Brian Campbell <bcampbell at pingidentity.com>
> wrote:
>
>> Thanks Sam!
>>
>> On Wed, Mar 24, 2021 at 10:14 AM Sam Goto <goto at google.com> wrote:
>>
>>>
>>>
>>> On Wed, Mar 24, 2021 at 8:49 AM Brian Campbell via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>>> I've got a little something for Open Discussion, if time and
>>>> circumstance permit. Does anyone have a good understanding of how CORS will
>>>> be impacted by the impending death of 3rd party cookies? Seems that by very
>>>> definition cookies are 3rd party in the context of CORS and the same kinds
>>>> of privacy/tracking concerns are applicable, which suggests that cookies
>>>> will just stop being sent and/or accepted with CORS requests/responses. But
>>>> I find myself second guessing that assumption and feeling rather uncertain
>>>> about my grasp of the mechanics of all this stuff (and life in general, if
>>>> I'm being honest). Anyway, I'm hopeful that someone on the call with better
>>>> or more authoritative knowledge could explain the impacts for the benefit
>>>> of all.
>>>>
>>>
>>> I'll ask around more concretely about CORS (genuinely don't know what
>>> the answer is to this question), but here are the guiding principles (and,
>>> as such, don't quite go over sequencing in detail) that are behind the
>>> constraints that are being placed:
>>>
>>>
> I'm still asking around about the details here so that I can say things
> with more confidence (and ideally just point to something that has already
> been posted), but my early investigation makes me believe that indeed CORS
> XmlHttpRequests are going to be impacted by 3rd party cookies. Here is my
> understanding so far (that I'm trying to gather from the SameSite cookies
> blog post
> <https://blog.chromium.org/2019/10/developers-get-ready-for-new.html> and
> the privacy sandbox deep dive
> <https://web.dev/digging-into-the-privacy-sandbox/> and the building a
> more private web
> <https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html>
> ):
>
> -  Cookies are already, right now, not sent on CORS XmlHttpRequests,
> unless you specify SameSite=None
> -  When third party cookies go away, they'll go away too in CORS
> XmlHttpRequests (in that, IIUC, even if you specify SameSite=None, they
> won't be sent)
> - IIUC, it is already the case in Safari that CORS isn't sent with third
> party cookies (informal investigation
> <https://stackoverflow.com/questions/28238896/apple-safari-still-not-setting-3rd-party-domain-cors-cookies>
> )
>
> This is my own personal investigation, so take this with a grain of
> salt: I'm probably incorrect here and will follow up with a more precise /
> confident answer.
>
> But, if this interpretation is correct, the two questions that may be
> worth asking are:
>
> - What concretely does OpenID use in specs with CORS and XmlHttpRequests?
>

As I mentioned on the call, there's not a concrete usage in the specs
themselves. But there are some API driven login flows that seem to be
becoming popular, which might make use of cookies via CORS (depending on
how they are deployed). Here are some docs on one such API
https://docs.pingidentity.com/bundle/pingfederate-101/page/elz1592262150859.html

> - How does it degrade when it is running in a browser that already doesn't
> support it?
>

I don't know the exact failure mode and would probably lump it into the
"just doesn't work" category. The first "Note" in the docs I linked above
hints at this and basically suggests making things 1st party to work, "To
avoid issues with third-party cookies in some browsers, give the
authentication application the same parent domain as the PingFederate base
URL."

>
>
> https://github.com/michaelkleber/privacy-model
>>>> On Tue, Mar 23, 2021 at 9:27 AM Tim Cappalli via Openid-specs-ab <
>>>> openid-specs-ab at lists.openid.net> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>>
>>>>>
>>>>> Here's the agenda for tomorrow.
>>>>>
>>>>> * Intros, reintros, agenda bash
>>>>> * Review known use case list
>>>>> <https://docs.google.com/document/d/1z9Plb3ntW8s_dg9SSjd6Z7_88I4KhVjaGYYSoEYC40Y>
>>>>> and request for contributions
>>>>> * Review submitted use cases
>>>>> * Topics for next call
>>>>> * Open Discussion
>>>>>
>>>>>
>>>>> Meeting Link: https://global.gotomeeting.com/join/379258645 | Time
>>>>> <https://www.timeanddate.com/worldclock/converter.html?iso=20210113T190500&p1=22&p2=248&p3=236&p4=438&p5=776&p6=16&p7=1440&p8=43&p9=24&p10=220&p11=234>
>>>>>
>>>>>
>>>>>
>>>>> Meeting Agenda / Notes Page: openid / connect / wiki / Browser
>>>>> Interactions Special Topics Call - 20210324 — Bitbucket
>>>>> <https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call%20-%2020210324>
>>>>>
>>>>>
>>>>> Meeting Landing Page: openid / connect / wiki / Browser Interactions
>>>>> Special Topics Call — Bitbucket
>>>>> <https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> tim
>>>>>
>>>>> _______________________________________________
>>>>> Openid-specs-ab mailing list
>>>>> Openid-specs-ab at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*
>>>

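The rule Sam summarises in his bullets (a cookie without SameSite=None is not attached to a cross-site XHR, and once third-party cookies are blocked even SameSite=None stops helping) can be written down as a small decision model. The JavaScript below is an added example for this archive page, not code from the thread, from Ping Identity or from the Chromium project. It parses the Set-Cookie attributes that matter, evaluates them under three constructed browser policies, and audits the cookies a cross-origin login API might return, which is the "how does it degrade" question in the thread. The policy objects, cookie names and the treatment of unrecognised SameSite values are assumptions; it deliberately ignores finer points such as Chrome's temporary "Lax+POST" allowance for fresh cookies.

```javascript
// Added example, not code from the thread or from any product named in it:
// a model of whether a cookie set by a cross-origin login API would be
// attached to a cross-site XMLHttpRequest/fetch made with credentials.
// Policies, cookie names and sample headers are constructed for illustration.

// Parse only the parts of a Set-Cookie header this decision depends on.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq >= 0 ? nameValue.slice(0, eq).trim() : nameValue,
    value: eq >= 0 ? nameValue.slice(eq + 1).trim() : "",
    sameSite: null, // null: attribute absent, the browser default applies
    secure: false,
  };
  for (const attr of attrs) {
    const [rawKey, rawVal = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    const val = rawVal.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    // Assumption: an unrecognised SameSite value is treated as if absent.
    else if (key === "samesite" && ["strict", "lax", "none"].includes(val)) cookie.sameSite = val;
  }
  return cookie;
}

// Constructed browser policies. defaultSameSite is what a cookie without the
// attribute gets; requireSecureForNone models Chrome's "None requires Secure"
// rule; blockThirdPartyCookies models Safari today and the phase-out the
// thread discusses.
const LEGACY_BROWSER = { defaultSameSite: "none", requireSecureForNone: false, blockThirdPartyCookies: false };
const CHROME_LAX_DEFAULT = { defaultSameSite: "lax", requireSecureForNone: true, blockThirdPartyCookies: false };
const THIRD_PARTY_BLOCKED = { defaultSameSite: "lax", requireSecureForNone: true, blockThirdPartyCookies: true };

// Decide whether one parsed cookie rides along on a cross-site XHR/fetch.
function willSendOnCrossSiteXhr(cookie, policy) {
  const effective = cookie.sameSite ?? policy.defaultSameSite;
  // Lax only permits top-level navigations with safe methods; an XHR/fetch is
  // neither, so Lax and Strict cookies both stay home.
  if (effective !== "none") {
    const origin = cookie.sameSite ? "explicit" : "browser default";
    return { sent: false, reason: `SameSite=${effective} (${origin}) is never attached to a cross-site XHR` };
  }
  if (policy.requireSecureForNone && !cookie.secure) {
    return { sent: false, reason: "SameSite=None without Secure is rejected" };
  }
  if (policy.blockThirdPartyCookies) {
    return { sent: false, reason: "third-party cookies are blocked, so SameSite=None no longer helps" };
  }
  return { sent: true, reason: "SameSite=None; Secure and third-party cookies are allowed" };
}

// Evaluate every Set-Cookie header a cross-origin login API returns and report
// which would survive under a given policy (the "how does it degrade" check).
function auditLoginApiCookies(setCookieHeaders, policy) {
  const report = {};
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    report[c.name] = willSendOnCrossSiteXhr(c, policy);
  }
  return report;
}

// Constructed sample: two session-style cookies as a login API might set them.
const SAMPLE_HEADERS = [
  "SESSION=abc123; Path=/; Secure; HttpOnly",      // no SameSite attribute
  "LOGIN=xyz789; Path=/; SameSite=None; Secure",   // explicitly cross-site
];

for (const [name, policy] of Object.entries({ LEGACY_BROWSER, CHROME_LAX_DEFAULT, THIRD_PARTY_BLOCKED })) {
  console.log(name, auditLoginApiCookies(SAMPLE_HEADERS, policy));
}
```

Running it shows the progression the thread describes: a legacy browser sends both cookies, the Lax-by-default browser sends only the one marked SameSite=None; Secure, and the third-party-blocking policy sends neither, which is why the documentation's advice to put the authentication application under the same parent domain (making the cookie first-party) is the only configuration that survives all three.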