[Openid-specs-ab] Planned Chrome and WebKit changes potentially impacting OpenID Connect deployments

Davide Vaghetti davide.vaghetti at garr.it
Thu Aug 22 08:18:47 UTC 2019


Hi Hans, all,

refeds list archives are public, though you need to confirm you're not a
bot, which is annoying. Anyway, this is the link to the initial message
on the same-site policy that started the thread:

https://lists.refeds.org/sympa/arc/refeds/2019-06/msg00005.html

Also, you can find a very useful analysis and testing report on the
same-site policy on the Shibboleth wiki:

https://wiki.shibboleth.net/confluence/display/DEV/IdP+SameSite+Testing

Cheers,
Davide


On 21/08/19 22:46, Hans Zandbelt via Openid-specs-ab wrote:
> For the record:
> the same-site cookie issue was raised on the refeds mailing list that
> unfortunately does not have a public archive; the impact seemed not very
> severe from what I remember.
> 
> Also, on the ITP issue there's a doc that Vittorio requested input for
> earlier:
> https://docs.google.com/document/d/1Rs--DFzZj_SfQjtz8oH9DlLII0ra3viMEHrK7sKsaiU/edit?usp=sharing
> and:
> https://github.com/whatwg/html/issues/3338#issuecomment-434117847
> 
> Hans.
> 
> On Wed, Aug 21, 2019 at 8:36 PM Mike Jones via Openid-specs-ab
> <openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
> 
>     I wanted to bring two planned browser changes to the working group’s
>     attention for your discussion and feedback.  I believe that both of
>     these could affect OpenID Connect (and other federated identity)
>     deployments.
> 
>      1. Chrome plans to treat cookies as SameSite=Lax by default if no
>         SameSite attribute is specified. This is described at
>         https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/AknSSyQTGYs/SSB1rTEkBgAJ.
>         As it says there, developers would be able to opt in to the
>         status quo of unrestricted use by explicitly asserting
>         SameSite=None.
> 
>      2. WebKit/Safari plans to change cookie handling to prevent
>         tracking.  As described at
>         https://webkit.org/tracking-prevention-policy/#unintended-impact, this
>         is expected to affect “Federated login using a third-party login
>         provider”.
> 
>     Some questions:
> 
>       * Are people tracking these developments and their expected
>         impacts?
>       * Might code changes be needed to keep things working, and if so,
>         what are they?
>       * Should we be communicating with the Chrome and WebKit developers
>         about the needs of federated identity in advance of these
>         proposed changes?
> 
>                                                            -- Mike
> 
>     _______________________________________________
>     Openid-specs-ab mailing list
>     Openid-specs-ab at lists.openid.net
>     <mailto:Openid-specs-ab at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
> 
> 
> -- 
> hans.zandbelt at zmartzone.eu <mailto:hans.zandbelt at zmartzone.eu>
> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>
> 
> 

-- 
Davide Vaghetti
Consortium GARR
Tel: +390502213158
Mobile: +393357779542
Skype: daserzw
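The first change Mike describes (cookies without a SameSite attribute being treated as Lax) is the one that bites an OpenID Connect relying party most directly: the `state` cookie the RP sets before redirecting to the OP is only useful if the browser sends it back with the authorization response, and a Lax cookie is not attached to a cross-site POST such as `response_mode=form_post`. The following model is an added illustration for this thread, not code from any of the projects or browsers mentioned; its browser rules are a simplified reading of the SameSite semantics and of the Chrome proposal linked above (including Chrome's requirement that `SameSite=None` cookies also carry `Secure`), and the cookie values and relying-party names are constructed.

```python
"""Model of the Chrome 'SameSite=Lax by default' change against an OpenID
Connect relying party's state cookie.

Added illustration for this thread; the browser rules below are a
simplified model, not any browser's real implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Methods that a Lax cookie may accompany on a top-level cross-site navigation
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool = False
    samesite: Optional[str] = None  # None: attribute absent from Set-Cookie


def parse_set_cookie(header: str) -> Cookie:
    """Parse only the parts of a Set-Cookie header that matter for SameSite."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = val.strip().capitalize()  # "lax" / "LAX" -> "Lax"
    return Cookie(name.strip(), value.strip(), secure, samesite)


def cookie_is_sent(cookie: Cookie, *, cross_site: bool, method: str,
                   top_level: bool, lax_by_default: bool) -> bool:
    """Decide whether the browser attaches `cookie` to a request.

    lax_by_default=False models the legacy behaviour (no attribute means
    unrestricted); lax_by_default=True models the planned Chrome default,
    under which a SameSite=None cookie is rejected unless it is also Secure.
    """
    if not cross_site:
        return True
    effective = cookie.samesite
    if effective is None:
        effective = "Lax" if lax_by_default else "None"
    if effective == "None":
        return cookie.secure or not lax_by_default
    if effective == "Strict":
        return False
    # Lax: only top-level navigations with a safe method carry the cookie
    return top_level and method.upper() in SAFE_METHODS


def rp_state_check_passes(set_cookie_header: str, response_mode: str,
                          returned_state: str, *, lax_by_default: bool) -> bool:
    """Simulate the authorization response arriving at the RP's redirect_uri.

    The RP stored its expected `state` in a cookie when it built the
    authorization request.  The OP's response is cross-site and top-level:
    response_mode=query arrives as a GET redirect, response_mode=form_post as
    an auto-submitted POST.  Without the cookie the RP cannot correlate the
    response with a request it issued and must reject it.
    """
    cookie = parse_set_cookie(set_cookie_header)
    method = "POST" if response_mode == "form_post" else "GET"
    sent = cookie_is_sent(cookie, cross_site=True, method=method,
                          top_level=True, lax_by_default=lax_by_default)
    if not sent:
        return False
    return cookie.value == returned_state


# Constructed Set-Cookie headers an RP might emit for its state cookie
LEGACY_HEADER = "state=c0nstructed-state; Path=/; HttpOnly"
FIXED_HEADER = "state=c0nstructed-state; Path=/; HttpOnly; Secure; SameSite=None"

if __name__ == "__main__":
    for header in (LEGACY_HEADER, FIXED_HEADER):
        for mode in ("query", "form_post"):
            for new_default in (False, True):
                ok = rp_state_check_passes(header, mode, "c0nstructed-state",
                                           lax_by_default=new_default)
                print(f"{header!r:75} {mode:10} lax_by_default={new_default!s:5} "
                      f"-> state check {'passes' if ok else 'FAILS'}")
```

Running the script shows the failure mode in one line of output: the legacy header keeps working for `response_mode=query` (a top-level GET is allowed for a Lax cookie) but fails for `form_post` once Lax becomes the default, while the header carrying `Secure; SameSite=None` passes in every combination. The same model also explains why adding `SameSite=None` alone is not enough: without `Secure` the cookie is dropped under the new policy, so the fix must be deployed over HTTPS.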


