[Openid-specs-ab] Front-channel logout broken by SameSite behavior
gffletch at aol.com
Tue Apr 14 15:39:18 UTC 2020
Where did we land on the front-channel logout issue from one of our
recent calls? It appears the Brave browser has the SameSite behavior
enabled by default even if Chrome doesn't. Chains of full-page redirects
will continue to work... but the UX for that is not very good and it's
also likely for the redirect chains to be broken by the user, so not all
relying parties will get notified.

We discussed passing a value on the front-channel redirect URL, though I
believe that could have some DoS implications depending on what the
value is that is passed.

Given that Chrome has experimental UI (that can be enabled) to ask the
user if they want to block third-party cookies, I don't think relying on
flagging all cookies needed in iframes as SameSite=None is viable.

Back-channel can work... but it adds a lot of complexity for relying parties as
they have to maintain state.