[Openid-specs-ab] Session management and third party cookies
Torsten Lodderstedt
torsten at lodderstedt.net
Sat Aug 18 15:45:46 UTC 2012
On 16.08.2012 22:21, Nat Sakimura wrote:
> Actually, Safari should not be a problem because the cookie is first
> created at the top level window when the user first logged in to the
> IdP. Safari allows the read of the cookie in iFrame, though it does
> not allow write. This is perfectly fine.
>
> The problem is in other browsers. Chrome after rel. 17, when the user
> sets no third party cookie / local storage option, it even blocks the
> reading of the cookie. The same behavior was reported on Firefox as
> well. Since they are not the default setting, not many people perhaps
> are affected, yet it is a valid concern.
Do you consider this a bug or is there a concept/philosophy behind it?
regards,
Torsten.
>
> Nat
>
> On Fri, Aug 17, 2012 at 2:25 AM, Torsten Lodderstedt
> <torsten at lodderstedt.net> wrote:
>
> Hi all,
>
> according to one of our developers, at least Safari is blocking
> such cookies only if they were not created as a result of some
> user interaction, e.g. a form post.
>
> regards,
> Torsten.
>
>
>
> On 14.08.2012 14:37, John Bradley wrote:
>
> So I take it that this is not about blocking what we would
> think of as a normal 3rd party cookie.
>
> The Browsers are also trying to block sneaky ways that people
> are using to get around 3rd party cookie blocking.
>
> We are getting caught in that basket because the IdP iframe is
> invoked from the RP iframe.
>
> Any Ideas?
>
> On 2012-08-14, at 7:22 AM, Nat Sakimura wrote:
>
> Latest Safari on iOS 5.1.1 and Mountain Lion.
>
> =nat via iPhone
>
> On Aug 14, 2012, at 9:11 PM, Chuck Mortimore
> <cmortimore at salesforce.com> wrote:
>
> Latest versions of Safari just got far more aggressive
> about this, so I'd report what version of Safari you
> were on.
>
> -cmort
>
> On Aug 13, 2012, at 6:36 PM, Nat Sakimura wrote:
>
> I did a little bit of checking on the relationships between the
> Session management spec and third party cookies.
>
> In short, it varies.
> In Safari and older Chrome, it works.
>
> In Chrome after v.17(?), if the user sets the block third party
> cookies option, it does not.
>
> I have not tested IE.
>
> Nat Sakimura
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> <mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>