[Openid-specs-ab] Google blog: Charting a course towards a more privacy-first web
George Fletcher
gffletch at aol.com
Thu Mar 4 15:32:26 UTC 2021
Potentially... any identity flows performed in iframes that rely on
setting/reading cookies with samesite=none attribute will stop working.
This might affect logout more than login depending on how each is
implemented. This could also affect full page redirect flows with the
form_post response type if the browsers stop supporting the "temporary
solution" they provided for cookies less than 2mins old. It's unclear at
this time as very little is described in that blog post about exactly
what the browser will do :)
Note that Firefox recently also enabled a model that creates separate
cookie jars per eTLD+1. They are trying to not break identity flows that
cross domains but it's unclear how well the heuristics work for
identifying identity flows. The key heuristic they call out is using a
pop-up browser window which I don't see a lot of these days.
I'd highly recommend setting up end-to-end testing that you can push
through any browser or nightly build. Determining exactly what will (or
won't) work from published blogs is difficult :)
On 3/4/21 4:15 AM, Nat Sakimura via Openid-specs-ab wrote:
> Would this impact us?
>
>
> https://blog.google/products/ads-commerce/a-more-privacy-first-web/
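The cookie behaviour George describes above, as an added example that is not part of the original thread: a small Python model of a browser deciding whether to attach a cookie to a cross-site request, which can double as the spec for the end-to-end test matrix he recommends. It is a simplified rendering of Chrome's Lax-by-default rule, its temporary two-minute "Lax+POST" allowance (the "cookies less than 2 mins old" case in the mail) and a blanket third-party cookie block; the `Cookie`, `Request` and helper names are mine, not browser or OpenID API names.

```python
"""Model of a browser deciding to attach a cookie to a cross-site request.
Added example, not from the mail: a simplified rendering of Chrome's
Lax-by-default rule, its temporary two-minute "Lax+POST" allowance and a
blanket third-party cookie block, not a complete browser policy."""
from dataclasses import dataclass
from typing import Optional

LAX_POST_WINDOW_SECONDS = 120  # age limit of the temporary Lax+POST allowance

@dataclass
class Cookie:
    same_site: Optional[str]   # "Strict", "Lax", "None" or None when unset
    secure: bool
    age_seconds: int           # seconds since the cookie was set

@dataclass
class Request:
    cross_site: bool           # initiator eTLD+1 differs from the cookie's
    top_level_navigation: bool # full-page redirect/POST vs iframe or fetch
    method: str                # "GET" or "POST"

def cookie_sent(cookie: Cookie, req: Request, block_third_party: bool) -> bool:
    """True if the browser attaches the cookie to the request."""
    if not req.cross_site:
        return True  # same-site requests always carry the cookie
    mode = cookie.same_site or "Lax"  # unset attribute is treated as Lax
    if mode == "None":
        if not cookie.secure:
            return False  # SameSite=None is only honoured with Secure
        # A None cookie on an embedded (non-navigation) request is the
        # third-party cookie case that the blog post proposes phasing out.
        return req.top_level_navigation or not block_third_party
    if mode == "Strict" or not req.top_level_navigation:
        return False  # Strict never crosses sites; Lax never rides iframes
    if req.method == "GET":
        return True   # Lax: top-level GET navigations carry the cookie
    # Top-level cross-site POST (form_post response mode): only the
    # temporary allowance for unset-attribute cookies under 2 minutes old.
    return cookie.same_site is None and cookie.age_seconds < LAX_POST_WINDOW_SECONDS

def iframe_session_cookie_sent(block_third_party: bool) -> bool:
    """Session cookie read by an OP iframe (check_session/logout style)."""
    return cookie_sent(Cookie("None", True, 10),
                       Request(True, False, "GET"), block_third_party)

def form_post_cookie_sent(age_seconds: int, explicit_lax: bool) -> bool:
    """Cookie on the cross-site top-level POST that form_post relies on."""
    cookie = Cookie("Lax" if explicit_lax else None, True, age_seconds)
    return cookie_sent(cookie, Request(True, True, "POST"), block_third_party=True)
```

Running the two helpers against a real browser build (iframe with third-party cookies blocked, form_post with a fresh versus ten-minute-old cookie) is the check worth automating before the policy ships.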