<div dir="ltr">see below - that change has been delayed till 80. Does anyone really think that Google Authentication will be disabled by Chrome?<div>What exactly is the problem that people actually see - other than the Safari issues?</div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div>Peace ..tom</div><div><br></div><div><b>Lily Chen</b> <<a href="mailto:chlily@chromium.org">chlily@chromium.org</a>><br>Tue, Jun 25, 2019, 8:28 AM<br>to Yoav, Rick, Philip, Lily, Rowan, blink-dev, morlovich, Mike, Brandon</div><div dir="ltr">We are pushing back the target milestone to M80 due to interoperability concerns resulting from an <a href="https://bugs.webkit.org/show_bug.cgi?id=198181" target="_blank">issue affecting Safari on Mac/iOS and Chrome on iOS</a>: Cookies with an unrecognized SameSite value, including SameSite=None, are handled incorrectly and are treated as SameSite=Strict. We decided not to rename SameSite=None to a different attribute because the issue is fixed in iOS 13 and we think that delaying while the fix rolls out is a better approach than the longer adoption time for a new attribute.<div><br></div><div>The console messages informing developers of the changes have been implemented behind a default-disabled flag and currently do not state a specific milestone.<br></div></div><div>To view this discussion on the web visit <a href="https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE24OxwEX46xH1oO35o6WwSVBF1NDma-Jb2RkjWmgGDFySfE%3Dg%40mail.gmail.com?utm_medium=email&utm_source=footer" target="_blank">https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE24OxwEX46xH1oO35o6WwSVBF1NDma-Jb2RkjWmgGDFySfE%3Dg%40mail.gmail.com</a>.</div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 3, 2019 at 8:40 PM Nat Sakimura via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div name="messageBodySection">
<div dir="auto">Do we need a spec level change as errata or something?
<div dir="auto">Perhaps we need to include SameSite=none as the requirement in the specs? </div>
</div>
</div>
<div name="messageSignatureSection"><br>
<div dir="auto">Nat Sakimura Chairman, OpenID Foundation <a href="https://nat.sakimura.org" target="_blank">https://nat.sakimura.org</a></div>
</div>
<div name="messageReplySection">On Jul 4, 2019, 5:10 +0900, Filip Skokan via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br>
<blockquote type="cite" class="gmail-m_8011935782617211596spark_quote" style="margin:5px;padding-left:10px;border-left:thin solid rgb(26,188,156)">
<div dir="ltr">Hi Nick,
<div><br></div>
<div>I summarized the effects in this <a href="http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20190527/007341.html" target="_blank">thread</a>.</div>
<div><br clear="all">
<div>
<div dir="ltr" class="gmail-m_8011935782617211596gmail_signature">Best regards,<br>
<b>Filip Skokan</b></div>
</div>
<br></div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, 3 Jul 2019 at 19:56, Nick Roy via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div>
<blockquote class="gmail_quote gmail-m_8011935782617211596spark_quote" style="margin:5px;padding-left:10px;border-left:thin solid rgb(230,126,34)">Sorry for the cross-post. Is anyone talking to Google about this issue? Any concerns about it affecting OpenID Connect?<br>
<br>
Thanks,<br>
<br>
Nick<br>
<br>
Forwarded message:<br>
<br>
> From: Pieter van der Meulen <<a href="mailto:pieter.vandermeulen@surfnet.nl" target="_blank">pieter.vandermeulen@surfnet.nl</a>><br>
> To: <a href="mailto:refeds@lists.refeds.org" target="_blank">refeds@lists.refeds.org</a><br>
> Subject: [refeds] New chrome SameSite policy for session cookies affecting the SAML HTTP-POST binding<br>
> Date: Wed, 26 Jun 2019 12:39:44 +0000<br>
><br>
> Hi all,<br>
><br>
> Chrome announced plans [1] to change how cookies work that for several common SP implementations will break SAML authentication using the SAML2int profile. The change in Chrome involves changing the default of the "SameSite" cookie attribute to "Lax" as explained in [2] and [3]. Because the "SameSite" cookie attribute is a recent addition, most web applications do not set this attribute and thus use the default. Changing the default to "Lax" means that Chrome will not send the cookies that it previously received when the HTTP Request is a cross-site HTTP POST. Such a cross-site HTTP POST is exactly what happens when an IdP uses the SAML HTTP-POST binding to send a SAML Response to an SP. This means that an SP that requires a (session) cookie when receiving the SAML Response on its ACS Location using the HTTP-POST binding will break.<br>
><br>
> A similar issue exists in OpenID Connect for RPs that use the form_post response mode and that require a (session) cookie. These are typically RPs using Microsoft OpenID Connect libraries. Other OpenID Connect implementations use HTTP GET exclusively, which is allowed cross-domain by "SameSite=Lax".<br>
><br>
> We have been discussing this internally at SURFnet and several people from the closed fog list contributed to the discussions. Because this could affect many SPs, and would require changes at those SPs, we concluded that this deserves wider attention, hence this post.<br>
><br>
> How to test whether a SP is affected?<br>
> 1. Download the Chrome 76 beta (<a href="https://www.google.com/chrome/beta/" rel="noreferrer" target="_blank">https://www.google.com/chrome/beta/</a>)<br>
> 2. Open "chrome://flags/" and set the experimental "SameSite by default cookies" flag to "Enabled".<br>
> 3. Log in to the SP you want to test.<br>
> 4. (optional) Share the results<br>
><br>
> The obvious fix is adding a "SameSite=None" attribute to the Set-Cookie HTTP header in the HTTP Response. This re-enables the old cookie behaviour in Chrome and should not affect other browsers. Unfortunately "SameSite=None" currently breaks Safari browsers [4], complicating rolling out this fix now.<br>
><br>
> You can add the SameSite attribute from the web application itself, or on the web server or load balancer:<br>
> - Apache 2: Header always edit Set-Cookie (.*) "$1; SameSite=None"<br>
> - Nginx: proxy_cookie_path ~(.*) "$1; SameSite=None";<br>
> - HAProxy: rspirep ^(set-cookie:.*) \1;\ SameSite=None<br>
><br>
> Another, more involved, fix is not relying on cookies for the SAML HTTP-POST binding by:<br>
> - setting the session ID in the ID element of the AuthnRequest, or<br>
> - setting the session ID in the RelayState parameter<br>
><br>
> An (incomplete) list of SP software that is affected:<br>
> - SimpleSAMLphp<br>
> - Shibboleth, depending on the configuration<br>
> - SATOSA [5]<br>
><br>
> Notes:<br>
> - If you use cookie based load balancing, your LB cookie is affected as well<br>
> - Setting the SameSite attribute is supported since PHP 7.3.0 [6]<br>
><br>
> Kind regards,<br>
><br>
> Pieter.<br>
><br>
><br>
> [1] <a href="https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html" rel="noreferrer" target="_blank">https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html</a><br>
> [2] <a href="https://web.dev/samesite-cookies-explained/" rel="noreferrer" target="_blank">https://web.dev/samesite-cookies-explained/</a><br>
> [3] <a href="https://tools.ietf.org/html/draft-west-cookie-incrementalism-00" rel="noreferrer" target="_blank">https://tools.ietf.org/html/draft-west-cookie-incrementalism-00</a><br>
> [4] <a href="https://bugs.webkit.org/show_bug.cgi?id=198181" rel="noreferrer" target="_blank">https://bugs.webkit.org/show_bug.cgi?id=198181</a><br>
> [5] <a href="https://github.com/IdentityPython/SATOSA/issues/245" rel="noreferrer" target="_blank">https://github.com/IdentityPython/SATOSA/issues/245</a><br>
> [6] <a href="https://www.php.net/manual/en/session.configuration.php" rel="noreferrer" target="_blank">https://www.php.net/manual/en/session.configuration.php</a><br>
><br>
> --<br>
> Pieter van der Meulen (<a href="mailto:Pieter.vanderMeulen@surfnet.nl" target="_blank">Pieter.vanderMeulen@surfnet.nl</a>)<br>
> SURFnet (Trust & Security) - <a href="http://www.surfnet.nl" rel="noreferrer" target="_blank">www.surfnet.nl</a><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br></blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote></div>
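<div>The cookie rules this thread is about, as an added example (not code from the thread or from any SP software named in it): a small Python model of whether an SP's session cookie reaches its ACS Location on the IdP's cross-site POST under the old default, the Lax-by-default plan, and the WebKit bug, plus the proxy-style fix that appends SameSite=None (with Secure, which the cookie-incrementalism draft [3] also requires). The policy labels and the sample Set-Cookie header are constructed for the example.</div>

```python
"""Model of the SameSite rules behind the SAML HTTP-POST / form_post breakage.
Constructed example; policy labels and the sample header are not from the thread."""

OLD_DEFAULT = "old"            # pre-change browsers: no attribute => unrestricted
LAX_DEFAULT = "lax_default"    # Chrome 76 flag / M80 plan: no attribute => Lax
WEBKIT_BUG = "webkit198181"    # Safari 12 / iOS 12: unrecognized value => Strict


def parse_samesite(set_cookie_header):
    """Return the SameSite attribute value of a Set-Cookie header, or None."""
    for attr in set_cookie_header.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value
    return None


def sent_on_cross_site_post(samesite, policy):
    """True if a cookie with this SameSite value (None = attribute absent) is
    attached to a cross-site top-level POST, e.g. the IdP posting a SAML Response."""
    value = samesite.lower() if samesite else None
    if policy == WEBKIT_BUG and value not in (None, "lax", "strict"):
        value = "strict"        # the bug: "None" is unrecognized and becomes Strict
    if value is None:
        value = "lax" if policy == LAX_DEFAULT else "none"
    # Lax withholds the cookie on a cross-site POST (an unsafe method), Strict on
    # every cross-site request; only None lets the ACS see the session cookie.
    return value == "none"


def acs_login_succeeds(set_cookie_header, policy):
    """Does an SP that needs this session cookie at its ACS Location still work?"""
    return sent_on_cross_site_post(parse_samesite(set_cookie_header), policy)


def add_samesite_none(set_cookie_header):
    """The proxy-level fix from the thread (cf. the Apache/nginx rules), made
    idempotent and adding Secure, which the incrementalism draft requires."""
    if parse_samesite(set_cookie_header) is not None:
        return set_cookie_header        # already explicit; do not duplicate it
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    header = set_cookie_header if "secure" in attrs else set_cookie_header + "; Secure"
    return header + "; SameSite=None"


if __name__ == "__main__":
    cookie = "sp_session=abc123; Path=/; HttpOnly"   # constructed sample header
    for policy in (OLD_DEFAULT, LAX_DEFAULT, WEBKIT_BUG):
        print(policy, "as-is:", acs_login_succeeds(cookie, policy),
              "with fix:", acs_login_succeeds(add_samesite_none(cookie), policy))
```

Running it shows the two failure modes side by side: the unfixed cookie breaks only under Lax-by-default, while the SameSite=None fix breaks only on the buggy WebKit.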