<div dir="ltr"><div>For the record:</div><div>the same-site cookie issue was raised on the refeds mailing list that unfortunately does not have a public archive; the impact seemed not very severe from what I remember.<br></div><div><br></div><div>Also, on the ITP issue there's a doc that Vittorio requested input for earlier:</div><div><a href="https://docs.google.com/document/d/1Rs--DFzZj_SfQjtz8oH9DlLII0ra3viMEHrK7sKsaiU/edit?usp=sharing">https://docs.google.com/document/d/1Rs--DFzZj_SfQjtz8oH9DlLII0ra3viMEHrK7sKsaiU/edit?usp=sharing</a><br>and:<br><a href="https://github.com/whatwg/html/issues/3338#issuecomment-434117847">https://github.com/whatwg/html/issues/3338#issuecomment-434117847</a><br><br></div><div>Hans.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Aug 21, 2019 at 8:36 PM Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">





<div lang="EN-US">
<div class="m_-1751293978979200110gmail-m_-4007239262557007797WordSection1">
<p class="MsoNormal">I wanted to bring two planned browser changes to the working group’s attention for your discussion and feedback.  I believe that both of these could affect OpenID Connect (and other federated identity) deployments.</p>
<ol style="margin-top:0in" start="1" type="1">
<li class="m_-1751293978979200110gmail-m_-4007239262557007797MsoListParagraph" style="margin-left:0in">Chrome plans to treat cookies as SameSite=Lax by default if no SameSite attribute is specified. This is described at
<a href="https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/AknSSyQTGYs/SSB1rTEkBgAJ" target="_blank">
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/AknSSyQTGYs/SSB1rTEkBgAJ</a>.  As it says there, developers would be able to opt into the status quo of unrestricted use by explicitly asserting SameSite=None.</li></ol>
<ol style="margin-top:0in" start="2" type="1">
<li class="m_-1751293978979200110gmail-m_-4007239262557007797MsoListParagraph" style="margin-left:0in">WebKit/Safari plans to change cookie handling to prevent tracking.  As described at
<a href="https://webkit.org/tracking-prevention-policy/#unintended-impact" target="_blank">https://webkit.org/tracking-prevention-policy/#unintended-impact</a>, this is expected to affect “Federated login using a third-party login provider”.</li></ol>
<p class="MsoNormal">Some questions:</p>
<ul style="margin-top:0in" type="disc">
<li class="m_-1751293978979200110gmail-m_-4007239262557007797MsoListParagraph" style="margin-left:0in">Are people tracking these developments and their expected impacts?</li><li class="m_-1751293978979200110gmail-m_-4007239262557007797MsoListParagraph" style="margin-left:0in">Might code changes be needed to keep things working, and if so, what are they?</li><li class="m_-1751293978979200110gmail-m_-4007239262557007797MsoListParagraph" style="margin-left:0in">Should we be communicating with the Chrome and WebKit developers about the needs of federated identity in advance of these proposed changes?</li></ul>
<p class="MsoNormal">-- Mike</p>
</div>
</div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="m_-1751293978979200110gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div><div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br></div></div></div></div></div></div></div>
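<div>Item 1 of the quoted message, modelled as an added example (not part of the original thread, and not Chrome's code): it parses Set-Cookie headers and reports which kinds of cross-site request stop carrying each cookie once a missing SameSite attribute is treated as Lax. The cookie names, the function names and the three request kinds are assumptions made for illustration.</div>

```javascript
// Added example. Cookie names and values below are constructed samples.
const SAMPLE_HEADERS = [
  'op_session=abc123; Path=/; Secure; HttpOnly',                // no SameSite
  'op_session=abc123; Path=/; Secure; HttpOnly; SameSite=None', // explicit opt-out
  'rp_csrf=xyz789; Path=/; Secure; SameSite=Strict',
];
const KINDS = ['top-level-get', 'top-level-post', 'iframe'];

// Split a Set-Cookie value into its name and lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: pair.slice(0, pair.indexOf('=')), attrs };
}

// Mode the browser enforces. laxByDefault=false is the status quo (no attribute
// means unrestricted); true is the planned default. Assumption: an unrecognised
// value is handled like a missing attribute.
function effectiveSameSite(attrs, laxByDefault) {
  const v = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (['strict', 'lax', 'none'].includes(v)) return v;
  return laxByDefault ? 'lax' : 'none';
}

// Plain SameSite semantics for a cross-site request; browser-specific
// transitional exceptions are not modelled.
function sentCrossSite(mode, kind) {
  if (mode === 'none') return true;
  return mode === 'lax' && kind === 'top-level-get';
}

// For each header: enforced mode before/after, and which cross-site request
// kinds stop carrying the cookie once the default changes.
function audit(headers) {
  return headers.map((h) => {
    const { name, attrs } = parseSetCookie(h);
    const before = effectiveSameSite(attrs, false);
    const after = effectiveSameSite(attrs, true);
    const lost = KINDS.filter((k) => sentCrossSite(before, k) && !sentCrossSite(after, k));
    return { name, before, after, lost };
  });
}

console.log(audit(SAMPLE_HEADERS));
```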