<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 24, 2021 at 9:40 AM Brian Campbell <<a href="mailto:bcampbell@pingidentity.com">bcampbell@pingidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks Sam!<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 24, 2021 at 10:14 AM Sam Goto <<a href="mailto:goto@google.com" target="_blank">goto@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 24, 2021 at 8:49 AM Brian Campbell via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>I've got a little something for Open Discussion, if time and circumstance permit. Does anyone have a good understanding of how CORS will be impacted by the impending death of 3rd party cookies? Seems that by very definition cookies are 3rd party in the context of CORS and the same kinds of privacy/tracking concerns are applicable, which suggests that cookies will just stop being sent and/or accepted with CORS requests/responses. But I find myself second guessing that assumption and feeling rather uncertain about my grasp of the mechanics of all this stuff (and life in general, if I'm being honest). 
Anyway, I'm hopeful that someone on the call with better or more authoritative knowledge could explain the impacts for the benefit of all.</div></div></blockquote><div><br></div><div>I'll ask around more concretely about CORS (genuinely don't know what the answer is to this question), but here are the guiding principles (and, as such, don't quite go over sequencing in detail) that are behind the constraints that are being placed:</div><div><br></div></div></div></blockquote></div></blockquote><div><br></div><div>I'm still asking around about the details here so that I can say things with more confidence (and ideally just point to something that has already been posted), but my early investigation makes me believe that indeed CORS XmlHttpRequests are going to be impacted by 3rd party cookies. Here is my understanding so far (that I'm trying to gather from the <a href="https://blog.chromium.org/2019/10/developers-get-ready-for-new.html">SameSite cookies blog post</a> and the <a href="https://web.dev/digging-into-the-privacy-sandbox/">privacy sandbox deep dive</a> and the <a href="https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html">building a more private web</a>):</div><div><br></div><div>- Cookies are already, right now, not sent on CORS XmlHttpRequests, unless you specify SameSite=None </div><div>- When third party cookies go away, they'll go away too in CORS XmlHttpRequests (in that, IIUC, even if you specify SameSite=None, they won't be sent)</div><div>- IIUC, it is already the case in Safari that CORS isn't sent with third party cookies (<a href="https://stackoverflow.com/questions/28238896/apple-safari-still-not-setting-3rd-party-domain-cors-cookies">informal investigation</a>)</div><div><br></div><div>This is my own personal investigation, so take this with a grain of salt: I'm probably incorrect here and will follow up with a more precise / confident answer.</div><div><br></div><div>But, if this interpretation is correct, the two
questions that may be worth asking are:</div><div><br></div><div>- What concretely does OpenID use in specs with CORS and XmlHttpRequests?</div><div>- How does it degrade when it is running in a browser that already doesn't support it?</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div></div><div><a href="https://github.com/michaelkleber/privacy-model" target="_blank">https://github.com/michaelkleber/privacy-model</a><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div> <br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 23, 2021 at 9:27 AM Tim Cappalli via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Hi all,</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Here's the agenda for tomorrow.<br>
</span><span style="margin:0px;font-family:Arial,Helvetica,sans-serif;color:rgb(0,0,0)"><br>
</span></p>
<div>
<div>* Intros, reintros, agenda bash</div>
<div>* Review <a href="https://docs.google.com/document/d/1z9Plb3ntW8s_dg9SSjd6Z7_88I4KhVjaGYYSoEYC40Y" title="https://docs.google.com/document/d/1z9Plb3ntW8s_dg9SSjd6Z7_88I4KhVjaGYYSoEYC40Y" target="_blank">known use case list</a> and request for contributions</div>
<div>* Review submitted use cases</div>
<div>* Topics for next call</div>
<div>* Open Discussion</div>
</div>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Meeting Link: <a href="https://global.gotomeeting.com/join/379258645" rel="noopener noreferrer" style="margin:0px;color:rgb(5,99,193);text-decoration:underline" target="_blank"><span style="margin:0px;padding:0in;border:1pt none windowtext">https://global.gotomeeting.com/join/379258645</span></a> | <a href="https://www.timeanddate.com/worldclock/converter.html?iso=20210113T190500&p1=22&p2=248&p3=236&p4=438&p5=776&p6=16&p7=1440&p8=43&p9=24&p10=220&p11=234" rel="noopener noreferrer" title="https://www.timeanddate.com/worldclock/converter.html?iso=20210113T190500&p1=22&p2=248&p3=236&p4=438&p5=776&p6=16&p7=1440&p8=43&p9=24&p10=220&p11=234" style="margin:0px;color:rgb(5,99,193);text-decoration:underline" target="_blank"><span style="margin:0px;padding:0in;border:1pt none windowtext">Time</span></a></span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Meeting Agenda / Notes Page: <a href="https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call%20-%2020210324" id="gmail-m_7004172474700244270gmail-m_312699959657181371gmail-m_-3499944868853998633gmail-m_-1869271919700791368gmail-m_1641433147123875948gmail-m_2874940335059583423LPlnk673047" target="_blank">openid / connect / wiki / Browser
Interactions Special Topics Call - 20210324 — Bitbucket</a></span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"><br>
</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Meeting Landing Page: <a href="https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call" rel="noopener noreferrer" style="margin:0px;color:rgb(5,99,193);text-decoration:underline" target="_blank">openid / connect / wiki / Browser Interactions Special Topics Call — Bitbucket</a></span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"><br>
</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:none 0% 0% repeat scroll white">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">tim</span></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>
<br>
<i style="margin:0px;padding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:baseline;background:none 0% 0% repeat scroll rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:baseline;background:none 0% 0% repeat scroll transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i>
</blockquote></div></div>
</blockquote></div>
<br>
</blockquote></div></div>
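<p>The cookie rules discussed in this thread, as an added example that is not part of the original e-mails: a simplified JavaScript model of when a browser attaches a stored cookie to a fetch()/XMLHttpRequest call, which separates "cross-origin" (what CORS governs) from "cross-site" (what SameSite and third-party cookie blocking govern). The function names and the rp.example / op.example hosts are hypothetical; the model approximates a site by the last two host labels instead of the Public Suffix List and assumes the cookie's domain already matches the request host.</p>

```javascript
// Added example: simplified model of a browser's decision to attach a stored
// cookie to a fetch()/XMLHttpRequest call. Names and hosts are hypothetical.

// Assumption: "site" is the last two host labels; real browsers use the
// Public Suffix List to find the registrable domain.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// cookie: { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
// credentials: 'omit' | 'same-origin' | 'include'
//   (XHR withCredentials=true maps to 'include', false to 'same-origin').
// blockThirdParty: true for a browser that blocks third-party cookies.
function cookieSent({ pageUrl, requestUrl, cookie, credentials, blockThirdParty }) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const crossOrigin = page.origin !== req.origin;            // CORS boundary
  const crossSite = siteOf(pageUrl) !== siteOf(requestUrl);  // SameSite boundary

  if (credentials === 'omit') return false;
  if (crossOrigin && credentials !== 'include') return false;
  if (cookie.secure && req.protocol !== 'https:') return false;
  if (!crossSite) return true; // cross-origin but same-site is still first-party

  // Cross-site request: only "SameSite=None; Secure" cookies qualify. A missing
  // attribute is treated as Lax (the Chrome default in the linked blog post).
  const sameSite = cookie.sameSite || 'Lax';
  if (sameSite !== 'None' || !cookie.secure) return false;
  return !blockThirdParty;
}

// Constructed scenarios: a relying-party page calling an OP endpoint.
function scenarios() {
  const rp = 'https://rp.example/app';
  const op = 'https://op.example/session';
  const none = { sameSite: 'None', secure: true };
  const call = (o) => cookieSent({ pageUrl: rp, requestUrl: op, cookie: none,
    credentials: 'include', blockThirdParty: false, ...o });
  return {
    noAttribute: call({ cookie: { secure: true } }),
    noneSecure: call({}),
    noneSecureBlocked: call({ blockThirdParty: true }),
    withoutCredentials: call({ credentials: 'same-origin' }),
    sameSiteSubdomain: call({ pageUrl: 'https://app.rp.example/',
      requestUrl: 'https://api.rp.example/data',
      cookie: { sameSite: 'Lax', secure: true }, blockThirdParty: true }),
  };
}
console.log(scenarios());
```
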