<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 24, 2021 at 12:19 PM Sam Goto <<a href="mailto:goto@google.com">goto@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 24, 2021 at 9:40 AM Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks Sam!<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 24, 2021 at 10:14 AM Sam Goto <<a href="mailto:goto@google.com" target="_blank">goto@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 24, 2021 at 8:49 AM Brian Campbell via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>I've got a little something for Open Discussion, if time and circumstance permit. Does anyone have a good understanding of how CORS will be impacted by the impending death of 3rd party cookies? Seems that by very definition cookies are 3rd party in the context of CORS and the same kinds of privacy/tracking concerns are applicable, which suggests that cookies will just stop being sent and/or accepted with CORS requests/responses. But I find myself second guessing that assumption and feeling rather uncertain about my grasp of the mechanics of all this stuff (and life in general, if I'm being honest). Anyway, I'm hopeful that someone on the call with better or more authoritative knowledge could explain the impacts for the benefit of all.</div></div></blockquote><div><br></div><div>I'll ask around more concretely about CORS (genuinely don't know what the answer is to this question), but here are the guiding principles (and, as such, don't quite go over sequencing in detail) that is behind the constraints that are being placed:</div><div><br></div></div></div></blockquote></div></blockquote><div><br></div><div>I'm still asking around about the details here so that I can say things with more confidence (and ideally just point to something that has already been posted), but my early investigation makes me believe that indeed CORS XmlHttpRequests are going to be impacted by 3rd party cookies. Here is my understanding so far (that I'm trying to gather from the <a href="https://blog.chromium.org/2019/10/developers-get-ready-for-new.html" target="_blank">SameSite cookies blog post</a> and the <a href="https://web.dev/digging-into-the-privacy-sandbox/" target="_blank">privacy sandbox deep dive</a> and the <a href="https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html" target="_blank">building a more private web</a>):</div><div><br></div><div>- Cookies are already, right now, not sent on CORS XmlHttpRequests, unless you specify SameSite=None </div><div>- When third party cookies go away, they'll go away too in CORS XmlHttpRequests (in that, IIUC, even if you specify SameSite=None, they won't be sent)</div><div>- IIUC, it is already the case in Safari that CORS isn't sent with third party cookies (<a href="https://stackoverflow.com/questions/28238896/apple-safari-still-not-setting-3rd-party-domain-cors-cookies" target="_blank">informal investigation</a>)</div><div><br></div><div>This is my own personation investigation, so take this with a grain of salt: I'm probably incorrect here and will follow up with a more precise / confident answer.</div><div><br></div><div>But, if this interpretation is correct, the two questions that may be worth asking are:</div><div><br></div><div>- What concretely does OpenID use in specs with CORS and XmlHttpRequests?</div></div></div></blockquote><div><br></div><div>As I mentioned on the call, there's not a concrete usage in the specs themselves. But there are some API driven login flows that seem to be becoming popular, which might make use of cookies vai CORS (depending on how they are deployed). Here are some docs on one such API <a href="https://docs.pingidentity.com/bundle/pingfederate-101/page/elz1592262150859.html">https://docs.pingidentity.com/bundle/pingfederate-101/page/elz1592262150859.html</a> <br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div>- How does it degrade when it is running in a browser that already doesn't support it?</div></div></div></blockquote><div><br></div><div>I don't know the exact failure mode and would probably lump it into the "just doesn't work" category. The first "Note" in the docs I linked above hints at this and basically suggests making things 1st party to work, "To avoid issues with third-party cookies in some browsers, give the authentication
application the same parent domain as the PingFederate base URL." <br></div><div><br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div></div><div><a href="https://github.com/michaelkleber/privacy-model" target="_blank">https://github.com/michaelkleber/privacy-model</a><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div> <br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 23, 2021 at 9:27 AM Tim Cappalli via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Hi all,</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Here's the agenda for tomorrow.<br>
</span><span style="margin:0px;font-family:Arial,Helvetica,sans-serif;color:rgb(0,0,0)"><br>
</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
</p>
<div>* Intros, reintros, agenda bash
<div>* Review <a href="https://docs.google.com/document/d/1z9Plb3ntW8s_dg9SSjd6Z7_88I4KhVjaGYYSoEYC40Y" title="https://docs.google.com/document/d/1z9Plb3ntW8s_dg9SSjd6Z7_88I4KhVjaGYYSoEYC40Y" target="_blank">
known use case list</a> and request for contributions</div>
<div></div>
<div>* Review submitted use cases</div>
<div>* Topics for next call</div>
* Open Discussion<br>
</div>
<div style="margin:0px;font-size:15px;color:rgb(32,31,30);background-color:rgb(255,255,255)">
</div>
<p style="margin-top:0px;margin-bottom:0px;color:rgb(32,31,30);font-size:15px;background-color:rgb(255,255,255)">
</p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Meeting Link: <a href="https://global.gotomeeting.com/join/379258645" rel="noopener noreferrer" style="margin:0px;color:rgb(5,99,193);text-decoration:underline" target="_blank"><span style="margin:0px;padding:0in;border:1pt none windowtext">https://global.gotomeeting.com/join/379258645</span></a> | <a href="https://www.timeanddate.com/worldclock/converter.html?iso=20210113T190500&p1=22&p2=248&p3=236&p4=438&p5=776&p6=16&p7=1440&p8=43&p9=24&p10=220&p11=234" rel="noopener noreferrer" title="https://www.timeanddate.com/worldclock/converter.html?iso=20210113T190500&p1=22&p2=248&p3=236&p4=438&p5=776&p6=16&p7=1440&p8=43&p9=24&p10=220&p11=234" style="margin:0px;color:rgb(5,99,193);text-decoration:underline" target="_blank"><span style="margin:0px;padding:0in;border:1pt none windowtext">Time</span></a></span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Meeting Agenda / Notes Page: <a href="https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call%20-%2020210324" id="gmail-m_-7129272374519623489gmail-m_7004172474700244270gmail-m_312699959657181371gmail-m_-3499944868853998633gmail-m_-1869271919700791368gmail-m_1641433147123875948gmail-m_2874940335059583423LPlnk673047" target="_blank">openid / connect / wiki / Browser
Interactions Special Topics Call - 20210324 — Bitbucket</a></span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"><br>
</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Meeting Landing Page: </span><span style="margin:0px;font-family:Arial,sans-serif;color:rgb(47,85,151)"><a href="https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call" rel="noopener noreferrer" style="margin:0px;color:rgb(5,99,193);text-decoration:underline" target="_blank"><span style="margin:0px;padding:0in;border:1pt none windowtext;color:rgb(47,85,151)">openid
/ connect / wiki /<span style="margin:0px"> </span><span style="margin:0px">Browser</span><span style="margin:0px"> </span><span style="margin:0px">Interactions</span> <span style="margin:0px">Special</span> <span style="margin:0px">Topic</span>s
Call — Bitbucket</span></a></span><span style="margin:0px;font-family:Arial,sans-serif;color:black"></span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"><br>
</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">tim</span></p>
</div>
<div>
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="gmail-m_-7129272374519623489gmail-m_7004172474700244270gmail-m_312699959657181371gmail-m_-3499944868853998633gmail-m_-1869271919700791368gmail-m_1641433147123875948gmail-m_2874940335059583423Signature">
<div name="divtagdefaultwrapper">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="font-weight:normal;text-align:start"></div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>
<br>
<i style="margin:0px;padding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:baseline;background:rgb(255,255,255) none repeat scroll 0% 0%;font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:baseline;background:transparent none repeat scroll 0% 0%;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div></div>
</blockquote></div>
<br>
<i style="margin:0px;padding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:baseline;background:rgb(255,255,255) none repeat scroll 0% 0%;font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:baseline;background:transparent none repeat scroll 0% 0%;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i></blockquote></div></div>
</blockquote></div></div>
<br>
<i style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i>