Page MenuHomePhabricator
Create Task
Maniphest T257803

Chrome's "Block third-party cookies" option breaks CentralAuth edge login / autologin
Closed, InvalidPublic
Actions

Assigned To
None
Authored By
Tgr
Jul 13 2020, 10:47 AM
Tags
Referenced Files
F31938416: samesite-sandbox-no-block-3rdparty.png
Jul 17 2020, 1:20 PM
F31938418: samesite-sandbox-block-3rdparty.png
Jul 17 2020, 1:20 PM
F31935072: chrome-block-3rd-party-cookies.png
Jul 14 2020, 2:01 PM
F31933423: chrome block third parties.png
Jul 13 2020, 10:47 AM
Subscribers
Aklapper
BEANS-X2
matmarex
mdaniels5757
Samwalton9-WMF
Tgr
ThurnerRupert

Description

Steps to reproduce:

  • open Chrome in incognito mode
  • enable "Block third-party cookies" option
  • log in on en.wikipedia.org
  • visit other projects

(Alternatively, enable "Block third party cookies" in the browser settings.)

Results:

  • local login works
  • second-level domain login (e.g. de.wikipedia.org) works
  • edge login (e.g. en.wiktionary.org, being logged in immediately after arrival) does not work
  • autologin (being logged in a few seconds after arrival) does not work
  • autologin when visiting Special:Userlogin does not work

While this is currently an opt-in feature, a 2020 January Chrome blog post says "Once [privacy-preserving and open-standard mechanisms like the Privacy Sandbox] have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years." so this is probably the sign of things to come for the default browsing experience as well.

chrome block third parties.png (740×1 px, 62 KB)
chrome-block-3rd-party-cookies.png (380×1 px, 58 KB)

Related Objects

Event Timeline

Tgr created this task.Jul 13 2020, 10:47 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 13 2020, 10:47 AM
Tgr renamed this task from Chrome's "Block third-party cookies" option breaks CentralAuth edge login to Chrome's "Block third-party cookies" option breaks CentralAuth edge login / autologin.Jul 13 2020, 10:48 AM
Tgr updated the task description. (Show Details)Jul 13 2020, 10:52 AM
Tgr updated the task description. (Show Details)Jul 14 2020, 2:01 PM
BEANS-X2 subscribed.Jul 14 2020, 2:22 PM
Tgr mentioned this in T253620: Logged out after switching between mobile and desktop site on the log-in page and later back again.Jul 14 2020, 4:03 PM
Aklapper added a comment.Jul 15 2020, 10:19 AM

See also slightly related T257803: Chrome's "Block third-party cookies" option breaks CentralAuth edge login / autologin

Tgr added a comment.Jul 15 2020, 11:00 AM
In T257803#6307822, @Aklapper wrote:

See also slightly related T257803: Chrome's "Block third-party cookies" option breaks CentralAuth edge login / autologin

That's this task :)

Aklapper added a comment.Jul 15 2020, 11:07 AM

Garr, sorry, meant T257853 (also authored by you). Thanks! :)

Tgr added a comment.Jul 17 2020, 1:20 PM

Data from https://samesite-sandbox.glitch.me/ (with Chrome 83):

"Block third-party cookies" disabled"Block third-party cookies" enabled
samesite-sandbox-no-block-3rdparty.png (921×1 px, 145 KB)
samesite-sandbox-block-3rdparty.png (872×1 px, 145 KB)

So (as expected) this restriction is different from the SameSite enforcement Chrome is rolling out, and cross-wiki cookies get blocked regardless of their SameSite settings.

mdaniels5757 subscribed.Jul 24 2020, 4:55 PM
Samwalton9-WMF subscribed.Dec 9 2020, 9:28 AM
matmarex mentioned this in T293529: wikipedia uses third-party-cookies - maybe it should not?.Oct 16 2021, 5:32 AM
Aklapper merged a task: T293529: wikipedia uses third-party-cookies - maybe it should not?.Oct 16 2021, 12:06 PM
Aklapper added subscribers: ThurnerRupert, matmarex.
ThurnerRupert merged a task: T293529: wikipedia uses third-party-cookies - maybe it should not?.Oct 16 2021, 12:18 PM
Tgr mentioned this in T326281: Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies).Jan 5 2023, 12:48 AM
ThurnerRupert closed this task as Invalid.Feb 1 2023, 3:38 AM

maybe close this one, T326281 sounds nice enough.

Tgr added a comment.Feb 2 2023, 7:03 AM
In T257803#8576973, @ThurnerRupert wrote:

maybe close this one, T326281 sounds nice enough.

Out of the three broken features:

  • edge login (e.g. en.wiktionary.org, being logged in immediately after arrival) does not work
  • autologin (being logged in a few seconds after arrival) does not work
  • autologin when visiting Special:Userlogin does not work

it will only fix the last one. Then again, not sure there is anything else actionable here - the browser landscape changed to our detriment and we might not be able to do much about it.

Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.Sep 11 2023, 12:08 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL