Page MenuHomePhabricator
Create Task
Maniphest T345249

Mitigate phase-out of third-party cookies in CentralAuth
Open, Needs TriagePublic
Actions

Description

tl;dr CentralAuth autologin (the ability to log in on one wiki and be also logged in everywhere else without having to enter credentials again on every site) has been significantly degraded to a non-trivial fraction of our users due to browsers' anti-tracking measures, and will probably be degraded for everyone by 2024 summer.

Problem description

See T345245: Mitigate phase-out of third-party cookies across MediaWiki in production for context and links to relevant documentation.

CentralAuth uses two session mechanism: cookies set on the shared domain of the wiki family (e.g. on wikipedia.org in the case of en.wikipedia.org) and cookies set on a designated central domain (login.wikimedia.org). The first mechanism is considered as a first-party cookie, and not affected. The second mechanism is considered as a third-party cookie, and is at risk of breaking.

There used to be three workflows using the central domain:

  • After login, the user is redirected to the central domain and back, to invisibly set a session cookie on the central domain.
  • After login, a set of images is included in the page, one for each shared domain other than the current one (e.g. if you log in on en.wikipedia.org, the landing page will embed an image from meta.wikimedia.org, en.wikisource.org, en.wiktionary.org etc.), and each one will go through a redirect cycle of several steps which establishes the user's identity by going to the central domain, then returns to the initial domain and sets session cookies there, essentially logging in the user on all those domains in the background. (This is referred to as "edge login".)
  • If you arrive to a wiki where you are not logged in (either because it's too insignificant to be included in edge login, such as outreach.wikimedia.org, or because edge login didn't work, expired etc), a similar redirect chain happens via a <script> tag; after a successful login it might reload the page, or suggest the user via a notice to reload, or just kind-of simulate a reload by replacing the user menu.
  • A fourth mechanism was added by T326281: Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies): when you are not logged in and visit the login page, the same redirect chain is attempted at the top level.

The first and fourth flow are what browsers call "bounce tracking" or "redirect tracking"; it's mostly allowed today, although definitely within the sight of browser vendors. (It might cause issues in Safari, which does sometimes drastically reduce cookie lifetimes when it detects bounce tracking.) The other two are probably failing in Safari and Firefox, and will fail in Chrome (which is the majority of our traffic) starting mid-2024. (Although they have pushed back the deadline by multiple years already, so there is always the chance of that happening again.)

User impact

Users will have to log in once per "domain family" (wikipedia.org etc), instead of just once. For most users this will probably mean three separate logins: Wikipedia, Commons and Wikidata. (This can be sometimes mitigated by the centralauthtoken API, although it's cumbersome to use.) With a Wikimedia login with the "remember me" option checked lasting for a year, this is a small annoyance for most normal users. Temp users would be cut off from other projects entirely, though - autologin is the only login mechanism for them.

Mitigation options

  • Accept the UX degradation and don't do anything.
  • Accept the UX degradation and don't do anything in general, but improve the most problematic special cases.
    • Turn the centralauthtoken API into something more flexible (e.g. token reusable in multiple requests, less strict time limits).
    • Provide an explicit login mechanism for temp users, maybe something like Facebook's "tap the notification in another device where you are logged in" feature. (With third-party cookie restrictions, there would be no way to detect whether the user is logging in from same device, so this would also mean temp users could be logged in in multiple devices - not sure if that's a good thing or a bad thing.)
  • T335851: Investigate the Federated Credential Management browser API
  • T345589: Investigate the First-Party Sets / Related Website Sets browser API
  • Use popups instead of embedded resources, with requestStorageAccess() which on some browsers (Firefox, at least) have more lax heuristics.
  • Replace the current cross-domain authentication flows with something that involves user interaction with the central domain (i.e. users would have to click on the login link, and then maybe click through an interstitial, but wouldn't have to enter their credentials again). Possibly do all that in a popup. There are a number of unrelated reason why we might want to do this. We could use a more standard indentity provider protocol, such as OpenID Connect.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT345245 Mitigate phase-out of third-party cookies across MediaWiki in production
 OpenNoneT345249 Mitigate phase-out of third-party cookies in CentralAuth
 OpenTgrT345589 Investigate the First-Party Sets / Related Website Sets browser API
 OpenTgrT359926 Test cross-domain cookie access with the Storage Access API and Related Website Sets
 StalledDAlangi_WMFT335851 Investigate the Federated Credential Management browser API
 OpenArielGlennT359947 Test cross-domain authentication with Federated Credentials Management API
 ResolvedTgrT326281 Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies)
 OpenNoneT348388 Use central login wiki for login (SUL3)
 OpenNoneT354482 Clean up login.wikimedia.org ahead of SUL3 login
 OpenNoneT354701 Migrate WebAuthn credentials to loginwiki
 OpenNoneT356614 Do not do central login after security reauthentication
 OpenmatmarexT362706 Display the login / signup page in a popup
 OpenDAlangi_WMFT362713 Implement the new login process which redirects to the central login wiki for showing the login/signup form
 OpenNoneT363411 Run cancreateaccount checks in the context of another wiki
 OpenDAlangi_WMFT363483 Split CentralAuth primary authentication provider into loginwiki and non-loginwiki version
 OpenNoneT362715 Move credentials change to central login wiki
 OpenNoneT363695 Create a Wikimedia login domain that can be served by any wiki
 OpenNoneT363699 Determine SUL 3 login handshake mechanism
 OpenNoneT363706 Register Wikimedia wikis as a Related Website Set
 ResolvedTgrT355621 Gather metrics about the impact of third-party cookie blocking on login
 DuplicatepmiazgaT359948 Test cross-domain cookie access with Storage Access API
 ResolvedTgrT359957 Enroll in Chrome third-party cookies deprecation trial
 OpenNoneT360104 Test cross-domain cookie access with OAuth-style popup + redirect workflow

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptAug 30 2023, 1:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a comment.EditedAug 30 2023, 1:49 PM

There are a number of tasks which are essentially duplicates of this (report this UX degradation for some specific browser / browser setting):

There are also tasks which look similar (all login bugs look similar - you are not logged in) but have different root causes; figuring out which is the case can be tricky. Possible duplicates that would require investigation (although probably not worth the time):

kostajh subscribed.Aug 30 2023, 1:59 PM
Bmueller subscribed.Sep 1 2023, 4:10 PM
Tgr updated the task description. (Show Details)Sep 2 2023, 1:59 PM
Tgr added a comment.EditedSep 2 2023, 2:05 PM

Replace the current cross-domain authentication flows with something that involves user interaction with the central domain (i.e. users would have to click on the login link, and then maybe click through an interstitial, but wouldn't have to enter their credentials again). Possibly do all that in a popup. There are a number of unrelated reason why we might want to do this.

There are a number of unrelated issues with the current cross-domain login process that we could take the opportunity to fix, if we need to make significant changes to the code anyway because of third-party cookie deprecation:

We could probably solve most or all of these by replacing the current workflows with a single dedicated login domain which is always used for login, uses a more standard cross-domain communication process (e.g. OAuth) and is locked down to just a login / signup interface, instead of being a fullblown MediaWiki.

Paladox subscribed.Sep 2 2023, 3:10 PM
larissagaulia moved this task from Inbox, needs triage to Current Sprint on the MediaWiki-Platform-Team board.Sep 4 2023, 1:52 PM
Tgr added a subtask: T345589: Investigate the First-Party Sets / Related Website Sets browser API.Sep 4 2023, 6:08 PM
Tgr added a parent task: T345245: Mitigate phase-out of third-party cookies across MediaWiki in production.Sep 5 2023, 11:36 AM
Tgr added a subtask: T335851: Investigate the Federated Credential Management browser API.Sep 5 2023, 11:40 AM
Tgr updated the task description. (Show Details)
Tgr added a comment.EditedSep 9 2023, 9:57 PM
In T326281#9154372, @Tgr wrote:

Tested by logging in on en.wikipedia.org, then visiting www.mediawiki.org (without "Keep me logged in" option):

Instant (<script>) autologinSpecial:UserLogin (top-level) autologin
Chrome 116 / Win 11works
Chrome 116 / Win 11 & Ubuntu (incognito mode)failsworks
Brave 1.57.62 / Win 11failsworks
Firefox 117 / Win 11 & Ubuntufailsworks
Firefox 117 / Win 11 & Ubuntu (private mode)failsworks
Edge 116 / Win 11works
Edge 116 / Win 11 (InPrivate window)works
Edge 116 / Win 11 (with "Block third-party cookies" option)failsworks
Opera 102 / Win 11works
Opera 102 / Win 11 (private mode)failsworks
Epiphany 44.6 / Ubuntu (as an approximation of Safari 16.4)failsworks
Epiphany 44.6 / Ubuntu (private mode)failsworks
Tgr mentioned this in T344444: CentralAuth login not working on mediawiki.org.Sep 11 2023, 12:35 PM
DAlangi_WMF changed the status of subtask T335851: Investigate the Federated Credential Management browser API from Open to In Progress.Sep 28 2023, 4:21 PM
Tgr changed the status of subtask T335851: Investigate the Federated Credential Management browser API from In Progress to Stalled.Sep 29 2023, 8:16 AM
Tgr mentioned this in T347889: Investigate why CentralAuth edge login fails in browsers that do not block third-party cookies.Oct 2 2023, 4:53 PM
Tgr mentioned this in T47578: CentralAuth does not log you into other projects that you have never visited under certain browser cookie settings.Oct 6 2023, 10:23 PM
Tgr mentioned this in T253620: Logged out after switching between mobile and desktop site on the log-in page and later back again.Oct 7 2023, 6:29 PM
Tgr merged a task: T253620: Logged out after switching between mobile and desktop site on the log-in page and later back again.
Tgr added subscribers: JohanahoJ, mdaniels5757, Krinkle, RhinosF1.
Tgr added subscribers: tstarling, TheDJ.Oct 7 2023, 6:57 PM

Copying over some relevant comments from other tasks (most of which I am merging into this one):

In T255366#8098164, @Tgr wrote:

That said, what they call Network Partitioning is enabled for everyone, and might have performance implications - details are scarce, but it seems to suggest e.g. DNS cache and HTTP cache would be split by referrer domain.

(See also Chrome status, where network partitioning is in origin trial.)
cc @Krinkle - not sure how significant this is for the client-side performance of Wikimedia sites.

In T226797#6877367, @tstarling wrote:

I filed the upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1696095

("Wikipedia SSO auto-login broken by state partitioning")

In T226797#8013020, @RhinosF1 wrote:

We've also had issues at Miraheze now ETP is rolled out. I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1774861 last night for Miraheze.

("Unable to login on miraheze wikis (mediawiki 1.38) with ETP - Standard Enabled")

In T253620#9233062, @Tgr wrote:

[...] cross-domain SameSite handling is identical in Chrome with third-party cookie-blocking on or off (or at least it was as of 2020 July): T257803#6315123 [...] That means login problems affected by cookie blocking user preferences are not SameSite related.

(ref: T252236: Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome)

In T226797#6878225, @TheDJ wrote:

Found this nice resource on storage access technical details, if anyone ever needs to work with that: https://github.com/rchild-okta/itp#storage-access

Tgr added a subtask: T326281: Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies).Oct 7 2023, 6:58 PM
Tgr added subscribers: TonyBallioni, Legoktm.
In T226797#8013018, @Legoktm wrote:

Can we start sketching out what SUL3 would look like? In my head I currently have an idea that the login link will send you to login.wikimedia.org with ?uselang and original URL preserved, then you log in, including 2FA, it redirects you back to where you came from with an OAuth style handshake. Then on another wiki family, you have to click login, but once you hit login.wikimedia.org it immediately redirects you back and you're now logged in. I'm not sure if there's a way to transparently do the wiki logins without redirecting back and forth...

In T226797#8458653, @Tgr wrote:

The next step [after T326281] would be to disable local login entirely on every wiki that is not the central login wiki. We could either keep triggering the central autologin logic from SpecialUserLogin, or make CentralAuthPrimaryAuthenticationProvider return a REDIRECT reponse instead of trying to do password-based authentication (AuthManager already knows to automatically redirect instead of showing the login page if there is only one primary auth provider and it redirects), and manipulate the last leg of autologin so that it redirects back into the normal login process. Still seems fairly easy to do, but all clients which provide their own login UI (e.g. the WMF apps) would have to update their code, and loginwiki would have to be prepared to a user-facing wiki.

I think the end goal should be for loginwiki to be an OIDC provider (standards are nice, makes it easier to understand and test, makes it easier to replace CentralAuth with something else), which it sort of already is via the OAuth extension (T254063: OAuth extension should support OpenID Connect) but we'd probably want CentralAuth to hook into OAuth and suppress the authorization dialog. The login page would then just perform an OIDC handshake and CentralAuthSessionProvider would probably store the OIDC bearer token in a cookie, instead of the current set of cookies.

In T226797#6881167, @Legoktm wrote:

It would be good to incorporate T248339: Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future in any SUL3 plans as well, as another auth problem caused by having multiple login domains.

In T226797#8496963, @TonyBallioni wrote:

Legoktm already told me on IRC the proposed solution here wouldn't start logging logins on loginwiki, but worth pointing out in case anyone thought there should be a CU impact: loginwiki was intentionally excluded from the implementation of tracking logins in the CU table when we made that change a few years ago because it would effectively create global CU. While this has been a steward wishlist item for a while, it doesn't have global consensus and is controversial/would probably need a global RfC to expand the steward mandate. For those unaware, loginwiki currently only tracks account creations in CU, and it was intentionally left that way when other wikis started to track logins.

Tgr mentioned this in T226797: CentralAuth login session and auto-login no longer work across wikis in Safari and Firefox.Oct 7 2023, 6:59 PM
Tgr merged a task: T226797: CentralAuth login session and auto-login no longer work across wikis in Safari and Firefox.
Tgr added subscribers: brion, Jdforrester-WMF, Soda and 41 others.
Tgr added a comment.Oct 7 2023, 7:03 PM

I belatedly realized that the current extent of browser limitations doesn't explain why edge login doesn't work in Chrome (and presumably Edge and Opera, although I haven't tested those) and so that might be an easy fix. Tracking that in T347889: Investigate why CentralAuth edge login fails in browsers that do not block third-party cookies.

Tgr updated the task description. (Show Details)Oct 7 2023, 7:05 PM
Mainframe98 subscribed.Oct 7 2023, 9:08 PM
Tgr mentioned this in T348388: Use central login wiki for login (SUL3).Oct 7 2023, 11:39 PM
Tgr added a subtask: T348388: Use central login wiki for login (SUL3).Oct 7 2023, 11:44 PM
Tgr added a comment.Oct 7 2023, 11:48 PM

Filed T348388: Use central login wiki for login (SUL3) for the likely next step of doing login at a single dedicated domain, which might or might not be necessary to mitigate third-party cookie blocking (in the unlikely case that the First-Party Sets spec gets adopted, we could probably keep the current system) but has so many security and usability benefits that it can be justified even if we assume CentralAuth in its current form keeps working indefinitely.

larissagaulia moved this task from Current Sprint to Within 2 Qs on the MediaWiki-Platform-Team board.Nov 27 2023, 12:42 PM
Tgr mentioned this in T296349: Session not created on VoteWiki when using desktop site with a mobile user agent.Nov 30 2023, 5:26 PM
Tgr added a comment.Dec 27 2023, 1:55 AM

Chrome will disable third-party cookie access for 1% of users starting January 4th, 2024, ie. Thursday next week. (They plan to ramp up to 100% in Q3 2024; hopefully we have migrated away from our current login system by then.) Given Chrome is something like 80% of our userbase, there will probably be some bugs filed about this. In the shorter term, we can't do much about it (and it has already been the situation for a while for Firefox and Safari users), just noting.

ArielGlenn subscribed.Jan 2 2024, 12:45 PM
Tgr added a comment.Jan 17 2024, 4:27 AM
In T345249#9154375, @Tgr wrote:
In T326281#9154372, @Tgr wrote:

Tested by logging in on en.wikipedia.org, then visiting www.mediawiki.org (without "Keep me logged in" option):

Instant (<script>) autologinSpecial:UserLogin (top-level) autologin
Chrome 116 / Win 11works
Chrome 116 / Win 11 & Ubuntu (incognito mode)failsworks
Brave 1.57.62 / Win 11failsworks
Firefox 117 / Win 11 & Ubuntufailsworks
Firefox 117 / Win 11 & Ubuntu (private mode)failsworks
Edge 116 / Win 11works
Edge 116 / Win 11 (InPrivate window)works
Edge 116 / Win 11 (with "Block third-party cookies" option)failsworks
Opera 102 / Win 11works
Opera 102 / Win 11 (private mode)failsworks
Epiphany 44.6 / Ubuntu (as an approximation of Safari 16.4)failsworks
Epiphany 44.6 / Ubuntu (private mode)failsworks

I re-tested this as a preparation for another task, and found that cookies are sent to *.wikimedia.org domains, regardless of whether third-party cookie blocking is enabled in the browser; so e.g. when logging in on en.wikipedia.org and visiting commons.wikimedia.org, I am logged in threre. Tested this on both Chrome and Firefox, both worked. Doesn't seem to happen on any other domains, not even wikipedia.org. It's also happening on *.wikimedia.beta.wmflabs.org, but not e.g. *.wiktionary.beta.wmflabs.org.

No idea what's going on. The potential explanations I can think of is that we are accidentally setting cookies on .wikimedia.org at some *.wikimedia.org wiki (doesn't seem to be happening), that I have somehow configured a local override and forgot about it (can't find any trace of that) or that these domains ended up on some exception list that both Chrome and Firefox are using (sounds plausible for wikimedia.org, but for wmflabs? ).

Tgr added a comment.Jan 17 2024, 4:31 AM

I guess the more likely explanation is that these browsers are using something looser than same-origin (same parent domain?) for third-party cookie blocking, so loginwiki and other wikimedia.org wikis are considered in the same security bucket.

ArielGlenn added a comment.Jan 17 2024, 11:42 AM

Verified for Firefox: I logged out, deleted all *wik*org cookies except for non SUL sites (phab, etherpad and so on), set Enhanced Tracking Protection to "custom" and chose "All cross-site cookies" (see image below). After login at en.wikipedia, after the end of the redirect/session creation chain for commons.wikimedia.org, I have session cookies for commons with session id, UserId, UserName stored locally. When I go to visit commons,wm.o, these cookies are sent to the web server and I am logged in as a result.
Firefox version: 121.0, linux.

Screenshot from 2024-01-17 13-32-27.png (659×873 px, 55 KB)

Tgr mentioned this in T355280: Try to connect to central session before temp user creation.Jan 18 2024, 3:59 AM
Tgr mentioned this in T355621: Gather metrics about the impact of third-party cookie blocking on login.Jan 29 2024, 8:42 AM
Tgr added a subtask: T355621: Gather metrics about the impact of third-party cookie blocking on login.
Tgr closed subtask T355621: Gather metrics about the impact of third-party cookie blocking on login as Resolved.Jan 30 2024, 11:34 PM
Universal_Omega subscribed.Feb 4 2024, 8:53 PM
AllUsernamesArePicked subscribed.Feb 17 2024, 10:34 AM
Johannnes89 subscribed.Feb 21 2024, 3:38 PM
Vermont subscribed.Feb 22 2024, 1:12 AM
A_smart_kitten subscribed.Feb 23 2024, 4:37 PM
Tgr merged a task: T256525: Stay logged in doesn’t work, global login doesn’t work on different projects.Mar 5 2024, 1:27 PM
Tgr added subscribers: Ferdi2005, Afnecors, Draceane and 4 others.
Tgr added a subtask: T359926: Test cross-domain cookie access with the Storage Access API and Related Website Sets.Mar 12 2024, 12:06 PM
Tgr added a subtask: T359947: Test cross-domain authentication with Federated Credentials Management API.Mar 12 2024, 2:56 PM
Tgr added a subtask: T359948: Test cross-domain cookie access with Storage Access API.Mar 12 2024, 3:03 PM
Tgr added a comment.Mar 12 2024, 5:18 PM

Next step is to test the relevant browser APIs:

spec investigationtestbrowserfunctionality
RWST345589T359926Chromecookie access, probably on par with current
FedCMT335851T359947Chrome, Edge, Opera (maybe Firefox soon?)browser-mediated identity checks
Storage AccessT359948all moderncookie access after user interaction

Also Chrome offers a deprecation trial to delay when they apply third-party cookie blocking, and we have no reason not to make use of that (we can opt out of it later if we want) so we'll apply: T359957: Enroll in Chrome third-party cookies deprecation trial

Novem_Linguae unsubscribed.Mar 12 2024, 9:50 PM
Krinkle added a comment.Mar 13 2024, 10:22 PM

@Tgr Do we need a test for the top-level redirect chain as well? (i.e. OAuth-like, but using our existing code for the most part)

It sounds most like T359948: Test cross-domain cookie access with Storage Access API but there it says:

Maybe also check if we can avoid permission popups by relying on heuristics-based cookie blocking exceptions. […] But given that those exceptions are temporary, this might not be worth the effort.

Have any of Google, Apple or Mozilla announced an intent to deprecate or break OAuth-like redirects? This approach seems to me the most sustainable long-term. It would rely on proven technology, require no special vendor permission, and would show a UX that is least novel/surprising compared to other websites. I.e. the idea that you ocasionally click "Log in" on an affiliated site and choose your identity on loginwiki and bounce back.

I worry about introducing permission prompts into the UX, in particular the wording they might use and how that reflects on Wikipedia, at a time that virtually no major consumer sites use any of these three approaches (afaik).

Tgr added a comment.Mar 13 2024, 11:33 PM
In T345249#9628846, @Krinkle wrote:

Have any of Google, Apple or Mozilla announced an intent to deprecate or break OAuth-like redirects?

I think for Google at least the intent is quite clear. (The other two in general communicate much less about this topic; Google has a whole website dedicated to its privacy plans.) Their recommended replacements for authentication are RWS, FedCM and using a single domain.

OAuth-like experiences using anything other than a top-level redirect fall under their heuristics based exceptions policy, which they very clearly present as a temporary option. Top-level redirects fall under their bounce tracking mitigations policy which is permanent (or at least I haven't seen it described as temporary so far).

Do we need a test for the top-level redirect chain as well?

You are right that this is another potentially viable option (besides RWS, FedCM, the Storage API, and - for a while - heuristics based exceptions). I'm not sure what exactly we should be testing, though. We know it works (to some extent) - we are already using it in production. Bounce tracking mitigations were only rolled out in October 2023 (and then only for users with third-party cookie blocking, which had to be enabled manually until recently), so maybe it's working less now and we didn't notice? I guess that's worth checking. But we can do that in production, I don't think a test site would have much point.

(An extra source of uncertainty is that there is overlap between the heuristics based exceptions and bounce tracking, so I don't think we have a reliable way to tell what will happen once those exceptions go away.)

at a time that virtually no major consumer sites use any of these three approaches

Google's "Sign in with Google" popup will transition to FedCM soon, that's used by lots of largish sites (Medium for example).

We could have a look at what other SSO services say publicly about how they will handle the Privacy Sandbox changes.

This approach [OAuth-like redirects] seems to me the most sustainable long-term.

I suppose that depends on your definition of sustainable.
RWS would probably give us more power than any other option, although only on certain browsers. FedCM would probably take the minimal amount of effort in the long term, but as you point out it's at the cost of some loss of control.

Tgr added a comment.Mar 13 2024, 11:36 PM

I don't think a test site would have much point.

On second thought, one thing we might want to test is how redirects behave within programmatically opened popups. Top-level redirects in the main browser window are hard to use because they disrupt client-side state. Opening a popup and doing the redirect there is much more versatile, but I'm not 100% sure that would still be considered "top-level".

I'll file a task about that.

Tgr added a comment.Mar 14 2024, 3:53 PM
In T345249#9628930, @Tgr wrote:

I'll file a task about that.

T360104: Test cross-domain cookie access with OAuth-style popup + redirect workflow

kostajh mentioned this in T334623: How do we log unsuccessful first edits for temporary users?.Mar 22 2024, 1:17 PM
Daimona subscribed.Mar 22 2024, 1:53 PM
Tchanders mentioned this in T360870: How should we represent actors that do something loggable but don't create a temp account?.Mar 25 2024, 9:44 AM
fnegri subscribed.Mar 26 2024, 9:43 AM
Tgr added a subtask: T359957: Enroll in Chrome third-party cookies deprecation trial.Mar 28 2024, 9:15 PM
Tgr added a comment.Mar 29 2024, 10:34 AM

With third-party cookie blocking enabled, after a central login, Chrome's Issues tab says this:

Chrome may soon delete state for intermediate websites in a recent navigation chain
In a recent navigation chain, one or more websites accessed some form of local storage without prior user interaction. If these websites don't get such an interaction soon, Chrome will delete their state.
1 potentially tracking website: wikimedia.org
Learn more: Bounce tracking mitigations

which suggests central login and top-level autologin wouldn't survive the rollout of cookie blocking, either. I haven't reviewed the linked spec in full, but I think the relevant part is #bounce-tracking-mitigations-timers which basically says if a domain has not received user interaction in the last 45 days and it does not receive user interaction within 1 hour of the bounce tracking (ie. doing the central login redirect chain), all cookies, cache and other stored data for login.wikimedia.org will get scrubbed. This is much more aggressive than e.g. the bounce tracking mitigations used by Firefox and would render central login (in its current form) entirely useless.

Rodejong subscribed.Mar 29 2024, 10:40 AM
PixDeVl subscribed.Mar 29 2024, 12:02 PM
Tgr mentioned this in T359957: Enroll in Chrome third-party cookies deprecation trial.Mon, Apr 1, 5:07 PM
Tgr closed subtask T359957: Enroll in Chrome third-party cookies deprecation trial as Resolved.Mon, Apr 1, 6:54 PM
Tgr mentioned this in T345245: Mitigate phase-out of third-party cookies across MediaWiki in production.Fri, Apr 5, 6:25 PM
Tgr added a subtask: T360104: Test cross-domain cookie access with OAuth-style popup + redirect workflow.Mon, Apr 15, 7:48 PM
Wargo unsubscribed.Sun, Apr 21, 1:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL