Page MenuHomePhabricator
Create Task
Maniphest T360104

Test cross-domain cookie access with OAuth-style popup + redirect workflow
Closed, DeclinedPublic
Actions

Description

Set up two websites on different registrable domains, and test what cross-domain cookie mechanics are enabled without using any modern web API, using similar workflows as third-party OAuth providers. This will be somewhat similar to what we are already doing in CentralAuth, the main question is whether doing redirects in a JS-opened popup, or maybe an iframe (as opposed to the original, top-level document) results in any browser restrictions, and whether those restrictions are lifted by user interaction.

The relevant documentation for popups / iframes: Chrome exemption heuristics, Firefox storage access heuristics / automatic storage access upon interaction, Webkit automatic storage access for popups
The relevant documentation for redirects: draft spec, Chrome bounce tracking mitigations, Firefox redirect tracking protection, Webkit bounce tracking protection and SameSite=Strict jail
Documentation on debugging: Safari ITP debug mode

This should be very similar to T359948: Test cross-domain cookie access with Storage Access API, except we'd access the cookies without requesting extra permission. We might want to reuse the same test code for checking both.

We should also check whether disabling exemption heuristics makes a difference (see docs for Chrome and Firefox), to make sure we aren't attributing something to Storage Access that's actually only possible due to temporary heuristics.

Related Objects
Search...

Event Timeline

Tgr created this task.Mar 14 2024, 12:19 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMar 14 2024, 12:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr mentioned this in T359948: Test cross-domain cookie access with Storage Access API.Mar 14 2024, 12:22 PM
Tgr updated the task description. (Show Details)Mar 14 2024, 12:28 PM
Tgr updated the task description. (Show Details)Mar 14 2024, 3:53 PM
Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.
larissagaulia moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Apr 15 2024, 3:21 PM
Tgr added a parent task: T345249: Mitigate phase-out of third-party cookies in CentralAuth.Apr 15 2024, 7:48 PM
Tgr mentioned this in T359926: Test cross-domain cookie access with the Storage Access API and Related Website Sets.Apr 15 2024, 9:02 PM
Tgr edited parent tasks, added: T348388: SUL3: Use a dedicated domain for login and account creation; removed: T345249: Mitigate phase-out of third-party cookies in CentralAuth.May 14 2024, 10:09 AM
Tgr added a project: SUL3.May 14 2024, 12:59 PM
Tgr moved this task from Backlog to Ready on the SUL3 board.May 14 2024, 1:02 PM
Tgr added a subtask: T364867: Determine SUL3 cookie exchange mechanism.May 14 2024, 2:30 PM
Tgr removed a subtask: T364867: Determine SUL3 cookie exchange mechanism.May 16 2024, 4:45 PM
Tgr added a parent task: T364867: Determine SUL3 cookie exchange mechanism.
JTweed-WMF closed this task as Declined.Nov 13 2024, 1:14 PM
JTweed-WMF subscribed.

Closing as we chose a different approach.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits