if you disable all third-party cookies in your browser (like where Site A is never allowed to use cookies from Site B), have you noticed that it breaks anything?
-
if you disable all third-party cookies in your browser (like where Site A is never allowed to use cookies from Site B), have you noticed that it breaks anything? What breaks?
@b0rk Most things on my mobile carrier's website that involve payments, paying for stuff at a popular department store here in Mexico, and hCaptcha's shitty accessibility cookie solution.
I keep a separate profile in my browser for these.
-
@b0rk Most things on my mobile carrier's website that involve payments, paying for stuff at a popular department store here in Mexico, and hCaptcha's shitty accessibility cookie solution.
I keep a separate profile in my browser for these.
@b0rk Also possibly my primary bank, and booking a British Airways flight. But those could've just been broken in a more general way.
-
@Viss thanks, I really need to learn how why login with google needs third-party cookies exactly
-
-
@Viss thanks, I really need to learn how why login with google needs third-party cookies exactly
@b0rk well it'd be for things like if you go to like, i dunno, stackoverflow or somewhere else, and you get that popup that says 'login with google'. im not sure if facebook or twitter are still popular methods for this, but those would also fall into the same category. also any place using stuff like okta or nextcloud for auth are gonna suffer the same way
-
if you disable all third-party cookies in your browser (like where Site A is never allowed to use cookies from Site B), have you noticed that it breaks anything? What breaks?
@b0rk It used to break a whole lot of things, but these days everything except banks and sites not updated since 2003 works just fine.
I think this is mostly because of clever allowlisting from the browsers to make single sign-on work? I don't quite understand how SSO works tbh. -
@b0rk @Viss There are some flows that were a lot easier if you have access to 3rd party cookies (magically being logged in across domains, being one) that become harder to implement if you don't have them, though - which is why a lot of sites relied on them and may/may not have ever bothered to reimplement an SSO/SLO flow that doesn't need them.
-
@b0rk well it'd be for things like if you go to like, i dunno, stackoverflow or somewhere else, and you get that popup that says 'login with google'. im not sure if facebook or twitter are still popular methods for this, but those would also fall into the same category. also any place using stuff like okta or nextcloud for auth are gonna suffer the same way
@Viss i guess i don't understand why because I've implemented basic OAuth login before and I don't remember any cookies being involved. Definitely there's just something basic I'm missing though.
-
@Viss i guess i don't understand why because I've implemented basic OAuth login before and I don't remember any cookies being involved. Definitely there's just something basic I'm missing though.
-
-
@Viss i guess i don't understand why because I've implemented basic OAuth login before and I don't remember any cookies being involved. Definitely there's just something basic I'm missing though.
@b0rk im suspecting it's going to vary from vendor to vendor. auth is just the first thing that came to mind. in building orbital (my asm platform) we tried to use 0auth to do 2fa and there were big problems in firefox and chrome with respect to third party cookies. we ended up going entirely local for 2fa after they changed their pricing model so it stopped being an issue
-
-
@b0rk I've had 3rd party cookies disabled for years, and I use Vivaldi with full blocking turned on and very little breaks. Anything I come across which doesn't work properly I just don't use.
@hylomorphism
Also blocked 3rd party cookies for years. I also use privacy badger.
@b0rk -
@cthos @b0rk @Viss Yes, I block 3rd party cookies and I can still log in with Google to a third party site. This is probably not universally true for all SSO providers, but it does work with Google. @b0rk the main thing I've noticed which breaks (unclear if it's due to 3rd party cookies per se or some other setting I have) is embeds of tweets and Disqus.
-
if you disable all third-party cookies in your browser (like where Site A is never allowed to use cookies from Site B), have you noticed that it breaks anything? What breaks?
@b0rk very few pages break, I used the setting for a long while. I think webkit used to do it by default for some time, even? a good middle-ground is to do cookie-partitioning based on the first party. that's what Firefox does.
-
@b0rk well it'd be for things like if you go to like, i dunno, stackoverflow or somewhere else, and you get that popup that says 'login with google'. im not sure if facebook or twitter are still popular methods for this, but those would also fall into the same category. also any place using stuff like okta or nextcloud for auth are gonna suffer the same way
-
if you disable all third-party cookies in your browser (like where Site A is never allowed to use cookies from Site B), have you noticed that it breaks anything? What breaks?
@b0rk@social.jvns.ca The only thing I've seen break is MS Teams (for work, unfortunately).
-
@b0rk very few pages break, I used the setting for a long while. I think webkit used to do it by default for some time, even? a good middle-ground is to do cookie-partitioning based on the first party. that's what Firefox does.
@freddy thanks, I think I need to read more of your writing / talks on browser security too
