if you disable all third-party cookies in your browser (like where Site A is never allowed to use cookies from Site B), have you noticed that it breaks anything?
-
@Viss i guess i don't understand why because I've implemented basic OAuth login before and I don't remember any cookies being involved. Definitely there's just something basic I'm missing though.
-
-
@Viss i guess i don't understand why because I've implemented basic OAuth login before and I don't remember any cookies being involved. Definitely there's just something basic I'm missing though.
@b0rk im suspecting it's going to vary from vendor to vendor. auth is just the first thing that came to mind. in building orbital (my asm platform) we tried to use 0auth to do 2fa and there were big problems in firefox and chrome with respect to third party cookies. we ended up going entirely local for 2fa after they changed their pricing model so it stopped being an issue
-
-
@b0rk I've had 3rd party cookies disabled for years, and I use Vivaldi with full blocking turned on and very little breaks. Anything I come across which doesn't work properly I just don't use.
@hylomorphism
Also blocked 3rd party cookies for years. I also use privacy badger.
@b0rk -
@cthos @b0rk @Viss Yes, I block 3rd party cookies and I can still log in with Google to a third party site. This is probably not universally true for all SSO providers, but it does work with Google. @b0rk the main thing I've noticed which breaks (unclear if it's due to 3rd party cookies per se or some other setting I have) is embeds of tweets and Disqus.
-
if you disable all third-party cookies in your browser (like where Site A is never allowed to use cookies from Site B), have you noticed that it breaks anything? What breaks?
@b0rk very few pages break, I used the setting for a long while. I think webkit used to do it by default for some time, even? a good middle-ground is to do cookie-partitioning based on the first party. that's what Firefox does.
-
@b0rk well it'd be for things like if you go to like, i dunno, stackoverflow or somewhere else, and you get that popup that says 'login with google'. im not sure if facebook or twitter are still popular methods for this, but those would also fall into the same category. also any place using stuff like okta or nextcloud for auth are gonna suffer the same way
-
if you disable all third-party cookies in your browser (like where Site A is never allowed to use cookies from Site B), have you noticed that it breaks anything? What breaks?
@b0rk@social.jvns.ca The only thing I've seen break is MS Teams (for work, unfortunately).
-
@b0rk very few pages break, I used the setting for a long while. I think webkit used to do it by default for some time, even? a good middle-ground is to do cookie-partitioning based on the first party. that's what Firefox does.
@freddy thanks, I think I need to read more of your writing / talks on browser security too
