What are the suggested heuristics for 3PC deprecation relief #172

Closed
mrvanes opened this issue Oct 23, 2023 · 7 comments
Labels
third-party-cookie-deprecation Third-party cookie deprecation

Comments

@mrvanes

mrvanes commented Oct 23, 2023

What are the exact suggested heuristics for 3PC deprecation relief and what is the timeline for deprecating this work-around?

@mrvanes mrvanes added the third-party-cookie-deprecation Third-party cookie deprecation label Oct 23, 2023
@johannhof

Hi @mrvanes, for details please see the Intent to Prototype here: https://groups.google.com/a/chromium.org/g/blink-dev/c/Eeh2pE0DRaE/m/1BJyBlCUAAAJ which links to the explainer: https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md

Note that this is still being developed and we haven't yet committed to which specific heuristics will be shipped at what timeline. The preliminary target for implementation is Chrome M120, which is in Canary right now. You can follow along on the Chromestatus page: https://chromestatus.com/feature/5181771549507584

@johannhof

> and what is the timeline for deprecating this work-around?

Ah, I misread this to ask about the timeline for shipping. While we intend to work with the other browsers to deprecate the heuristics, we don't have a clear target date yet, as that work depends on a variety of external ecosystem considerations such as site adoption of new technologies.

@mrvanes
Author

mrvanes commented Oct 23, 2023

Thank you for the pointers. From Key Use Cases I presume that the heuristics will only mitigate breakage of embedded 3rd party cookies on site-A? Does that mean that 3PC for POST redirects from site-B to A using SameSite=None (SAML Authentication Response flow) are exempt from the planned 3PC deprecation changes anyway?

@johannhof

Yes, that's correct. We've written about this in https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics/blob/main/README.md#top-level-cross-site-post-requests (which we're working to turn into a more official WebAppSec WG Note).

Top-level cross-site POST requests will continue to carry SameSite=None cookies for now, though I personally would be interested in finding ways to increase security of these requests in the long term as well.

@mrvanes
Author

mrvanes commented Oct 23, 2023

Thx, final question, a bit out of scope: I couldn't find any references to the rumoured link-decoration deprecation write-ups which would break SAML as well, do you have any pointers to that work perhaps?

@johannhof

The only thing that comes to mind are the bounce tracking mitigations we published some time ago, see https://github.com/privacycg/nav-tracking-mitigations/blob/main/bounce-tracking-explainer.md for an explainer. Would be interesting to know if that's affecting any of your flows.

@mrvanes
Author

mrvanes commented Oct 24, 2023

Thank you, the information was very helpful but I think I was looking for the linked information called Link decoration and Navigational tracking.

@mrvanes mrvanes closed this as completed Oct 25, 2023