Third party cookie investigation for embedding #42170
Comments
I managed to get it to break embedding:
Demo: Screen.Recording.2024-05-03.at.12.22.57.mov
Note that (at least for now; let's see when this feature gets rolled out) there is a UI that allows re-enabling them for 90 days, but it's likely something users will not do, as there is no UI that warns about the cookies being blocked (it only shows up in the console, which normal users don't watch).
Alternative solutions

Cookies Having Independent Partitioned State (CHIPS)
https://developers.google.com/privacy-sandbox/3pcd/chips
New "Partitioned" attribute.
For metabase: Probably good. The only downside I can see is that if people are logged in on metabase-instance.com they will not be logged in automatically in the iframe on company.com/analytics.

Storage Access API
https://developers.google.com/privacy-sandbox/3pcd/storage-access-api
New set of APIs that can only be used from an iframe.
For metabase: Probably not a good solution for people whitelabeling and not providing top-level access to MB.

Related Website Sets
It requires submitting to Google the JSON of the related websites on GitHub.

Federated Credential Management API
Experimental thing; it seems it's implemented by all browsers, but I haven't looked into it as it seems to require a lot of changes.
CHIPS / "Partitioned" cookies experiment
I tried to use Partitioned cookies with the following diff:
diff --git a/src/metabase/server/middleware/session.clj b/src/metabase/server/middleware/session.clj
index e4c392ca8a..55dcc96d24 100644
--- a/src/metabase/server/middleware/session.clj
+++ b/src/metabase/server/middleware/session.clj
@@ -190,6 +190,7 @@
(let [cookie-options (merge
(default-session-cookie-attributes session-type request)
{:http-only true}
+ {:partitioned true}
;; If permanent cookies should be used, set the `Max-Age` directive; cookies with no
;; `Max-Age` and no `Expires` directives are session cookies, and are deleted when the
;; browser is closed.
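Review bot: `{:partitioned true}` is merged unconditionally here, with no configuration hook, while the discussion further down asks for a way for customers to opt out; consider reading a setting (hypothetical name `session-cookie-partitioned`) and merging `{:partitioned true}` only when it is enabled. Note also that browsers only honour the `Partitioned` attribute on a cookie that is also `Secure`, and a cross-site iframe only sends it with `SameSite=None`; this hunk relies on `default-session-cookie-attributes` supplying both, which is outside the visible context and worth confirming, in particular for deployments served over plain HTTP where `Secure` cannot be set.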
The results are promising: interactive embedding is working across two different top-level domains.
Partitioned cookies/CHIPS means that if a resource from domain A is embedded in a page on domain B, then the cookies of the embedded resource will be saved in
Let's assume the customer is hosting their app on customer.com, and their MB instance is mb-cloud.com. If they have an iframe with src="mb-cloud.com/dashboard/1" (instead of
I initially didn't consider that this would only happen if they're not logged in to their JWT provider, so I think this is a super edge case we can probably ignore. That said, we should probably think about whether we should allow the customers to opt out of the Partitioned parameter via a setting, to make sure we're not accidentally breaking their possibly unusual flows.
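The partitioning behaviour described in this comment, and the "not logged in automatically in the iframe" downside noted under the CHIPS alternative above, as an added toy model (not Metabase code, not a real browser): cookies are keyed by (host, top-level site) when `Partitioned` is set, and an unpartitioned cookie is simply dropped in a third-party context. The hosts customer.com and mb-cloud.com come from the thread; the cookie name `metabase.SESSION` and the jar semantics are assumptions for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool = False
    same_site: str = "Lax"
    partitioned: bool = False

def set_cookie_header(c: Cookie) -> str:
    """Render the Set-Cookie line a server would emit for this cookie."""
    attrs = ["Path=/", "HttpOnly", "Secure" if c.secure else "", f"SameSite={c.same_site}",
             "Partitioned" if c.partitioned else ""]
    return "; ".join([f"{c.name}={c.value}"] + [a for a in attrs if a])

def embeddable_under_3pcd(c: Cookie) -> tuple[bool, str]:
    """Will a browser that blocks third-party cookies still send this cookie from a cross-site iframe?"""
    if not c.partitioned:
        return False, "unpartitioned cookie is blocked in third-party context"
    if not c.secure:
        return False, "Partitioned is only honoured together with Secure"
    if c.same_site != "None":
        return False, "cross-site iframe requests need SameSite=None"
    return True, "ok"

class PartitionedJar:
    """Simplified jar: partitioned cookies keyed by (host, top-level site); others by host only."""
    def __init__(self) -> None:
        self.store: dict = {}
    def set(self, host: str, top_level: str, c: Cookie) -> bool:
        if host != top_level and not embeddable_under_3pcd(c)[0]:
            return False  # browser discards the Set-Cookie (third-party cookie blocking)
        self.store[(host, top_level if c.partitioned else None, c.name)] = c.value
        return True
    def get(self, host: str, top_level: str, name: str):
        hit = self.store.get((host, top_level, name))  # partitioned copy for this top-level site
        if hit is None and host == top_level:          # first-party page: plain cookies still work
            hit = self.store.get((host, None, name))
        return hit

def demo() -> tuple:
    """User logs in on mb-cloud.com directly, then customer.com embeds it: (iframe before, iframe after SSO, top-level)."""
    jar = PartitionedJar()
    sess = Cookie("metabase.SESSION", "top", secure=True, same_site="None", partitioned=True)
    jar.set("mb-cloud.com", "mb-cloud.com", sess)
    before = jar.get("mb-cloud.com", "customer.com", sess.name)  # None: other partition, so not logged in
    jar.set("mb-cloud.com", "customer.com", Cookie(sess.name, "iframe", True, "None", True))  # JWT login in iframe
    after = jar.get("mb-cloud.com", "customer.com", sess.name)
    return before, after, jar.get("mb-cloud.com", "mb-cloud.com", sess.name)
```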
Some other updates
Closing the issue as we decided to proceed with CHIPS.
Context
Chrome is testing disabling third-party cookies for 1% of users. We want to know what effect (if any) this will have on us, and see what solutions we could provide.
Main questions: