Embedded 3rd-party IFrame content opening a new tab/window to the same 3rd-party site should have access to same partitioned cookies as opener #82
Comments
|
@UselessPickles Thanks so much for your excellent notes. Indeed, the solution you presented is something we briefly considered on a W3C Privacy Community Group call previously (see privacycg/storage-partitioning/issues/28); but we need to spend a more time studying security, privacy, and user experience implications for such a solution; since the notion of a popup/redirect using a partitioned-by-opener context is a new concept to the web platform. We will discuss this internally and hope to have an update in a few weeks. Note that we are also considering other solutions that leverage the FedCM API as well, so I would recommend that you examine that API as well, if you haven't already done so. |
|
@krgovind I took a look at the FedCM API, and I don't think it would help in this situation. We're not having any trouble with the identification/authentication workflow. The problem is a stateful server session and a session cookie needed to continue the same stateful session across page loads, new tabs, and popup windows. This is a cookie created by the server AFTER the identification/authentication workflow is complete. Site "B" in my scenario is not an IdP, but a large complicated web application that is embedded in site "A", and uses site "A" as its IdP in this particular integration/configuration. So the authentication cookies will always be "first-party" relative to the "host" site (site "A"). As I mentioned in my initial post, we have already tested and confirmed that we can get the authentication portion working perfectly in this new tab/window use case, but the real problem is that it will create a new independent session on site "B"'s server, causing a disconnect/inconsistency between the opener and the new tab/window. |
|
Hi Jeff, Did you find any solution for this? We also have same situation where our embedded Iframe has window.open - links with same 3rd party site and needs session cookies to allow users. |
|
Chrome is considering a new proposal which might help with this use case: https://github.com/arichiv/partitioned-popins |
|
@arichiv Unfortunately, that "partitioned popins" proposal would not help with our situation:
We need to make some very tough decisions very soon if no viable solution is provided. "Just don't do that" (i.e., rework our application to never launch a page in a new window/tab that requires session cookies from the opener) is not a practical option. Our integration with our partner will be broken when the trial ends if we do not have a solution. |
|
Hi @arichiv As @UselessPickles mentioned, we are also in same situation. Could you please prioritize this? |
|
Hi @arichiv Is there a way for us to test popins? |
|
@srilakshmi-devarapalli-by @UselessPickles Firefox may be working due to heuristics. Chrome is considering something similar: https://developers.google.com/privacy-sandbox/3pcd/temporary-exceptions/heuristics-based-exceptions In both cases I believe these would provide access to unpartitioned cookies in a third-party context. @johannhof if I'm missing something |
|
@arichiv Prior to 3rd-party cookie deprecation, everything "just worked" for us because our cookies are all tagged as Maybe taking a step back and considering our actual use case and requirements (without the assumption of CHIPS) may help? The partitioned cookies solution feels a bit like a hack to me, but it was also the only practical solution I could find that could potentially work for us. It seems wrong to me that our app should have to declare that all of our cookies should be partitioned 3rd-party cookies when we don't really intend for our app to work as a 3rd-party app. It's really a complete self-sufficient 1st-party app that we want to visually embed in a partner app with some SSO authentication integration. The SSO integration does not require any 3rd-party cookies (it's all redirects between our site and the partner site, with tokens passed as URL params, etc). I really just want to be able to render our app in some kind of sandboxed 1st-party context in our parter app, as if it were a separate browser tab, but visually embedded. While doing my initial research, I found that fenced frames are probably EXACTLY what we need, but it was not a practical solution as it was still "experimental" and not supported by any other browsers. Has the future of fenced frame become more certain since I initially investigated it nearly a year ago? Are other browsers planning to support it now? Would it be a safe investment to add conditional support for fenced frame (if detected to exist) and trust that it will eventually work on other browsers and work as our one-and-only cross-browser solution to eliminate our reliance on 3rd-party cookies to embed our app in partner apps? Or is there any other way to achieve such behavior aside from fenced frame? For example:
|
|
@UselessPickles Note that Fenced Frames have certain restrictions that make them unlikely to be attractive for you, such as no access to cookies or storage and limited ways of opening links / popups. You certainly won't be able to use a Fenced Frame to open a pop-up that shares same-site cookie access, which seems to be the main feature you're looking for here?
I understand that you feel like this is a first-party app by your definition, but by web platform terms this is a third-party embed. The fact that you rely on SSO auth via redirect from your partner shows that your app isn't truly isolated from its embedder (though this would still be a 3P embed without such an auth scheme).
If that's the case (you really just want to render an embedded app inside of a partner site) then Partitioned cookies are what you should use. However, it sounds like you want more than that. You also want this embedded app to be able to open new top-level contexts (a pop-up) which share access to the same cookie jar. As we've said on the thread, this is a reasonable request within certain parameters, but it's not trivial to make it work without violating some privacy or UX requirements. Partitioned Popins are meant to solve similar challenges, though I understand why it doesn't perfectly work for you. We're grateful for this feedback as it helps us improve the API over time. It's not something I'd usually recommend, but in this case it might be necessary to use the opener relationship established between the embedded context and the popup to pass some authentication parameters. That would not introduce additional user friction, but it comes with a few drawbacks:
No, if either of your presented options were possible that would be a privacy leak and we'd fix it. |
|
We do face a similar problem with popups having access to a different instance of partitioned storage. I shared the details in an issue that seems to be more appropriate: privacycg/storage-partitioning#28 (comment). |
|
We are facing a very similar issue with our embedded enterprise app, and so far it looks like the only viable solution is the partitioned-popins proposal above. For our use case it would likely be enough(we do not need the full-blown new tabs). But the problem is that the 3rd party cookies might be deprecated before this proposal is implemented and released, and this brings us into a dead end. The only other solution proposed is:
but for me it sounds like it would raise a lot of security-related issues. I cannot find any timeline for the partitioned-popins feature release and it looks like there is not even 100% certainty it would be released at all. Personally I would expect that 3rd party cookie support cannot be disabled until this issue is resolved, as this will basically make the valid use case like ours broken without any viable and secure workaround. Is this something that's taken into consideration at the moment? |
I have a situation involving integration between two partner enterprise software vendors that is broken by deprecation of 3rd-party cookies. Please bare with me, because this takes quite a while to set the scene and explain the problem.
Setting the Scene
Let's call the two vendors/sites "A" and "B". "A" is the "host" vendor into which "B"'s product is integrated as 3rd-party IFrame content.
Vendor "A" provides the authentication for users, and "B" is configured to redirect to an authentication URL from vendor "A", which then redirects back to "B" with verified user info/tokens/etc. Although "A" does maintain the (first-party) cookies related to authentication, "B" still needs to setup its own session cookies (3rd party, because embedded in a 3rd-party IFrame) after authenticating via "A".
Just to be clear: the intent here is only for "B" to consistently have access to its own cookies within the context of being embedded in "A". There is no intent, attempt, or desire to have access to any cross-site tracking 3rd-party cookies. If site "B" is accessed either as a 1st-party top-level site, or embedded in some other partner site "X", then we explicitly do NOT want to have access to the same cookies or user session across all of those contexts.
So the solution seems obvious: CHIPS! If "B" simply flags all of its cookies as
Partitioned, then we should get exactly the behavior we want.The Problem
However, there is one use case that fails: On some pages in the embedded 3rd-party content from vendor "B", clicking on certain UX controls (links, menu items, etc) will open a page from "B"'s site in a new tab or window. The current behavior of CHIPS is that this new tab/window is a brand new top-level first-party context. So the page from "B" in that new tab/window does not have access to the same partitioned session cookies that were setup by the 3rd-party embedded IFrame of "B' inside of "A".
The resulting behavior is, depending on specifics of how the authentication integration is configured between "A" and "B", either:
Behavior 1 is clearly bad/broken.
Behavior 2 appears good on the surface, except is is broken in the worst way: subtly. The server for site "B" is a stateful server that maintains session state, including cached calculated results, state of user workflow, etc.. So the new tab/window opened by "B" needs to share the same session to ensure that all side-effects of any user actions performed in the new tab/window are also applied to the session used by the "main" view of site "B" in the 3rd-party IFrame embedded in "A". Very strange, seemingly intermittent, and unpredictable bugs can occur if the same user is logged in twice under different sessions and actively going back and forth between the two sessions, performing operations, and expecting both sessions to stay in sync with each other.
Firefox
It's worth noting that our integration of sites "A" and "B" works perfectly fine in Firefox with its "Enhanced Tracking Protection" set to "Strict" such that it automatically partitions 3rd-party cookies.
A Proposed Solution
If site "B" could open a new tab/window in a way that it "inherits" the 3rd-party cookie partitioning context of its opener, then everythign would work as we desire. The new tab/window would have the same user session in site "B" as the embedded 3rd-party iframe of site "B" that opened it.
I understand there may be security concerns with this, and I understand why the default behavior should be to NOT inherit the cookie partitioning context of the opener. I'm also not an expert on security issues/attacks involving new tabs/windows, but I think it may be reasonably manageable with some simple rules:
A new tab/window will inherit the cookie partitioning context of its owner if and only if both conditions are met:
windowFeaturesargument to the window.open function).Alternative Solutions Considered
Reproducing/Demonstrating The Problem
Due to the nature of enterprise software, and the fact that we have currently opted out of 3rd-party cookie deprecation and have enrolled into the grace period, it will be a challenge to present a workign example of this problem. With some coordination, it would be possible to temporarily set up one of our test accounts to demonstrate this problem and share private URL and login info. Please let me know if you'd like to coordinate something.
The text was updated successfully, but these errors were encountered: