Reading cookie in cross-site context will be blocked in future Chrome versions #3703
Comments
Chrome has started the deprecation of third party cookies since last month. This is a serious issue. For third party cookies there are two types of methods: Storage Access API (SAA) and Cookie Partitioning, such as CHIPS. Safari supports SAA but does not support partitioning, while Chrome supports CHIPS and has added support for SAA since version 119. To utilize SAA, the content in the iframe should call the hasStorageAccess() API. To utilize CHIPS, Hydra should add the partitioned attribute to cookies. This blog post explains. In short, Hydra should try SAA then fall back to CHIPS.
Firefox shows this: Cookie "XXX" will soon be rejected because it is foreign and does not have the "Partitioned" attribute. When configuration has SameSite with "None" for 3rd party cookies, Hydra should add "Partitioned;" for the message. This is CHIPS. A login dialog may use Storage Access API (SAA) if the API is available. I'm not sure how that works for silent refresh.
Accessing the Storage API will require a serious amount of work. Adding the partitioned attribute will not cause problems. Regarding the opening post - this is about an iframe, correct? Because in other use cases this should not be a problem (to the best of my knowledge) as we can still set cookies on redirects.
@aeneasr This occurs with both redirect and iframe login methods. With my limited understanding, I don't believe the issue is with setting cookies, but how the cookies are stored and made available to third parties for security reasons. |
I cannot reproduce this issue with redirects. I also can't find any reference about redirects being blocked by the 3rd party cookie phase out. I do know that there is an issue with embedded content (iframes) and apparently there is also a problem with ITP from Safari in web views.
My apologies. Upon deeper investigation the warning is being thrown when an img file is being requested and ory's cookies are forwarded by the browser. Should I close this issue? It seems there is an actual issue here though that needs addressing. |
This is an important issue. Please keep this open. As Chrome has already started rejecting cookies with samesite=None, Hydra needs to add support for the Partitioned attribute anyway. @aeneasr wrote this for Golang's immediate support for the Partitioned attribute. I think waiting for it would lose time. In addition to Chrome, Firefox also shows this (despite this).
We have two measures for 3rd-party cookie rejection: the Partitioned attribute on cookies with samesite=None (CHIPS), and the SAA, which is a set of APIs for asking the user for permission for 3rd-party cookies with samesite=None. If the user gives permission via SAA, cookies with samesite=None and without Partitioned can be used for keeping login status among multiple sites. However, even with the user's permission, if the cookies have the Partitioned attribute, they are partitioned and the user has to log in at each site. So, adding a partitioned flag to config would be easy but would spoil that chance. I'm not sure about what Hydra should do. Adding the partitioned flag as an immediate fix first and adding something later would be a way. Note that Google provides yet another measure called Federated Credential Management API (FedCM).
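The CHIPS side of the discussion above, as an added example that is not Hydra's code or anything from the thread: a small Go helper that emits `Set-Cookie` with the `Partitioned` attribute only for cross-site (`SameSite=None`) cookies, refuses to partition a cookie that is not `Secure` (CHIPS requires both), and leaves first-party cookies untouched. It post-processes `Cookie.String()` so it also works on Go versions whose `net/http` has no `Partitioned` field; the cookie name and value are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrPartitionedRequiresSecure is returned when a SameSite=None cookie is not
// marked Secure; browsers reject Partitioned cookies without it.
var ErrPartitionedRequiresSecure = errors.New("Partitioned cookies must be Secure and SameSite=None")

// SetPartitionedCookie is a hypothetical helper (not Hydra's): it writes c as a
// Set-Cookie header and appends the CHIPS "Partitioned" attribute when the
// cookie is cross-site. First-party cookies are emitted unchanged.
func SetPartitionedCookie(w http.ResponseWriter, c *http.Cookie) error {
	if c.SameSite != http.SameSiteNoneMode {
		http.SetCookie(w, c) // not a 3rd-party cookie, nothing to partition
		return nil
	}
	if !c.Secure {
		return ErrPartitionedRequiresSecure
	}
	v := c.String() // empty if the cookie name is invalid
	if v == "" {
		return errors.New("invalid cookie")
	}
	w.Header().Add("Set-Cookie", v+"; Partitioned")
	return nil
}

// setCookieHeaders returns the Set-Cookie lines a handler would emit for c,
// captured with an httptest recorder so the result can be inspected offline.
func setCookieHeaders(c *http.Cookie) ([]string, error) {
	rec := httptest.NewRecorder()
	if err := SetPartitionedCookie(rec, c); err != nil {
		return nil, err
	}
	return rec.Result().Header.Values("Set-Cookie"), nil
}

func main() {
	// Constructed sample: a cross-site session cookie as an OAuth2 server might set it.
	c := &http.Cookie{Name: "session", Value: "constructed-value", Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteNoneMode}
	hdrs, err := setCookieHeaders(c)
	fmt.Println(hdrs, err)
}
```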
Preflight checklist
Ory Network Project
No response
Describe the bug
I have an instance of Ory Kratos and Ory Hydra running on site-a.com. I have an oauth browser client running on site-b.com. Currently, site-b.com is working but the warning in the title is shown.
I wasn't able to find any comments from Ory whether they are already working on this or if a solution is already implemented.
Reproducing the bug
Relevant log output
Relevant configuration
Version
v2.2.0-rc.3
On which operating system are you observing this issue?
Windows
In which environment are you deploying?
Binary
Additional Context
No response