Difference between revisions of "Identifier use in Browsers"
From MgmtWiki
(→Solutions) |
|||
| Line 5: | Line 5: | ||
==Solutions== | ==Solutions== | ||
| + | Generally these are blink-dev issues either proposed or in development. | ||
| + | |||
*Same-site policy has been added and slowly enhanced to block cross-site scripting attacks (CSRF or XSRF) by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain. [https://caniuse.com/#feat=same-site-cookie-attribute This site] describes the varying impact that this policy has on users on the various browsers. The challenge for [Single Sign On]] efforts with a [[Identifier or Attribute Provider]] at a different site than the [[Relying Party]] is that they rely on cross-site cookies to pass user credentials from one site to another. The problem introduced with iOS 12 from Apple is described on [https://github.com/IdentityServer/IdentityServer4/issues/2595 this site.] | *Same-site policy has been added and slowly enhanced to block cross-site scripting attacks (CSRF or XSRF) by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain. [https://caniuse.com/#feat=same-site-cookie-attribute This site] describes the varying impact that this policy has on users on the various browsers. The challenge for [Single Sign On]] efforts with a [[Identifier or Attribute Provider]] at a different site than the [[Relying Party]] is that they rely on cross-site cookies to pass user credentials from one site to another. The problem introduced with iOS 12 from Apple is described on [https://github.com/IdentityServer/IdentityServer4/issues/2595 this site.] | ||
| + | *First-Party Sets and 'SameParty' cookie attribute has two "explainers" as GitHub pages [https://github.com/privacycg/first-party-sets First Party sets] and [https://github.com/cfredric/sameparty same party]. | ||
==References== | ==References== | ||
Revision as of 10:40, 10 February 2021
Full Title or Meme
The ways that browsers interact with the user's Identifiers is tracked here.
Context
Solutions
Generally these are blink-dev issues either proposed or in development.
- Same-site policy has been added and slowly enhanced to block cross-site scripting attacks (CSRF or XSRF) by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain. This site describes the varying impact that this policy has on users on the various browsers. The challenge for [Single Sign On]] efforts with a Identifier or Attribute Provider at a different site than the Relying Party is that they rely on cross-site cookies to pass user credentials from one site to another. The problem introduced with iOS 12 from Apple is described on this site.
- First-Party Sets and 'SameParty' cookie attribute has two "explainers" as GitHub pages First Party sets and same party.
References
- See the wiki on Trusted Browser for ideas on creating a User Agent that is responsive user security concerns.
