sammacbeth
commented
6 years ago Hi @cowlicks.
Sorry for not replying earlier, I was not watching this repo for questions.
We currently have multiple different heuristics for allowing third-party cookies in limited cases:
- On user-interaction. This is the mechanism mentioned in the blog post, and aims to be a heuristic 'click-to-play' for widgets embedded in the page. When an element is clicked we look for third-party domains inside the embedded element and temporarily whitelist these.
- Redirect-based. When domain
aissues a first-party redirect to domainb, we trustbas a third-party to domainapages for a short time. This handles single sign-on portals which rely on third-party cookies instead of oauth-based methods. - OAuth detection. Practical implementations of oauth sometimes require some third-party cookies to be allowed in order to function correctly (Google is the main case). This heuristic detects the OAuth flow in the browser and allows cookies for these cases.
Unfortunately there are lots of edge-cases around the web, as many sites assume 3rd party cookies are allowed, and simply break when they are not. With these heuristics we manage to reduce some of the main causes of breakage.
cowlicks
Hello, I've been working on an anti tracking browser extension and was researching other projects. The project (privacy possum) also blocks 3rd party cookies, like cliqz. I've been trying to figure out a way to avoid breakages of non-tracking 3rd party iframes.
In your blog post you say "In order to enable this use case, our system allows cookies in cases when user interaction with the widget is detected". I was reading
modules/antitracking/sources/cookie-context.esandoauth-detector.esto try to gain some insight. Do you just detect oauth, then allow cookies for this case? Are there other cases where you allow cookies? Is there documentation that explains more about how this works?