DCtheTall
commented
2 years ago Hello and thanks for your interest in CHIPS. We understand that making partitioned cookies hostname bound is a paradigm shift from domain-bound unpartitioned cross-site cookies.
Here are some solutions that sites can use to migrate to hostname-bound cross-site cookies:
- Anytime you need auth, make a client-side request to api.example.com and have it send an authentication token or identifier in its response. You can then verify this response on the origin of your application.
- Use some kind of redirect functionality to send requests that need authentication through api.example.com. This redirect could be done server-side or client-side, where api.example.com passes along an authentication token to the destination URL in the latter case.
- Note: We are aware that some browsers may intervene on URL parameters passed on iframe redirects, although Chrome currently doesn’t have plans to do so.
If these solutions do not work for your use case, we are interested in hearing your feedback as to why so that we can work together on new solutions.
solatsuta
How would this work for an application embedded in an iframe that uses multiple subdomains in a 3rd party context?
For example, an org owns: api.example.com account.example.com app1.example.com app2.example.com
There is an authentication token set in a cookie by api.example.com meant to available to all example.com sub-domains. The sites listed are the same party but also need partitioned and keyed to a top level site.