privacycg / CHIPS

A proposal for a cookie attribute to partition cross-site cookies by top-level site
Other
131 stars 31 forks source link

Defining top-level context for partitioned cookies #79

Open thisisbb opened 11 months ago

thisisbb commented 11 months ago

TL;DR: partitioned cookies do not consider previous browser redirections.

Our product is a script that embeds into the host-app. Customers run the script that loads resources from other domain and renders them inside their app.

If the user is not authorised to get the resource he is redirected to our product's login page, authorises via credentials or SSO provider and is sent back to the host. Like: window.location.href = 'product.login/auth?return_to=host-app'.

When we implemented partitioned cookies, the 'partition key' is set to the actual product.login domain who issued the cookie, without considering previous redirects, declined by the host-app and going to the infinite redirect loop.

How can I get to get to the "product.login page" so the browser considered the host-app as the rightful issuer of the authorisation cookie ? Is there a way to tell the browser the correct top-level context of the cookie ?

UgoFantozzi commented 11 months ago

We stuck on the same step when tried to implement CHIPS support. The ugly workaround we had in mind was to do auth in the pop-up iframe, but even it will not cover most of the cases, as a lot of companies have policies blocking any pop-up windows for security purposes.

@krgovind kindly advise whether any solutions are being developed for such cases or if this is by design. Thanks!

krgovind commented 11 months ago

@thisisbb @UgoFantozzi My apologies for the delay in responding here. I just answered a similar question on https://github.com/privacycg/CHIPS/issues/80#issuecomment-1869803619 - could you please take a look?