privacysandbox / privacy-sandbox-dev-support

Discuss your Privacy Sandbox developer questions with the Chrome team.
Apache License 2.0

Iframe unable to access the cookies set by the popped out auth window #264

Closed parthiiita closed 2 months ago

parthiiita commented 6 months ago

Hi Team, some of the third-party apps in Microsoft Teams which are rendered inside an iframe in Teams are experiencing breaking of their auth flow, which is triggered in a popped-out window, and on successful authentication auth-related cookies are set in the popup with attributes SameSite=None and unpartitioned. These cookies are expected to be accessible by the iframe, but they are not. Please find the scenario below, via a custom cookie app we developed:

We are unable to access unpartitioned SameSite=None cookies set by a popped-out tab in the app iframe in Teams, whereas with 3P cookie blocking disabled we can access these.

Popped-out tab: cookie c1:v1, unpartitioned, SameSite=None (screenshot)

App iframe: c1:v1 not available with 3P cookie blocking enabled (screenshot)

With 3P cookie blocking disabled, c1:v1 is available to the app iframe (screenshot)

Please provide guidance on how to handle such authentication scenarios, as it's breaking authentication for apps like Lucidcharts etc. in Teams.

Thanks

amaliev commented 6 months ago

Hi @parthiiita ! During a popup authentication, we typically provide short-term access to third-party cookies via heuristics: see https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md for more details. This flow requires a user interaction in the popup window to take effect.

Could you help provide more details on the popup window auth flow which sets the cookies? Is there any way I could reproduce it on my end? If that's infeasible, could you record a video of the popup flow?

Thank you!

parthiiita commented 6 months ago

Hi @amaliev , below is a link to the video repro of the issue with instructions in the video as well as below:

https://drive.google.com/file/d/1lifkm2KJjCzP80bwsq4w30A64YyievEI/view?usp=sharing

Here are the instructions to repro the issue:

1. Disable 3P cookies in your browser.
2. Open teams.microsoft.com.
3. Click on the "try new teams" toggle on the top left.
4. Click on the "+ apps" icon in the left rail and then click "manage your apps".
5. Click on Lucid Charts and click on "sign in" in the Lucid Charts iframe.
6. Use any external auth in the popped-out sign-in page.
7. Post authentication, observe that Lucid Charts redirects to the sign-in page and no cookies are sent on the original URL that was opened; this can be seen in the network tab.

Please use the following credentials to log in to Teams. Email:

admin@M365B125723.onmicrosoft.com

password:

7f#j(fNM5F73nC%(

Please let me know in case you need any more details to repro the issue.

Thanks, Parth

amaliev commented 6 months ago

Hi @parthiiita , I have reproduced these steps in Chrome, and the Chrome implementation of the popup heuristic handles this case successfully.

With heuristics enabled (as described in the testing instructions): teams_with_popup_heuristic

With heuristics disabled (as described in the testing instructions): teams_without_popup_heuristic

I've confirmed that completing the login flow for lucid.app creates a 3PC access grant for https://[*.]lucid.app when embedded on https://[*.]microsoft.com.

Could you please test in Chrome as well and verify if you are seeing the same issue?

johannhof commented 6 months ago

Hi @parthiiita, if you haven't done so already, would you mind filing a breakage report at https://goo.gle/report-3pc-broken so that we can track your breakage case in the longer run and potentially close this issue? Thanks :)

parthiiita commented 4 months ago

Hi @amaliev, thanks for the explanation. Are heuristics a short-term mitigation of the impact of the 3P cookie deprecation, or will heuristics always be supported when the 3P cookie deprecation rolls out? Can we rely on heuristics as a solution for the long term?

amaliev commented 4 months ago

Heuristics is intended as a short-term mitigation. To handle this use case in the long term, I would recommend adopting one of the privacy-preserving APIs listed here.
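As an added example (not code from this thread or from the Privacy Sandbox project), the following embed-side sketch shows the pattern the two replies above point at: the popup heuristic only grants short-term cookie access after a user interaction in the popup, so the iframe instead asks for its cross-site cookies explicitly through the Storage Access API (`document.hasStorageAccess()` / `document.requestStorageAccess()`), which is assumed here to be among the privacy-preserving APIs recommended. The `doc` and `win` parameters stand in for `document` and `window` so the logic can run outside a browser; the `"auth-complete"` message type, the popup URL and the origins are assumptions for the example. It also includes a small Set-Cookie check for the attribute combination the issue describes (SameSite=None, Secure, unpartitioned).

```javascript
// Added example, not from the issue thread or the Privacy Sandbox project.
// Embed-side flow for an app iframe whose sign-in happens in a popup.

const POPUP_FEATURES = "popup,width=500,height=650";

// Parse a Set-Cookie header and report whether a cross-site embed could read
// the cookie at all. Cross-site use needs SameSite=None plus Secure; a
// Partitioned cookie is confined to the top-level site it was set under, so a
// cookie set by a top-level popup and later expected inside an embed must be
// unpartitioned, which is the situation the issue describes.
function cookieUsableInEmbed(setCookieHeader) {
  const parts = setCookieHeader.split(";").map((p) => p.trim());
  const attrs = new Map();
  for (const p of parts.slice(1)) {
    const [k, v = ""] = p.split("=");
    attrs.set(k.toLowerCase(), v.toLowerCase());
  }
  const problems = [];
  if (attrs.get("samesite") !== "none") problems.push("SameSite must be None");
  if (!attrs.has("secure")) problems.push("Secure is required with SameSite=None");
  if (attrs.has("partitioned")) problems.push("Partitioned cookies are not shared across top-level sites");
  return { usable: problems.length === 0, problems };
}

// True if the embed already has cross-site cookie access (a previous grant).
async function hasCookieAccess(doc) {
  return typeof doc.hasStorageAccess === "function" && (await doc.hasStorageAccess());
}

// Returns "granted", "denied" or "unsupported". Must be called from a user
// gesture (a click) in the embed, because requestStorageAccess() may prompt.
async function ensureCookieAccess(doc) {
  if (typeof doc.hasStorageAccess !== "function") return "unsupported";
  if (await doc.hasStorageAccess()) return "granted";
  try {
    await doc.requestStorageAccess();
    return "granted";
  } catch (_) {
    return "denied"; // user declined, or the browser refused without a prompt
  }
}

// Open the sign-in popup; false means a popup blocker suppressed it.
function openAuthPopup(win, authUrl) {
  return win.open(authUrl, "embedded-auth", POPUP_FEATURES) !== null;
}

// Resolve when the popup posts {type: "auth-complete"} from the expected
// origin. Messages from any other origin are ignored rather than trusted.
function awaitAuthResult(win, expectedOrigin, timeoutMs) {
  return new Promise((resolve) => {
    const timer = setTimeout(() => {
      win.removeEventListener("message", onMessage);
      resolve({ ok: false, reason: "timeout" });
    }, timeoutMs);
    function onMessage(ev) {
      if (ev.origin !== expectedOrigin) return;
      if (!ev.data || ev.data.type !== "auth-complete") return;
      clearTimeout(timer);
      win.removeEventListener("message", onMessage);
      resolve({ ok: true });
    }
    win.addEventListener("message", onMessage);
  });
}

// Handler for the "Sign in" click inside the embed. If access already exists
// no popup is needed. Otherwise the popup runs the sign-in at top level (which
// is also where the user interaction the heuristic needs takes place), and the
// UI should then show a "Continue" button whose click handler calls
// ensureCookieAccess(), so that requestStorageAccess() runs inside a gesture.
async function onSignInClick(doc, win, authUrl, authOrigin) {
  if (await hasCookieAccess(doc)) return "granted";
  if (!openAuthPopup(win, authUrl)) return "popup-blocked";
  const result = await awaitAuthResult(win, authOrigin, 5 * 60 * 1000);
  return result.ok ? "needs-continue" : result.reason;
}
```

The popup side (not shown) finishes authentication on its own origin, sets the cookie with `SameSite=None; Secure` and no `Partitioned` attribute, then calls `window.opener.postMessage({ type: "auth-complete" }, embedOrigin)` and closes; the embed only acts on that message when `event.origin` matches the auth origin.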

parthiiita commented 4 months ago

Hi @amaliev, what is the timeline for the heuristics deprecation? Is it going to be disabled soon after January 2025, or will it be disabled in the second half of 2025? We want to know how soon we need to be ready with the heuristics disabled and how long we can rely on that.

amaliev commented 4 months ago

Hi @parthiiita . We don't have a strict timeline for deprecating heuristics for now - this will require ongoing discussions with web standards.

amaliev commented 2 months ago

I will close this issue as we have not been able to reproduce it in the Chrome browser (since it is mitigated by the popup heuristic). If you see this issue reappear, could you please file a breakage report at https://goo.gle/report-3pc-broken? Thank you!