Nice, sounds like I can get rid of the extension I use to toggle `privacy.firstparty.isolate`.
> In addition, Total Cookie Protection makes a limited exception for cross-site cookies when they are needed for non-tracking purposes, such as those used by popular third-party login providers. Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting. Such momentary exceptions allow for strong privacy protection without affecting your browsing experience.
That's exactly why I have to toggle it. Anyone that uses auth0, and many publication sites (follow a link to a PDF, get redirected to `/cookie-absent` instead) fall foul.
Moreover, I've heard loud voices before that controlling 3rd party cookies will break login providers - guess what, it turned out if there is a will, there is a way.
I find this very annoying. An OpenID Connect provider is perfectly capable of working without using third-party cookies. The only reason they need them is to allow OIDC authentication without actually redirecting to the provider (by using a hidden iframe to do the OIDC flow on the same site). But if 3rd-party cookies are disabled it should just fall back to the normal OIDC redirect.
The OIDC front channel signout functionality relies on third party cookies to work properly. This feature has the IDP basically loading your app's end session page in a hidden iframe.
Similarly the OpenID Connect Session Management feature (check_session_iframe) also depends on the ability to use third party cookies.
This functionality is needed to be able to detect if the user logged out from front-end code without relying on having any back end code that could receive either a front-channel or back-channel signout notification and send it back.
In the absence of that, a pure SPA with no backend could only detect the logout if access tokens are stateful, and they get an error message back that the token refers to an ended session.
Some people get really cranky if a single sign out feature does not actually sign you out of everything.
Sorry, you're right. I was just thinking about sign in. But at the same time it seems like the cat is already out of the bag on this one. Safari already blocks all third party cookies by default and it seems like other browsers are moving in the same direction.
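An added sketch (not code from any commenter or identity provider) of the `check_session_iframe` comparison discussed above, using the `session_state` construction suggested in OpenID Connect Session Management 1.0, run against a shared and a partitioned cookie jar. The cookie jar model, site names, client ID, salt and browser-state value are constructed for illustration.

```javascript
// Added illustration; CookieJar, opIframeCheck and simulate are hypothetical names.
const crypto = require("crypto");

// session_state in the form the Session Management spec suggests:
// hash(client_id + " " + origin + " " + opbs + " " + salt) + "." + salt
function sessionState(clientId, origin, opbs, salt) {
  const h = crypto.createHash("sha256")
    .update(`${clientId} ${origin} ${opbs} ${salt}`).digest("hex");
  return `${h}.${salt}`;
}

// Toy cookie jar: when partitioned, a cookie is keyed by top-level site too.
class CookieJar {
  constructor(partitioned) { this.partitioned = partitioned; this.store = new Map(); }
  key(site, topLevel) { return this.partitioned ? `${topLevel}|${site}` : site; }
  set(site, topLevel, value) { this.store.set(this.key(site, topLevel), value); }
  get(site, topLevel) { return this.store.get(this.key(site, topLevel)); }
}

// The OP iframe's answer to the RP's postMessage "client_id session_state".
function opIframeCheck(jar, opSite, topLevel, rpOrigin, message) {
  const [clientId, state] = message.split(" ");
  if (!clientId || !state || !state.includes(".")) return "error";
  const salt = state.split(".")[1];
  const opbs = jar.get(opSite, topLevel); // OP browser-state cookie, if visible
  if (opbs === undefined) return "changed"; // no cookie: looks like a logout
  return sessionState(clientId, rpOrigin, opbs, salt) === state ? "unchanged" : "changed";
}

function simulate(partitioned) {
  const jar = new CookieJar(partitioned);
  const op = "idp.example", rp = "app.example", rpOrigin = "https://app.example";
  const opbs = "constructed-browser-state"; // constructed sample value
  jar.set(op, op, opbs); // login: top-level visit to the OP sets the cookie
  const state = sessionState("client123", rpOrigin, opbs, "salt42"); // sent to RP
  // Later the RP page embeds check_session_iframe, so the top-level site is the RP.
  return opIframeCheck(jar, op, rp, rpOrigin, `client123 ${state}`);
}

console.log("shared jar:     ", simulate(false));
console.log("partitioned jar:", simulate(true));
```

In the partitioned run the session at the provider is still live; the iframe reports `changed` only because the cookie set during the top-level login is not visible to it when embedded under the relying party.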
"Nice, sounds like I can get rid of the extension I use to toggle `privacy.firstparty.isolate` ..."
Forgive me ... do I understand that there is a true/false setting in Firefox named "privacy.firstparty.isolate" that you like to toggle from time to time ... and you use an extension to do that?
I don't do much browser customization and use only one extension (uBlock Origin) but ... couldn't I toggle a single Firefox setting with a simple command line?
Toggling it manually requires going to about:config, and searching for it.
On startup it's enabled (i.e. do isolate) via a config file, so I could change it there with a shell script. I think though that I'd have to restart Firefox for it to take effect.
The extension gives me a handy button in the toolbar that's red (danger) when it's off (i.e. not isolating) that I can just click to toggle.
Yes, it's a tiny job for an extension, but do one thing well, right? Also, to be honest, it's easier that it's there than switching to or pulling up a new shell.