What makes me wonder is this:
Google's authentication is used on many a website. You can enter with your Google account, which entails giving Google itself the ability to leave their third-party cookies on the website that uses their authentication method. Other platforms – such as GitHub and Apple – use similar ones.
Under a no-third-party-cookie rule, how would one be able to sign up using a "broader" account?
I'm a little rusty on OAuth2 flows, but I'm pretty certain it doesn't use or depend on any embeds. The Google part takes place on a page that's purely a Google domain, and then redirects back to the original domain using a callback URL with a key in it - proper separation is maintained throughout.
Google Analytics, on the other hand, definitely is an embed and gives them free access to track users across basically every site out there.
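The redirect-and-callback flow described in the comment above, sketched as an added example that is not part of the original thread: the site sends the browser to the identity provider as a top-level navigation, and on return checks the callback against its own first-party session, so no third-party cookie is involved. The hosts `idp.example` and `shop.example`, the client id and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical endpoints and client id, constructed for this example.
AUTHORIZE_URL = "https://idp.example/authorize"
REDIRECT_URI = "https://shop.example/oauth/callback"
CLIENT_ID = "example-client-id"


def begin_login(session: dict) -> str:
    """Relying party: build the top-level redirect to the identity provider.

    The random state is stored in the site's own first-party session, so the
    callback can later be tied to the browser that started the login.
    """
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Relying party: validate the redirect back and return the one-time code.

    Raises ValueError if the URL is not the registered callback, if the state
    does not match this session (login CSRF), or if no code is present.
    """
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("unexpected callback location")
    params = parse_qs(parts.query)
    expected = session.pop("oauth_state", None)  # single use: replay fails
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch")
    if "error" in params or "code" not in params:
        raise ValueError("authorization failed")
    # The code is then exchanged server-to-server for tokens (not shown).
    return params["code"][0]
```

The identity provider's own login cookies are only read while the browser is on the provider's origin, where they are first-party.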
I don't think Apple's authentication uses third-party cookies. That'd break with default settings in their own browser. This has been the case for at least three years now.
And replacing it with a somewhat more invasive system, it seems.
Here's the official Chromium blog post about this: https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html
Anyone have a way past the paywall?
http://archive.md/k5DsA
Archived version, full read.