FPI
- Breakage
- 3rd party login flows
- Redirects
Ex. gmail.com -> youtube.com -> mail.google.com
Third parties have access to cookies
Investigate Apple's Tracking protection
Look at the time spent on intermediate sites, and if it is a short time, then delete cookies associated with that site
- This doesn't work if the site is used as a final destination and within a redirect chain
- Should we expire cookies after some amount of time?
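
A sketch of the dwell-time heuristic above and its failure case, as an added example (not code from these notes or from any browser). The 1000 ms threshold, the function name, and the constructed history (with sites keyed by hostname as written in the notes) are assumptions.

```javascript
// Hops shorter than this count as pass-through redirects (assumed value).
const SHORT_DWELL_MS = 1000;

// Constructed sample history: each chain is an ordered list of hops.
// dwellMs is null for the hop the user ended on.
const SAMPLE_CHAINS = [
  [
    { site: "gmail.com", dwellMs: 40 },
    { site: "youtube.com", dwellMs: 120 },
    { site: "mail.google.com", dwellMs: null },
  ],
  // The same site visited directly, as a final destination.
  [{ site: "youtube.com", dwellMs: null }],
];

// Hypothetical helper: sort sites into cookie-purge candidates, sites to
// keep, and "conflicted" sites seen both as a short hop and as a destination.
function classifySites(chains, shortDwellMs = SHORT_DWELL_MS) {
  const shortHop = new Set();
  const destination = new Set();
  for (const chain of chains) {
    chain.forEach((hop, i) => {
      const isLast = i === chain.length - 1;
      if (!isLast && hop.dwellMs !== null && hop.dwellMs < shortDwellMs) {
        shortHop.add(hop.site);
      } else {
        destination.add(hop.site);
      }
    });
  }
  const purge = [...shortHop].filter((s) => !destination.has(s)).sort();
  const conflicted = [...shortHop].filter((s) => destination.has(s)).sort();
  const keep = [...destination].filter((s) => !shortHop.has(s)).sort();
  return { purge, conflicted, keep };
}

console.log(classifySites(SAMPLE_CHAINS));
```

Sites in `conflicted` are the case the heuristic cannot decide: purging breaks the direct visit, keeping leaves the redirect hop's cookies in place.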
window.open()
- Tor Browser blocks communication between tabs using opener
- Post messaging is still an option for communication.
- Do we know how post messaging is used across the web?
- Maybe show a permissions prompt when a child tab tries using post messaging for communicating with the parent tab
SharedWorkers should be FPI already - and there should be a test for it (but what about ServiceWorkers) - 1264593
Shield study showed breakage during login (but not specific details) - 1315205
Login-flow using third-party cookies:
- Apple disables third-party cookies in Safari ("Prevent Cross-Site Tracking")
- https://support.apple.com/guide/safari/prevent-websites-from-tracking-you-sfri40732/mac
- TB does not currently allow third-party cookies