FPI

- Breakage
- 3rd party login flows
- Redirects

Ex. gmail.com -> youtube.com -> mail.google.com

Third parties have access to cookies

Investigate Apple's Tracking protection

Look at the time spent on intermediate sites, and if it is a short time, then delete cookies associated with that site

- This doesn't work if the site is used as a final destination and within a redirect chain
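
The dwell-time heuristic and its caveat, sketched as an added example (not part of the original notes). The 1-second threshold, the chain format and the `.example` sites are assumptions; the sample data is constructed.

```javascript
// Assumed cutoff for "a short time" on an intermediate site (not from the notes).
const SHORT_DWELL_MS = 1000;

// Each chain is one top-level navigation: ordered hops, last hop = destination.
// Returns sites whose cookies could be purged, and sites that hit the caveat
// (seen both as a quick redirect hop and as a real destination).
function classifySites(chains, thresholdMs = SHORT_DWELL_MS) {
  const bounced = new Set();      // brief intermediate hops
  const destinations = new Set(); // final hops, or hops the user lingered on
  for (const chain of chains) {
    chain.forEach((hop, i) => {
      const isLast = i === chain.length - 1;
      if (!isLast && hop.dwellMs < thresholdMs) bounced.add(hop.site);
      else destinations.add(hop.site);
    });
  }
  const purge = [];
  const ambiguous = [];
  for (const site of bounced) {
    // A site that is also a destination must keep its cookies, so dwell time
    // alone cannot decide; report it separately instead of purging.
    (destinations.has(site) ? ambiguous : purge).push(site);
  }
  return { purge: purge.sort(), ambiguous: ambiguous.sort() };
}

// Constructed sample: the redirect chain from the notes, a bounce-tracker
// chain, and a direct visit to a site that also appears mid-chain.
const sampleChains = [
  [{ site: "gmail.com", dwellMs: 40 },
   { site: "youtube.com", dwellMs: 35 },
   { site: "mail.google.com", dwellMs: 600000 }],
  [{ site: "news.example", dwellMs: 90000 },
   { site: "bounce.example", dwellMs: 20 },
   { site: "shop.example", dwellMs: 120000 }],
  [{ site: "youtube.com", dwellMs: 900000 }],
];

console.log(classifySites(sampleChains));
```
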
- Should we expire cookies after some amount of time?
- `window.open()`:
- Tor Browser blocks communication between tabs using opener
- Post messaging is still an option for communication.
- Do we know how post messaging is used across the web?
- Maybe show a permissions prompt when a child tab tries using post messaging for communicating with the parent tab

SharedWorkers should be FPI already - and there should be a test for it (but what about ServiceWorkers) - 1264593

Shield study showed breakage during login (but not specific details) - 1315205

Login-flow using third-party cookies:
- Apple disables third-party cookies in Safari ("Prevent Cross-Site Tracking")
- https://support.apple.com/guide/safari/prevent-websites-from-tracking-you-sfri40732/mac
- TB does not currently allow third-party cookies