single sign out with Firefox Accounts

Jared Hirsch 6a68 at mozilla.com
Mon Nov 11 13:00:55 PST 2013


On Nov 11, 2013, at 12:27 PM, Sean McArthur <smcarthur at mozilla.com> wrote:

> 
> On Sun, Nov 10, 2013 at 10:23 AM, Chris Karlof <ckarlof at mozilla.com> wrote:
> My understanding is that Safari's default policy is not as simple as "absolutely no third party cookies". 
> 
> Do we understand what Safari classifies as a "third party cookie"? E.g., are x.y.com and z.y.com considered to have a "third party relationship"?

This is all Same Origin Policy stuff[1]. If the domain + protocol (+ port, optionally) don't match, they are third parties; if those pieces match, they're first parties.

Subdomains like x.y.com and z.y.com can become same origins, by sharing cookies on the ".y.com" domain, and both sites setting document.domain = .y.com. This is a fairly ancient trick, known as "domain relaxation." This works on fairly ancient browsers, and I expect will also get around Safari third-party restrictions, simply because the products will all be first-party with respect to each other.

Note that everything or nothing must be on https with this approach, since same-origin policy includes the protocol. Note also that sharing cookies/storage across many products means that a security breach in one affects all the rest.

One other thing we might try is, rather than try to read from third-party localstorage, take the performance hit of messaging over the assertion/creds/etc., either via iframe postmessaging, or cross-domain xhr. This could cover the case of logging into foo.com with creds from bar.com.

[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript

> 
> I don't know the answer here. However, we have properties over many domains that would use a Firefox Account: marketplace.firefox.com, developer.mozilla.org, webmaker.org, to name a few.
> 
> Is our understanding of Safari's policy from the Persona context documented somewhere? I found this:
> 
> https://github.com/mozilla/browserid/issues/3905#issuecomment-25002218
> 
> I also realize that "SSO has to work everywhere" was a little vague. In case there was confusion, I meant all web browsers, not all web sites.
> 
> I know you meant all web browsers. I was saying Safari makes this really hard. 
> 
> _______________________________________________
> Dev-fxacct mailing list
> Dev-fxacct at mozilla.org
> https://mail.mozilla.org/listinfo/dev-fxacct
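The two ideas above (what counts as the same origin, and the postMessage alternative to reading third-party storage) as an added example; this is illustrative code written for this archive page, not code from the thread or from the Firefox Accounts project. The allowlisted origin `https://accounts.firefox.com`, the message shape `{type: "assertion", assertion: "..."}` and the function names are assumptions. `document.domain` itself cannot be exercised outside a browser, so `canRelaxTo` only reproduces the rule a browser applies before it lets two documents relax to a shared suffix (same scheme, and each host is the suffix or a subdomain of it). The handler shows the check a relying party should make before trusting anything that arrives over `postMessage`: compare `event.origin` against an explicit allowlist, never accept `*`.

```javascript
// Added example, not from the original mailing-list thread.
// Runs under Node (WHATWG URL is a global); no browser APIs are needed.

// The origin the same-origin policy compares: scheme + host + port.
// Node's URL drops default ports, so https://x.y.com:443 and https://x.y.com agree.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Domain relaxation: two documents may both set document.domain to a common
// suffix (e.g. "y.com") only if each host IS that suffix or a subdomain of it,
// and the scheme matches. "evil-y.com" must not qualify for "y.com".
function canRelaxTo(urlA, urlB, suffix) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  const hostMatches = (host) => host === suffix || host.endsWith('.' + suffix);
  return a.protocol === b.protocol && hostMatches(a.hostname) && hostMatches(b.hostname);
}

// Receiving side of the postMessage alternative. ALLOWED_ORIGINS and the
// message format are assumptions for this example, not a real FxA contract.
const ALLOWED_ORIGINS = new Set(['https://accounts.firefox.com']);

// `event` mirrors a MessageEvent: { origin, data }. Returns the assertion
// string when the sender is trusted and the payload is well-formed, else null.
function handleAssertionMessage(event) {
  // Origin check first: a malicious page can open a frame to us and post anything.
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;

  let msg;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return null; // malformed JSON from an otherwise trusted origin is still rejected
  }
  if (!msg || msg.type !== 'assertion' || typeof msg.assertion !== 'string') return null;
  return msg.assertion;
}

// Sending side: always name the target origin instead of "*", so the assertion
// is dropped if the frame has navigated elsewhere. `frameWindow` is whatever
// window reference the caller holds (e.g. iframe.contentWindow in a browser).
function sendAssertion(frameWindow, assertion, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to broadcast an assertion to any origin');
  frameWindow.postMessage(JSON.stringify({ type: 'assertion', assertion }), targetOrigin);
}

module.exports = { originOf, isSameOrigin, canRelaxTo, handleAssertionMessage, sendAssertion };
```

Note that `canRelaxTo` with an `http:` URL on one side and `https:` on the other returns false, which is the "everything or nothing on https" constraint from the message above; and `handleAssertionMessage` returns null for a correctly shaped message from an unlisted origin, which is the case an attacker page controls.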
