single sign out with Firefox Accounts

Lloyd Hilaiel lhilaiel at mozilla.com
Mon Nov 11 13:07:20 PST 2013


On Nov 11, 2013, at 11:00 PM, Jared Hirsch <6a68 at mozilla.com> wrote:

>> Do we understand what Safari classifies as a "third party cookie"? E.g., are x.y.com and z.y.com considered to have a "third party relationship"?
> 
> This is all Same Origin Policy stuff[1]. If the domain + protocol (+ port, optionally) don't match, they are third parties; if those pieces match, they're first parties.

I’m a little confused.  The relevant challenges for us have been around the behavior of the browser with respect to local/session storage or cookies for code rendered inside an iframe embedded in code from a different domain.

Specifically.  We have a domain, login.persona.org.  That domain uses local storage and cookies.  Whether code from that domain is rendered first party (url bar displays https://login.persona.org), or third party (url bar displays https://123done.org, and an iframe embedded therein served from https://login.persona.org) - affects its ability to access local/session storage, and affects its ability to read/write cookies.  

The restrictions imposed on code rendered in an iframe vary heavily by browser and settings.

Would a longer post on this topic be useful?

lloyd
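
Added example, not part of the original message and not Mozilla's code: a probe that code served from an identity origin could run to learn what storage it can actually use when rendered first party versus inside an iframe on another site. The function names are hypothetical, and the probe assumes a blocked store shows up either as a thrown exception or as a write that does not read back.

```javascript
// Added example: probe what storage an embedded login page can really use.
// `win` is a window-like object, so the probe also runs against mocks offline.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Defensive: if reading `top` is blocked, treat the page as framed.
    return true;
  }
}

function storageWorks(win, name) {
  const key = '__probe_' + name;            // constructed key name
  try {
    const store = win[name];                // the getter itself may throw
    if (!store) return false;
    store.setItem(key, '1');
    const ok = store.getItem(key) === '1';  // write must read back
    store.removeItem(key);
    return ok;
  } catch (e) {
    return false;                           // blocked or quota of zero
  }
}

function cookiesWork(win) {
  try {
    const doc = win.document;
    doc.cookie = '__probe_cookie=1; path=/';
    const ok = doc.cookie.indexOf('__probe_cookie=1') !== -1;
    // Expire the probe cookie so the check leaves no state behind.
    doc.cookie = '__probe_cookie=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT';
    return ok;
  } catch (e) {
    return false;
  }
}

function probeStorageAccess(win) {
  return {
    framed: isFramed(win),
    localStorage: storageWorks(win, 'localStorage'),
    sessionStorage: storageWorks(win, 'sessionStorage'),
    cookies: cookiesWork(win),
  };
}
```

In a browser, call `probeStorageAccess(window)` from the embedded page and fall back to a top-level redirect or popup flow when the stores the login state depends on come back `false`.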


More information about the Dev-fxacct mailing list