George Fletcher presented Browser Changes Impacting Identity Flows at the OIDF Workshop at Verizon Media on Monday, September 30, 2019 in Sunnyvale, CA.
4. SameSite policy changes
SameSite=Strict
● Only sent when the page loaded in the browser exactly matches the domain of the cookie
SameSite=Lax
● Cookie is sent from a non-matching domain if and only if the user explicitly clicks a link that initiated the load of the off-domain page
SameSite=None; Secure
● The default that we have today, except that these cookies will only be sent over secure connections (HTTPS)
5. What is affected by SameSite=strict
It’s fair to say that mostly everything. A client requesting an authentication/authorization response from an AS through the regular browser redirect flow will get hindered like so:
● The RP session cookie (in which regularly nonce and state is stored) will not be sent with the callback.
● The OP session cookie will not be sent with the redirect and therefore the AS will resolve to authenticating the end-user again. It will set a new session cookie and the old one will become orphaned.
● When an AS redirects to an upstream IdP (Facebook, Google, etc.) it won’t be able to consume the callback, since then we are the RP and we can’t load our session cookie with the state/nonce details we need to consume a callback.
6. What is affected by SameSite=lax
Any hidden iframe mechanism
● response_mode=web_message used for silently renewing tokens: the origin of the request is not the AS, hence the AS session cookie is disqualified from being sent.
● OIDC Session Management and Logout Specifications
○ Session Status Change Notification - the origin of the request is not the AS, hence the individual RP session state cookies are disqualified from being accessible to the JavaScript context.
○ Front-Channel RP Logout iframe - the origin of the request is not the RP website, hence the RP session cookies are disqualified from being sent.
7. What is affected by SameSite=lax
POST based protocol messages
● response_mode=form_post used to return tokens via the front-channel but directly to the RP backend service. The origin of the request is the AS, hence the RP session cookie (in which regularly nonce and state is stored) will not be sent with the callback. An RP will fail to consume the callback.
● POST to the authorization_endpoint - the OP session cookie will not be sent with the POST request and therefore the AS will resort to authenticating the end-user again. It will set a new session cookie and the old one will become orphaned.
● POST to the end_session_endpoint - the OP session cookie will not be sent with the POST request and therefore the AS will not be able to identify the authenticated session and logout will not be performed.
8. What is impacted by SameSite=none
● Cookies marked as SameSite=none MUST also be flagged as ‘Secure’
● This means that these cookies will only be sent to an HTTPS endpoint
● This means that if the RP is using SameSite=none cookies, their callback URI MUST be HTTPS
● Developers now need to run their dev endpoints as secure (HTTPS) endpoints
9. Upcoming Changes to current SameSite policy
● Google calls this Incrementally Better Cookies in their individual draft and it consists of two changes, one being a prerequisite for the other.
○ Default sameSite cookie attribute changes from “none” to “lax”
○ Cookies with sameSite attribute none also have to be secure
● Intent to ship in Chrome by default has been set to version 80 (due in February 2020), Firefox version 69 behind a preference toggle.
○ https://www.chromestatus.com/feature/5088147346030592
○ https://www.chromestatus.com/feature/5633521622188032
○ https://groups.google.com/forum/#!msg/mozilla.dev.platform/nx2uP0CzA9k/BNVPWDHsAQAJ
10. What the change means
When a set-cookie header does not have a sameSite attribute, instead of defaulting to none (today’s behaviour) it will be defaulted to lax.
When a set-cookie header has an unrecognized sameSite attribute, instead of defaulting to none (today’s behaviour) it will be defaulted to lax.
11. Impact on Authorization Servers
● Inventory existing flows to determine impact
○ Depending on the existing supported flows (e.g. top-level full page redirects) no changes may be necessary
● What to do?
○ In order to ensure all existing flows are still working, send sameSite=none with all cookies that are intended to be accessed cross-origin.
○ Use two cookies
● Risk:
○ Some, to work around a known WebKit bug which is still in effect (see below, “Existing WebKit bug”).
12. Impact on Relying Parties
● If a client currently sets their cookies to either of the defined values, it will continue to work after the default sameSite value changes as well.
● If a client currently uses a response mode of query or fragment, it will continue to work after the default sameSite value changes as well.
● Native SDKs (using custom scheme or claimed https URIs) are not affected; these use either query or fragment.
● If a client uses response_mode=form_post
○ the cookies used to convey a session or ones that contain the request parameters like nonce, state, etc. need to be set to “none”
○ - or -
○ the implementation must be changed to response_mode=fragment with a self-submitting form being rendered on the client’s GET
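The second option on slide 12, as an added example that is not part of the deck: an RP that used response_mode=form_post switches to response_mode=fragment. The AS now sends the browser to the RP callback with a top-level GET, so the RP's Lax session cookie is sent, and the page served on that GET copies the response parameters out of the fragment into a form that it POSTs to the RP backend from the RP's own origin. That POST is same-site, so it carries the cookie too. The callback path, the parameter allow-list and the helper names are this example's own assumptions, not anything the presenter or an OpenID specification prescribes.

```javascript
// Added example (not from the slides): RP callback page for response_mode=fragment.
// Assumed layout: GET /callback serves the page below; POST /callback (same origin)
// receives the forwarded parameters with the RP session cookie attached.

// Parameters the backend actually consumes; anything else in the fragment is dropped.
const FORWARDED = ['code', 'state', 'id_token', 'error', 'error_description'];

// "#code=abc&state=xyz" -> { code: 'abc', state: 'xyz' }. URLSearchParams exists in
// both Node and browsers, so the same parsing runs on either side.
function parseFragment(hash) {
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  return Object.fromEntries(new URLSearchParams(body));
}

// The backend applies the same allow-list to the POST body it receives.
function pickForwarded(params) {
  const out = {};
  for (const name of FORWARDED) if (name in params) out[name] = params[name];
  return out;
}

// Attribute-safe escaping for the one server-controlled value that lands in the HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// HTML returned for GET /callback. Nothing from the fragment reaches the server on
// this GET; the inline script moves the allowed parameters into hidden inputs and
// submits the form to `postAction` on the same origin.
function renderSelfSubmittingPage(postAction) {
  return `<!doctype html>
<html><body>
<form id="f" method="post" action="${escapeHtml(postAction)}"></form>
<script>
  var allowed = ${JSON.stringify(FORWARDED)};
  var params = new URLSearchParams(window.location.hash.slice(1));
  var form = document.getElementById('f');
  allowed.forEach(function (name) {
    if (!params.has(name)) return;
    var input = document.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = params.get(name);
    form.appendChild(input);
  });
  // Drop the code/token-bearing fragment from history before leaving the page.
  history.replaceState(null, '', window.location.pathname);
  form.submit();
</script>
</body></html>`;
}

console.log(renderSelfSubmittingPage('/callback'));
```

The backend still validates `state` against the value it stored in the session cookie before redeeming `code`; the page only changes how the parameters arrive, not the checks applied to them.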
13. Temporary workaround for login flows
● If a cookie has been set (session or persistent) within the last 2 minutes without an explicit SameSite value, it will still be sent with FORM posts
Impacts
● Allows existing flows to *mostly* NOT break when deployed
● Any FORM response based login flow that takes more than 2 minutes will break as the cookies will not be sent
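The rules on slides 4, 8, 10 and 13 combined into a small model of the browser's SameSite decision, added here as an example that is not part of the deck, and run against the three cross-site requests from slides 5 to 7 (the redirect callback, the form_post callback and the hidden renewal iframe). It shows which of those flows keep their cookies today, which keep them only inside the 2-minute Lax+POST window once "lax by default" ships, and which need an explicit SameSite=None; Secure cookie. Site names, cookies, timestamps and the flow definitions are constructed sample data; the model simplifies the real site comparison (eTLD+1 matching) to an exact string compare.

```javascript
// Added example (not from the slides): browser-side SameSite decision model.
// Sample sites, cookies and requests below are constructed for illustration.

const LAX_POST_GRACE_MS = 2 * 60 * 1000; // the 2-minute Lax+POST allowance (slide 13)
const KNOWN = ['strict', 'lax', 'none'];

// Effective policy for a cookie. `raw` is the SameSite value from Set-Cookie, or
// undefined when the attribute was absent. Today an absent or unrecognized value
// means "none"; after the change it means "lax" (slide 10).
function effectiveSameSite(raw, laxByDefault) {
  const v = (raw || '').toLowerCase();
  if (KNOWN.includes(v)) return v;
  return laxByDefault ? 'lax' : 'none';
}

// Would the browser attach `cookie` to `request`?
//   cookie:  { domain, secure, sameSite?, setAt }
//   request: { initiator (site of the page that caused the request), method,
//              topLevelNavigation, https }
//   policy:  { laxByDefault, now }
function cookieIsSent(cookie, request, policy) {
  if (cookie.secure && !request.https) return false;   // Secure cookies never go over plain HTTP
  if (request.initiator === cookie.domain) return true; // same-site: SameSite does not apply
  const explicit = KNOWN.includes((cookie.sameSite || '').toLowerCase());
  switch (effectiveSameSite(cookie.sameSite, policy.laxByDefault)) {
    case 'strict':
      return false;
    case 'lax':
      if (!request.topLevelNavigation) return false; // iframes, fetch/XHR, images
      if (request.method === 'GET') return true;     // e.g. the link click on slide 4
      // A defaulted (not explicit) Lax cookie younger than 2 minutes still rides on a
      // top-level POST (slide 13); an explicitly Lax cookie never does.
      return !explicit && policy.laxByDefault && policy.now - cookie.setAt < LAX_POST_GRACE_MS;
    case 'none':
      // After the change, None is only honoured on cookies that are also Secure (slide 8).
      return policy.laxByDefault ? Boolean(cookie.secure) : true;
  }
  return false;
}

const RP = 'rp.example';
const AS = 'as.example';
const T0 = 1000000; // time the sample cookies were set (constructed)

// The three cross-site requests discussed on slides 5 to 7.
const FLOWS = {
  // authorization_code: the AS redirects the browser back to the RP callback with ?code=...
  redirectCallback:  { initiator: AS, method: 'GET',  topLevelNavigation: true,  https: true },
  // response_mode=form_post: a page served by the AS auto-submits a form to the RP backend
  formPostCallback:  { initiator: AS, method: 'POST', topLevelNavigation: true,  https: true },
  // response_mode=web_message: the RP's hidden iframe loads the AS authorization endpoint
  silentRenewIframe: { initiator: RP, method: 'GET',  topLevelNavigation: false, https: true },
};

// Evaluate the flows under a given default and clock; returns which ones still
// receive the cookie they depend on.
function evaluateFlows(laxByDefault, now) {
  const policy = { laxByDefault, now };
  const rpSession = { domain: RP, secure: true, setAt: T0 };                       // no SameSite attribute
  const asSession = { domain: AS, secure: true, setAt: T0 };                       // no SameSite attribute
  const asSessionNone = { domain: AS, secure: true, sameSite: 'None', setAt: T0 }; // the slide 11 fix
  return {
    redirectCallback:       cookieIsSent(rpSession, FLOWS.redirectCallback, policy),
    formPostCallback:       cookieIsSent(rpSession, FLOWS.formPostCallback, policy),
    silentRenewIframe:      cookieIsSent(asSession, FLOWS.silentRenewIframe, policy),
    silentRenewIframeFixed: cookieIsSent(asSessionNone, FLOWS.silentRenewIframe, policy),
  };
}

console.log('today:           ', evaluateFlows(false, T0 + 60000));
console.log('lax default, 1m: ', evaluateFlows(true, T0 + 60000));
console.log('lax default, 3m: ', evaluateFlows(true, T0 + 180000));
```

Under today's default every flow receives its cookie; under the new default the redirect callback still works, the form_post callback works only while the session cookie is younger than two minutes, and the renewal iframe loses the AS cookie unless that cookie is explicitly SameSite=None and Secure.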
14. SameSite=none WebKit bug
Older instances of iOS WebKit do not correctly handle a cookie explicitly marked as SameSite=none. Instead they default the cookie to the ‘strict’ policy.
Resolution:
● At this point it doesn’t appear that older versions of WebKit will be patched
● Recommended solution is to use two cookies, one explicitly set to SameSite=none and one with no SameSite attribute
○ This requires the service receiving the cookies to work through what to do if both arrive :)
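The "two cookies" workaround from slides 11 and 14 as a server would implement it, added here as an example that is not from the deck: the session value is set twice, once explicitly SameSite=None; Secure for compliant browsers and once with no SameSite attribute for the older iOS WebKit builds that treat None as Strict, and the receiving side decides what to do when neither, one or both copies arrive. The cookie name, the "-legacy" suffix and the rule of trusting neither copy on a mismatch are this example's own choices, not a standard.

```javascript
// Added example (not from the slides): dual-cookie emission and reconciliation.
// Cookie names and the "-legacy" suffix are assumptions of this example.

// Emit the session value twice. Compliant browsers send the explicit None copy
// cross-site; buggy WebKit drops it (treated as Strict) but still sends the copy
// that carries no SameSite attribute at all.
function dualSetCookieHeaders(name, value, maxAgeSeconds) {
  const common = `Path=/; HttpOnly; Secure; Max-Age=${maxAgeSeconds}`;
  return [
    `${name}=${value}; ${common}; SameSite=None`,
    `${name}-legacy=${value}; ${common}`,
  ];
}

// Clearing must cover both copies, or the legacy one keeps the session alive.
function dualClearCookieHeaders(name) {
  return dualSetCookieHeaders(name, '', 0);
}

// Minimal Cookie request-header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    if (key) jar[key] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Receiving side. The browser may send neither copy, one, or both:
//   both, agreeing    -> a current browser; use the value
//   both, disagreeing -> one copy is stale or was tampered with; trust neither
//   only the explicit -> a browser that withheld the defaulted (now Lax) copy cross-site
//   only the legacy   -> a WebKit build with the SameSite=None bug
function resolveSessionCookie(cookieHeader, name) {
  const jar = parseCookieHeader(cookieHeader);
  const explicit = jar[name];
  const legacy = jar[`${name}-legacy`];
  if (explicit !== undefined && legacy !== undefined) {
    return explicit === legacy
      ? { value: explicit, source: 'both' }
      : { value: null, source: 'mismatch' };
  }
  if (explicit !== undefined) return { value: explicit, source: 'explicit' };
  if (legacy !== undefined) return { value: legacy, source: 'legacy' };
  return { value: null, source: 'none' };
}

console.log(dualSetCookieHeaders('sid', 'abc123', 3600));
console.log(resolveSessionCookie('sid=abc123; sid-legacy=abc123', 'sid'));
console.log(resolveSessionCookie('sid-legacy=abc123', 'sid'));
```

Both headers go out on every response that sets or rotates the session, so a mismatch on arrival means one copy was not updated with the other; treating that as "no session" and re-authenticating is the conservative choice and costs only an extra login.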
15. ITP 2.X
Sites flagged as “tracking sites” have their cookies wiped every 30 days unless the user explicitly interacts with the eTLD+1. This applies to local storage as well. [ITP 2.1]
Persistent cookies set via JS are wiped after 24 hours. [ITP 2.2]
Cookies won’t be sent at all in 3rd party contexts.
In Safari 13, local storage will be wiped (after 7 days of no activity to that domain) if coming to a site from a “tracker site” and the request contains query parameters. [ITP 2.3]
2.3 - https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/
16. Impact of ITP 2.3
● Since the OIDC/OAuth authorization_code flow redirects with query parameters, it appears this will set the RP domain to have its localStorage wiped 7 days after the user last accesses that domain
17. Browser based “VPNs”
● Concern that request features like IP address might uniquely identify a user and enable tracking
● Browsers currently collecting metrics regarding this “tracking” approach
● Planning to support “remote proxying” of requests so that IPs are multiplexed across random users
https://www.technadu.com/firefox-premium-version-integrated-vpn/70071/
https://private-network.firefox.com/
https://github.com/bslassey/privacy-budget
https://blog.cloudflare.com/announcing-warp-plus/
18. navigator.isLoggedIn() proposal
“For the purposes of client-side storage/state, the behavior of the web platform has been “logged in by default,” meaning as soon as the browser loads a webpage, that page can store data virtually forever on the device, and the browser may have to treat the user as logged in to that website. That is a serious privacy issue. Long term storage should instead be tied to where the user is truly logged in.”
“If websites were allowed to set the IsLoggedIn status whenever they want, it would not constitute a trustworthy signal and would most likely be abused for user tracking. We must therefore make sure that IsLoggedIn can only be set when the browser is convinced that the user meant to log in or the user is already logged in and wants to stay logged in.”
https://lists.w3.org/Archives/Public/public-webappsec/2019Sep/0004.html
19. navigator.isLoggedIn() proposal
There are several ways the browser could make sure the IsLoggedIn status is trustworthy:
● Require websites to use WebAuthn or a password manager (including Credential Management) before calling the API.
● Require websites to take the user through a login flow according to rules that the browser can check. This would be the escape hatch for websites who can’t or don’t want to use WebAuthn or a password manager but still want to set the IsLoggedIn bit.
● Show browser UI acquiring user intent when IsLoggedIn is set. Example: A prompt.
● Continuously show browser UI indicating an active logged in session on the particular website. Example: Some kind of indicator in the URL bar.
● Delayed browser UI acquiring user intent to stay logged in, shown some time after the IsLoggedIn status was set. Example: Seven days after IsLoggedIn was set – “Do you want to stay logged in to news.example?”
● Requiring engagement to maintain logged in status. Example: Require user interaction as first party website at least every N days to stay logged in. The browser can hide instead of delete the credential token past this kind of expiry to allow for quick resurrection of the logged in session.
20. navigator.isLoggedIn() proposal
Some websites allow the user to use an existing account with a federated login provider to bootstrap a new local user account and subsequently log in. The IsLoggedIn API needs to support such logins.
● First, the federated login provider needs to call the API on its side, possibly after the user has clicked a “Log in with X” button:
● For the promise to resolve, the user needs to already have the IsLoggedIn status set for the federated login provider, i.e. the user needs to be logged in to the provider first.