On 19/03/13 14:38, Seb35 wrote:
Hello,
According to [1] and [2], Firefox 22 (release June 25, 2013) will change
the default third-party cookie policy: a third-party cookie will be
authorized only if there is already a cookie set on the third-party
website.
This would break most of the automatic login on sister projects on
Wikimedia websites, since the page just after the log in will no longer
set cookies of sister projects, and you will have to manually log in to
each domain (of level wikipedia.org, not of level de.wikipedia.org) -- I
tested with Firefox 16.
What could be done to mitigate this effect? (...)
[1] http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/
[2] https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_22
~ Seb35
Copying Jonathan Mayer.
Background information: When you log into e.g. en.wikipedia.org, you get
cookies logging you into not only *.wikipedia.org but also
*.wiktionary.org, *.wiktionary.org, *.wikibooks.org,
commons.wikimedia.org, etc.
Obviously, that uses third-party cookies.
Firefox 22 will block our single-login (unless you are already logged on
the other project, which would be the case in which you would already
have cookies there).
If it can't be corrected, we will have to publicise this fact quite
well, as I expect many complaints of "Unified login doesn't work".
Jonathan, do you have any suggestion?
An idea to fix it would be to take advantage of the new certificate
which includes all projects, by having Firefox detect that the
‘third-party site’ belongs to the same entity, since they share the https
certificate (we would need to enable https to all logins, but that was
planned, anyway).
Regards
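
A simplified model of the policy discussed in this thread, added here as an illustration; it is not part of the original messages and is not Firefox or MediaWiki code. The `CookieJar` class, the `session` and `prefs` cookie names and the two-label grouping of hosts are assumptions made for the example.

```javascript
// Constructed model of the policy as the thread states it: a third-party
// cookie is stored only if the jar already holds a cookie for that site.

// Assumption: hosts are grouped by their last two labels
// (wikipedia.org, not de.wikipedia.org), the level named in the thread.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

class CookieJar {
  constructor() { this.cookies = new Map(); } // site -> Set of cookie names

  hasCookiesFor(host) { return this.cookies.has(site(host)); }

  // Returns true if the cookie was stored, false if the policy blocked it.
  setCookie(topLevelHost, cookieHost, name) {
    const thirdParty = site(topLevelHost) !== site(cookieHost);
    if (thirdParty && !this.hasCookiesFor(cookieHost)) return false;
    const key = site(cookieHost);
    if (!this.cookies.has(key)) this.cookies.set(key, new Set());
    this.cookies.get(key).add(name);
    return true;
  }
}

// Log in on loginHost; the post-login page then tries to set a session
// cookie for each sister project. Returns the sites now logged in.
function unifiedLogin(jar, loginHost, sisterHosts) {
  const loggedIn = [];
  for (const host of [loginHost, ...sisterHosts]) {
    // "session" is a hypothetical cookie name
    if (jar.setCookie(loginHost, host, "session")) loggedIn.push(site(host));
  }
  return loggedIn;
}

// Constructed sample of sister-project hosts.
const SISTERS = ["en.wiktionary.org", "en.wikibooks.org", "commons.wikimedia.org"];

// Fresh profile: only the first-party login cookie is stored.
console.log(unifiedLogin(new CookieJar(), "en.wikipedia.org", SISTERS));

// Profile that earlier visited Commons directly and received a cookie there.
const returning = new CookieJar();
returning.setCookie("commons.wikimedia.org", "commons.wikimedia.org", "prefs");
console.log(unifiedLogin(returning, "en.wikipedia.org", SISTERS));
```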