On Tue, Mar 19, 2013 at 6:38 AM, Seb35 <seb35wikipedia(a)gmail.com> wrote:
According to [1] and [2], Firefox 22 (release June 25, 2013) will change the
default third-party cookie policy: a third-party cookie will be authorized
only if there is already a cookie set on the third-party website.

This would break most of the automatic login on sister projects on Wikimedia
websites, since the page just after the login will no longer set cookies of
sister projects, and you will have to manually log in to each domain (of
level wikipedia.org, not of level de.wikipedia.org) -- I tested with Firefox
16.

What could be done to mitigate this effect? According to [1] Safari already
has this policy; is there some workaround already in place for Safari
users? I don’t see other solutions than displaying some warning to the
Firefox/Safari users (via JavaScript).

We're already seeing this on mobile (especially with Safari).
Definitely needs fixing...
Putting a login cookie on a central site and fetching some kind of
token over a CORS request might work... but I'm not sure how "fun"
this is going to be to fix. :P
-- brion
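
A small model of the cookie policy described in the quoted message, added here as an example and not part of the original thread or of any Wikimedia code. It assumes the registrable domain is the last two labels of the host (real browsers use the Public Suffix List), and the cookie names and the list of sister hosts are constructed for illustration.

```javascript
// Simplified model: a third-party cookie is accepted only if the
// third-party site already has a cookie in the jar.
// Assumption: registrable domain = last two host labels.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

class CookieJar {
  constructor(policy) {
    this.policy = policy;      // "accept-all" or "visited-only"
    this.bySite = new Map();   // registrable domain -> Set of cookie names
  }

  // May a response from responseHost set a cookie while the user is on pageHost?
  allows(pageHost, responseHost) {
    const firstParty = site(pageHost) === site(responseHost);
    if (firstParty || this.policy === "accept-all") return true;
    return this.bySite.has(site(responseHost));
  }

  setCookie(pageHost, responseHost, name) {
    if (!this.allows(pageHost, responseHost)) return false;
    const key = site(responseHost);
    if (!this.bySite.has(key)) this.bySite.set(key, new Set());
    this.bySite.get(key).add(name);
    return true;
  }
}

// Constructed scenario: the user logs in on en.wikipedia.org and the page
// shown after login loads resources from sister hosts that each try to
// set a session cookie. previouslyVisited hosts already hold a cookie.
function simulateLogin(policy, previouslyVisited = []) {
  const jar = new CookieJar(policy);
  for (const host of previouslyVisited) jar.setCookie(host, host, "prefs");
  const loginHost = "en.wikipedia.org";
  jar.setCookie(loginHost, loginHost, "session");
  const sisters = ["de.wikipedia.org", "en.wiktionary.org", "commons.wikimedia.org"];
  const result = {};
  for (const host of sisters) {
    result[host] = jar.setCookie(loginHost, host, "session");
  }
  return result;
}

console.log(simulateLogin("accept-all"));
console.log(simulateLogin("visited-only"));
console.log(simulateLogin("visited-only", ["en.wiktionary.org"]));
```

Under the "visited-only" policy the cookie for de.wikipedia.org is still accepted because it shares wikipedia.org with the login host, while the other domains are refused unless they already hold a cookie.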