On 19/03/13 17:41, Chris Steipp wrote:
On Tue, Mar 19, 2013 at 8:57 AM, Brion Vibber brion@pobox.com wrote:
On Tue, Mar 19, 2013 at 7:52 AM, Platonides platonides@gmail.com wrote:
An idea to fix it would be to take advantage of the new certificate which includes all projects, by having Firefox detect that the ‘third-party site’ belongs to the same entity, since they share the https certificate (we would need to enable https for all logins, but that was planned, anyway).
I'm pretty sure Firefox won't detect this condition; the security model is based on domains, not SSL certificates.
I hadn't heard of this technique to get around the issue, but if there is an exception for it, we're already doing this in our certs, so it would already be fixed.
It was an idea I *made up* that Firefox *could* implement to detect that the two domains are owned by the same entity, and so relax the «ignore third-party cookies» rules. It scales quite well for other types of login cookies (e.g. flickr.com and yahoo.com) but doesn't open a hole for advertising companies (e.g. example.com and google-analytics.com).
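To make the proposed heuristic concrete, here is an added toy model of it in Python. It is not code from the thread, from Firefox, or from MediaWiki/CentralAuth; the SAN lists (`WMF_SANS`, `GA_SANS`) are constructed stand-ins for the "certificate which includes all projects" and for an analytics provider's certificate, and the function names (`host_matches_san`, `is_first_party`, `cert_covers`, `accept_cookie`) are hypothetical. It shows the rule as Platonides describes it: a cookie from a third-party host is accepted only when that host's certificate also covers the page's host, so a login domain shared across projects passes while an unrelated analytics domain is still blocked. As Brion notes, real browsers key their cookie policy on domains, not certificates, so this is an illustration of the idea, not of any browser's behaviour.

```python
from __future__ import annotations

# Constructed SAN lists (assumptions, not the real certificates).
WMF_SANS = [
    "*.wikipedia.org", "wikipedia.org",
    "*.wikimedia.org", "wikimedia.org",
    "*.wiktionary.org", "wiktionary.org",
]
GA_SANS = ["*.google-analytics.com", "google-analytics.com"]


def host_matches_san(host: str, san: str) -> bool:
    """Match a hostname against one DNS SAN entry.

    Uses the usual single-label wildcard rule: '*.example.org' covers
    'a.example.org' but neither 'b.a.example.org' nor 'example.org'.
    """
    host = host.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # e.g. ".wikipedia.org"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return host == san


def is_first_party(page_host: str, cookie_host: str) -> bool:
    """Simplified first-party test: same host, or one is a subdomain of the
    other. A real browser would use the public suffix list here."""
    page_host = page_host.lower().rstrip(".")
    cookie_host = cookie_host.lower().rstrip(".")
    return (
        page_host == cookie_host
        or page_host.endswith("." + cookie_host)
        or cookie_host.endswith("." + page_host)
    )


def cert_covers(host: str, sans: list[str]) -> bool:
    """True if any SAN entry of the certificate covers this host."""
    return any(host_matches_san(host, san) for san in sans)


def accept_cookie(page_host: str, cookie_host: str,
                  cookie_host_sans: list[str],
                  block_third_party: bool = True) -> bool:
    """Decide whether a cookie set by cookie_host may be stored while the
    user is on page_host, under the proposed 'shared certificate' relaxation.

    cookie_host_sans is the DNS SAN list of the certificate presented by
    cookie_host. Caveat: a certificate that covers many unrelated hosts
    (e.g. a shared CDN cert) would make this heuristic over-permissive.
    """
    if is_first_party(page_host, cookie_host):
        return True
    if not block_third_party:
        return True
    # Third-party cookie: allow only if the third party's cert also covers
    # the page's own host, i.e. the two are plausibly the same entity.
    return cert_covers(page_host, cookie_host_sans)


if __name__ == "__main__":
    # Cross-project login cookie: accepted under the heuristic.
    print(accept_cookie("en.wikipedia.org", "login.wikimedia.org", WMF_SANS))
    # Analytics domain on an unrelated site: still blocked.
    print(accept_cookie("example.com", "www.google-analytics.com", GA_SANS))
```

The wildcard handling is the part worth getting right: a `*.example.org` SAN must not be read as covering `example.org` itself or deeper subdomains, otherwise the "same entity" check becomes looser than the certificate actually is.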