On Tue, Mar 19, 2013 at 6:38 AM, Seb35 seb35wikipedia@gmail.com wrote:
> According to [1] and [2], Firefox 22 (release June 25, 2013) will change the default third-party cookie policy: a third-party cookie will be authorized only if there is already a cookie set on the third-party website.
> This would break most of the automatic login on sister projects on Wikimedia websites, since the page just after the login will no longer set cookies of sister projects, and you will have to manually log in to each domain (of level wikipedia.org, not of level de.wikipedia.org) -- I tested with Firefox 16.
> What could be done to mitigate this effect? According to [1] Safari already has this policy; is there some workaround already in place for Safari users? I don’t see other solutions than displaying some warning to the Firefox/Safari users (via JavaScript).
We're already seeing this on mobile (especially with Safari). Definitely needs fixing...
Putting a login cookie on a central site and fetching some kind of token over a CORS request might work... but I'm not sure how "fun" this is going to be to fix. :P
-- brion
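
The central-site side of the token-over-CORS idea mentioned in the reply, as an added example that is not part of the original e-mail or of MediaWiki's code. The origin allowlist, the shared secret, the token layout and the function names are all assumptions; `userId` stands for whatever the central login cookie resolved to and is assumed to contain no `|`.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: the sister-project origins allowed to request a token.
const ALLOWED_ORIGINS = new Set([
  'https://en.wikipedia.org',
  'https://de.wikipedia.org',
  'https://commons.wikimedia.org',
]);
const SECRET = 'constructed-demo-secret'; // placeholder; load from server config
const TOKEN_TTL_SECONDS = 60;

function sign(payload) {
  return nodeCrypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// origin: the request's Origin header. userId: user resolved from the central
// login cookie, or null if the cookie is absent or invalid. now: Unix seconds.
function handleTokenRequest(origin, userId, now) {
  // Exact allowlist match; never reflect an arbitrary Origin on a
  // credentialed endpoint.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, body: null };
  }
  const headers = {
    // Browsers reject "*" here when the request carries credentials.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
    'Cache-Control': 'no-store',
  };
  if (userId === null) return { status: 401, headers, body: null };
  // Bind the token to the requesting origin and give it a short lifetime.
  const payload = `${userId}|${origin}|${now + TOKEN_TTL_SECONDS}`;
  return { status: 200, headers, body: `${payload}|${sign(payload)}` };
}

// Sister-site server: accept a token only if the MAC is valid, it was issued
// for this site's own origin, and it has not expired.
function verifyToken(token, expectedOrigin, now) {
  const parts = String(token).split('|');
  if (parts.length !== 4) return null;
  const [userId, origin, expires, mac] = parts;
  const expected = Buffer.from(sign(`${userId}|${origin}|${expires}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  if (origin !== expectedOrigin || Number(expires) < now) return null;
  return userId;
}
```

On the page making the request, the call has to be made with credentials included (for example `fetch(url, { credentials: 'include' })`), otherwise the browser does not attach the central site's cookie.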