Chris: On the latest iPhone, cookies were not accepted from iframes from sites that were not visited. You had to physically visit the site by following a link or typing the URL into the address bar first. We are currently investigating whether meta refresh etc. can help here - although that's not ideal. For our projects that would result in over 13 redirects - a horrible user experience!!
Correct me if I'm wrong, but the 2 problems that CentralAuth solves are: 1) It takes away the inconvenience of having to log in across multiple sites. 2) It allows communication between wiki sites via CORS that require authentication.
I'm guessing OpenID / OAuth will solve #1? An idea I've bandied around to solve #2 would be to allow wikis to access other projects via the API.
e.g. http://en.wikipedia.org/w/api.php?action=query&titles=Photo&project=... would allow a developer to access the page Photos on wikimedia.commons.org rather than having to resort to a CORS request (i.e. it would route the query to the database for commons rather than wikipedia)
For API requests that require credentials, it would send the credentials of the current project (in this case wikipedia).
Is that something that is feasible?
(FWIW I actually dislike that CentralAuth currently logs me into various projects that I never use such as wiktiversity...)
On Tue, Mar 19, 2013 at 10:32 AM, Luke Welling WMF lwelling@wikimedia.org wrote:
If you want to play cat and mouse, a good reference for things that work is http://samy.pl/evercookie/
It's mostly targeted at a single domain stopping users from deleting cookies, but some of the same things should break cross domain security too.
I'm not sure that end of web ethics is where we want to go in general but sleazy is a spectrum and depends on intent so there may be useful inspiration in it.
Luke
On Tue, Mar 19, 2013 at 12:56 PM, Greg Grossmeier greg@wikimedia.org wrote:
<quote name="Seb35" date="2013-03-19" time="14:38:40 +0100">
> Hello,
>
> According to [1] and [2], Firefox 22 (release June 25, 2013) will
> change the default third-party cookie policy: a third-party cookie
> will be authorized only if there is already a cookie set on the
> third-party website.
These two bugs are related to this: https://bugzilla.wikimedia.org/show_bug.cgi?id=45578
https://bugzilla.wikimedia.org/show_bug.cgi?id=45452
--
| Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l