On 19/03/13 14:38, Seb35 wrote:
Hello,
According to [1] and [2], Firefox 22 (release date: June 25, 2013) will change the default third-party cookie policy: a third-party cookie will be authorized only if there is already a cookie set on the third-party website.
This would break most of the automatic login on sister projects on Wikimedia websites, since the page just after the login will no longer set cookies for sister projects, and you will have to manually log in to each domain (at the level of wikipedia.org, not at the level of de.wikipedia.org) -- I tested with Firefox 16.
What could be done to mitigate this effect? (...)
[1] http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/
[2] https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_22
~ Seb35
Copying Jonathan Mayer.
Background information: When you log into e.g. en.wikipedia.org, you get cookies logging you into not only *.wikipedia.org but also *.wiktionary.org, *.wiktionary.org, *.wikibooks.org, commons.wikimedia.org, etc.
Obviously, that uses third-party cookies.
Firefox 22 will block our single-login (unless you are already logged in on the other project, which would be the case in which you would already have cookies there). If it can't be corrected, we will have to publicise this fact quite well, as I expect many complaints of "Unified login doesn't work".
Jonathan, do you have any suggestion?
An idea to fix it would be to take advantage of the new certificate which includes all projects, by having Firefox detect that the ‘third-party site’ belongs to the same entity, since they share the https certificate (we would need to enable https for all logins, but that was planned, anyway).
Regards
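
Added illustration, not part of the original messages and not Firefox or MediaWiki code: a toy JavaScript model of the rule described in the thread (a third-party cookie is accepted only if that site already holds a cookie), applied to a login that then sets cookies on sister domains. It also models the certificate idea from the reply, which is hypothetical; the host names, the two-label site rule and all function names are assumptions made for the example.

```javascript
// Toy model of the third-party cookie rule discussed in the thread (constructed hosts).
// Assumption: registrable domain = last two labels (true for these hosts;
// a real browser uses the Public Suffix List).
const site = (host) => host.split('.').slice(-2).join('.');

class CookieJar {
  constructor() { this.sites = new Set(); } // sites that already hold a cookie
  has(host) { return this.sites.has(site(host)); }
  // topHost: page in the address bar; cookieHost: host setting the cookie.
  // Returns true if the cookie is stored.
  set(topHost, cookieHost, policy) {
    const thirdParty = site(topHost) !== site(cookieHost);
    if (thirdParty && !policy(this, topHost, cookieHost)) return false;
    this.sites.add(site(cookieHost));
    return true;
  }
}

// Old default: every third-party cookie is accepted.
const allowAll = () => true;
// Firefox 22 rule as described above: accept only if that site already has a cookie.
const visitedOnly = (jar, _top, cookieHost) => jar.has(cookieHost);

// Does a certificate name (exact or "*.example.org" wildcard) cover the host?
function covers(name, host) {
  if (!name.startsWith('*.')) return name === host;
  const suffix = name.slice(1); // ".example.org"
  // A wildcard matches exactly one extra label.
  return host.endsWith(suffix) && !host.slice(0, -suffix.length).includes('.');
}

// The reply's idea, hypothetical and not a Firefox feature: also accept when
// one certificate's name list covers both the page and the cookie host.
const sameCertificate = (names) => (jar, top, cookieHost) =>
  visitedOnly(jar, top, cookieHost) ||
  [top, cookieHost].every((h) => names.some((n) => covers(n, h)));

// Log in on loginHost, then try to set a login cookie on each sister host.
function loginEverywhere(jar, loginHost, sisterHosts, policy) {
  jar.set(loginHost, loginHost, policy);
  return Object.fromEntries(
    sisterHosts.map((h) => [h, jar.set(loginHost, h, policy)]));
}
```

With a fresh jar and `visitedOnly`, a login on en.wikipedia.org still reaches de.wikipedia.org (same site) but not en.wiktionary.org or commons.wikimedia.org, which is the breakage reported above.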