Thirdparty: Difference between revisions

Jump to navigation Jump to search

Thirdparty (view source)

Revision as of 18:11, 9 June 2010

403 bytes removed ,  9 June 2010
→‎Rationale
Line 64: Line 64:
:1. Typing in the urlbar is clearly not something that can be considered as integral to the functioning of a particular site.
:1. Typing in the urlbar is clearly not something that can be considered as integral to the functioning of a particular site.


:2. There are two cases when clicking on a link: a) the link is targeted at the same domain; b) it is not. For the former, what we do is irrelevant. For the latter, by and large, it means the link is not integrally related -- I strongly doubt, for instance, that any federated login processes use <href> tags pointing at their domain. ''Is this really true? Are there other relevant use cases?''
:2. There are two cases when clicking on a link: a) the link is targeted at the same domain; b) it is not. For the former, what we do is irrelevant. For the latter, by and large, it means the link is not integrally related -- I strongly doubt, for instance, that any federated login processes use <href> tags pointing at their domain.


:3. The answer to this really depends on what use cases exist on the web. Someone out there undoubtedly uses document.location to implement an authentication scheme. Need more hard data here. However, I suspect that the right thing to do is consider it unrelated.
:''Is this really true? Are there other relevant use cases?''


:4. This case is clearer. Many services, such as bit.ly, immediately and permanently redirect to a target. Sites that redirect from ''original'' to ''target'' and back to ''original'' probably mean the two are related, and could easily be an implementation of federated login. It could also be an implementation of an auto-redirect ad. What we do here is important to get right.
:3. The answer to this really depends on what use cases exist on the web. Someone out there undoubtedly uses document.location to implement an authentication scheme. Need more hard data here. I'll posit that the right thing to do is consider it unrelated.


:The key is [TBD...]
:4. This can be divided into two cases. Many services, such as bit.ly, immediately and permanently redirect to a target (an ''open redirect sequence''). Sites that redirect from ''original'' to ''target'' and back to ''original'' (a ''closed redirect sequence'') probably mean the two are related, and could easily be an implementation of federated login. It could also be an implementation of an auto-redirect ad. What we do here is important to get right.


Since it's an obvious hole, we have to track first party context through redirects. (So going to digg.com --> redirect to clickthrough ad on ads.google.com --> click back to digg.com would maintain a first party context of digg.com throughout.) If we didn't, those clickthrough ads would be first parties, and could track the user across sites.
:''OpenID providers can implement login via redirects (although there's conjecture that this is deprecated behavior), and I believe that OpenID itself does not rely on third party cookies -- authentication is done via backchannel. So maintaining the sandbox may not matter here.''


Facebook Connect uses a JS lightbox to throw the login dialog (http://wiki.developers.facebook.com/index.php/Authenticating_Users_with_Facebook_Connect). This counts as part of the page, rather than a popup window, and thus would be considered a third party. So double-keying would work fine here. Note that the embedder can specify they want to use a popup dialog instead, but let's say
:''There may be ways we can figure out whether a redirect sequence is open or closed -- after the fact. Perhaps create a special sandbox for cookies during redirect, until we can determine whether it's open or closed. Needs more thought.''
that's not the common case.


OpenID probably uses redirects in general (http://www.merchantos.com/makebeta/php/single-sign-on-with-openid-and-google-part-1/), though I'm not sure about provider specifics. If we track redirects and consider them third parties -- which would require some extra mechanics -- then this would work just fine. (So going to digg.com --> redirect to clickthrough ad on ads.google.com --> click back to digg.com would maintain a first party context of digg.com throughout. If we didn't, those clickthrough ads would be first parties, and could track the user across sites. So doing this is good all around.)
:''Is the assertion really correct that open redirects should be first party? Counterexamples?''


Note that Opera does something interesting here: by default, they consider redirects to be "unverified transactions", which are considered third party. Link clicks are verified transactions -- first party. This is actually part of RFC2965 (http://www.faqs.org/rfcs/rfc2965.html) section 3.3.6: "A transaction is verifiable if the user, or a user-designated agent, has the option to review the request-URI prior to its use in the transaction." In Opera, with "automatic redirection" turned off, I believe this means that redirects throw a page which says "this is a redirect to http://foo.com, continue?" or somesuch. Clicking that link then makes the transaction verified, and the cookies are first party.
:5. Consider two cases: ad popups, and login popups. Both need to be considered as having a first party domain of window.opener. By way of example -- Facebook Connect uses a popup window for the Facebook login; this login cookie then needs to be accessible from within an iframe on the original site. Otherwise, the Facebook content will not appear, and in fact the login process will entirely fail. The only way to fix this, with the predicate that iframe is third party, is to keep the popup window within the same sandbox. Conceptually, it makes some sense that popups be considered related to window.opener.


With that, I propose (where it is implied that the first party domain carries over, until reset):
:''What about using window.open to a site that should be considered first party -- think bit.ly but with popups instead of redirects. Do such cases exist? How prevalent are they? Can we do something smarter here?''


:1. Typing in the urlbar, loading bookmarks, other totally toplevel actions -- resets first party domain.
=== Random Notes ===
:2. Link clicks (href tags) -- resets (but I'm not sure about this yet).
:3. Setting document.location -- carries over first party domain. (It's hard to distinguish a user-initiated action that results in a document.location change vs. an automated change. So we have to go with carrying over here.)
:4. Redirects -- carries over.
:5. Popup windows -- carries over.


We might want to make link clicks carry over the first party. Rationale: a site that relies on an href click (to a third party) to perform a login operation, rather than using a redirect or document.location, needs that load to carry over the first party such that things work when redirected back. The downside is that long browsing sessions in a single tab, across multiple sites, will result in them all being considered third party. (And thus allow behavioral tracking during that tab lifetime.) Having it reset is probably a good tradeoff, since it's less surprising. But it would allow holes, e.g. where a site has a link targeted at ads.google.com which then redirects back to some content.
Facebook Connect can use a JS lightbox to throw the login dialog (http://wiki.developers.facebook.com/index.php/Authenticating_Users_with_Facebook_Connect). This counts as part of the page, rather than a popup window, and thus would be considered a third party. So double-keying would work fine here. Note that the embedder can specify they want to use a popup dialog instead, and there's conjecture that this is the recommended behavior. ''My testing on digg.com and huffingtonpost.com indicates that popups are used in both cases.''
 
OpenID probably uses redirects in general (http://www.merchantos.com/makebeta/php/single-sign-on-with-openid-and-google-part-1/), though I'm not sure about provider specifics.
 
Opera does something interesting with redirects: by default, they consider redirects to be "unverified transactions", which are considered third party. Link clicks are verified transactions -- first party. This is actually part of RFC2965 (http://www.faqs.org/rfcs/rfc2965.html) section 3.3.6: "A transaction is verifiable if the user, or a user-designated agent, has the option to review the request-URI prior to its use in the transaction." In Opera, with "automatic redirection" turned off, I believe this means that redirects throw a page which says "this is a redirect to http://foo.com, continue?" or somesuch. Clicking that link then makes the transaction verified, and the cookies are first party.


= Implementation =
= Implementation =
Dwitte
148

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/229361"

Navigation menu