Embedded applications that use multiple subdomains #39

Closed
dkelly-echo360 opened this issue May 4, 2022 · 4 comments
Comments

@dkelly-echo360

How would this work for an application embedded in an iframe that uses multiple subdomains in a 3rd party context?

For example, an org owns:
api.example.com
account.example.com
app1.example.com
app2.example.com

There is an authentication token set in a cookie by api.example.com meant to be available to all example.com sub-domains. The sites listed are the same party but also need to be partitioned and keyed to a top level site.

@DCtheTall
Collaborator

Hello and thanks for your interest in CHIPS. We understand that making partitioned cookies hostname bound is a paradigm shift from domain-bound unpartitioned cross-site cookies.

Here are some solutions that sites can use to migrate to hostname-bound cross-site cookies:

  • Anytime you need auth, make a client-side request to api.example.com and have it send an authentication token or identifier in its response. You can then verify this response on the origin of your application.
  • Use some kind of redirect functionality to send requests that need authentication through api.example.com. This redirect could be done server-side or client-side, where api.example.com passes along an authentication token to the destination URL in the latter case.
    • Note: We are aware that some browsers may intervene on URL parameters passed on iframe redirects, although Chrome currently doesn’t have plans to do so.

If these solutions do not work for your use case, we are interested in hearing your feedback as to why so that we can work together on new solutions.
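
As an added illustration of the first suggestion in the comment above (not code from the CHIPS project or from anyone in this thread): api.example.com issues a short-lived HMAC-signed token and the embedded app's own server verifies it. The token format, the function names, the shared key, and the assumption that the app knows the top-level site for each embed are all hypothetical.

```javascript
// Added example; the token format and all names here are assumptions.
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Runs on api.example.com after it has authenticated the user from its own cookie.
function issueToken(key, { sub, aud, topLevelSite, ttlSeconds = 60, now = Date.now() }) {
  const payload = b64u(JSON.stringify({
    sub,                 // user identifier
    aud,                 // the one app origin allowed to accept this token
    tls: topLevelSite,   // embedding site, mirroring the cookie's partition key
    exp: Math.floor(now / 1000) + ttlSeconds,
  }));
  const mac = crypto.createHmac('sha256', key).update(payload).digest();
  return `${payload}.${b64u(mac)}`;
}

// Runs on the server behind app1.example.com or app2.example.com.
function verifyToken(key, token, { aud, topLevelSite, now = Date.now() }) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, macPart] = parts;

  // Check the MAC before parsing anything, using a constant-time comparison.
  const expected = crypto.createHmac('sha256', key).update(payload).digest();
  const given = Buffer.from(macPart, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }

  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (claims.exp <= Math.floor(now / 1000)) return { ok: false, reason: 'expired' };
  // A token minted for app1 must not be replayable against app2,
  // and a token minted under one embedder must not work under another.
  if (claims.aud !== aud) return { ok: false, reason: 'wrong-audience' };
  if (claims.tls !== topLevelSite) return { ok: false, reason: 'wrong-top-level-site' };
  return { ok: true, sub: claims.sub };
}
```
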

@DCtheTall
Collaborator

DCtheTall commented Aug 22, 2022

Closing this now that #43 is also closed. CHIPS no longer requires cookies to not be set with Domain.

@solatsuta

@DCtheTall
Hello. I have posed a similar question to privacy sandbox.
I saw this issue here and I have a question.
privacysandbox/privacy-sandbox-dev-support#144

I am aware that the use case in this issue has not been resolved.
How should we handle cookies used on multiple subdomains in the future?

@solatsuta

> @DCtheTall Hello. I have posed a similar question to privacy sandbox. I saw this issue here and I have a question. GoogleChromeLabs/privacy-sandbox-dev-support#144
>
> I am aware that the use case in this issue has not been resolved. How should we handle cookies used on multiple subdomains in the future?

It was my lack of knowledge. I was not aware of the specification changes.
My issue was resolved.
