by aleyan on 7/16/21, 4:06 AM with 11 comments
by colinclerk on 7/17/21, 4:21 PM
I think what OP has glazed over a little bit, is that authentication is a massive, thorny exception to their advice of "adopt the Same Origin Policy instead."
Consider these authentication use cases:
- Sharing sessions across mail.google.com and drive.google.com
- Sharing sessions across google.com and youtube.com
- An okta.com generating a session on google.com
- Persisting a youtube.com session even when youtube.com is in an iframe on example.com
All of these scenarios are reasonable, but it's a huge challenge to support all of them in a privacy- and security-conscious way.
That being said, I generally agree with the advice of "adopt the Same Origin Policy instead" after authentication is solved.
by thayne on 7/18/21, 3:21 AM
However, there is also state that you do want to share between the sites, like whether the user is logged in or not to show different links on marketing pages, or tracking the marketing pages the user has seen to give recommendations once they get to the product, or measure the effectiveness of a/b tests or pages at leading to registrations.
If the domains are on separate eTLDs, this is already a difficult situation, and will get even more difficult, possibly impossible with the disappearance of third party cookies. If SOP was used for everything, it would make this difficult or impossible even if they were subdomains of the same eTLD+1.
If anyone knows of a good solution to this, I'd love to hear about it.
The really annoying thing is that the server doesn't even need this shared state, but the SOP on localstorage and similar prevents using a local-only solution.
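Added example (editor's note, not part of any comment above): the two comments above turn on where the Public Suffix List draws the eTLD+1 boundary, because that boundary decides which hosts can share a cookie via the `Domain` attribute (mail.google.com and drive.google.com can, google.com and youtube.com cannot, and two *.github.io sites cannot either). The script below models the RFC 6265 domain-match rule plus the public-suffix rejection that browsers apply. The suffix set is a constructed subset of the real list at https://publicsuffix.org/ (wildcard and exception rules are not modelled), and the function names are the author's own, not any browser or library API.

```javascript
// Constructed subset of the Public Suffix List for illustration only;
// the real list lives at https://publicsuffix.org/.
const PUBLIC_SUFFIXES = new Set(['com', 'uk', 'co.uk', 'io', 'github.io']);

// Normalise a hostname into lowercase labels, dropping a trailing dot.
function labelsOf(host) {
  return host.toLowerCase().replace(/\.$/, '').split('.');
}

// Index of the first label of the longest public suffix of the hostname.
// A TLD absent from the list is treated as a public suffix on its own,
// which mirrors the PSL's implicit "*" rule.
function publicSuffixStart(labels) {
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) return i;
  }
  return labels.length - 1;
}

function isPublicSuffix(host) {
  return publicSuffixStart(labelsOf(host)) === 0;
}

// eTLD+1: the public suffix plus one more label, or null when the host is
// itself a public suffix (e.g. "github.io").
function registrableDomain(host) {
  const labels = labelsOf(host);
  const start = publicSuffixStart(labels);
  return start === 0 ? null : labels.slice(start - 1).join('.');
}

// RFC 6265 section 5.1.3 domain-match: host equals domain or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Would a browser accept "Set-Cookie: ...; Domain=<cookieDomain>" sent to
// requestHost? Rejected if the domain does not cover the host, and rejected
// if the domain is a public suffix other than the host itself, which is the
// check that stops alice.github.io from setting a cookie for all of github.io.
function cookieDomainAllowed(requestHost, cookieDomain) {
  const host = labelsOf(requestHost).join('.');
  const domain = labelsOf(cookieDomain.replace(/^\./, '')).join('.');
  if (!domainMatches(host, domain)) return false;
  if (isPublicSuffix(domain) && host !== domain) return false;
  return true;
}

// Widest Domain value a session cookie could carry so that both hosts receive
// it, or null when none exists (different eTLD+1, or the common suffix is public).
function sharedCookieDomain(hostA, hostB) {
  const a = labelsOf(hostA).reverse();
  const b = labelsOf(hostB).reverse();
  const common = [];
  for (let i = 0; i < Math.min(a.length, b.length) && a[i] === b[i]; i++) {
    common.push(a[i]);
  }
  if (common.length === 0) return null;
  const candidate = common.reverse().join('.');
  return isPublicSuffix(candidate) ? null : candidate;
}

// Demo over the cases raised in the thread (constructed hostnames).
for (const [x, y] of [
  ['mail.google.com', 'drive.google.com'],
  ['google.com', 'youtube.com'],
  ['alice.github.io', 'bob.github.io'],
]) {
  console.log(`${x} <-> ${y}: shared cookie domain = ${sharedCookieDomain(x, y)}`);
}
```

Run with `node`. The takeaway for thayne's question: anything under the same eTLD+1 can share state through a cookie with `Domain=<eTLD+1>` without the server reading it, while the SOP still isolates localStorage per origin; once the sites sit under different registrable domains (or under a public suffix such as github.io) no `Domain` value is accepted and the browser's third-party cookie policy is all that is left.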
by IX-103 on 7/17/21, 4:48 PM
by dang on 7/17/21, 5:40 PM
Public Suffix List - https://news.ycombinator.com/item?id=27835197 - July 2021 (43 comments)
Other threads listed at https://news.ycombinator.com/item?id=27853498
by theamk on 7/16/21, 2:17 PM
by twic on 7/17/21, 2:22 PM