
Reading cookie in cross-site context will be blocked in future Chrome versions #3703

Open
dannycarrera opened this issue Jan 25, 2024 · 7 comments
Labels
bug Something is not working.

Comments

@dannycarrera

Ory Network Project

No response

Describe the bug

I have an instance of Ory Kratos and Ory Hydra running on site-a.com. I have an oauth browser client running on site-b.com. Currently, site-b.com is working but the warning in the title is shown.

I wasn't able to find any comments from Ory whether they are already working on this or if a solution is already implemented.

Reproducing the bug

  1. Run Ory Kratos
  2. Run Ory Hydra
  3. Run an OAuth Browser Client
  4. Login or return to a session on the Browser Client

Relevant log output

Cookies with the SameSite=None; Secure and not Partitioned attributes that operate in cross-site contexts are third-party cookies. In future Chrome versions, reading third-party cookies will be blocked. This behavior protects user data from cross-site tracking.

Relevant configuration

# Kratos
cookies:
  same_site: None

# Hydra
cookies:
  domain: site-a.com
  same_site_mode: None
  secure: true

Version

v2.2.0-rc.3

On which operating system are you observing this issue?

Windows

In which environment are you deploying?

Binary

Additional Context

No response

@HIRANO-Satoshi

HIRANO-Satoshi commented Feb 27, 2024

Chrome started deprecating third-party cookies last month. This is a serious issue.

For third party cookies there are two types of methods: Storage Access API (SAA) and Cookie Partitioning, such as CHIPS. Safari supports SAA but does not support partitioning, while Chrome supports CHIPS and has added support for SAA since version 119.

To utilize SAA, the content in the iframe should call the hasStorageAccess() API.

To utilize CHIPS, Hydra should add the partitioned attribute to cookies.

This blog post explains it.

https://medium.com/miro-engineering/the-end-of-third-party-cookies-and-its-impact-on-miro-apps-and-integrations-ee73358cda1e

In short, Hydra should try SAA then fall back to CHIPS.

@HIRANO-Satoshi

HIRANO-Satoshi commented Feb 28, 2024

Firefox shows this.

Cookie “XXX” will soon be rejected because it is foreign and does not have the “Partitioned” attribute.

When configuration has SameSite with "None" for 3rd party cookies, Hydra should add "Partitioned;" for the message. This is CHIPS.

A login dialog may use Storage Access API (SAA) if the API is available. I'm not sure how that works for silent refresh.

@aeneasr
Member

aeneasr commented Feb 28, 2024

Accessing the Storage API will require a serious amount of work. Adding the partitioned attribute will not cause problems.

Regarding the opening post - this is about an iframe correct? Because in other use cases this should not be a problem (to the best of my knowledge) as we can still set cookies on redirects.

@dannycarrera
Author

@aeneasr This occurs with both redirect and iframe login methods.

With my limited understanding, I don't believe the issue is with setting cookies, but how the cookies are stored and made available to third parties for security reasons.

@aeneasr
Member

aeneasr commented Feb 29, 2024

I cannot reproduce this issue with redirects. I also can't find any reference about redirects being blocked by the 3rd party cookie phase out. I do know that there is an issue with embedded content (iframes) and apparently there is also a problem with ITP from Safari in web views.

@dannycarrera
Author

My apologies. Upon deeper investigation, the warning is being thrown when an img file is being requested and Ory's cookies are forwarded by the browser.

Should I close this issue? It seems there is an actual issue here though that needs addressing.

@HIRANO-Satoshi

This is an important issue. Please keep this open. As Chrome has already started rejecting cookies with samesite=None, Hydra needs to add support for the Partitioned attribute anyway.

@aeneasr wrote this for Golang's immediate support for the Partitioned attribute. I think waiting for it would lose time.

In addition to Chrome, Firefox also shows this (despite this).

Cookie “ory_hydra_login_csrf_dev_2630171196” will soon be rejected because it is foreign and does not have the “Partitioned” attribute.

We have two measures for 3rd-party cookie rejection: the Partitioned attribute on cookies with samesite=None (CHIPS), and the SAA, which is a set of APIs for asking the user for permission to use 3rd-party cookies with samesite=None.

If the user gives permission via SAA, cookies with samesite=None and without Partitioned can be used for keeping login status across multiple sites.

However, even with the user's permission, if the cookies have the Partitioned attribute, they are partitioned and the user has to log in at each site.

So, adding a partitioned flag to config would be easy but spoil the chance.

I'm not sure about what Hydra should do. Adding the partitioned flag as an immediate fix first and adding something later would be a way.

Note that Google provides yet another measure called Federated Credential Management API (FedCM).
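As an added example (not Hydra's code and not from anyone in this thread), the following Go snippet covers both points raised above: it appends the CHIPS Partitioned attribute to a Set-Cookie value only when the cookie is already Secure and SameSite=None, and it classifies any Set-Cookie value the way the Chrome and Firefox warnings quoted in this issue would. The cookie name, value and domain are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// partitionedSetCookie renders c as a Set-Cookie value with the CHIPS "Partitioned"
// attribute appended (workaround for net/http versions lacking a Partitioned field).
// Browsers ignore Partitioned unless the cookie is also Secure and SameSite=None.
func partitionedSetCookie(c *http.Cookie) (string, error) {
	if !c.Secure || c.SameSite != http.SameSiteNoneMode {
		return "", errors.New("Partitioned requires Secure and SameSite=None")
	}
	return c.String() + "; Partitioned", nil
}

// thirdPartyStatus classifies a Set-Cookie value the way the Chrome and Firefox
// warnings quoted in this issue do: in a cross-site context (iframe, <img>) only
// SameSite=None; Secure; Partitioned keeps working.
func thirdPartyStatus(setCookie string) string {
	attrs := map[string]string{}
	for _, p := range strings.Split(setCookie, ";")[1:] { // skip name=value
		k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
		attrs[strings.ToLower(k)] = strings.ToLower(v)
	}
	_, secure := attrs["secure"]
	_, partitioned := attrs["partitioned"]
	switch {
	case attrs["samesite"] != "none":
		return "same-site only"
	case !secure:
		return "rejected: SameSite=None without Secure"
	case !partitioned:
		return "third-party cookie: blocked in cross-site contexts"
	default:
		return "partitioned (CHIPS): allowed, keyed to the top-level site"
	}
}

func main() {
	// Constructed cookie modelled on the Hydra config in this issue.
	c := &http.Cookie{Name: "ory_hydra_login_csrf", Value: "example", Domain: "site-a.com",
		Path: "/", Secure: true, HttpOnly: true, SameSite: http.SameSiteNoneMode}
	s, _ := partitionedSetCookie(c)
	fmt.Println(s, "->", thirdPartyStatus(s))
}
```

Note that a partitioned cookie is scoped to the embedding top-level site, so as the comment above says, it cannot carry a login across sites the way an SAA-permitted unpartitioned cookie can.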
