FedCM is one of three APIs that appear to have broad support among the three browser engine teams. Broad support means that it's likely all three will eventually support the standard, not that it is implemented. FedCM was released in Chrome in November 2022, and is also implemented in Edge and Opera (built on the Chrome engine). Firefox has a FedCM project tracker in bugzilla indicating active work. Apple stated in the Webkit developer making list that they are generally supportive.
The specification from the W3C FedId community group is under active development. That community group is working on proposing a W3C working group, which has greater authority; at this point, it is in negotiation where the spec will continue development.
|How does it work||Mitigations||Impact|
|Bounce tracking transfers a user via redirect (or POST) from one site to another, exchanging information in the process. A common pattern is to have "decorated links" that have embedded identifiers for the user.|
Proposal Draft: when a user has no interaction with a site (at eTLD+1 level), limit cookies to an hour lifetime.
EVOLVING PRACTICE: FedCM is a possible signal to allow a more aggressive mitigation of bounce tracking while protecting SSO.
Authentication protocols use cross-site redirection with "link decoration" and POST to exchange information about the sites and the user.
While SSO is understood as a critical element, it is understood much more as a single bounce, consumer side authentication, without the many bounces to translate across protocls and implementations, nor is there understanding the trust models and authorization elements involved.
This is the main focus of REFEDS Working group interaction with the W3C groups.
|Third party cookies||"Third party cookies" are those sent or set in a browser when the top level document (the URL in the browser bar) makes image or iframe calls to other sites.|
Third party cookies are not needed at any protocol specification. However, some consumer authentication libraries embedded in various sites and apps use third party cookies.
Within SAML, identity federation, and higher ed, implementations of logout (Why are third party cookies relevant to single logout) and of Seamless Access are affected. In Seamless Access, the "smart button" is not available without third party cookies and introduces additional clicks in the flow for sites using advanced integration.
Cross site request cookies (2021)
|Cookies received by a site when a user is directed to that site via a link from another site.|
In a proposal shared in the W3C WebAppSec WG regarding "Standardizing Security Semantics of Cross-Site Cookies", the authors note a pattern they call "Top-Level Cross-Site POST Requests." The document recommends "Given the existing widespread usage and lack of clear alternatives, we recommend following the current state of the web and not blocking cross-site cookies in this scenario."
This applies to any SAML SP that has
IP address obfuscation
Apple's Private Relay for iCloud+ customers is a "lite" relay network used only with Safari and TCP Port 80 (aka http) traffic. All DNS requests are encrypted and go through Apple.
GoogleOne subscribers have access to Google VPN
|Network relays and proxies can obscure the IP address of the users device or a network's WAN IP address(es) to protect endusers from being associated with a specific origin.|
Apple's relay is the most "friendly" providing details about the IP address ranges and documentation:
Campus networks that need users on the network to not go through a relays but to appear to originate from the network must make changes documented at "Prepare your network or web server for iCloud Private Relay."
Systems that assume region or city level geo-accuracy when interpreting IP address may only get country level accuracy if the user chooses that setting in the relay configuration.
Google and Mozilla's VPNs do not seem to have publicized their final IP address ranges, nor any DNS to block in order to signal that VPN or relay use is unwelcome on the network.
|Robot identification||CAPTCHA solving is hard on mobile, challenging for accessibility reasons. Some CDNs essentially fingerprint browsers to distinguish "real" from "bot" surfing.|
Privacy Pass was introduced by Cloudflare (06/08/2022) and Apple (as Private Access Tokens). Work has been transferred to the IETF PrivacyPass working group. There are PrivacyPass plugins for Firefox and Chrome; believe its built into Safari.
|No impact to federated authentication. Potential impact at sites that use CDNs to manage traffic.|
Secondary sources and articles
- Chrome's "Privacy Sandbox", phasing out some third party cookies and including Shared Storage, starts general availability in Q3 2023
Chavez, Anthony. “The next Stages of Privacy Sandbox: General Availability and Supporting Scaled Testing.” The Privacy Sandbox News, May 18, 2023.
- Lardinois, Frederic. “Google Will Disable Third-Party Cookies for 1% of Chrome Users in Q1 2024.” TechCrunch, May 18, 2023.
- " Starting in early 2024, Google plans to migrate 1% of Chrome users to Privacy Sandbox and disable third-party cookies for them"
Merewood, Rowan, and Alexandria White. “Preparing to Ship the Privacy Sandbox Relevance and Measurement APIs.” Chrome Developers, May 18, 2023.
- "CHIPS: Allow developers to opt-in a cookie to partitioned storage, with a separate cookie jar per top-level site. CHIPS became available in Chrome Stable in February 2023."
- "Federated Credential Management (FedCM): Support federated identity without sharing the user's email address or other identifying information with a third-party service or website, unless the user explicitly agrees to do so. FedCM shipped in November 2022."
- Web Environment Integrity
- Privacy Pass
- Thibault Meunier, Cloudflare https://www.usenix.org/conference/pepr23/presentation/meunier Tuesday, September 12, 2023 - 11:50 am–12:10 pm
We also have a collection of Slides, blogs, and videos from the community.
[Hamilton] Dave Hamilton, “Digging into Apple’s ICloud Private Relay,” The Mac Observer, June 9, 2021, accessed May 24, 2023, https://www.macobserver.com/tips/deep-dive/digging-into-apples-icloud-private-relay/.
[RFC-7258] S. Farrell and H. Tschofenig, “RFC-7258 BCP-188 Pervasive Monitoring Is an Attack,” IETF, Best Current Practice RFC7258, May 2014 [Online]. Available: https://tools.ietf.org/html/rfc7258. [Accessed: Feb. 03, 2016]
[W3C TAG 2015] M. Nottingham, “Unsanctioned Web Tracking,” W3C, W3C TAG Finding, Jul. 2015 [Online]. Available: https://www.w3.org/2001/tag/doc/unsanctioned-tracking/. [Accessed: Aug. 20, 2021]