On 19/03/13 17:41, Chris Steipp wrote:
> On Tue, Mar 19, 2013 at 8:57 AM, Brion Vibber <br...@pobox.com> wrote:
>> On Tue, Mar 19, 2013 at 7:52 AM, Platonides <platoni...@gmail.com> wrote:
>>> An idea to fix it would be to take advantage of the new certificate
>>> which includes all projects, by having Firefox detect that the
>>> ‘third-party site’ belongs to the same entity, since they share the https
>>> certificate (we would need to enable https to all logins, but that was
>>> planned, anyway).
>>
>> I'm pretty sure Firefox won't detect this condition; the security
>> model is based on domains, not SSL certificates.
>
> I hadn't heard of this technique to get around the issue, but if there
> is an exception for it, we're already doing this in our certs, so it
> would already be fixed.

It was an idea I *made up* that Firefox *could* implement to detect that
the two domains are owned by the same entity, and so relax the «ignore
third-party cookies» rules.

It scales quite well for other types of login cookies (e.g. flickr.com and
yahoo.com) but doesn't open a hole for advertising companies (e.g.
example.com and google-analytics.com).

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l