On Tue, Mar 19, 2013 at 8:57 AM, Brion Vibber <[email protected]> wrote:
> On Tue, Mar 19, 2013 at 7:52 AM, Platonides <[email protected]> wrote:
>> An idea to fix it would be to take advantage of the new certificate
>> which includes all projects, by having Firefox detect that the
>> ‘third-party site’ belongs to the same entity, since they share the https
>> certificate (we would need to enable https to all logins, but that was
>> planned, anyway).
>
> I'm pretty sure Firefox won't detect this condition; the security
> model is based on domains, not SSL certificates.

I hadn't heard of this technique to get around the issue, but if there
is an exception for it, we're already doing this in our certs, so it
would already be fixed.

If that fails, any solution that lets us keep the cookies with
httponly set is preferred. Has anyone tested Firefox to see if it will
accept third-party cookies loaded from:
* iframes
* AJAX + CORS
* 301, 302, meta refresh, or JavaScript redirects

I don't really want to play cat and mouse with Mozilla, but it would
be nice to know if we have options.

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
