On mid-2022 Google plans to disable third party cookies by default.
My use with 3rd party cookies is through google chrome extension (not for ads service)
I use an Iframe to translate some words on the document.
It looks something like this:
I have a chrome extension that loads an Iframe (In red)
The Iframe (in green) is under my domain x.com (i wish)
Each request that goes from my iframe client to the server is attaching cookie, but from mid-2022 it will be blocked due to chrome policy change and considering that the cookies are 3rd party
I have tried to find solution for this,
All I have found for now is TheTradeDesk Unified ID 2.0 but it will not help me since it's not store value / jwt (its anonymous id)
But could't find any other solution
Any ideas how to handle this?Thanks in advance.
We're also facing something similar, where we noticed if you have your browser configured to block 3rd party cookies, functionality regarding authentication did not work.
This afternoon, we followed a hunch to try and see if the setting to block 3rd party cookies also has an effect on an extension's background page (we're still using manifest v2). And turns out, it is not. So even with 3rd party cookies being blocked, requests made from the extension's background page can still use them.
Not sure if this is by design or a bug. And we still need to investigate how this works with manifest v3.
But hope this helps!
A good news is that Google keeps postponing the timeline for removing 3rd party cookies from Chrome. Right now (Dec 2022) it's planned for the second half of 2024 (https://blog.google/products/chrome/update-testing-privacy-sandbox-web/).
Eventually, we'll need a workaround, though. As #schmkr mentioned, Chrome extension's own code (background page / service worker, and iframes sources from the embedded HTML via chrome://... URLs) are not considered 3rd party. So there are two workarounds:
Pack your iframe app (html/js) as a part of the chrome extension instead of loading it from the external website (x.com in your example).
Keep the iframe app externally sourced, but change its logic. It should not send XHR/Fetch requests any more. Instead it should ask the extension background page / service worker to do that (using the messaging API).
Related
I am using Microsoft Graph login in my chrome extension and I am facing a disturbing issue, seems that the user login info is not cleared even if I fully clear browser data, its only forgotten after I restart the browser.
Is this a security vulnerability ?
How is this even possible as my extension is closed and all data is cleared , where is this info saved ?
( I am aware of the logout api, the reason I am asking is because this seems like a security issue to me )
Thanks Jacob. Could you please verify the known issue for the Microsoft Graph and here is the URL:- https://learn.microsoft.com/en-us/graph/known-issues
you can also verify the Content Security Policy (CSP) for the chrome extensions. Please verify the content scripts of the Chrome extension and make sure you know the chrome limitations.
Content scripts are JavaScript files that run in the context of web pages. By using the standardDocument Object Model (DOM), they can read details of the web pages the browser visits, or make changes to them.
Here are some examples of what content scripts can do:
Find unlinked URLs in web pages and convert them into hyperlinks
Increase the font size to make text more legible
Find and process microformat data in the DOM
However, content scripts have some limitations. They cannot:
Use chrome. APIs, with the exception of:
extension ( getURL , inIncognitoContext , lastError , onRequest ,sendRequest )
i18n
runtime ( connect , getManifest , getURL , id , onConnect , onMessage , sendMessage )
storage*
Use variables or functions defined by their extension’s pages
Use variables or functions defined by web pages or by other content scripts
These limitations are for Content scripts can indirectly use the chrome.* APIs, get access to extension data, and request extension actions by exchangingmessages with their parent extension. Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions, and they cancommunicate with web pages using the shared DOM. For more insight into what content scripts can and can’t do, learn about the execution environment.
Please share the log file for further investigations.
I currently have a web app made in node.js. One feature of this app is to take notes. I want to provide the user with a way to browse the internet and select a text to add as a note in our web app without having to manually copy-pasting from one browser window to our app.
I know I can do this relatively simply using a Chrome extension that would be linked to the user account and would save the note to the database. However, I cannot use this approach since not all my users can install Google Chrome.
Therefore, I am looking for a way to browse the web from inside our web app. For example, it could be in an iFrame where we display a complete browser. That way, the user could navigate the web for information from inside the app, select text to save and click on a button (probably located outside the iFrame browser) to save the selected text as a note in our database.
How can I achieve such a thing in node.js ?
This is, essentially, impossible.
For you to get any data about the site the user was browsing you could either:
Restrict them to browsing sites willing to partner with you to give you permission to access their data via postMessage (a technical change on their part to work around the Same Origin Policy)
Proxy every request through your server which would:
Have large bandwidth requirements
Require a lot of rewriting of URLs (including dynamically generated ones in JS)
Require rewriting of X-Frames-Options and Access-Control-Allow-Origin headers
Need users who would trust you with all the data you passed through your system (including their passwords to third party sites)
Not work for Intranet sites (since your server could not reach them)
Is there an API to access all site data on all domains from a chrome extension (or firefox addin)?
Full story: I want to create a pseudo profile switcher, as an alternative to google's Google's "multiple sign-in". It will basically help user to switch between profiles that are created inside my extension. Right now, it is only a cookie-switcher because it can only access cookies (just like this extension: Swap My Cookies).
For creating a new profile (inside my extension) it saves all cookies in JSON format in filesystem and then deletes all cookies in browser, just like chrome's new profile. To switch between two profiles, it saves current cookies, clears cookies, and loads cookies for target profile. Note that I am not accessing chrome's actual profiles at all, and I am certainly not reading cookies from chrome's other profiles. This is just a pseudo profile switcher. Many websites are not working as they should work, because these websites store more things than just cookies. Is there a way to access all site data, and not just cookies? I have been working with chromium so far, but for this I am ready to switch to firefox or any other browser.
Following is picture of url chrome://settings/cookies after clearing all cookies using chrome extension API, how do I access the rest of data?
Image showing site data other than cookies
I want to create a pseudo profile switcher
For Firefox there is a per-tab container API under development which may pretty much provide what you want.
I'm using MVC4 c# and have incorporated a home grown security token service (STS). The user calls the actual web address, and they're passively redirected to the STS login. When they successfully authenticate they're redirected to where they're supposed to go, which was all urlencoded in the URL on the redirect to the sts.
Upon logout, we call:
this.Session.Abandon();
this.Response.Cache.SetCacheability(HttpCacheability.NoCache);
this.Response.ClearContent();
// expires the claims
FederatedAuthentication.SessionAuthenticationModule.SignOut();
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Delete();
WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule
Response.Redirect(WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(authModule.Issuer, authModule.Realm, null));
Everything seems to work great on the desktop version of our app. The user is back at the STS login page, and the URL shows wlogin1 (and lots of other stuff) and will allow the user to login again without issue. The url is exactly the same as when they first were redirected to the STS. Perfect, and this is what I want.
Now, when on mobile, which by the way uses the exact same domain/controller/Methods, it just uses jQueryMobile and different partial views, the logout appears to work and the user is brought back to the STS login. This time, however, the URL only shows the Domain/Controller/Method that was actually called from the mobile actionLink used for Logout. When the user tries to login again, the login is always unsuccessful because this link isn't appropriate for an sts login.
Thoughts on how to fix this, or what's wrong? Please let me know if you require any clarification. Thanks!
I was able to fix this!!
Looking at the headers for the mobile site it showed:
X-Requested-With: XMLHttpRequest
So, my logout was attempted with ajax and something wasn't working. This was the only difference between the desktop and mobile headers (besides user-agent, obviously). Started poking around this as the issue.
Within one of my mobile-specific scripts I added the following within the mobileinit. BINGO! Wow, what an easy solution for such a confusion problem.
$(document).bind("mobileinit", function (event) {
$.mobile.ajaxEnabled = false;});
Make sure that you correctly load your libraries too!
I have loaded my jquery libraries in this order:
jquery
mobile jquery init file (the stuff above)
jquerymobile
jquery validation
everything else
We're using the following jQuery libraries:
jquery 1.9.1
jquery-ui 1.10.3
jquery.mobile 1.3.1
jquery.validate
Hope this helps others!
I have Some Questions for October 1 changes -
For old FBML based Facebook Canvas Apps, do we need to enable
secure canvas url?
Will the old FBML apps stop working if https is not enabled on the server?
What code change do we make to convert he old fbml app code to new system?
I do not think you need a Secure URL. But test it by navigating Facebook with HTTPS (change your settings) and visiting your app. If it will require a Secure canvas URL it will prompt you to temporarly navigate facebook without HTTPS.
Should still work (try #1)
Depends on the Facebook Functionality on your page. One of the easiest ways is using the Facebook JS SDK.
Here is a full tutorial that should let you get the initial setup and functionality:
http://thinkdiff.net/facebook/new-javascript-sdk-oauth-2-0-based-fbconnect-tutorial/
FBML apps do not need secure canvas url. Here is the answer given by Douglas Purdy, the head of developer relations: http://www.facebook.com/groups/fbdevelopers/?view=permalink&id=251904368186418