From: Marcus H. <ha...@ki...> - 2020-10-05 09:12:00
On 10/02/20 11:54, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 02.10.2020 at 11:17, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > On Fri, 2020-10-02 at 11:13 +0200, Krzysztof Benedyczak wrote:
> > > Hi Sander,
> > >
> > > On 02.10.2020 at 10:54, Sander Apweiler wrote:
> > > > Good Morning Krzysztof,
> > > >
> > > > we got a lot of feedback of 3rd site content and cookies triggered by
> > > > unity. This content is the logos and cookies of the remote IdPs
> > > > (from eduGAIN). The users never visited these IdPs. The users are very
> > > > unhappy with this behaviour. Can this be changed, that unity fetches
> > > > the logos, caches them and provide them with the login screen?
> > > >
> > > Do you mean that the process of showing SAML federation logos (which are
> > > provided as links in federation metadata) should not happen lazily when
> > > user enters the authentication page, but rather be done in background,
> > > from time to time, so that all logos are served from Unity server
> > > itself?
> > Exactly. I guess when the logos are served from unity instead of the
> > IdPs, the cookie issue is solved, too.
>
> Yes - we can change the behavior, I've opened a ticket. This will be a
> rather complex process (this is lots of data which would need to be
> downloaded, stored and refreshed) - rather a bigger change, so hard to say
> when we schedule it.
>
> On the other hand, users are constantly tracked by FB, Google, and a ton of
> other sites with real consequences.

Yes, and in addition to Google and Facebook, noyb has started to sue 101 companies in Europe that do the same thing [1].

> The fact that the user gets a cookie
> from a site which was not visited is just a few bytes on her hard drive,
> nothing more. So I can ask: what is the real problem here?

By requesting the picture, the user informs _all_ IdPs that he is about to log in to unity. That does not seem right, does it?

Plus, some (very few) are configured to offer certificate authentication, if an appropriate certificate is in the browser. The browser shows a popup for the user to choose. So, when I want to choose KIT on unity, some other site asks for the certificate?

Fortunately, not _all_ IdPs are queried (as did another project in an early version).

[1] https://noyb.eu/en/update-noybs-101-complaints-eu-us-data-transfers

--
Marcus.
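
The concern raised in this thread, as an added example that is not part of the original messages or of Unity's code: a Python audit that lists which foreign hosts a browser would contact if a login page lazily loads the `mdui:Logo` links from federation metadata. The metadata sample, the host names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
NS = {"mdui": MDUI}

def idp(entity_id, logo):
    """Build one constructed IdP entry carrying a single mdui:Logo."""
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:Extensions><mdui:UIInfo><mdui:Logo height="16" width="16">{logo}'
            '</mdui:Logo></mdui:UIInfo></md:Extensions></md:IDPSSODescriptor>'
            '</md:EntityDescriptor>')

# Constructed sample, not real eduGAIN metadata.
SAMPLE_METADATA = (
    f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdui="{MDUI}">'
    + idp("https://idp.one.example/saml", "https://idp.one.example/logo.png")
    + idp("https://idp.two.example/saml", "https://cdn.two.example/img/logo.svg")
    + idp("https://idp.three.example/saml", "data:image/png;base64,iVBORw0KGgo=")
    + idp("https://idp.four.example/saml", "https://login.example/cache/four.png")
    + "</md:EntitiesDescriptor>")

def third_party_logo_hosts(metadata_xml, own_host):
    """Map each foreign host the browser would contact to the IdPs whose logo it serves."""
    root = ET.fromstring(metadata_xml)
    hosts = {}
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        for logo in entity.iterfind(".//mdui:Logo", NS):
            parts = urlsplit((logo.text or "").strip())
            if parts.scheme not in ("http", "https"):
                continue  # data: URIs are embedded in the page, no request is sent
            if parts.hostname and parts.hostname != own_host.lower():
                hosts.setdefault(parts.hostname, set()).add(entity.get("entityID"))
    return hosts

if __name__ == "__main__":
    # "login.example" stands in for the host serving the login page.
    for host, idps in sorted(third_party_logo_hosts(SAMPLE_METADATA, "login.example").items()):
        print(f"{host}: contacted on page load for {sorted(idps)}")
```

Logos already served from the login host, or embedded as `data:` URIs, drop out of the result; every remaining host learns of the page load and may set cookies.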