From: Krzysztof B. <kb...@un...> - 2020-10-06 07:24:30
Marcus,

On 05.10.2020 at 10:47, Marcus Hardt wrote:
>> The fact that the user gets a cookie
>> from a site which was not visited is just a few bytes on her hard drive,
>> nothing more. So I can ask: what is the real problem here?
> By requesting the picture, the user informs _all_ IdPs that he is about to
> log in to unity. That does not seem right, does it?

No, that's not true. The IdPs can only know that some *anonymous* user is trying to enter a unity instance (and only if and after they check that the referer URL is of some unity instance). Nothing more. What privacy concern is there?

> Plus, some (very few) are configured to offer certificate authentication,
> if an appropriate certificate is in the browser. The browser shows a popup
> for the user to choose. So, when I want to choose KIT on unity, some other
> site asks for the certificate? Fortunately, not _all_ IdPs are queried
> (as did another project in an early version).

That is an obvious misconfiguration of your IdP sites. They should not require authN for public assets like a logo advertised in metadata for authentication purposes.

I can see the value in the request to cache the images by unity - but that's more of an optimization, not a privacy issue.

Best,
Krzysztof