Menu
▾
▴
Re: [Unity-idm-discuss] 3rd site content and cookies
|
From: Marcus H. <ha...@ki...> - 2020-10-06 07:32:58
|
On 10/06/20 09:24, Krzysztof Benedyczak wrote: > Marcus, > > W dniu 05.10.2020 o 10:47, Marcus Hardt pisze: > > > The fact that the user gets a cookie > > > from a site which was not visited is just few bytes on her hard drive, > > > nothing more. So I can ask: what is the real problem here? > > By requesting the picture, the user informs _all_ IdPs that he is about to > > log in to unity. That does not seem right, does it? > > No, that's not true. The IdPs can only know that some *anonymous* one is > trying to enter unity instance (and only after if and after they check that > referer URL is of some unity instance). Nothing more. The anonymous is the goal here. For this unity needs to proxy the requests. At the moments it's my browser requesting those images. This is by no means anonymous. > What privacy concern is there? I am unneccessarily forced to releasing information to third parties, potentially outside europe, that I've never wanted to authorise. > > Plus, some (very few) are configured to offer certificate authentication, > > if an appropriate certificate is in the browser. The browser shows a popup > > for the user to choose. So, when I want to choose KIT on unity, some other > > site asks for the certificate? Fortunately, not _all_ IdPs are queried > > (as did another project in an early version). > > That is obvious misconfiguration of your IdP sites. Not at all. It's any IdP that is in the metadata. We have no control about them. > They should not require > authN for public assets like a logo advertised in metadata for > authentication purposes. Absolutely agreed. > I can see the value in the request to cache the images by unity - but that's > more of an optimization, not a privacy issue. -- Marcus. |
