Chrome SameSite
Charlie Mos
cmosfet10 at gmail.com
Wed Feb 5 14:27:41 EST 2020
We have confirmation from all our vendors that there is no impact.
Our team kicked up the gear on communications. It caused some
unintended confusion.
Fortunately we had confirmation from federation testing as well that all is
clear.
The Chrome change is very geeky. There was much confusion here from the
Google and online materials. Sometimes no communications is better than too
much communications.
On Tue, Feb 4, 2020 at 11:53 AM Cantor, Scott <cantor.2 at osu.edu> wrote:
> > Has the Chrome SameSite been a damp squid? Or maintain vigilance? Our
> > communications team went all out alerting on potential impact. They rather
> > communicate and be caught out not communicating.
>
> You're not going to see the real impact until the 2 minute rule is gone.
> Then you're going to see a mess on a whole lot of internal systems.
> Optimistically most cloud systems will likely have been patched by then,
> but that's just a guess.
>
> The biggest risks will be true inter-site business processes where actual
> site switches happen mid-session to allow things like purchase orders to be
> submitted and the like. People are focusing on SSO and ignoring some actual
> cases where CSRF is a *feature* of the system and not a bug. But the usual
> response there will be to document "don't use Chrome" or using managed
> browser settings on enterprise clients.
>
> -- Scott
--
---
CM