
shibboleth-dev - Frames/cookies question

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: Frames/cookies question
  • Date: Mon, 7 Dec 2009 13:14:23 -0500
  • Organization: The Ohio State University

I don't want this to turn into a rathole on logout, though since I'm sort of
attempting to sanity check the very possibility, I suppose it's unavoidable.
But let me just ask a specific question.

Can somebody demonstrate a case in which Firefox, *without* accepting third
party cookies, will handle setting or returning a session cookie via a frame
or iframe if the source of the frame is a totally distinct domain from the
outer frameset?

Because from what I can see this is a DOA approach. I've tried with and
without the P3P bits that make IE work in the same scenario, but FF does not
appear to notice that difference.

I've tried this in a very simple test harness with the initial frameset or
outer document served over http or https, and with the embedded frame or
iframe as http and https, and there appears to be no combination that allows
Firefox to work without creating exceptions. I've also tested cases in which
the cookie is created in advance and seeded outside the frame, and that
doesn't work either.

I would note that FF *does* work if the frame and outer document share a
subdomain (even if they're different servers). That doesn't appear to get
handled as a third party case. I don't think that makes a lot of sense, but
that's what it does. But that's not generally relevant to SAML.

I know that there have been very fancy logout demos that appear to work, but
my past experience with frames has led me to try to reproduce a very basic
example to try and get a cookie to work, and so far I'm not seeing it. Is it
possible these demos are artificially sharing a subdomain? Does using
JavaScript to get/set a cookie perhaps operate under different rules?

I can provide the samples I used if needed; it's just a CGI shell script to
deal with the cookie and a static HTML page. I haven't tried with any
JavaScript yet.

-- Scott
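A harness of the kind described in the message, added here as an example and not Scott's own script: a CGI shell script for the framed (inner) host that reports whether a session cookie came back and sets it if not, plus the static outer page that embeds it from a different domain. The cookie name `framecookie`, the hostnames and the CGI path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the script from the message): CGI harness for the inner,
# framed host. It reports whether the browser returned the session cookie
# and sets it if absent. Cookie name and host names are constructed.
COOKIE_NAME="framecookie"

# Print the value of $COOKIE_NAME from a Cookie: header string, or nothing.
cookie_value() {
  printf '%s' "$1" | tr ';' '\n' \
    | sed -n "s/^[[:space:]]*${COOKIE_NAME}=//p" | head -n 1
}

# Full CGI response for a Cookie header ($1) and a fresh token ($2).
# First visit from the frame: Set-Cookie. Later visits: report it came back,
# which is exactly what fails when the browser treats the frame as third party.
cgi_response() {
  val=$(cookie_value "$1")
  if [ -z "$val" ]; then
    # Secure and SameSite=None are what current browsers require before they
    # will store a cookie set inside a cross-site frame at all.
    printf 'Set-Cookie: %s=%s; Path=/; Secure; HttpOnly; SameSite=None\r\n' \
      "$COOKIE_NAME" "$2"
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'no cookie received; set %s\n' "$COOKIE_NAME"
  else
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'cookie received: %s=%s\n' "$COOKIE_NAME" "$val"
  fi
}

# Static outer page for the *other* domain ($1); the iframe source is the CGI
# on the inner host ($2). Load it twice: the second load should say
# "cookie received" only if the browser accepts the cookie for that frame.
outer_page() {
  printf '<html><body><h1>outer: %s</h1>\n' "$1"
  printf '<iframe src="https://%s/cgi-bin/cookie.cgi" width="400" height="100"></iframe>\n' "$2"
  printf '</body></html>\n'
}

# When run by a web server as a CGI, answer the request.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
  cgi_response "${HTTP_COOKIE:-}" "$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
fi
```

Serve the CGI on one registrable domain and the output of `outer_page` on another, then compare the second load of the frame with and without third-party cookies enabled in the browser.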