Nudge users with 3rd-party cookies blocked to allow them, if reasonable
User identities are not revealed in iframed sheets even when the containing folder is shared to the user when third-party cookies are blocked by the browser. This results in more anonymous animals than ideal.
This gets tripped up by Safari in its default configuration as well as by some ad-blockers or privacy extensions for other browsers.
It would be nice if we could detect these circumstances (user has a linked Google identity but 3rd-party cookies are blocked) and nudge the user to take actions that would allow other hunters to be able to tell who a particular cursor is.
I took a look at this. I think it would be feasible to detect if all third-party cookies are blocked using an approach like https://github.com/mindmup/3rdpartycookiecheck. We would embed an iframe pointed to a URL on some other domain - a GitHub Pages site pointed to a static page in the repository could be a natural place for this - which runs some JavaScript to set a cookie, redirect to another static page, and then attempt to read the cookie back. I've verified that this can catch the Firefox setting to disable "All cross-site cookies".
However, the default Firefox setting seems to be to disable "Cross-site tracking cookies" or otherwise restrict the blocking to some presumed blocklist of known tracking cookies. In this case, I seem to show up as anonymous, but the third-party check above passes. The logical explanation would be that Sheets is relying on a cookie that Firefox has deemed a tracking cookie, but this doesn't trigger on the checker's test cookie.
Weirdly, though, Firefox shows an empty list of blocked cross-site tracking cookies for the site, even though disabling tracking protection does fix it. I'm not sure if I've misunderstood something or it's just a UI bug/quirk in Firefox.
So I'll probably just document this in the setup instructions rather than try and build some detection. I think this is going to be the more common case at least for the moment, and detecting that tracking cookies specifically are blocked seems more challenging.
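The set, redirect, read-back probe described in the comment above, as an added sketch that is not code from this issue or from the linked checker project. The cookie name, message type, page names and both origins are assumptions, and, as the comment notes, a probe like this only catches blanket third-party cookie blocking, not blocking driven by a tracker list.

```javascript
// Added example. All names and origins below are assumptions, not from the issue.
const COOKIE_NAME = "tpc_probe";                  // hypothetical probe cookie
const CHECKER_ORIGIN = "https://checker.example"; // placeholder: the other-domain static site
const APP_ORIGIN = "https://app.example";         // placeholder: the page embedding the iframe

// Page 1 in the cross-site iframe: set the cookie, then redirect to page 2.
function startProbe(doc, loc) {
  // SameSite=None; Secure is needed for a cookie to be usable in a cross-site frame.
  doc.cookie = `${COOKIE_NAME}=1; SameSite=None; Secure; Path=/`;
  loc.replace("complete.html");
}

// Page 2: try to read the cookie back and report the outcome to the embedder.
function completeProbe(doc, parentWin) {
  const supported = doc.cookie.split("; ").some((p) => p.split("=")[0] === COOKIE_NAME);
  // Pin targetOrigin so the result is only delivered to the expected embedder.
  parentWin.postMessage({ type: "tpc-probe", supported }, APP_ORIGIN);
  return supported;
}

// Embedding page: accept results only from the checker origin.
function readProbeResult(event) {
  if (event.origin !== CHECKER_ORIGIN) return null;
  if (!event.data || event.data.type !== "tpc-probe") return null;
  return event.data.supported === true;
}

// Constructed stand-in for document.cookie so the flow runs outside a browser:
// when cookies are blocked, writes are dropped and reads return "".
function fakeDocument(blocked) {
  let jar = "";
  return {
    get cookie() { return jar; },
    set cookie(v) { if (!blocked) jar = v.split(";")[0]; },
  };
}

// Runs both pages and the embedder's handler against the fake cookie jar.
function simulate(blocked) {
  const doc = fakeDocument(blocked);
  const loc = { href: "start.html", replace(url) { this.href = url; } };
  let result = null;
  const parentWin = {
    postMessage(data) { result = readProbeResult({ origin: CHECKER_ORIGIN, data }); },
  };
  startProbe(doc, loc);
  completeProbe(doc, parentWin);
  return result;
}
```

In a browser, `startProbe` and `completeProbe` would be called with the real `document`, `location` and `window.parent`, and `readProbeResult` from a `message` event listener on the embedding page.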