I’ve done some more investigation into how various browsers with various configurations behave when it comes to access to cookies through iframes, redirects, JSONP and images.
I have many use cases where you do not really want to redirect the user to a third party, because you lose control of the user, and you have no way to implement fall-backs for service interruptions on their side.
- DiscoJuiceReadWrite protocol
- Identity Federations Virtual Organisations Protocol Design
- Feide’s Single-Logout implementation
This research is background material for selecting which method to use when doing reliable front-channel cross-domain communication.
I’ll be back with more information on this at a later time. The first preliminary results are that the test is extremely useful, as the behaviour varies a lot between browsers.