Google Identity Services or iframe / cross-site cookies

I have a question regarding Google Identity Services popup.

Screenshot 2022-08-11 195737

You might know that when you visit some website with registration capabilities, it will show you a popup “Sign in to Website with Google”. This popup will contain your name and picture. As I understand, this popup is an iframe; if you authenticate with Google, they will show this information.
What I don’t get is how they are doing this. Why am I authenticated inside the iframe? I thought Brave was not sending third-party cookies.
I’ve checked the Network tab, and I can see that my cookies are getting sent in this iframe loading request. Also, I don’t see such popups while using Firefox.

As an example, you can check the Grammarly website.

Moved this question to Browser support.
Also, Block cross-site cookies feature is enabled.

@2tunnels Hi and welcome to the community. I can’t help, sorry. I’m going to tag @mattches and @fanboynz (Brave support) who may pop in and explain. Maybe this is something that should be blocked and isn’t for some reason. Hope someone can provide some insight! Take care.

1 Like

Apologies for the late reply here.
So I think what you’ll need to do in order to block these types of login prompts is to go to Settings → Social media blocking and toggle the Allow Google login buttons on 3rd party sites option “off”.

Can you do that and then test again and let me know if the prompt still appears?

Adding ||$script,third-party into brave://adblock will prevent the popup

I’m not sure why this option is enabled by default. In another browsers, where 3rd party cookies are disabled you can still use OAuth 2.0 for SSO. I don’t think that “Login with Google account” functionality isn’t working in Safari. OAuth 2.0 and OIDC should work without 3rd party cookies.
Or because it’s Chromium, Google assumes something about authentication flows and disabling 3rd party cookies breaks login buttons.
In my opinion this type of widgets are the worst thing for privacy and having this feature enabled by default in browser that sells itself as “privacy first” just doesn’t make any sense.
For example after installing Privacy Badger extension I can see that a lot of things are getting blocked by extension, not by Brave.
Also, I don’t see this settings in Brave on mobile, so I assume it’s sending 3rd party cookies on mobile.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.