I didn't specify those protocols for a reason. While that's technically true at the API level, I was referring to things like the “Sign-On with <service>” widgets – you can make a completely static version of that which doesn't use cookies but there is a nice UI improvement if the button can load and say things like “Login as @tootie” or “@tootie, you have 5 DMs” anywhere you see it.
Instead, I think we're going to recognize that this is too broad to be secured and either come up with ways to scope it down (e.g. requiring the third-party to have some sort of opt-in prompt) or that entire market category replaced with browser-controlled alternatives, which isn't great for companies other than Apple, Google, and maybe Microsoft but does have the appeal of not trusting an entity which the user isn't already trusting.
