
Re: Defining First and Third Party Cookies

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 18 Jan 2016 10:56:19 -0800
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <8B504522-E2A9-4357-9DCF-BB353CCC5971@gbiv.com>
To: Mark Nottingham <mnot@mnot.net>

I appreciate the value of such a technical definition from the perspective of a browser, but that doesn't make it an accurate definition of first party for the user or for the services in question.

The problem is that the draft is equating the notion of "party" (a legal term) with the technical ideal of same-domain, but the fact is that a single party often owns many domains that a user expects to be the same party but won't be under this definition. Likewise, a party might control other domains for the sake of providing that same service, and a single domain often hosts services for multiple parties.

These are important distinctions because they are present in most modern privacy regulations and data protection laws. Hence, the draft's definitions conflict with the defined terms of DNT, since DNT was written with respect to those laws.

There is no feasible technical mechanism for a browser to determine what is a first-party. My preference would be to use a different term for this new definition that isn't loaded with legal baggage. IMO, what the draft defines would be better called same-domain or same-ancestor or "within the document domain", since domain ancestry really has nothing to do with the legal definitions of first or third party.

Changing the technical terms has no impact on the technology or the algorithms. It just shortens the arguments and avoids some unfortunate conflicts.

....Roy


> On Jan 17, 2016, at 6:52 PM, Mark Nottingham <mnot@mnot.net> wrote:
> 
> It doesn't look like there's enough interest in Mike's first-party cookie draft to consider a CfA for it yet.
> 
> However, I'm wondering if it would be useful to pull the definitions of first and third party cookies out of that and into CookieBIS, since they're currently not defined anywhere normatively.
> 
> Specifically:
>  https://tools.ietf.org/html/draft-west-first-party-cookies-04#section-2.1
> 
> What do people think?
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
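As an added illustration that is not part of the thread: assuming the draft's first-party test reduces to comparing the registrable domain of the request with that of the top-level document, the code below implements that comparison and runs it over constructed cases matching the situations Roy describes where "same domain" and "same party" diverge. The public-suffix table and all hostnames are constructed stubs, not the real Public Suffix List.

```python
# Added example, not code from the draft or the thread. The suffix table is a
# constructed subset; a real implementation must use the full Public Suffix List.
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}  # constructed stub


def registrable_domain(host: str) -> str:
    """Return the public suffix plus one label (e.g. 'example.co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    # Longest matching suffix wins, as in the Public Suffix List algorithm.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Assumption for unknown TLDs: treat the last label as the suffix.
    return ".".join(labels[-2:])


def draft_first_party(top_level_url: str, request_url: str) -> bool:
    """The assumed draft test: same registrable domain as the top-level page."""
    top = urlsplit(top_level_url).hostname
    req = urlsplit(request_url).hostname
    return registrable_domain(top) == registrable_domain(req)


def mismatch_cases() -> dict:
    """Constructed cases where 'same domain' and 'same party' disagree."""
    return {
        # One party, two domains it owns: counted as third-party by the test.
        "one_party_two_domains": draft_first_party(
            "https://www.example.com/", "https://shop.example.co.uk/api"),
        # A party serving its own site from a second domain it controls.
        "own_cdn_domain": draft_first_party(
            "https://www.example.com/", "https://static.example-cdn.com/app.js"),
        # Many unrelated parties on one shared host: counted as first-party.
        "shared_host_many_parties": draft_first_party(
            "https://alice.sharedhost.example/", "https://bob.sharedhost.example/x"),
        # Ordinary subdomain of the same site: first-party, as intended.
        "same_site_subdomain": draft_first_party(
            "https://www.example.com/", "https://api.example.com/v1"),
    }
```

The first two cases come out False and the third True, which is the gap between domain ancestry and the legal notion of party that the mail is pointing at.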
Received on Monday, 18 January 2016 18:56:46 UTC
