Re: Defining First and Third Party Cookies from Mike West on 2016-01-18 (ietf-http-wg@w3.org from January to March 2016)

From: Mike West <mkwst@google.com>
Date: Mon, 18 Jan 2016 21:11:49 +0100
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAKXHy=dBZOd1KFqrgCuA7Fy=s760V3xLcH5MLAq9-HR3f2NPfw@mail.gmail.com>

On Mon, Jan 18, 2016 at 7:56 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> I appreciate the value of such a technical definition from the perspective
> of a browser, but that doesn't make it an accurate definition of first
> party for the user or for the services in question.
>
> The problem is that the draft is equating the notion of "party" (a legal
> term) with the technical ideal of same-domain, but the fact is that a
> single party often owns many domains that a user expects to be the same
> party but won't be under this definition. Likewise, a party might control
> other domains for the sake of providing that same service, and a single
> domain often hosts services for multiple parties.
>
> These are important distinctions because they are present in most modern
> privacy regulations and data protection laws. Hence, the draft's
> definitions conflict with the defined terms of DNT, since DNT was written
> with respect to those laws.
>
> There is no feasible technical mechanism for a browser to determine what
> is a first-party. My preference would be to use a different term for this
> new definition that isn't loaded with legal baggage. IMO, what the draft
> defines would be better called same-domain or same-ancestor or "within the
> document domain", since domain ancestry really has nothing to do with the
> legal definitions of first or third party.
>

Fair. I have _very_ little interest in getting into arguments with lawyers.
The browser deals with origins, and I'm happy not to claim anything more.

That said, note that the definition in the document isn't really
"same-domain", as it relies on notions of public suffixes and registrable
domains that browsers have adopted for compatibility with the web (e.g.
Chrome and Firefox's "block third-party cookie" options both allow `
example.com` -> `sub.example.com` chains to send cookies to both origins,
Safari's sends any which would be sent to the top-level origin (which has a
similar effect, as cookies are nuts)). Perhaps "same-site" or something
equally vague would be appropriate?

-mike

Received on Monday, 18 January 2016 20:12:41 UTC