W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: Defining First and Third Party Cookies

From: Mike West <mkwst@google.com>
Date: Tue, 19 Jan 2016 13:13:56 +0100
Message-ID: <CAKXHy=fpbtFxRXaKKdWaGMg8TSXdujwZPaBm2z9VCMeX68NSZA@mail.gmail.com>
To: Matthew Kerwin <matthew@kerwin.net.au>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Jan 18, 2016 at 11:52 PM, Matthew Kerwin <matthew@kerwin.net.au>

> * local / remote cookies
> * internal / external cookies
> The English words are pretty open, and AFAIK they're not really used in
> this domain, so there's hopefully less chance of them carrying particular
> arbitrary definitions for folk who encounter them (unlike "site" which
> means many things to many people.)

I think most words are going to carry some baggage, "internal", "external",
"local", and "remote" included. I mean, all cookies are "external" in the
sense that they're sent out there to the public internet, and all cookies
are "local" in that they're stored on my hard drive. We can define those
terms in this context to mean something else, certainly, but we could also
solidify the definition of "site" as it applies to cookies.

> That means the definition we write will be the first/true one.

Except insofar as the world has already settled on
"first-party"/"third-party". :) Colloquial usage of those terms is fairly
pervasive (see Chrome, Firefox, and Edge's settings pages, as well as
RFC6265 itself). Lawyers aside, those are the "first" and "true"
definitions that exist status quo.

Safari is the only browser I know of that avoids the "*-party" terminology,
settling for "Cookies from this website" and "websites I visit", which lead
me to "site" as a potentially viable option which has similar connotations
to the verbose-but-accurate "same-registrable-domain".

Received on Tuesday, 19 January 2016 12:14:46 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC