Re: [w3c/payment-handler] Open Window Algorithm and tracking through 1ps (#351)

> I'd argue that the payment handler window is not fundamentally different from a new tab that's triggered by the user clicking on an <a href="..." target="_blank">, so it shouldn't be subject to the storage partition ideas for 3P iframes.

The difference is that different tabs / 1ps cannot communicate with each other.  That's exactly how cross-site tracking is accomplished, and what 3p containment protects against.  You can test this, for example, by clicking a cross-domain `<a target=_blank>` link in Safari, and then noticing that `window.opener` is null.  In general, you will find few places where 1p contexts can communicate with each other, and the few that exist are being actively addressed / worked on for removal.

> If I click on a link to ewallet.com from store1.com, log in with account1, and then click on a link to ewallet.com from store2.com and log in with account2, ewallet.com can also link my two identities. 

I don't understand this claim.  That is not true without some common hook to tie account1 to account2.  If you have segmented (3p) storage, ewallet.com lacks that common hook.

But further, consider other types of tracking you're enabling:

1) I click on the link to ewallet.com and then decide not to buy anything
2) I click on ewallet.com, it opens for a second, stores the tracking cookie, transmits the cookie back to the site I came from (store1.com) and now store1.com, store2.com and ewallet.com can all collude to share information.  This is not possible if ewallet.com gets segmented storage.
3) More broadly, if all that's needed is a user gesture to get a common / global 1p storage, my analytics script can use that to track users across all sites (e.g. anytime the user is trying to leave the site, spin up this modal window, cookie sync, and then let them leave).  That would undo 100% of the benefit of partitioned storage.

> Being able to follow links is a fundamental property of the web.

This is not at all like following links on the web.  Tracking users across link clicks is currently accomplished by using the referrer header and / or query parameters.  Browsers (Safari, Brave, Firefox) are all working on ways of preventing exactly this.  The proposal as is would re-introduce the privacy harm currently being worked on / solved by these platforms.  The issue here has nothing to do with following links, and is all about what 1p contexts can learn about the behavior of the user in other 1p contexts.

-- 
https://github.com/w3c/payment-handler/issues/351#issuecomment-551321908

Received on Thursday, 7 November 2019 23:59:46 UTC
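Added example, not code from the thread, the Payment Handler spec or any browser: a toy model of the storage-partitioning argument above, using store1.com, store2.com and ewallet.com as in the discussion. The storage-key scheme, the in-memory `jar`, and the `syncToOpener` helper are assumptions made for illustration; they show why a partitioned bucket removes the "common hook" and why a severed `window.opener` blocks the cookie-sync channel.

```javascript
// Toy model of browser storage partitioning (illustration only; assumed
// behaviour, not any browser's real implementation). With global 1p
// storage a tracker at ewallet.com keeps one identifier no matter which
// site opened it; with storage partitioned by the opening top-level site,
// the window opened from store1.com and the one opened from store2.com
// get separate buckets, so the two logins cannot be linked by a cookie.

let nextId = 1;
const uid = () => `uid-${nextId++}`;

// Storage key: the site itself, optionally combined with the top-level
// (opening) site. The `partitioned` flag is the policy under discussion.
function storageKey(site, topLevelSite, partitioned) {
  return partitioned ? `${topLevelSite}|${site}` : site;
}

// Simulates ewallet.com's window opened from `openerSite`: it reads or
// creates its tracking identifier in the bucket the browser hands it.
function openWalletWindow(jar, openerSite, partitioned) {
  const key = storageKey("ewallet.com", openerSite, partitioned);
  if (!jar.has(key)) jar.set(key, uid());
  return jar.get(key);
}

// Runs the scenario from the thread: the user opens ewallet.com from
// store1.com, later from store2.com. Returns true if ewallet.com saw the
// same identifier both times, i.e. the two visits are linkable.
function canLinkVisits(partitioned) {
  const jar = new Map(); // constructed, empty cookie jar for this run
  const idFromStore1 = openWalletWindow(jar, "store1.com", partitioned);
  const idFromStore2 = openWalletWindow(jar, "store2.com", partitioned);
  return idFromStore1 === idFromStore2;
}

// Item 2 in the thread (syncing the id back to the opening site) needs a
// live reference to the opener. When the browser nulls `window.opener`
// for cross-site navigations, that channel is gone regardless of storage.
function syncToOpener(opener, walletId) {
  if (opener === null) return null;   // channel severed: nothing leaks
  opener.receivedWalletId = walletId; // colluding opener learns the id
  return walletId;
}
```

Under global 1p storage `canLinkVisits(false)` is true; under partitioned storage `canLinkVisits(true)` is false, which is the distinction the reply above draws.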