- From: Phil Lello <phil@dunlop-lello.uk>
- Date: Sun, 10 Apr 2016 11:30:23 +0100
- To: Ryan Hamilton <rch@google.com>
- Cc: Patrick McManus <mcmanus@ducksong.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Received on Sunday, 10 April 2016 10:30:52 UTC
On Sun, Apr 10, 2016 at 5:04 AM, Ryan Hamilton <rch@google.com> wrote:

> On Sat, Apr 9, 2016 at 10:41 AM, Phil Lello <phil@dunlop-lello.uk> wrote:
>
>> Specifically, although I know that, for example, google.com and
>> youtube.com are tightly related, the average user might not. Over a TLS
>> end-to-end connection, Alt-Svc seems to make it easy to track activities
>> between domains without user knowledge or consent. Ditto for
>> blog1.wordpress.com and blog2.wordpress.com.
>>
>
> Cookies can already be set on wordpress.com which would apply to blog1
> and blog2 so isn't the tracking you are describing already possible?
>

Yes, in the common base domain scenario, it's already possible, but requires design choices by the hosted application(s) to set domain-level cookies. In cross-domain scenarios, it's as bad for privacy as 3rd party cookies. Alt-Svc abstracts the behaviour up to at least the webserver level, if not out to the network edge.