Re: [ISSUE-60] Will a recipient know if it itself is a 1st or 3rd party?

* Kevin Smith wrote:
>In Boston, we talked about how in some cases such as iFrames, a site or
>service may not know whether it was 1st or 3rd party.  As I thought more
>about this, I think the problem might actually be much more widespread
>than iframes.  I do not think there is any generic way to determine if
>even a normal request is a 3rd or 1st party request, because the server
>does not know what domain or site the user is actually on.

You can't tell from an arbitrary HTTP request where the top-level window
in a user's browser is from in all cases, that is correct. Reasons in-
clude that the HTTP request might not be coming from a user agent that
has a concept of a top-level window. With the "differently-branded" con-
cept, I myself as a citizen would not be able to tell 1st and 3rd party
apart either. Is flickr a 1st party when I read my Yahoo! mails? Is some host 1st party from even if the former
is mapped to some "obviously" 3rd party host?

>In other words, it's much easier to say "this is a 1st party than "this
>is not a 1st party", although even that may be inaccurate sometimes.

If it is relatively easy to establish that you are the first party, you
can assume that when you do not positively establish that, then you are
the third party; that would make both determinations equally "easy" even
if the determinations might not be equally as accurate.

>Consequently, I do not think its technically feasible to come up with a
>method or combination of methods that would always accurately determine
>party.  And if it were possible, it is probably outside the scope of
>this document.

I agree that formulating some algorithm that would deterministically
answer who in some particular situation is first party and who is not,
that suits everybody in all circumstances is probably impossible, but I
also do not see why that would be a requirement or why that could not be
met by changing the status quo. If browser can know who is 1st and who
is 3rd party, they can put that information into their requests, for
instance. If the group wishes to discriminate between 1st and 3rd party
requests, I would not regard such a requirement as out of scope either.
Björn Höhrmann · ·
Am Badedeich 7 · Telefon: +49(0)160/4415681 ·
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · 

Received on Sunday, 16 October 2011 01:18:32 UTC