- From: イアンフェッティ <ifette@google.com>
- Date: Wed, 25 Apr 2012 08:21:08 -0700
- To: Rigo Wenning <rigo@w3.org>
- Cc: public-tracking@w3.org
- Message-ID: <CAF4kx8cw+TDT-7RehZ5xkq7Oe+i7iFYqB66pKjtwZrcL8f-_sA@mail.gmail.com>
I'm not aware of any browsers that in a default configuration allow people to make decisions on individual cookies. Even in Chrome, when you go into a crazy mode of making decisions on each cookie, we essentially store the cookies in memory only until you decide to commit them, so as not to block anything. I suspect that, in this case, although the API is asynchronous the site probably wants to know what the heck is going on before it delivers you content if it's going to request an exception. Thus, this now turns into something that is essentially blocking. Also, I don't think we should just punt something by saying "It's a UI issue." The spec has implications on UI that should not be ignored. explicit/explicit means we have to come up with UI to support this, where so far we have failed, it means sites now have to worry about corner cases they didn't before, etc. The argument is very similar to permissions on mobile phones (Android as an example), or extensions in browsers (Chrome as an example). In theory you could imagine saying "Yes, I want to grant the app this permission but not that other permission". In reality, you then end up with a very complex UI that the vast majority of users have insufficient information to make a good decision on, and you have app developers (or in this case website developers) having to test for 2^n permutations of permissions. You seem to think that options are free. In reality, options are far from free, and the cost of these options gets borne out by the majority by having to handle edge cases, as opposed to just the users who exercise these options. -Ian On Wed, Apr 25, 2012 at 5:23 AM, Rigo Wenning <rigo@w3.org> wrote: > Ian, > > interesting issue. Your suggestion of total bundling is not absolutely > necessary. I agree it is rather an UI issue. I can allow an > explicit/explicit and have a simple UI shortcut saying "all third parties > on > this site" which in turn will trigger */* for explicit/explicit. The > Specification itself only needs to mention explicit/explicit as all other > cases are simplifications that cluster some amount of explicit/explicit > together. > > Most browsers allow for individual management of cookies, but also offer > rules like "all third party cookies" . Here you could do the same.. > > Rigo > > On Tuesday 24 April 2012 15:39:22 Ian Fette wrote: > > I've done a quick writeup for ACTION-173 to describe the problems around > > (explicit,explicit) exception pairs, including a screenshot of what I > view > > to be our rather problematic attempt at applying this to geolocation > > permissions in Chrome. The writeup with screenshots is at > > > https://docs.google.com/document/d/19mNwTiZgYsrhgYDQHTljuId49DFDrApoTRZrVl > > -tniA/edit > > > > I've included the contents below, but I suspect it will probably get > > munged by mailing lists and drop images etc. You're probably better off > > viewing the google doc via the link above, but for the sake of archival > > I've copied the body into this email. > > > > > > *Perils of cross-products in settings >
Received on Wednesday, 25 April 2012 15:21:45 UTC