Re: explicit-explicit exception pairs

I'm not aware of any browsers that in a default configuration allow people
to make decisions on individual cookies. Even in Chrome, when you go into a
crazy mode of making decisions on each cookie, we essentially store the
cookies in memory only until you decide to commit them, so as not to block
anything. I suspect that, in this case, although the API is asynchronous,
the site probably wants to know what the heck is going on before it
delivers you content if it's going to request an exception. Thus, this now
turns into something that is essentially blocking.

Also, I don't think we should just punt something by saying "It's a UI
issue." The spec has implications on UI that should not be ignored.
explicit/explicit means we have to come up with UI to support this, where
so far we have failed; it means sites now have to worry about corner cases
they didn't before, etc.

The argument is very similar to permissions on mobile phones (Android as an
example), or extensions in browsers (Chrome as an example). In theory you
could imagine saying "Yes, I want to grant the app this permission but not
that other permission". In reality, you then end up with a very complex UI
that the vast majority of users have insufficient information to make a
good decision on, and you have app developers (or in this case website
developers) having to test for 2^n permutations of permissions.

You seem to think that options are free. In reality, options are far from
free, and the cost of these options gets borne out by the majority by
having to handle edge cases, as opposed to just the users who exercise
these options.

-Ian

On Wed, Apr 25, 2012 at 5:23 AM, Rigo Wenning <rigo@w3.org> wrote:

> Ian,
>
> interesting issue. Your suggestion of total bundling is not absolutely
> necessary. I agree it is rather a UI issue. I can allow an
> explicit/explicit and have a simple UI shortcut saying "all third parties
> on this site" which in turn will trigger */* for explicit/explicit. The
> Specification itself only needs to mention explicit/explicit as all other
> cases are simplifications that cluster some amount of explicit/explicit
> together.
>
> Most browsers allow for individual management of cookies, but also offer
> rules like "all third party cookies". Here you could do the same.
>
> Rigo
>
> On Tuesday 24 April 2012 15:39:22 Ian Fette wrote:
> > I've done a quick writeup for ACTION-173 to describe the problems around
> > (explicit,explicit) exception pairs, including a screenshot of what I view
> > to be our rather problematic attempt at applying this to geolocation
> > permissions in Chrome. The writeup with screenshots is at
> >
> > https://docs.google.com/document/d/19mNwTiZgYsrhgYDQHTljuId49DFDrApoTRZrVl-tniA/edit
> >
> > I've included the contents below, but I suspect it will probably get
> > munged by mailing lists and drop images etc. You're probably better off
> > viewing the google doc via the link above, but for the sake of archival
> > I've copied the body into this email.
> >
> >
> >   *Perils of cross-products in settings
>

Received on Wednesday, 25 April 2012 15:21:45 UTC