Re: technical issues with multiple first parties

On Monday 18 March 2013 18:02:01 David Singer wrote:
> So, where you say "an assumption we would be undoing is the assumption
> that the User Agent (UA) knows who the first party is before it sends
> an HTTP request".  No, we don't assume that;  the user-agent has to
> work on machine-testable questions, and it knows the address in the
> address bar.  We kinda assume that that maps fairly well to the first
> party most of the time.

There are many many cases where domain names do not match parties. There 
are two ways to address the issue: 

1/ only work on domain names and ignore the rest (Roy and Adrian 
stating: no known implementation implements the TSR) => it becomes the 
responsibility of the browser to determine the party. But they can't, 
they can only look at domains. This then creates developer nightmare 
resulting in "make browser happy" implementations so that the site 
works. Confronted with cheating or site not working, people will go for 
cheating and will find understanding in courts. 

2/ look into what the service tells you => responsibility of the 
service. If the response to a GET request on is Tk:1 you 
treat them as a first party. As nobody is implementing this.... => the 
browser remains responsible. 

There is a feedback loop from the service to the browser for a reason. 
And this reason is not only to have pre-flight conditions or having one 
researcher holding up the entire industry for doing some obscure 
measurements. It is also for the service to be able to give context to 
the browser. If the browser ignores the context, it acquires the 


Received on Friday, 22 March 2013 11:03:51 UTC