- From: Mike West <notifications@github.com>
- Date: Fri, 25 May 2018 06:54:29 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/pull/391/c392065177@github.com>
> again, that'd be more convincing if Google didn't double down on relying upon it. Both server-side with accounts and in Chrome with site isolation. Google is large, it contains multitudes. FWIW, Chrome's isolation folks are actively working on origin isolation (`document.domain` and related weirdness makes that hard), and I think it's fair to say that they see "site" isolation as a stopgap they'd like to move past (though that itself was a ~4 year engineering project). I think it's also true that Google's sign-in team is enthusiastic about separating `accounts.google.com` from everything else, but that there's real value in creating some association with `docs.google.com` and `mail.google.com`. I'm hopeful that we won't be stuck with that model forever, but it seems like one we're going to be dealing with for (at least) the next 5 years. I think it's helpful to create primitives that help developers work within the model we've created for ourselves, on the one hand, and to use our other hand to poke at the model in the hopes of shifting it. Making `Sec-Metadata` less granular, or not shipping SameSite cookies or etc. seems like it would make the short term pain more acute, and wouldn't actually advance the goal of shifting to a more origin-based view of the world. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/pull/391#issuecomment-392065177
Received on Friday, 25 May 2018 13:54:52 UTC