Re: [w3ctag/design-reviews] HTTP State Tokens (#297)

> Third-party tracking would still be possible, even without access to third-party cookies.

The mechanism you're sketching below uses first-party context in order to enable tracking by specific third parties in a given first-party's context. That's certainly a thing that can happen! It seems non-unique to this proposal, however, as any local storage mechanism (`localStorage`, for instance) can be used in the same way. I'm not sure that there's any technical mechanism we can provide that would allow websites to keep track of user state on the one hand, but technically disable them from sharing it with third parties on the other.

One benefit of this proposal is that it forces that sharing mechanism to rely on explicit server-side cooperation, as the token isn't exposed to JavaScript. That does basically nothing to address the issue, given the number of alternative storage mechanisms, but at least it takes cookies off the table as a trivial mechanism for storing arbitrary state.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/297#issuecomment-435783312

Received on Monday, 5 November 2018 07:54:00 UTC