Re: [w3ctag/design-reviews] HTTP State Tokens (#297)

Users should have control over third-party tracking, so more needs to be done than just blocking the session token in nested contexts. One way is to clear all user state for an origin after a reasonable time-out, say 24 hours. Perhaps an extension to Clear-Site-Data so the state gets purged after a user-configurable duration, defaulting to 24 hours (say) if the header is not in the response. If the primary content provider has user consent, they could supply a CSD header with a longer duration, and the user could be made aware of that by suitable UA UI.

https://github.com/w3ctag/design-reviews/issues/297#issuecomment-436299633

Received on Tuesday, 6 November 2018 15:45:45 UTC