Re: [w3ctag/design-reviews] HTTP State Tokens (#297)

> Assuming same-site means same origin (does it?)

`same-site` means `same-site` (the enum in the explainer is `cross-site`, `same-site`, or `same-origin`; the default is `same-site` for delivery, as that enables the SSO pattern of `sso.site.tld` that we see all over the place, which seems like a reasonable kind of thing to encourage as the default behavior).

> If the tracking happens automatically without any opt-in from the site

The proposal suggests that we mint tokens proactively for things that the user navigates to as first-parties. It does not suggest that we do the same for things that the user does not navigate to as a first-party, even if they really want it. Can you help me understand the scenario in which Lightbeam would show users bad information, or somehow misunderstand/underestimate the tracking potential a user's navigations expose?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/297#issuecomment-434741682

Received on Wednesday, 31 October 2018 16:02:45 UTC
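As an added example that is not code from this thread or from the HTTP State Tokens explainer: a small JavaScript model of the three-value delivery enum named above (`cross-site`, `same-site`, `same-origin`). It classifies a request relative to the top-level site the user navigated to and decides whether a token with a given delivery scope would be attached, which is what makes the `sso.site.tld` pattern work under the `same-site` default while still being blocked under `same-origin`. The `site()` helper is an assumption for illustration: it takes the scheme plus the last two host labels as the site, whereas a real implementation would consult the Public Suffix List. All URLs are constructed.

```javascript
// Added example: model of the delivery enum in the HTTP State Tokens discussion.
// Not the explainer's code; the site() approximation is an assumption.

// Origin: scheme + host (host includes a non-default port).
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Site: scheme + registrable domain. ASSUMPTION: registrable domain is
// approximated as the last two labels; real code must use the Public
// Suffix List (e.g. "example.co.uk" would be misclassified here).
function site(url) {
  const u = new URL(url);
  const registrable = u.hostname.split('.').slice(-2).join('.');
  return `${u.protocol}//${registrable}`;
}

// Relation of a request to the top-level (first-party) navigation.
function relation(topLevelUrl, requestUrl) {
  if (origin(topLevelUrl) === origin(requestUrl)) return 'same-origin';
  if (site(topLevelUrl) === site(requestUrl)) return 'same-site';
  return 'cross-site';
}

// Delivery scopes, ordered from loosest to tightest. A token with scope S is
// attached only when the request's relation is at least as tight as S.
const RANK = { 'cross-site': 0, 'same-site': 1, 'same-origin': 2 };

function shouldDeliver(delivery, topLevelUrl, requestUrl) {
  if (!(delivery in RANK)) throw new Error(`unknown delivery scope: ${delivery}`);
  return RANK[relation(topLevelUrl, requestUrl)] >= RANK[delivery];
}

// Constructed scenario: the user navigated to https://site.tld and the page
// talks to sso.site.tld (the SSO pattern from the thread) and to a third party.
const TOP = 'https://site.tld/';
for (const req of ['https://sso.site.tld/login', 'https://tracker.example/px']) {
  for (const scope of ['same-origin', 'same-site', 'cross-site']) {
    console.log(`${scope.padEnd(11)} ${req} -> ${shouldDeliver(scope, TOP, req)}`);
  }
}
```

The default `same-site` delivers the token to `sso.site.tld` but not to `tracker.example`; only `cross-site` would reach the third party, and `same-origin` would withhold it even from the SSO host.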