Re: [w3ctag/design-reviews] First-Party Sets (#342)


> The Moz folks should correct me if I'm wrong, but current Firefox partitions all cookies by default, not just sites labeled by disconnect (with some exceptions for compat / existing SSO flows). 

Per [this announcement](https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/) the "partitioning by default" mode is only in the *opt-in* Strict mode, with additional heuristics in place. As @englehardt mentions above, there is additional work to be done to completely remove reliance on lists, heuristics, and consent prompts that are hard to understand.
 
> Or, in other words, if FPS is meant to be an interim solution, an interim between the status quo and what?

Sorry, perhaps an Oxford comma or two would have helped with my statement. 😅

I meant to refer to the Disconnect-me lists as an interim solution that Firefox/Edge are using. I did not intend to refer to FPS as an interim solution. In my personal opinion, we haven't yet seen viable solutions to remove this mechanism in the future, so it may be premature to say that we can. 

However, if other browsers would prefer to engage with FPS as a medium-term solution, I think that would still be a **vast improvement** over reliance on lists and heuristics. Blocklists are never exhaustive, they _fail open_, and are prone to errors such as those evidenced in the Disconnect entities list. Heuristics cause platform predictability issues.


> Apologies but I don't quite follow the concern above. My point is that either 1) there should be a firm privacy boundary between instagram.com and facebook.com which the browser should enforce, or 2) Facebook should make it clear to users that there is no such boundary with [www.facebook.com](http://www.facebook.com) and instagram.facebook.com.

The point I was anchoring on in your statement was about prompting the user **before** committing the navigation. If a user navigated to `instagram.com`, they may not anticipate that it will redirect to `instagram.facebook.com`. So it seems like if the site author configured such a redirect, it would automatically allow joining of identity across `facebook.com` and `instagram.facebook.com` without (or before) the user noticing. This would suggest that the browser should prompt the user before that redirect happens, in order to confirm that it meets the user expectations.

> But there wouldn't be any need for notification in the example you gave. Users would still know that things they did on instagram.com were different and isolated from facebook.com and instagram.facebook.com.

This goes back to your previous assertion that the domain name in the URL is the only way to communicate the privacy boundary to the user. However, FPS also offer the opportunity to communicate that boundary as a collection of domains. I think this question is orthogonal to the point you were making about prompting the user **before** committing a navigation.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/342#issuecomment-820580927

Received on Thursday, 15 April 2021 16:53:24 UTC
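As an added illustration of the redirect concern discussed in this reply (not code from the thread or from the FPS proposal itself), the following Python walks a redirect chain and reports the hops at which the navigation crosses a privacy boundary, once with a site-only boundary and once with a hypothetical first-party set that declares `facebook.com` and `instagram.com` as one collection. The public-suffix list, the set format and the sample chain are simplified, constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed, simplified public-suffix list; real browsers consult the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Hypothetical FPS declaration (owner -> member sites). This is NOT the real
# First-Party Sets manifest format, only a stand-in for "a collection of domains".
EXAMPLE_FPS = {"facebook.com": {"facebook.com", "instagram.com"}}


def registrable_domain(host):
    """Return the eTLD+1 ("site") of a hostname, checking longest suffix first."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def boundary_owner(host, sets):
    """Map a host to the set it belongs to: the set owner if it is a member,
    otherwise its own site (a site-only boundary when `sets` is empty)."""
    site = registrable_domain(host)
    for owner, members in sets.items():
        if site in members:
            return owner
    return site


def boundary_crossings(redirect_chain, sets):
    """Return (from_host, to_host) pairs where a hop lands outside the set of the
    previous hop. Each crossing is a point at which identity could be joined
    before the user has seen the new address, i.e. where the reply above argues
    the browser should confirm with the user before committing the navigation."""
    hosts = [urlparse(url).hostname for url in redirect_chain]
    crossings = []
    for prev, nxt in zip(hosts, hosts[1:]):
        if boundary_owner(prev, sets) != boundary_owner(nxt, sets):
            crossings.append((prev, nxt))
    return crossings


if __name__ == "__main__":
    # Constructed sample chain matching the scenario discussed in the thread.
    chain = ["https://instagram.com/", "https://instagram.facebook.com/",
             "https://www.facebook.com/"]
    print("site-only boundary:", boundary_crossings(chain, {}))
    print("with example FPS:  ", boundary_crossings(chain, EXAMPLE_FPS))
```

With a site-only boundary the first hop is flagged; with the example set declared, no hop is flagged, which is the difference between "the domain in the URL is the only signal" and "the boundary is a declared collection of domains".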