Re: [w3ctag/design-reviews] First-Party Sets (#342)

> > Or, in other words, if FPS is meant to be an interim solution, an interim between the status quo and what?
> 
> Sorry, perhaps an Oxford comma or two would have helped with my statement. :sweat_smile:
> 
> I meant to refer to the Disconnect-me lists as an interim solution that Firefox/Edge are using. I did not intend to refer to FPS as an interim solution. In my personal opinion, we haven't yet seen viable solutions to remove this mechanism in the future, so it may be premature to say that we can. (I would be thrilled to be proven wrong in the future)
> 
> However, if other browsers would prefer to engage with FPS as a medium-term solution, I think that would still be a **vast improvement** over reliance on lists and heuristics. Blocklists are never exhaustive, they _fail open_, and are prone to errors such as those evidenced in the Disconnect entities list. Heuristics cause platform predictability issues.

I agree that there is more work to do in figuring out solutions for moving away from heuristics. However, FPS by no means obviates the need for heuristics. While FPS could certainly fix some instances of breakage (e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=1620530), there are many more where it can't be used because the breakage is cross-"entity".

Here are some examples that we've seen in Firefox:
* https://bugzilla.mozilla.org/show_bug.cgi?id=1578068 - embedded Disqus widgets. They partially work right now because of our pop-up heuristic, but image upload is still broken.
* https://bugzilla.mozilla.org/show_bug.cgi?id=1653552 - Scroll's integration doesn't work. The Storage Access API could be used to fix this, though in past PrivacyCG meetings Scroll has expressed concerns about their inability to know _which_ users to prompt.
* https://bugzilla.mozilla.org/show_bug.cgi?id=1656171 - federated login providers (Google, Facebook, Twitter)
* https://bugzilla.mozilla.org/show_bug.cgi?id=1660446 - also federated login providers
* https://bugzilla.mozilla.org/show_bug.cgi?id=1654064 - even more federated login providers
* https://bugzilla.mozilla.org/show_bug.cgi?id=1658257 - Zendesk cross-site auth. Already fixed with the Storage Access API (in FF and Safari at least)!

The Storage Access API could be (or already has been) used to fix these issues. FPS could not. The benefit of the Storage Access API is that it can **also** be used to fix many of the types of things we might want to fix with FPS. Either way, we are going to have to work through a more generic approach to resolving breakage from reliance on cross-site state and we prefer to focus our efforts on these generic solutions.

By focusing on a generic solution to user-controlled cross-site state, we also lessen the chance that we give large conglomerates a competitive advantage when it comes to UX. I don't think it's great if a multi-site company is granted passive storage access between all of their sites, while single-site companies that rely on embedded content from other sites are forced into showing a storage access API prompt. Of course one could argue that these multi-site companies will then combine everything under a single site, but we've heard during our calls that companies _want_ to maintain the separate branding and identity between their sites.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/342#issuecomment-820634921

Received on Thursday, 15 April 2021 18:18:24 UTC
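The comment above argues that the Storage Access API, not FPS, is what fixes cross-entity embeds such as comment widgets and federated-login buttons. As an added illustration (not code from the thread, from Mozilla, or from any of the products named), the block below sketches the flow such an embed would run inside its cross-site iframe: check `document.hasStorageAccess()`, render a clickable affordance when there is no user activation yet, call `document.requestStorageAccess()` from the click, and fall back to a cookie-free flow when the request is rejected. The `doc` parameter stands in for `document` so the logic runs offline against the constructed `makeFakeDocument()`; `ensureStorageAccess`, `readSession`, `bootWidget`, the `session` cookie name and its value are all assumptions made for the example.

```javascript
// Added example, not from the thread. A cross-site embed (comments widget,
// federated-login button) regaining its unpartitioned cookies via the
// Storage Access API. Pass `document` in a browser; the fake below is used
// here so the flow can be exercised offline.

async function ensureStorageAccess(doc, fromUserGesture) {
  if (typeof doc.hasStorageAccess !== "function") {
    // Browser without the API: nothing to request.
    return "unsupported";
  }
  if (await doc.hasStorageAccess()) return "granted";
  if (!fromUserGesture) {
    // requestStorageAccess() requires user activation and rejects when
    // called from page load, so render something clickable and retry on click.
    return "needs-gesture";
  }
  try {
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    // User declined or browser policy denied: fall back to a flow that does
    // not depend on cross-site cookies (e.g. a top-level login redirect).
    return "denied";
  }
}

// The embed's session cookie (assumed name). Under storage partitioning the
// third-party cookie jar reads as empty until access is granted.
function readSession(doc) {
  const m = /(?:^|;\s*)session=([^;]*)/.exec(doc.cookie);
  return m ? m[1] : null;
}

// Decide what the embed renders. This is the limitation raised in the thread:
// before access is granted the embed cannot tell a logged-in user from an
// anonymous one, so every user sees the sign-in affordance first.
async function bootWidget(doc, fromUserGesture) {
  const access = await ensureStorageAccess(doc, fromUserGesture);
  const session = readSession(doc);
  if (access === "granted" && session) return { view: "content", session };
  if (access === "needs-gesture") return { view: "sign-in-button" };
  if (access === "granted") return { view: "logged-out" }; // access, but no session
  return { view: "top-level-login" }; // denied or unsupported
}

// Constructed stand-in for `document` inside a cross-site iframe.
// supported: browser implements the API; grant: the user's answer to the
// prompt; loggedIn: whether a first-party session cookie exists at all.
// The cookie contents are made up.
function makeFakeDocument({ supported = true, grant = true, loggedIn = true } = {}) {
  const state = { accessGranted: false };
  const doc = {
    get cookie() {
      if (!state.accessGranted) return "";
      return loggedIn ? "theme=dark; session=abc123" : "theme=dark";
    },
  };
  if (supported) {
    doc.hasStorageAccess = async () => state.accessGranted;
    doc.requestStorageAccess = async () => {
      if (!grant) throw new Error("NotAllowedError");
      state.accessGranted = true;
    };
  }
  return doc;
}
```

In a real iframe the embed would call `bootWidget(document, false)` on load (which yields `sign-in-button` for everyone, logged in or not) and `bootWidget(document, true)` from that button's click handler; once a grant has been made, later loads see `hasStorageAccess()` resolve to `true` and render content without another gesture, which is the persistence the fake models too.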