Re: [w3ctag/design-reviews] Cookies Having Independent Partitioned State (CHIPS) (#654)

> > It's not clear to me why and how developer opt-in to partitioning aids user privacy? If cookies that are not opted in to partitioning will eventually be deprecated then why not simply double-key all cookies to begin with rather than requiring an opt-in? Is the opt-in only relevant to the phase-in period?
> 
> The third-party opt-in is for web compatibility. We believe introducing a third-party opt-in will help ease the transition for third-party site owners to the new semantics of cross-site cookies.
> 
> Also adding a new attribute which requires the __Host- prefix will ideally broaden adoption of existing cookie features which improve the security model of cookies.

@torgo In addition to the points @DCtheTall mentioned, I envision that there is a need for a third-party developer opt-in even for the medium-to-long term (i.e. after the phase-in period). On most browsers, users/enterprise admins are able to enable support for unpartitioned third-party cookies. For example, users can disable tracking protection on Safari and Firefox. On Chrome (and presumably on other browsers), users and enterprise admins are able to create allowlists of domains that third-party cookie blocking does not apply to. Requiring developer opt-in ensures a consistent semantic regardless of browser treatment of third-party cookies.

https://github.com/w3ctag/design-reviews/issues/654#issuecomment-897950019

Received on Thursday, 12 August 2021 20:35:53 UTC