Re: [w3ctag/design-reviews] Cookies Having Independent Partitioned State (CHIPS) (#654)

> I believe the web feature that is being referenced is unpartitioned cross-site cookies a.k.a “third-party cookies”. 

Hi @krgovind just a quick note. I was actually referring to the high level user-facing feature - embedded content of any kind (such as a Facebook like button, as we discussed in the session) that leaks information to a third party without the user's consent. In the Facebook like button example, the harm from the cited example (UK NHS putting like buttons on their pages and thereby unintentionally leaking sensitive health information to Facebook) is a clear example of user harm that can result from this pattern – which is one of the things that has led to the (in progress) deprecation of "unpartitioned cross-site cookies." 

My initial reaction to your question about permission prompts is that it should be required for 3rd party cookies in order to ensure that there is user consent going on when information is shared to those 3rd parties – and to inform them when they visit (e.g.) an NHS or NYTimes page that "(e.g.) Facebook would like to know what pages you visit here." If that same functionality is possible via partitioned JS storage then yes, I also think that should be gated behind a permission. However I don't think we need to fix both problems at once and I don't think we should be weakening one set of protections just because another set is already weak.

We're going to discuss again at our plenary call this week and try to come back to you with some useful feedback taking your points above into account and possibly schedule a live session after that.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/654#issuecomment-887453604

Received on Tuesday, 27 July 2021 12:03:05 UTC