Re: [w3ctag/design-reviews] FYI Private State Token API Permissions Policy Default Allowlist Wildcard (Issue #990) from Alexandre Nderagakura on 2024-10-31 (public-webapps-github@w3.org from October 2024)

From: Alexandre Nderagakura <notifications@github.com>
Date: Thu, 31 Oct 2024 03:58:31 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/990/2449577231@github.com>

Trying to understand the [blink discussion](https://groups.google.com/a/chromium.org/g/blink-dev/c/5jI8kLLdIFw) and the privacy side : 
- In case of the user denies giving consent to X vendors / tech via the CMP (Consent Management Platform), will the token be shared cross site if a wildcard is set anyway? The question also works with the Global privacy control
- Is there a way to prevent any adtech to redeem the token to display an ads anywhere outside? (But I think this question is already in the blink discussion)
- Not related but somehow related, if the token is considered First party tracking ([Potential risk noted in the spec](https://github.com/WICG/trust-token-api/blob/main/README.md#first-party-tracking-potential)) then combined with the wildcard, you have a cross site tracking : How to prevent that?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/990#issuecomment-2449577231
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/990/2449577231@github.com>

Received on Thursday, 31 October 2024 10:58:35 UTC