Re: Cross-Origin Cookies Sharing Proposal from Daniel Veditz on 2013-06-21 (public-webappsec@w3.org from June 2013)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 21 Jun 2013 11:09:43 -0700
To: Huan Du <dh20156@gmail.com>
CC: whatwg@whatwg.org, public-webappsec@w3.org, Kang-Hao Lu <kennyluck@w3.org>, 程劭非 <csf178@gmail.com>, yiorsi@gmail.com
Message-ID: <51C496E7.6020707@mozilla.com>

On 6/21/2013 4:49 AM, Huan Du wrote:
> As privacy awareness becomes prevelant, the trend is that future
> browsers are going to ban third-party Cookies by default.

I doubt that, too much existing popular content breaks. Even the weaker
partial 3rd-party blocking done by Safari (desktop and mobile) and being
experimented with by Mozilla breaks some content, but that form
shouldn't interfere with 3rd-party content where the user has
established a 1st-party relationship. I don't know what Alibaba is doing
but if you're characterizing it as having "user accounts" it should work
under that rule.

This makes partial-blocking a somewhat hard-sell: still breaks some
content, and still angers the privacy advocates because it allows things
like facebook and G+ buttons to track you (for most values of "you").

> Is it possible to, like Cross-Origin Resource Sharing, allow a site to
> indicate which domains it would like to share Cookies with?

That's extremely unlikely. Presumably the sites themselves are already
happy to share with the 3rd-parties or they wouldn't be including their
content on their sites; script inclusion in particular indicates a high
level of trust. It's the visitors who don't want their information
shared, so the people who advocate 3rd-party cookie blocking will simply
advocate for prefs to turn off this new feature. Or more likely kill it
before it even happens. There's no benefit that justifies the level of
effort to standardize and implement such a feature.

It's already possible for the including domain to share all kinds of
information with the 3rd-party content, for example by putting it in the
request URL or via postMessage() to a frame. The way you phrased it
above is based on a somewhat incorrect model: the domain is not sharing
cookies with anyone, you want the domain to control whether the user
shares cookies which have nothing to do with that domain with the
3rd-party. That's just not going to happen, you'll have better success
convincing users and browser vendors that 3rd party cookie blocking
breaks things and is bad for users.

-Dan Veditz

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Friday, 21 June 2013 18:10:15 UTC