- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 21 Jun 2013 11:09:43 -0700
- To: Huan Du <dh20156@gmail.com>
- CC: whatwg@whatwg.org, public-webappsec@w3.org, Kang-Hao Lu <kennyluck@w3.org>, 程劭非 <csf178@gmail.com>, yiorsi@gmail.com
- Message-ID: <51C496E7.6020707@mozilla.com>
On 6/21/2013 4:49 AM, Huan Du wrote:

> As privacy awareness becomes prevalent, the trend is that future
> browsers are going to ban third-party Cookies by default.

I doubt that, too much existing popular content breaks. Even the weaker partial 3rd-party blocking done by Safari (desktop and mobile) and being experimented with by Mozilla breaks some content, but that form shouldn't interfere with 3rd-party content where the user has established a 1st-party relationship. I don't know what Alibaba is doing but if you're characterizing it as having "user accounts" it should work under that rule.

This makes partial-blocking a somewhat hard-sell: still breaks some content, and still angers the privacy advocates because it allows things like Facebook and G+ buttons to track you (for most values of "you").

> Is it possible to, like Cross-Origin Resource Sharing, allow a site to
> indicate which domains it would like to share Cookies with?

That's extremely unlikely. Presumably the sites themselves are already happy to share with the 3rd-parties or they wouldn't be including their content on their sites; script inclusion in particular indicates a high level of trust. It's the visitors who don't want their information shared, so the people who advocate 3rd-party cookie blocking will simply advocate for prefs to turn off this new feature. Or more likely kill it before it even happens.

There's no benefit that justifies the level of effort to standardize and implement such a feature. It's already possible for the including domain to share all kinds of information with the 3rd-party content, for example by putting it in the request URL or via postMessage() to a frame.

The way you phrased it above is based on a somewhat incorrect model: the domain is not sharing cookies with anyone, you want the domain to control whether the user shares cookies which have nothing to do with that domain with the 3rd-party. That's just not going to happen, you'll have better success convincing users and browser vendors that 3rd party cookie blocking breaks things and is bad for users.

-Dan Veditz
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Friday, 21 June 2013 18:10:15 UTC