On Tue, Jul 26, 2016 at 7:41 PM, Brad Hill <hillbrad@gmail.com> wrote:
> I think there will likely be many versions over time, or customized to
> specific user agents, as part of A/B tests, etc. I like the idea of
> versioning it with the hash, or an ETag-type mechanism; it seems there is
> no need for an arbitrary, human-readable string.
>
> Will there be distinctions on use of this in first-party vs third-party
> contexts (hello, Safari team) as it is a cookie equivalent? That does
> complicate the operational model a bit for iframed application components,
> but not too badly.
>
Ah, that I didn't consider. Yes, if we broadcast the ID back to the origin
server, we'd need to treat it like a cookie for all the ways in which a
cookie can be controlled in a user agent. Basically, if you can't set
cookies for a request, you also can't have origin policy for the request.
I'll add some text.
-mike