- From: Ángel <angel@16bits.net>
- Date: Wed, 29 Mar 2017 01:23:27 +0200
- To: public-webappsec@w3.org
On 2017-03-27 at 11:51 -0700, John Wilander wrote:
> > What does this encompass?
> >
> Today youtube.com is considered a third-party on a google.com site.
> That’s simply not true. We’re inflating the third-party numbers and
> users have no way of learning how many real third-parties are involved
> in a page load.

Is single trust scope "technical" or "legal"?

If legal, the goal is simply to have a browser panel stating:

« The data you enter into this page might be accessed by:
  The Very Great Healthcare Provider Ltd. (doctor.com)
  jQuery foundation (cdn.jquery.com)
  Google Inc (recaptcha.google.com) »

which can probably be extracted from the TLS certificates.

However, melding origins into one doesn't seem that great an idea except for the simplest pages. There's the already mentioned need of the relationship being asynchronous. randomjoe.blogspot.com CAN ultimately trust accounts.google.com, but accounts.google.com MUST NOT trust blogspot.com.

Plus, given that you are adding a new interface, it makes more sense that the specific APIs have to be opted into specifically. Thus, you could allow access to an IndexedDB but not to cookies, for instance.

Received on Tuesday, 28 March 2017 23:23:59 UTC