- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 4 Sep 2013 22:25:41 +0000 (UTC)
- To: Huan Du <dh20156@gmail.com>, Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
- Cc: "whatwg@whatwg.org" <whatwg@whatwg.org>
- Message-ID: <alpine.DEB.2.00.1309041932060.7443@ps20323.dreamhostps.com>
On Fri, 21 Jun 2013, Huan Du wrote:
>
> As privacy awareness becomes prevalent, the trend is that future
> browsers are going to ban third-party Cookies by default.
>
> This is a good thing for users, but for giant internet companies, this
> no doubt increases the difficulty and complexity of implementing user
> session synchronization.
>
> Is it possible to, like Cross-Origin Resource Sharing, allow a site to
> indicate which domains it would like to share Cookies with?

Why would a user be ok with sharing cookies with these sites if they're
not ok with sharing them otherwise? I don't really understand what the
user threat model is here.

On Fri, 21 Jun 2013, Nils Dagsson Moskopp wrote:
>
> I have a suspicion that the only thing that cannot be done easily
> without cookies is tracking – that is, pretending that a user has an
> account, but ensuring that she has not made that choice consciously.

That's pretty easy to do even without cookies or other storage
mechanisms. You can fingerprint a user pretty precisely.

On Sat, 22 Jun 2013, Huan Du wrote:
>
> There are 3 web sites in Alibaba at least: taobao.com, tmall.com,
> etao.com. All of them are using the same account management system,
> including Sign up, Sign in.
>
> The requirement is simple for the account management system. When user A
> has signed in to taobao.com, we expect A to be signed in to tmall.com and
> etao.com.

Right. There are lots of cases such as this where third-party cookies (or
a similar mechanism) are an integral part of the experience.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 4 September 2013 22:26:06 UTC