-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Related Website Sets (formerly First-Party Sets) #342
Comments
A few notes from reading through the explainer (which I haven't fully digested yet):
|
Thanks to @dbaron for the comment in w3ctag/design-reviews#342 (comment)
Thanks for the feedback, @dbaron! It might also be useful to get feedback from @englehardt and @ehsan, with whom I briefly discussed this proposal. I'd love to figure out if we can make this more robust together. :)
First, as is probably clear, the rules are somewhat up in the air. This first pass seems like a reasonable balance between deployment difficulty and stability, but we might well want to revisit some of the restrictions. The incremental verification suggestion you mention is one route that occurred to me, but I'm sure there are others. For example, the Second, I don't know how much we need this sort of thing to be trivial to change. The history of Mozilla's
That's a typo. :) Should have read "is itself a public suffix". Fixing it in WICG/first-party-sets@34adb31.
I'm hopeful that we can create non-proprietary and publicly auditable alternatives to the lists Apple, Google, and Mozilla are independently maintaining for various features. In the best case, something like this feature would give us the ability to offer entity-related features like credential sharing, and reduce the risk of rolling out tighter controls on cross-entity sharing.
I think the current design fairly substantially mitigates this risk by making deployment bidirectional and atomic (e.g. the pain point you noted at the top). It seems to me that we can mitigate it more by locking sites into a given set for some period of time if we decide that the inherent difficult is either unacceptable or not enough. Thanks again! |
I think it would be useful to say something like that in the explainer. |
@plinss: Skimming the minutes, I don't think y'all got to this in the 05.03 meeting, and it looks like it fell off the radar for the 12.03 meeting. Perhaps there's an upcoming slot it could fit into? @dbaron: Yes. I need to restructure the explainer a bit to improve the explanation of the problem I'm aiming to solve, as it grew out of a different document with a distinct purpose. I'll certainly take some time to do that (though I don't think it'll create substantive changes, and hopefully won't block y'all taking a closer look). Thank you both! |
Hi Mike! Hope you missed me. Lovely explainer. May I ask about a few bits below.
Can you please elaborate why it's likely, and which folks specifically do you mean here? Not asking for all their names and addresses, of course.
Any other risks that you can imagine (apart from the stuff listed later in the explainer)? Aside from the Ordinary User not knowing about the existence first/third party stuff, would it make sense to require browser UI changes to indicate that some site is linked with another?
That looks unfortunate indeed. Good the explainer is listing plenty of concerns.
Would there be a way to deregister from the set, and e.g. change sets in quick time intervals, or something like that? I'm simply wondering if site1 can easily change its membership (rather than: being member of two separate sets on the same time, which is already marked as concern). Apart from the natural expiration of 7 days you speak of, unless it could be the same.
How would the risk after such mitigation compare with today's risk of making the same? Would you imagine it conceivable that advertisers will start serving their stuff from XXXYYYZZZ.ccTLD, and smartly game the number-limited system? (but: "Forget the entity" looks good).
Sounds like an opportunity for a new batch of research papers? I'm sure many will be happy ;-) |
@mikewest we discussed at today's call having a focused discussion on this one at our next f2f - week of 20th of May. Is that going to be too late to be useful for you? If not, would you like to dial in for that (we will be in ~UTC). |
Thanks, @torgo!
Sure! Chrome will likely have begun implementation by then, but y'all's feedback would be quite welcome as we work through the initial stages.
I can probably make time to chat with y'all; that week looks pretty open. Let me know when you're closer to scheduling something? |
Thanks, @lknik! Sorry I missed your feedback when you first provided it.
The example I linked in the document (https://lists.w3.org/Archives/Public/public-webappsec/2017Mar/0034.html) came to mind as an existence proof of folks with interesting ideas about loosening the same-origin policy based on affiliation.
The document lists the risks I've thought about. If I come up with more, I'll add them. :) I don't personally think there's any value in exposing the relationship between A and B to users directly via browser UI, but I'm not at all a UI guy. I'd expect folks like @estark37 to have strong, well-informed opinions on these topics, and I'd defer to them completely. That said, however Chrome comes down on that question, I don't think it makes sense to specify UI in this kind of document.
I don't think it would be helpful to create a way to deregister oneself in an accelerated fashion without also taking some catastrophic action against the data that's been built up given the existing first-party relationships. I could imagine the
How would this "game the system"? The risk mitigated by limiting the size of a set is the incentive that would otherwise exist to create a single global set of all an advertisers' otherwise unrelated publishers (e.g.
I agree! Mechanisms that encourage transparency are good. |
Regarding use cases, I'd like to draw your attention to https://mikewest.github.io/cookie-samesite-firstparty/draft-west-cookie-samesite-firstparty.html (http://tools.ietf.org/html/draft-west-cookie-samesite-firstparty if you prefer "paginated" text), which builds upon the primitive described here in a way that might allow us to avoid some developer pain points while tightening cookie controls over time. |
@mikewest Thanks for the answer (We're discussing at f2f Reykjavik). |
Given that the repo is now at https://github.com/krgovind/first-party-sets, feels like ccing @krgovind might be useful. |
@mikewest just picking this up again, I think we are stalled and this topic has gone into our "abyss." Can you let us know the status and (most usefully) if there are specific questions where the TAG might weigh in. Does it make sense to discuss this at TPAC? |
Thank you for the update and the detailed explanation of the changes. Just to let you know: we discussed this in our virtual f2f last week and we agreed we like the direction this is going in. We're still formulating some questions to ask - and the same regarding requestStorageAccessForOrigin. |
There's now an I2S out for this; was the TAG able to discuss? https://groups.google.com/a/chromium.org/g/blink-dev/c/7_6JDIfE1as/m/wModmpcaAgAJ |
@slightlyoff right now the focus is more on |
Hi all. We are looking at this at our TAG f2f. We're noting a pause in the I2S — can you tell us more context about this? How might any consequences might impact the design of FPS, especially any of the aspects we've discussed in this review? |
@hadleybeeman Thank you for checking! We announced a pause in our rollout of the feature in Chrome because we discovered a regression in some of our metrics. Our analysis suggests that the regression may be due to the fact that our implementation currently blocks all network requests on the completion of the set change handling algorithm described here. The algorithm clears out all site data for any site that is leaving an existing set, so we had previously chosen the more conservative route of blocking all network requests until this operation was complete, in order to avoid being in a state where a site that is about to have its data cleared receives requests before the clearing is complete. We are currently waiting for our tentative fix (optimizing this implementation) to propagate, and hope to validate it in the next couple of weeks. With regards to how that impacts this review; your question made us realize that we had previously neglected to specify this implementation detail in the algorithm, so we've now written up a PR at WICG/first-party-sets/pull/169 that describes this behavior, along with a note recommending that user agents optimize for request latency by being smarter about what requests/fetches to block. |
Hi TAG! We wanted to provide you with some updates:
|
We recognize that there are some substantial changes to the API since our original review. We acknowledge that our use of the term origin in this feedback may have lead to confusion, and that we should have used the term site in this context. However, the fundamental points raised in that original review stand. The primary change here is a reliance on the Storage Access API. However, the decision to automatically grant requests has the same net effect as in the original proposal. We do not think that labeling an auto-grant decision as "implementation-defined" is acceptable, as that defines how the web is experienced by websites and users. The argument has been made that other browsers ship heuristics that do much the same thing. Our argument has been and continues to be that these heuristics are essentially a workaround and that we should not be building new technologies into the platform that cement this way of working. Furthermore, we observe that many browsers are working to eliminate the need for these heuristics. We are therefore re-closing this review. |
Guten TAG!
I'm requesting a TAG review of:
Further details (optional):
You should also know that y'all are marvelous.
We'd prefer the TAG provide feedback as:
The text was updated successfully, but these errors were encountered: