-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request for position: First-Party Sets #93
Comments
The feedback below was previously shared and reproduced to preserve the original formatting. We think it's still applicable to this revised proposal. Given that, I plan to label this "position: oppose" on January 6 given the holidays. As far we know, Google explicitly intends to use First Party Sets, or FPS, to allow cross-site cookies and storage within sets. We will include feedback on that even though FPS by itself doesn’t have to mandate what it’s used for. Feedback on partitioning and cross-site cookies in the context of FPS
General feedback on FPS
Feedback on use cases other than relaxed partitioningWe don’t currently believe that a trustworthy and equitable version of FPS can be created. That said, were that to happen, we think such a technology could potentially be useful in the following ways:
|
Hi @annevk, thank you for the response. However, the feedback you pasted was actually already shared verbatim in May 2022 on the PrivacyCG mailing list. It is referring to the previous version of the proposal, and Webkit’s feedback from that thread was an important consideration in developing our updated version which we published in July 2022. As an example, John Wilander said in the PrivacyCG discussion that Webkit would “be fine with browsers allowing prompt-less cross-site cookies and storage within a set as long as it went through the SAA path”, which we try to enable now. There are various other pieces of feedback here that aren't quite fitting anymore. As we're seriously trying to incorporate feedback from other browser vendors, even if it is just to help us maintain interoperability with non-FPS environments, we'd appreciate if you could take another look at the updated proposal. If it helps, we can share which of the feedback you posted above should be reconsidered now. |
Hi, Johann! We will look at the updates for sure. We're just making sure that positions and feedback provided in other formats earlier is collected here. Also, some mailing lists don't archive HTML emails so the formatting gets all messed up. The above is the latest we've said publicly. |
Apologies for not directly responding to the changes. Though as said above we think our original feedback is still very much applicable. It’s also the more significant and fundamental feedback with regards to FPS as the changes made very much assume FPS works, which we are not convinced of. As for the three bullet points in OP:
|
@annevk - Thanks for reviewing the updated proposal. We have some clarifications:
Please let us know if you see any other unresolved issues. |
Closing as we've identified our position. |
Request for position on an emerging web specification
Information about the spec
Design reviews and vendor positions
Anything else we need to know
First-Party Sets proposes a new web-platform mechanism to declare that a collection of related domains is a First-Party Set.
This proposal has previously been discussed in PrivacyCG and WebKit has indicated a position in May 2022. However, the First-Party Sets proposal has undergone some significant changes since that position was published, in particular:
These changes were introduced in WICG/first-party-sets#92. They align the proposal with other browsers' approaches of using the Storage Access API to mediate sites' requests for cross-site cookie access.
Given the extent of the changes (particularly as they relate to some more recent WebKit comments), I'd like to request a "re-"review of the First-party Sets proposal. Thanks!
The text was updated successfully, but these errors were encountered: