Third-party cookies #1372

Closed
mnot opened this issue Jan 10, 2021 · 9 comments
@mnot
Member

mnot commented Jan 10, 2021

In the current draft's privacy considerations:

Given this risk to user privacy, some user agents restrict how third-party cookies behave, and those restrictions vary widely. For instance, user agents might block third-party cookies entirely by refusing to send Cookie headers or process Set-Cookie headers during third-party requests. They might take a less draconian approach by partitioning cookies based on the first-party context, sending one set of cookies to a given third party in one first-party context, and another to the same third party in another.

This document grants user agents wide latitude to experiment with third-party cookie policies that balance the privacy and compatibility needs of their users. However, this document does not endorse any particular third-party cookie policy.

Is this still true?

@mnot mnot added the 6265bis label Jan 10, 2021
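
The blocking and partitioning policies described in the quoted draft text, sketched as an added example that is not part of this thread or of the draft. `CookieJar`, `demo` and the hostnames are hypothetical, and "site" is simplified to an exact hostname match.

```javascript
// Added illustration: a toy user-agent cookie jar. All names are hypothetical.
// Simplification: a "site" is the exact hostname; real user agents compare
// registrable domains and honour cookie attributes, which are ignored here.
class CookieJar {
  constructor(policy) {          // policy: "allow" | "block" | "partition"
    this.policy = policy;
    this.store = new Map();      // jar key -> Map(cookie name -> value)
  }

  // Storage key for this request, or null when cookies are refused.
  key(topLevelSite, requestHost) {
    const thirdParty = topLevelSite !== requestHost;
    if (!thirdParty || this.policy === "allow") return requestHost;
    if (this.policy === "block") return null;
    return `${topLevelSite}^${requestHost}`;   // one jar per first-party context
  }

  // Process a Set-Cookie header; returns false when the header is ignored.
  setCookie(topLevelSite, requestHost, header) {
    const k = this.key(topLevelSite, requestHost);
    if (k === null) return false;
    const pair = header.split(";")[0];
    const eq = pair.indexOf("=");
    if (eq < 1) return false;                  // no cookie name present
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    return true;
  }

  // Cookie header value for a request, or null to omit the header.
  cookieHeader(topLevelSite, requestHost) {
    const k = this.key(topLevelSite, requestHost);
    const jar = k === null ? undefined : this.store.get(k);
    if (!jar || jar.size === 0) return null;
    return [...jar].map(([n, v]) => `${n}=${v}`).join("; ");
  }
}

// Constructed scenario: tracker.example is embedded on two first-party sites
// and sets an identifier while the user is on news.example.
function demo(policy) {
  const ua = new CookieJar(policy);
  ua.setCookie("news.example", "tracker.example", "id=abc123; Path=/");
  return {
    sameContext: ua.cookieHeader("news.example", "tracker.example"),
    otherContext: ua.cookieHeader("shop.example", "tracker.example"),
  };
}
```

Under "partition" the third party gets its cookie back only in the first-party context where it was set, so the identifier cannot be joined across sites; under "block" neither header is processed or sent.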
@chlily1
Contributor

chlily1 commented Jan 11, 2021

Which part of it are you asking about, specifically?

The part about "grants user agents wide latitude" is certainly true. It allows UAs to ignore Set-Cookie headers in their entirety and omit the Cookie header entirely. I suppose it does not technically allow for selectively withholding certain cookies from the Cookie header. (Maybe that should be allowed?)

The part about not endorsing any third-party cookie policy is probably also fine. It gives examples of a third-party cookie policy that drops Set-Cookie and Cookie headers entirely on third-party requests, but I don't think this constitutes an endorsement.

@chlily1
Contributor

chlily1 commented Feb 23, 2021

@mnot Does that answer your question? Please reopen if not, or if you think there are any changes needed.

@chlily1 chlily1 closed this as completed Feb 23, 2021
@mnot
Member Author

mnot commented Jan 3, 2022

I was wondering if, given how much has changed in the intervening years, we could go a little further and say something about how third-party cookies cannot be relied upon to work by sites because they are abused, and current techniques for mitigating that abuse are not standardised.

Happy to write up a proposal if that would help.

@mnot mnot reopened this Jan 3, 2022
@sbingler
Collaborator

sbingler commented Jan 4, 2022

I don't feel strongly here but if you think some updated wording would help I'm happy to review a proposal.

mnot added a commit that referenced this issue Jan 5, 2022
@mnot
Member Author

mnot commented Jan 5, 2022

See PR.

mikewest pushed a commit that referenced this issue Apr 14, 2022
For #1372.

Co-authored-by: Mark Nottingham <mnot@mnot.net>
Co-authored-by: Martin Thomson <martin.thomson@gmail.com>
@annevk

annevk commented Apr 29, 2022

Given that the PR got merged, should this be closed?

There's agreement emerging to block cross-site cookies, but perhaps that's best covered in a new issue.

@jwrosewell

This comment was marked as off-topic.

@mnot
Member Author

mnot commented Apr 29, 2022

chair hat on

@jwrosewell, in the comment above you characterise / assume others' motivations. That does not promote good-faith participation in the work, and can be harmful to the consensus process. It also is perceived as an ad hominem attack by some. Please refrain from doing this in the future.

Additionally, this document is a technical document -- it does not purport to state legal constraints, nor do we have the authority to do so. As such, it's off-topic, and so I'm hiding the comment.

@miketaylr
Collaborator

Given that the PR got merged, should this be closed?

It seems fair to close now, yes.
