Third-party cookies #1372
Comments
Which part of it are you asking about, specifically? The part about "grants user agents wide latitude" is certainly true. It allows UAs to ignore Set-Cookie headers in their entirety and omit the Cookie header entirely. I suppose it does not technically allow for selectively withholding certain cookies from the Cookie header. (Maybe that should be allowed?) The part about not endorsing any third-party cookie policy is probably also fine. It gives examples of a third-party cookie policy that drops Set-Cookie and Cookie headers entirely on third-party requests, but I don't think this constitutes an endorsement.
@mnot Does that answer your question? Please reopen if not, or if you think there are any changes needed.
I was wondering if, given how much has changed in the intervening years, we could go a little further and say something about how third-party cookies cannot be relied upon to work by sites because they are abused, and current techniques for mitigating that abuse are not standardised. Happy to write up a proposal if that would help.
I don't feel strongly here but if you think some updated wording would help I'm happy to review a proposal.
See PR.
For #1372. Co-authored-by: Mark Nottingham <mnot@mnot.net> Co-authored-by: Martin Thomson <martin.thomson@gmail.com>
Given that the PR got merged, should this be closed? There's agreement emerging to block cross-site cookies, but perhaps that's best covered in a new issue.
This comment was marked as off-topic.
chair hat on @jwrosewell, in the comment above you characterise / assume others' motivations. That does not promote good-faith participation in the work, and can be harmful to the consensus process. It also is perceived as an ad hominem attack by some. Please refrain from doing this in the future. Additionally, this document is a technical document -- it does not purport to state legal constraints, nor do we have the authority to do so. As such, it's off-topic, and so I'm hiding the comment.
It seems fair to close now, yes.
In the current draft's privacy considerations:
Is this still true?