Noodle on third-party cookies #1878
Conversation
Co-authored-by: Martin Thomson <martin.thomson@gmail.com>
Co-authored-by: Martin Thomson <martin.thomson@gmail.com>
|
I'm concerned about the general direction of this PR and the document in general. A reliable method of sharing information between data controllers is needed to enable smaller organisations to band together to offer comparable services to larger organisations that are able to operate their services under a single domain or origin or have sufficient brand presence to nudge users to login across multiple services. This PR emphasis unspecified concerns in the industry and appears to endorse a direction set by internet gatekeepers without evidence of those concerns and without providing any specifics concerning the equivalent guidance for user agents to support lawful use cases. |
|
@jwrosewell concern isn't actionable. What specific statements are incorrect? |
|
The technical standards environment has been conditioned over a long period to tolerate and advance discrimination against suppliers and smaller operators. The text needs to be balanced to include the position of competition and privacy regulators if it is to properly inform the reader concerning the state of data sharing including third party cookies. As it stands the text perpetuates selective prosecution by internet gatekeepers. |
|
James, this isn't a competition regulator or a courtroom -- it's recording the consensus of the technical community, which has had a long history of balancing privacy concerns against technical capabilities. The proposed text is largely a statement of fact and history, not creating policy. The one exception I see - recommending that UAs adopt restricted third-party cookie policies -- is something that the various iterations of the Cookie spec have done since the very beginning. Again, if you believe there's an inaccuracy, please point it out. |
|
Completeness
In which case it should reflect all the facts and all the history rather than being selective. Experiment The latest PR contains the following text.
Checking the meaning of the word experiment with Websters provides the following definition.
All web browser vendors have adopted concrete and widely communicated policies on the subject and many have widely deployed implementations. There is nothing experimental. Established practice The IETF considers factors beyond the text of past specifications. RFC 8890 is one such example. The sharing of state between different origins or domains via HTTP and other methods has enabled a great deal of innovation and benefits to end users including free and easy access to services. End users have many service providers to choose from. We have moved on from the days of closed services such as Compuserve, Prodigy and AOL. The guidance in future specifications must show how benefits to end users are preserved and enhanced by mitigating the potential harms. |
draft-ietf-httpbis-rfc6265bis.md
Outdated
| previous specifications), while avoiding disruption to features they judge desirable for the health | ||
| of the Web. | ||
|
|
||
| It is too early to declare consensus on which specific mechanism(s) should be used to mitigate the privacy impact of cookies; ongoing developments in user agents are best characterised as experiments that |
There was a problem hiding this comment.
I think some browsers are well beyond what would be characterized as experiments.
|
The text should further modified to incorporate the positions of law makers. Extract from An EU Strategy on Standardisation.
|
Co-authored-by: Mark Nottingham <mnot@mnot.net>
Co-authored-by: Mark Nottingham <mnot@mnot.net>
Co-authored-by: Mark Nottingham <mnot@mnot.net>
Co-authored-by: Mark Nottingham <mnot@mnot.net>
For #1372.