I'm filing this issue as Mozilla's feedback on the current draft of First Party Sets.
We have concerns over five different categories. Three of those categories are very similar to those submitted by the WebKit team in #6, so I'll refrain from repeating them here:
The rest are as follows.
Imposing a small size over a First-Party Set may limit the competition opportunities for publishers
If we assume that a limit of 5 origins per set is chosen as described in the proposal, that may give publisher.example the option of choosing a set of publisher.example, ad-tech1.example, ad-tech2.example, anti-ad-fraud.example and verification-vendor.example for displaying ads on their website. If ad-tech1.example and ad-tech2.example have a high market power and they force the publisher into selecting anti-ad-fraud.example and verification-vendor.example as the other two domains in their set, it may become impossible for the publisher to ever start to experiment with ad-tech3.example. This may be an unintended consequence of one of the techniques that have so far come up for preventing abuse in this proposal.
Compatibility with GDPR and other similar data protection legislation
It is unclear whether extending the scope of the browser’s cookie jar from the traditional definition of the first-party to the first-party set without affirmative user consent is compatible with GDPR and other data protection legislations in the same vein that, for example, impose user consent requirements for data collection on behalf of third-parties on websites.
To be clear, forming a first-party set between domains that are not actually of the same organization (“first party”) is explicitly forbidden with this proposal. The intent is that use cases involving third parties such as ad-tech providers, anti-fraud vendors, etc. would use other APIs such as the Conversion Measurement API and Trust Tokens API. Our updated proposal has ideas for technical mitigations to prevent formation of such consortiums.