Closed cfredric closed 1 year ago
The feedback below was previously shared and reproduced to preserve the original formatting. We think it's still applicable to this revised proposal. Given that, I plan to label this "position: oppose" on January 6 given the holidays.
As far we know, Google explicitly intends to use First Party Sets, or FPS, to allow cross-site cookies and storage within sets. We will include feedback on that even though FPS by itself doesn’t have to mandate what it’s used for.
We don’t currently believe that a trustworthy and equitable version of FPS can be created. That said, were that to happen, we think such a technology could potentially be useful in the following ways:
Hi @annevk, thank you for the response.
However, the feedback you pasted was actually already shared verbatim in May 2022 on the PrivacyCG mailing list. It is referring to the previous version of the proposal, and Webkit’s feedback from that thread was an important consideration in developing our updated version which we published in July 2022. As an example, John Wilander said in the PrivacyCG discussion that Webkit would “be fine with browsers allowing prompt-less cross-site cookies and storage within a set as long as it went through the SAA path”, which we try to enable now. There are various other pieces of feedback here that aren't quite fitting anymore.
As we're seriously trying to incorporate feedback from other browser vendors, even if it is just to help us maintain interoperability with non-FPS environments, we'd appreciate if you could take another look at the updated proposal. If it helps, we can share which of the feedback you posted above should be reconsidered now.
Hi, Johann! We will look at the updates for sure. We're just making sure that positions and feedback provided in other formats earlier is collected here. Also, some mailing lists don't archive HTML emails so the formatting gets all messed up. The above is the latest we've said publicly.
Apologies for not directly responding to the changes. Though as said above we think our original feedback is still very much applicable. It’s also the more significant and fundamental feedback with regards to FPS as the changes made very much assume FPS works, which we are not convinced of.
As for the three bullet points in OP:
SameParty
seems good, but with the proposed requestStorageAccessFor()
/requestStorageAccessForOrigin()
there is still an equivalent amount of cookie sharing possible. As we commented in https://github.com/privacycg/storage-access/issues/107 allowing the top-level site to ask the user on behalf of embedded sites without involvement from those embedded sites is incorrect and can be harmful to users. The proposal essentially only kinda work with FPS, but FPS itself does not seem workable as per our prior feedback.requestStorageAccess()
you propose that (at least for the first call) the user activation requirement is still in effect, but that no dialog is shown to the user. As indicated in our prior reply we do think the user needs to be informed at this point. If FPS was somehow workable it could perhaps be used to influence the language shown to the user.
@annevk - Thanks for reviewing the updated proposal. We have some clarifications:
Please let us know if you see any other unresolved issues.
Closing as we've identified our position.
Request for position on an emerging web specification
Information about the spec
Design reviews and vendor positions
Anything else we need to know
First-Party Sets proposes a new web-platform mechanism to declare that a collection of related domains is a First-Party Set.
This proposal has previously been discussed in PrivacyCG and WebKit has indicated a position in May 2022. However, the First-Party Sets proposal has undergone some significant changes since that position was published, in particular:
These changes were introduced in https://github.com/WICG/first-party-sets/issues/92. They align the proposal with other browsers' approaches of using the Storage Access API to mediate sites' requests for cross-site cookie access.
Given the extent of the changes (particularly as they relate to some more recent WebKit comments), I'd like to request a "re-"review of the First-party Sets proposal. Thanks!