contentauth / c2pa-js

JavaScript SDK for displaying and validating C2PA data
https://opensource.contentauthenticity.org
MIT License
74 stars 40 forks

Avoid tracking when fetching external manifests? #207

Open ts-web opened 1 week ago

ts-web commented 1 week ago

I'm investigating a reported concern in my c2pa browser extension about tracking. What happens is: my extension uses the c2pa library to get the manifest of an image, and if that image has an external manifest, the library makes a fetch request to that URL, which includes cookies. These cookies may include tracking cookies.

I'm still wrapping my mind around how much of an issue this is. The fetch request doesn't pass any headers like Origin or Referer, so the domain can't see which URL the user is viewing. But it does pass the cookies.

For example with Adobe URLs the cookies include values like gpv (get previous value), which shows the last visited content.

I suppose these cookies don't send the domain any new information, besides the event of passing the cookies. But this itself is not new information, because the server knows that it's receiving a request.

Ah! There is new information: that the user is viewing a certain manifest. If the cookies identify a specific user, then the external manifest server can track which manifests the user is viewing.

So there is a valid concern about tracking. Does that track with you guys? (sorry, pun intended)

Would it make sense to add an option (or just change the behavior) to not send credentials with the fetch request?

Of course if the manifest url is behind auth, then not passing credentials would make the request fail. But do any external manifest urls require cookies like that? I'd assume not.
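
As an added example (this is not c2pa-js code and not the issue author's extension), here is what the option proposed in this post could look like: a manifest fetch wrapper whose `credentials` mode defaults to `'omit'`, alongside a helper that predicts when the Fetch default (`'same-origin'`) would attach cookies to the external manifest request. The function names, the https-only rule and the size cap are choices made for this example; the fake fetch and the manifest payload are constructed so the block runs offline.

```javascript
// Added example, not c2pa-js library code: fetch an external (cloud) C2PA
// manifest without attaching the browser's ambient credentials (cookies,
// HTTP auth, client certificates). Function names, the https-only rule and
// the size cap are choices made for this example, not library behaviour.

const CREDENTIAL_MODES = ['omit', 'same-origin', 'include'];

// RequestInit for a manifest fetch. 'omit' means no cookies are sent no matter
// which origin the request comes from; 'no-referrer' keeps the viewing page's
// URL out of the request as well.
function buildManifestRequestInit({ credentials = 'omit' } = {}) {
  if (!CREDENTIAL_MODES.includes(credentials)) {
    throw new TypeError(`unknown credentials mode: ${credentials}`);
  }
  return { method: 'GET', credentials, referrerPolicy: 'no-referrer' };
}

// Predict whether a fetch in the given credentials mode carries cookies to the
// manifest host. 'same-origin' is the Fetch default: cookies go only when the
// requesting context's origin equals the manifest URL's origin. Which origin
// counts as the requester depends on where the call runs (extension background
// page, content script, or the web page itself); 'include' always attaches
// them and 'omit' never does.
function credentialsWouldBeSent(requesterOrigin, manifestUrl, credentials = 'same-origin') {
  const target = new URL(manifestUrl);
  switch (credentials) {
    case 'omit':
      return false;
    case 'include':
      return true;
    case 'same-origin':
      return new URL(requesterOrigin).origin === target.origin;
    default:
      throw new TypeError(`unknown credentials mode: ${credentials}`);
  }
}

// Fetch the manifest bytes. fetchImpl is injectable so the wrapper can be
// exercised offline; in a browser leave it unset and the global fetch is used.
async function fetchExternalManifest(manifestUrl, {
  credentials = 'omit',
  maxBytes = 16 * 1024 * 1024,
  fetchImpl = globalThis.fetch,
} = {}) {
  const url = new URL(manifestUrl);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-https manifest URL: ${url.href}`);
  }
  const res = await fetchImpl(url.href, buildManifestRequestInit({ credentials }));
  if (!res.ok) {
    throw new Error(`manifest fetch failed: HTTP ${res.status}`);
  }
  const body = await res.arrayBuffer();
  if (body.byteLength > maxBytes) {
    throw new Error(`manifest of ${body.byteLength} bytes exceeds limit`);
  }
  return new Uint8Array(body);
}

// Offline demonstration with a constructed fetch that records the RequestInit
// it was called with and returns constructed placeholder bytes (not a real
// manifest store).
async function demoOffline(credentials = 'omit') {
  const calls = [];
  const fakeFetch = async (url, init) => {
    calls.push({ url, init });
    return new Response(new Uint8Array([0x00, 0x00, 0x00, 0x10, 0x6a, 0x75, 0x6d, 0x62]), {
      status: 200,
      headers: { 'content-type': 'application/c2pa' },
    });
  };
  const bytes = await fetchExternalManifest('https://cdn.example/manifests/abc.c2pa', {
    credentials,
    fetchImpl: fakeFetch,
  });
  return { bytes, init: calls[0].init, url: calls[0].url };
}

demoOffline().then(({ init, bytes }) =>
  console.log(`credentials=${init.credentials} referrerPolicy=${init.referrerPolicy} bytes=${bytes.length}`),
);
```

Callers that really do need an authenticated manifest host can pass `credentials: 'same-origin'` or `'include'` explicitly; the point of the default is that the tracking exposure described above becomes an opt-in rather than something every consumer of the library gets silently.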

DaveStein commented 19 hours ago

@ts-web is it possible for you to create a small repro on a jsfiddle-like (I am dating myself) site? AFAIK the JS SDK just reads data out of the file. That file may have a cloud manifest, in which case we would hit a server where that cloud manifest lives. There is no reason anything in the code should be passing any kind of cookies through since it would just be a generic GET to a public URL.

Aside from making a small repro case, it would be helpful if you could post screenshots of the network requests' request and response headers.