W3C Slaps Down Google's Proposal To Treat Multiple Domains as Same Origin (theregister.com)
A Google proposal which would let a web browser treat a group of domains as one for privacy and security purposes has been opposed by the W3C Technical Architecture Group (TAG). From a report: Google's First Party Sets (FPS) relates to the way web browsers determine whether a cookie or other resource comes from the same site the user has navigated to or from another site. The browser is likely to treat these differently, an obvious example being the plan to block third-party cookies. The proposal suggests that where multiple domains are owned by the same entity -- such as google.com, google.co.uk, and youtube.com -- they could be grouped into sets which "allow related domain names to declare themselves as the same first-party." The idea allows sites to declare their own sets by means of a manifest in a known location. It also states that "the browser vendor could maintain a list of domains which meet its UA [User Agent] policy, and ship it in the browser."
In February 2019, Google software engineer Mike West requested a TAG review and feedback on the proposal was published yesterday. "It has been reviewed by the TAG and represents a consensus view," the document says. According to the TAG, "the architectural plank of the origin has remained relatively steady" over the last 10 years, despite major changes in web technology. It added: "We are concerned that this proposal weakens the concept of origin without considering the full implications of this action." The group identified some vagueness in the proposal, such as whether FPS applies to permissions such as access to microphone and camera. A Google Chrome engineering manager has stated: "No, we are not proposing to change the scope for permissions. The current scope for FPS is only to be treated as a privacy boundary where browsers impose cross-site tracking limitations." But the TAG reckons that the precise scope of FPS should be laid out in the proposal. A second concern is over the suggestion that browser vendors would ship their own lists. "This could lead to more application developers targeting specific browsers and writing web apps that only work (or are limited to) those browsers, which is not a desirable outcome," said the TAG.
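To make the boundary the TAG is arguing about concrete, here is an added example, written for this page and not taken from the proposal, from Chrome, or from The Register's article. It models in JavaScript how a browser decides today that two URLs are "same site" (same scheme plus the same registrable domain, i.e. eTLD+1 from the Public Suffix List) and how a First-Party Set manifest would widen that boundary to a declared group of sites, so that a cookie marked SameParty from one member is sent in a page belonging to another. It goes a step beyond the article by also modelling the scenario the commenters below worry about: a publisher adding an ad network's domain to its own set. The tiny public-suffix list, the manifest field names (owner, members), the SameParty cookie flag and the domains publisher.example and ads.example are all constructed assumptions for this example.

```javascript
// Added example (not Chrome's or the proposal's code): how a browser draws the
// "same site" boundary today, using the registrable domain (eTLD+1), and how a
// First-Party Set manifest would widen that boundary to a declared group of sites.

// Constructed stand-in for the Public Suffix List; real browsers ship the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "example", "uk", "co.uk", "github.io"]);

// Registrable domain: the label just above the longest matching public suffix.
// "maps.google.co.uk" -> "google.co.uk"; "co.uk" itself -> null.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: treat as having no registrable domain
}

// "Site" in the schemeful sense: scheme plus registrable domain. Subdomains of one
// registrable domain (mail.google.com, accounts.google.com) are already the same
// site without any set; google.com and google.co.uk are not.
function siteOf(url) {
  const u = new URL(url);
  const rd = registrableDomain(u.hostname);
  return rd === null ? null : `${u.protocol}//${rd}`;
}

function isSameSite(topLevelUrl, requestUrl) {
  const a = siteOf(topLevelUrl);
  return a !== null && a === siteOf(requestUrl);
}

// Constructed manifest of the kind the proposal serves from a well-known path.
// The exact JSON field names are an assumption of this example.
const FPS_MANIFEST = {
  owner: "https://google.com",
  members: ["https://google.co.uk", "https://youtube.com"],
};

// Index every site in a set to its owner. A real browser would also check that
// each member declares the same owner before trusting the set; not modelled here.
function buildPartyIndex(manifest) {
  const owner = siteOf(manifest.owner);
  const index = new Map([[owner, owner]]);
  for (const member of manifest.members) index.set(siteOf(member), owner);
  return index;
}

function isSameParty(topLevelUrl, requestUrl, partyIndex) {
  const a = siteOf(topLevelUrl);
  const b = siteOf(requestUrl);
  if (a === null || b === null) return false;
  return (partyIndex.get(a) ?? a) === (partyIndex.get(b) ?? b);
}

// Cookie decision under a policy that blocks third-party cookies: same-site
// cookies are sent; a cookie flagged SameParty is also sent cross-site when the
// top-level site and the request site sit in one set; everything else is blocked.
function cookieSent(cookie, topLevelUrl, requestUrl, partyIndex) {
  if (isSameSite(topLevelUrl, requestUrl)) return true;
  if (cookie.sameParty) return isSameParty(topLevelUrl, requestUrl, partyIndex);
  return false;
}

// The commenters' worry, made concrete: a publisher that adds an ad domain to
// its own set turns the ad network's tracking cookie into a "first-party" one.
function adTrackerAllowed(publisherDeclaresAdDomain) {
  const manifest = {
    owner: "https://publisher.example",
    members: publisherDeclaresAdDomain ? ["https://ads.example"] : [],
  };
  const trackingCookie = { name: "uid", sameParty: true };
  return cookieSent(trackingCookie, "https://publisher.example/news",
                    "https://ads.example/pixel.gif", buildPartyIndex(manifest));
}

console.log(isSameSite("https://mail.google.com/", "https://accounts.google.com/")); // true
console.log(isSameSite("https://google.com/", "https://youtube.com/"));              // false
console.log(isSameParty("https://google.com/", "https://www.youtube.com/",
                        buildPartyIndex(FPS_MANIFEST)));                             // true
console.log(adTrackerAllowed(false), adTrackerAllowed(true));                        // false true
```

The last line is the whole dispute in two booleans: with no set declared, the ad network's cookie is a blocked third-party cookie; once the publisher lists ads.example as a member, the identical cookie on the identical request is treated as first-party and sent. Nothing in the browser's origin or same-site logic changed; only a manifest the site controls did.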
Attempt at neutering third-party cookie blocking (Score:5, Insightful)
This is a clear attempt at bypassing the whole idea of third-party cookie blocking and other cross-site privacy controls. The immediate follow-up would be advertisers saying that to use their page code sites have to add the advertiser's domains to their first-party sets. And poof goes any ability to block tracking cookies.
TAG is entirely right to reject this. I think they're only being polite in saying the impact on privacy hasn't been completely thought through, though; I think Google did think it through completely and just bet that TAG wouldn't.
Re: Attempt at neutering third-party cookie blocking (Score:2)
So... why would third party blockers pay any attention to this white list?
Re: (Score:1)
Otherwise they would be blocked from addons store?
Re: (Score:2)
Because currently the biggest third party cookie blockers are the browsers themselves. And I heard a little rumor that Google wrote one of those.
Re: (Score:1)
There's also another interesting point here: that the proposal wasn't put forward by Google's ad teams, it was put forward by the Chrome team.
Given this, it really confirms that the Chrome team view providing users with a good browser as secondary to using the browser to force ads and tracking upon you. Of course, many suspected this anyway, but this is solid confirmation that people need to stop using Chrome. If you consider security of your personal data important then it's flat-out dangerous and its dev team
Re: (Score:2)
IMO it looks like a clear attempt to make it so the top browser vendor can gatekeep who gets to bypass cross-site privacy controls and who can't, making it impossible to build a competing advertising product without their permission.
More cookies is more bad (Score:5, Informative)
99% of cookies are used to abuse end users. To track their activities in a big brother fashion. To collect their personal information for targeted advertising. And to associate their spending habits with clicks and mouse overs that are sold to millions of businesses. None of this information was collected in good faith, and while it might not meet the legal definition of fraud, there is an ethical charge that they've stolen something they do not own and sold it.
Re: (Score:2)
99% of google's tech is to abuse end users.
past time to castrate them
Re: (Score:2)
Law makers aren't likely to understand. We're at a point where the uninformed believe Google is the Internet.
If legislation tries to go after Google, we'll get a lot of nonsense about how Google gives people free email and what are these people supposed to do now? They'll scream: OMG I'll lose my email address!
Re: (Score:2)
Totally agree with you. Google is trying to be everything to everyone. I personally dumped Chrome in favour of Brave. I value my privacy and the less Google knows, the happier I am. I don't care if the advertisements I see are not tailored to my taste. I don't even read them.
Re: (Score:3)
You dumped Chrome in favor of a browser that is entirely dependent on Google for all the code that does the hard work of web rendering and still does plenty of its own tracking.
Sorry but Brave is about the most asinine counterproductive project out there. At least be half-way serious about helping to preserve a real non-Google alternative and use something Mozilla-based.
Re:More cookies is more bad (Score:4, Funny)
Or if you're against using a browser made by a huge company like Google, buy a Mac and use Safari!
Re: (Score:2)
Okay, that made me chuckle.
Re: (Score:2)
Or if you're against using a browser made by a huge company like Google, buy a Mac and use Safari!
While I agree that this is funny, the big difference is that Apple doesn't live off of your data. Not that they're better than Google or anything, it's just not their business model at the moment. They tried and they're not good at it, so they stopped.
So yes, I feel much better off by using Safari than Chrome.
Re: (Score:2)
So now we’re against using OSS?
Re: (Score:3)
Re: (Score:2)
of third-party cross site cookies?
Re: (Score:2)
Not so much when you are talking about business applications that are delivered via the web where different components could be written and/or hosted by other vendors. This would be a valid use for the proposal.
Ask for forgiveness rather than permission. (Score:5, Informative)
I'm sure the W3C's opinion on this is very, very important and that Google will wait for feedback before...
"Google has already implemented both First Party Sets and SameParty cookies in Chrome 89..."
Oh.
Carry on, then.
Re: (Score:2)
Re: (Score:1, Insightful)
Great idea, wrong implementation... (Score:3)
This should be done in DNS. Allow a record that says that this other domain is first-party for me. If the other domain also lists you as a first-party, then the browser will treat them as linked. This also means that Google would have to give ad domains full first-party access to google.com if they wanted to get around third-party cookies. Probably not something they want to do... In addition, this would make it fairly simple to defeat with a PiHole.
Re: Great idea, wrong implementation... (Score:2)
The problem is DNS generally runs without a security layer, so it's not a good source of truth for when to drop security. This is what HTTP headers are for.
Re:Great idea, wrong implementation... (Score:5, Insightful)
It already is. If Google wants all the different national search engines, maps, gmail, youtube, etc to be considered the same domain, simply name them:
uk.google.com
us.google.com
youtube.google.com
maps.uk.google.com (or uk.maps.google.com)
etc....
That's how DNS is supposed to work, it's supposed to be a hierarchy. Anything that is "part of Google" should be a subdomain of Google.com. If they want to keep youtube separate by putting it under youtube.com then they can - but it's separate, with everything that implies.
Re:Great idea, wrong implementation... (Score:4, Funny)
Get out of here with your logic... this is slashdot, not a forum for technical discussions.
Re: (Score:2)
Yeah! Let's talk about A.I. assistants in augmented reality using catgirl waifus 3D models!
Re: (Score:2)
But if they did that it would be harder to classify their Ireland operation as a separate entity. With separate domain names in each region/country they give the illusion that they are different entities even though everyone knows realistically they are not.
Re: Great idea, wrong implementation... (Score:2)
Security, security, security.
Top 3 reasons to say no to this idea
I like it! Google, Facebook, Twitter (Score:3)
How does this help the user? (Score:3)
Re: (Score:2)
About the only half-way reasonable use case I can see for it is M&A.
You have MyApp.example.com; you buy Exemplar, which owns exemplar.com, because they have features that would integrate nicely into MyApp. I guess you could use this to freely mix and match web things on both domains without having to use iframes and message passing or some elaborate CORS construct.
Re: (Score:2)
I guess you could use this to freely mix and match web things on both domains
Oh yeah nothing bad could possibly come of that.
Re: (Score:2)
They recently made a change in Google Docs/Drive and all that, where they now require you to allow cross-site cookies to be able to download your own content....
So I'm not surprised they are pushing this crap
If it can be disabled, who cares? (Score:2)
You have been able to disable third-party cookies for many decades. I guess this is "causing problems" for Google and other organizations that make money by spying (there are a lot of them).
Just as long as disabling third-party cookies continues to disable third-party cookies (and especially including the ones that the remote arsehole thinks should not be third-party cookies) who gives a shit?
I have had third-party cookies disabled since cookies were invented and do not permit the use of "web browsers" tha
Re: (Score:2)
Google currently does allow disabling of third-party cookies. However this proposal makes it quite clear that they intend to leave the switch in there but completely disable what it does.
Re: (Score:2)
The problem is that they can continue to block third-party cookies while, under this policy, allowing advertisers through, because what FPS does is say "Cookies from this advertiser aren't third-party cookies, they're first-party." It's still up to the web site to decide which domains are considered first-party domains, but you can be sure the first thing advertisers will do if FPS is ever accepted is tell sites "To carry our ads you have to add our domains to your FPS declarations."
Even when they win (Score:2)
Google: Even when they win they try to ratfuck the rules so they win even more.
"Don't be evil" is now "Don't give a shit and don't get caught".
Don't be evil, huh? (Score:1)
Wasn't that a long long time ago...?