Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Google IT

W3C Slaps Down Google's Proposal To Treat Multiple Domains as Same Origin (theregister.com) 40

Posted by msmash from the closer-look dept.
A Google proposal which enables a web browser to treat a group of domains as one for privacy and security reasons has been opposed by the W3C Technical Architecture Group (TAG). From a report: Google's First Party Sets (FPS) relates to the way web browsers determine whether a cookie or other resource comes from the same site to which the user has navigated or from another site. The browser is likely to treat these differently, an obvious example being the plan to block third-party cookies. The proposal suggests that where multiple domains owned by the same entity -- such as google.com, google.co.uk, and youtube.com -- they could be grouped into sets which "allow related domain names to declare themselves as the same first-party." The idea allows for sites to declare their own sets by means of a manifest in a known location. It also states that "the browser vendor could maintain a list of domains which meet its UA [User Agent] policy, and ship it in the browser."

In February 2019, Google software engineer Mike West requested a TAG review and feedback on the proposal was published yesterday. "It has been reviewed by the TAG and represents a consensus view," the document says. According to the TAG, "the architectural plank of the origin has remained relatively steady" over the last 10 years, despite major changes in web technology. It added: "We are concerned that this proposal weakens the concept of origin without considering the full implications of this action." The group identified some vagueness in the proposal, such as whether FPS applies to permissions such as access to microphone and camera. A Google Chrome engineering manager has stated: "No, we are not proposing to change the scope for permissions. The current scope for FPS is only to be treated as a privacy boundary where browsers impose cross-site tracking limitations." But the TAG reckons that the precise scope of FPS should be laid out in the proposal. A second concern is over the suggestion that browser vendors would ship their own lists. "This could lead to more application developers targeting specific browsers and writing web apps that only work (or are limited to) those browsers, which is not a desirable outcome," said the TAG.
This discussion has been archived. No new comments can be posted.

W3C Slaps Down Google's Proposal To Treat Multiple Domains as Same Origin More

W3C Slaps Down Google's Proposal To Treat Multiple Domains as Same Origin

Comments Filter:

  • Attempt at neutering third-party cookie blocking (Score:5, Insightful)

    by Todd Knarr ( 15451 ) on Friday April 09, 2021 @01:02PM (#61255728) Homepage

    This is a clear attempt at bypassing the whole idea of third-party cookie blocking and other cross-site privacy controls. The immediate follow-up would be advertisers saying that to use their page code sites have to add the advertiser's domains to their first-party sets. And poof goes any ability to block tracking cookies.

    TAG is entirely right to reject this. I think they're only being polite in saying the impact on privacy hasn't been completely thought through, though, I think Google did think it through completely and just bet that TAG wouldn't.

    • So... why would third party blockers pay any attention to this white list?

      • Re: (Score:1)

        by rot16 ( 4603585 )

        Otherwise they would be blocked from addons store?

      • Re: (Score:2)

        by green1 ( 322787 )

        Because currently the biggest third party cookie blockers are the browsers themselves. And I heard a little rumor that Google wrote one of those.

    • Re: (Score:1)

      by Anonymous Coward

      There's also another interesting point here; that the proposal wasn't put forward by Google's ad teams, it was put forward by the Chrome team.

      Given this, it really confirms that the Chrome team view providing users with a good browser secondary to using the browser to force ads and tracking upon you. Of course, many suspected this anyway, but this is solid confirmation that people need to stop using Chrome- if you consider security of your personal data important then its flat out dangerous and its dev team

    • IMO it looks like a clear attempt to make it so the top browser vendor can gatekeep who gets to bypass cross-site privacy controls and who can't, making it impossible to build a competing advertising product without their permission.

  • More cookies is more bad (Score:5, Informative)

    by OrangeTide ( 124937 ) on Friday April 09, 2021 @01:08PM (#61255752) Homepage Journal

    99% of cookies are used to abuse end users. To track their activities in a big brother fashion. To collect their personal information for targeted advertising. And to associate their spending habits with clicks and mouse overs that are sold to millions of businesses. None of this information was collected in good faith, and while it might not meet the legal definition of fraud, there is an ethical charge that they've stolen something they do not own and sold it.

    • 99% of google's tech is to abuse end users.

      past time to castrate them

      • Law makers aren't likely to understand. We're at a point where the uninformed believe Google is the Internet.

        If legislation tries to go after Google, we'll get a lot of nonsense about how Google gives people free email and what are these people supposed to do now? They'll scream: OMG I'll lose my email address!

    • Totally agree with you. Google is trying to be everything to everyone. I personally dumped Chrome in favour of Brave. I value my privacy and the less Google knows, the happier I am. I don't care if the advertisement I see are not tailored to my taste. I don't even read them.

      • Re: (Score:3)

        by DarkOx ( 621550 )

        You dumped Chrome in favor of a browser that is entirely dependent on Google for all the code that does the hard work of web rendering and still does plenty of its own tracking.

        Sorry but Brave is about the most asinine counter productive project out there. At least be half-way serious about helping to preserve a real non-google alternative and use something mozilla based.

    • As vice chairman of the pedantic society I have to disagree and say that 99% of cookies are simply used to maintain session state, it's the other 1% that cause all the problems.

    • Re: (Score:2)

      by spudnic ( 32107 )

      Not so much when you are talking about business applications that are delivered via the web where different components could be written and/or hosted by other vendors. This would be a valid use for the proposal.

  • Ask for forgiveness rather than permission. (Score:5, Informative)

    by thevirtualcat ( 1071504 ) on Friday April 09, 2021 @01:13PM (#61255778)

    I'm sure the W3C's opinion on this is very, very important and that Google will wait for feedback before...

    "Google has already implemented both First Party Sets and SameParty cookies in Chrome 89..."

    Oh.

    Carry on, then.

    • Need to start an Insecure By Design campaign.

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      What did W3C expect to happen if it takes them over 2 years to do a review on a proposal? Apparently we all move at Internet speed except the people who supposedly handle Internet standards. That seems - really out of whack. Actually, I am surprised that Google didn't just move on to something else or forget that they even had a request with W3C in progress after over two years.

  • Great idea, wrong implementation... (Score:3)

    by reg ( 5428 ) <reg@freebsd.org> on Friday April 09, 2021 @01:34PM (#61255886) Homepage

    This should be done in DNS. Allow a record that says that this other domain is first-party for me. If the other domain also lists you as a first-party, then the browser will treat them as linked. This also means that Google would have to give ad domains full first-party access to google.com if they wanted to get around third-party cookies. Probably not something they want to do... In addition, this would make it fairly simple to defeat with a PiHole.

  • I like it! Google, Facebook, Twitter (Score:3)

    by oldgraybeard ( 2939809 ) on Friday April 09, 2021 @02:01PM (#61256018)
    etc etc all same origin cool > /dev/null

  • How does this help the user? (Score:3)

    by LordWabbit2 ( 2440804 ) on Friday April 09, 2021 @03:56PM (#61256398)
    How is this going to add value to the end user? It seems more like it would be used to help advertisers and other scum who abuse users and track the fuck out of everything. Maybe I am missing something?

    • Re: (Score:2)

      by DarkOx ( 621550 )

      About the only half-way reasonable use case I can see for it is M&A.

      You have MyApp.example.com you buy Exemplar that owns examplar.com because they have features that would integrate nicely into MyApp. I guess you could use this to freely mix and match web things on both domains without having to use iframes, and message passing or some elaborate cors construct.

    • Re: (Score:2)

      by G00F ( 241765 )

      They recently made a chance in google docs/drive and all that, where they now require you to allow cross site cookies to be able to download your own content....

      So I'm not surprised they are pushing this crap

  • You have been able to disable third-party cookies for many decades. I guess this is "causing problems" for Google and other organizations that make money by spying (there are a lot of them).

    Just as long as disabling third-party cookies continues to disable third-party cookies (and especially including the ones that the remote arsehole thinks should not be third-party cookies) who gives a shit?

    I have had third-party cookies disabled since cookies were invented and do not permit the use of "web browsers" tha

    • Re: (Score:2)

      by green1 ( 322787 )

      Google currently does allow disabling of third-party cookies. However this proposal makes it quite clear that they intend to leave the switch in there but completely disable what it does.

    • The problem is that they can continue to block third-party cookies while, under this policy, allowing advertisers through because what FPS does is say "Cookies from this advertiser aren't third-party cookies, they're first-party.". It's still up to the web site to decide which domains are considered first-party domains, but you can be sure the first thing advertisers will do if FPS is ever accepted is tell sites "To carry our ads you have to add our domains to your FPS declarations.".

  • Google: Even when they win they try to ratfuck the rules so they win even more.

    "Don't be evil" is now "Don't give a shit and don't get caught".

  • Wasn't that a long long time ago...?

Slashdot Top Deals

For God's sake, stop researching for a while and begin to think!

Close