Third-party Cookie Access Heuristics explainer #42
Comments
johannhof
added
the
agenda+
|
This proposal seems like it would definitely help my use case (3P edTech embeds iframed into a top level 1P site), where I expect authentication to break with 3P cookie deprecation. My current hangup on the Storage Access API, which seems to be the explicit invocation of this proposed behavior, is the user prompt, which is challenging for my user base (underage students with limited consent ability, admin-limited Chrome settings, and high risk of confusion). At a minimum, it would give myself and my partners more time to evaluate APIs like CHIPS and FedCM, which are promising but still have limitations or still have features in flux. I have two questions/concerns for the proposed heuristics:
|
|
@johannhof are you still interested in having agenda time? How much time do you need? |
|
@martinthomson I presented this at the last call. Apologies if I should have removed the label, I feel like someone else did that in the past. We're happy to discuss again if there's interest / feedback from the community but we don't have any net new info from the last 2 weeks I think. |
|
Also, I think it would be good to know what the chairs think about adoption of this proposal. What we're describing here is (partially) shipped by WebKit and Firefox, with Chrome implementing. I think this warrants adoption in some shared venue for continued discussion (there was some contention on the level of standardization this should receive but that's a different step from CG discussions). |
martinthomson
removed
the
agenda+
|
Just off the cuff, I think that the question in front of us is whether formalizing these heuristics is something that people want to do. Implicit in the shipping of this feature is the idea that this is an area of differentiation between browsers, not standardization. I'm not sure that I personally agree with that conclusion, but we'd need to test it better. For me, I'd like to see explicit indications here from WebKit and Gecko before I was confident that we had agreement. |
|
I said this in the discussion at the last meeting, but it is worth putting in writing here: formalizing these heuristics is a good idea, assuming that we are clear that they are a temporary measure until we have a good solution for the use cases they cover. |
martinthomson
added
interest: gecko
|
@martinthomson ping on getting this moved into PCG given that there's two-implementor interest in incubation |
The web is moving to deprecate third-party cookies, and not every site developer will have the time and bandwidth to implement workarounds that mitigate user-facing breakage. In particular, flows involving authentication tokens from identity providers are a common web pattern that relies on third-party cookies.
There are established practices where a browser grants temporary storage access when a user satisfies a predefined flow. We have assessed a few existing heuristics for security and privacy concerns, and have decided to prototype the following two scenarios:
We presented this proposal at TPAC to generally positive feedback:
Explainer: https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md
Slides: https://docs.google.com/presentation/d/e/2PACX-1vQAjOEnKv3fyXchlYwO2JbPGrvaT7w3Q24ikac_1YWO8IhFJhPvaWBpXZPTMx0wYud1jgiM_TkVQIvw/pub
We appreciate any additional feedback, comments, or concerns from the broader community. Thank you!
The text was updated successfully, but these errors were encountered: