[whatwg] Cross-Origin Cookies Sharing Proposal

[Ian Hickson]

On Fri, 21 Jun 2013, Huan Du wrote:
> 
> As privacy awareness becomes prevelant, the trend is that future 
> browsers are going to ban third-party Cookies by default.
> 
> This is a good thing for users, but for giant internet companies, this 
> has no doubt increases the difficult and complexity of implementing user 
> session synchronization.
> 
> Is it possible to, like Cross-Origin Resource Sharing, allow a site to 
> indicate which domains it would like to share Cookies with?

Why would a user be ok with sharing cookies with these sites if they're 
not ok with sharing them otherwise?

I don't really understand what the user threat model is here.


On Fri, 21 Jun 2013, Nils Dagsson Moskopp wrote:
> 
> I have a suspicion that the only thing that cannot be done easily 
> without cookies is tracking – that is, pretending that a user has an 
> account, but ensuring that she has not made that choice consciously.

That's pretty easy to do even without cookies or other storage mechanisms. 
You can fingerprint a user pretty precisely.


On Sat, 22 Jun 2013, Huan Du wrote:
> 
> There are 3 web sites in Alibaba at least: taobao.com, tmall.com, 
> etao.com. all of them are using a same account management system 
> including Sign up, Sign in.
> 
> The requirement is simple for the account management system. when user A 
> signed in taobao.com, we expect A is signed in tmall.com and etao.com.

Right. There are lots of cases such as this where third-party cookies (or 
a similar mechanism) are an integral part of the experience.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'