[whatwg] Cross-Origin Cookies Sharing Proposal
Ian Hickson
ian at hixie.ch
Wed Sep 4 15:25:41 PDT 2013
On Fri, 21 Jun 2013, Huan Du wrote:
>
> As privacy awareness becomes prevalent, the trend is that future
> browsers are going to ban third-party Cookies by default.
>
> This is a good thing for users, but for giant internet companies, this
> has no doubt increased the difficulty and complexity of implementing user
> session synchronization.
>
> Is it possible to, like Cross-Origin Resource Sharing, allow a site to
> indicate which domains it would like to share Cookies with?
Why would a user be ok with sharing cookies with these sites if they're
not ok with sharing them otherwise?
I don't really understand what the user threat model is here.
On Fri, 21 Jun 2013, Nils Dagsson Moskopp wrote:
>
> I have a suspicion that the only thing that cannot be done easily
> without cookies is tracking – that is, pretending that a user has an
> account, but ensuring that she has not made that choice consciously.
That's pretty easy to do even without cookies or other storage mechanisms.
You can fingerprint a user pretty precisely.
On Sat, 22 Jun 2013, Huan Du wrote:
>
> There are at least 3 web sites in Alibaba: taobao.com, tmall.com,
> etao.com. All of them are using the same account management system,
> including Sign up, Sign in.
>
> The requirement is simple for the account management system. When user A
> signed in to taobao.com, we expect A is signed in to tmall.com and etao.com.
Right. There are lots of cases such as this where third-party cookies (or
a similar mechanism) are an integral part of the experience.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'