-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
First-Party Sets #350
Comments
Say rugby.example and football.example decided to create a first-party set together. How would you convey this information to the user? |
Are there parts of the updated explainer that respond to the five concerns brought up in krgovind/first-party-sets#6 and krgovind/first-party-sets#7? |
The set's owner domain could be displayed in the browser UI.
For krgovind/first-party-sets#6, please see replies here and here. Regarding the issues raised there:
For krgovind/first-party-sets#7, please see reply here. Regarding the issues raised there:
|
What's suggested there is basically not discoverable and seems like a huge step back for users once we have better partitioning between top-level sites. |
The Origin Info Bubble is only one possibility. Other UI surfaces may be more appropriate, potentially depending on the browser. |
In my opinion this proposal looks reasonable and we should participate in evolving it, but I think the broad definition of "UA Policy" isn't really acceptable to us. Some things I'd like to see formalized across browsers instead:
Not having this standardized will have the effect that browsers with a stricter policy will need to spend a lot of time and energy on dealing with the Web Compat fallout. Also, IIUC in the case of an owner change we would clear all site data from the transferred domain before proceeding? From a purely technical Firefox standpoint, the idea of clearing all site data immediately before proceeding to a site and relying on all caches to be evicted and everything to be gone feels prone to races. I know this is already the case with Clear-Site-Data but there websites don't really have a reason to exploit it. With regards to the UI, I'm not sure whether it's critical to communicate this to the user in primary UI if the restrictions mentioned above are kept. Showing it in the site identity panel (the Firefox version of Chrome's origin info bubble) might suffice. |
As I summarized here, I see several fundamental issues with the proposal, and think it would be harmful to adopt without first showing that those issues can be resolved. |
First-Party Sets has undergone quite a few changes since this issue was closed. In particular:
These changes were introduced in WICG/first-party-sets#92. They align the proposal with other browsers' approaches of using the Storage Access API to mediate sites' requests for cross-site cookie access. Given the extent of the changes, I'd like to request a re-review of the First-party Sets proposal. Thanks! |
The changes that are proposed don't really address any of the central issues we (and others) originally raised.
I don't personally see the move to using the storage access as strictly positive. This change really only buries the true changes that are being pursued here. Unpermissioned, cross-site flows of data about site visitors is really what is being sought, but this is the antithesis of many of the privacy actions browsers have taken recently. Permissioned flows, such as the storage access API enables, isn't really that much better. I have heard strong criticism from a number of people about the effectiveness of that API in terms of ensuring that people understand and truly assent to the things that storage access enables. I tend to agree with that criticism. Storage access is only really tolerable as a pressure-release, a temporary hack that lets sites delay the more significant architectural changes that a better default privacy stance might demand. That browsers - or perhaps their users - each get to choose what policy to apply is at the core of the problems here. Whatever Google Chrome chooses for its default policy will have a huge influence on what sites will expect. It appears that the policy will involve some amount of unpermissioned cross-site linkage. Otherwise, why insist on having an option to choose? People who reject that default will inevitably need to deal with broken experiences. As Maciej said, let us instead concentrate on the hard part: agreeing on shared semantics. (This is just my view of the situation; I will need to confer with others and get you a more concrete answer.) |
In addition to the above, Apple have helpfully provided updated feedback on FPS. On the whole, we agree with Apple. As such, we're not seeing any reason to change the position from "negative". Thanks for checking. |
(disclaimer: I previously commented on this proposal while being employed by Mozilla, I now work at Google) Hi Martin, thank you for taking another look. I understand that this issue is closed and I'm not asking you to re-open, but I wanted to add a response nonetheless.
I should call out that this is not an updated response from Apple and rather a copy-paste from John Wilander's previous comments on FPS in May '22.
Working closely with the FedCM team, I don't think that FPS and FedCM are currently targeting the same use cases. There are some organizations which happen to be identity providers and also run sites where a social/federated login functionality may be surfaced to users instead of using SAA with FPS. But I wouldn't expect that to be a common case, even for the "associated" set. We're (obviously) very supportive of FedCM and would like to explore ways that we could change it to help deliver better user experiences in other areas, but that doesn't mean it can replace FPS entirely. For things like service domains (JSFiddle/githubusercontent use cases) I'm quite sure that FedCM will never offer an adequate solution. I don't want to discuss FedCM too much here, but it's important to consider that its main strength comes from being so purpose-bound to federated/social-style login patterns. We have to be careful to not use FedCM prompts outside of where users would naturally understand them. FPS could help with that.
An explicit goal of the updated proposal is to put an upper bound on the negative effect on browsers who will choose more restrictive handling (or ignoring) of FPS.
Strictly comparing "(un)permissioned cross-site data flows" vs. "better default privacy stance" may be simplifying things a bit too much. Sharing any high-entropy identifier between two sites is equivalent to full cross-site cookie access from a privacy perspective. As such, any API that does this, such as FedCM, will need to be "permissioned" in some way. Given that, we need to think about how we can help the user experience through these flows that necessarily need to share the full user identity. Our hypothesis is that we can reduce the number of prompts in these necessary flows through the trust in pre-declared use cases established through FPS. Aside from that we also need better prompts, but that's not really a goal for FPS.
As mentioned before, I don't think that even in the long term we can build a version of the web where the user or the user agent doesn't have to make choices about sharing identities in some form, nor do I think that this would be desirable. Things being "broken" (i.e. users being logged out or services not being integrated) when "permission" is not given is a side effect of that. |
Request for Mozilla Position on an Emerging Web Specification
Other information
The text was updated successfully, but these errors were encountered: