-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trade-offs of FPS vs. requiring sites to unify on a single parent domain #19
Comments
It might be useful to keep in mind some of the multi-domain first-party situations we know of:
|
I don't think it's beyond customer's knowledge or understanding that Disney also owns ESPN and ABC. Do we really want to force such organizations to change domains to espn.disneyholding.com? I'd prefer to see effort put into how browsers can expose the details of the site's privacy policy to users in a user understandable way. This would give the user a better understanding of who they are interacting with and what that site is going to do with their data. This could also expose the "parent" company from the privacy policy. Making that data easy for the user to digest would be super valuable to users as they navigate the web. |
It is within understanding if it is actively called out. It's not reasonable to assume a priori knowledge of who-owns-what-this-year. (e.g. I didn't know about Disney and ABC until I read this. I still tend to forget that Comcast owns Universal. And if I gave you a list of consumer brands, could you pick out - reliably - which are Proctor and Gamble v. which are Kraft v. which are Kellogg's? I surely couldn't.) |
So in this context, what is considered... "actively called out"? Something on the page that says "A Proctor and Gamble company"? I will note that with edge proxies it is not that hard to put all brands on a single domain... I just wonder if that is what we really want for the web? I don't know how many consumers really look at the domain. Are there any research studies that show how much users rely on the domain in the URL bar? For instance... if I enter www.espn.com into the URL bar and then the edge system does a 301 to www.espn.disney.com will the user even notice? |
@gffletch say that users don't notice, why would we go through the trouble of FPS? And if they do notice, it seems like it would be a useful deterrent. |
As we (Mozilla) mentioned in the Privacy CG meeting on 2020-08-27, in our view it's not the role of the W3C to "require sites to unify on a single parent domain"; whether that makes sense for any particular organization is not a technical decision but a business decision. With that said, Internet users have been trained for the past 25+ years to use a registrable domain (i.e., eTLD+1) or a narrower selector (e.g., origin) as the basis for making decisions about who the first party is. We think that broadening the definition of first party now will violate the principle of least user astonishment, with potentially serious implications for user privacy and security. Although it's true that large consumer-oriented corporations sometimes have multiple brands (and it makes sense for each of those brands to be hosted on its own domain), the point at issue is what is clear to the consumers of those brands. A few examples:
As discussed on the call, there are many wrinkles here, including:
These and other issues could be sources of significant confusion to users and even to the organizations involved. Our view is that it's best not to open this large can of worms. |
Consider how we use domains at Lucid Software, Inc. We have a set of domains associated with two web apps (Lucidchart and Lucidspark):
This set of domains is desirable for multiple reasons, including security reasons, SEO and discoverability, branding, etc. And even if using a single domain for all of these were a viable option, migrating to a single domain from our existing setup would require significant effort and coordination, and would likely cause confusion and disruption for existing customers, especially since migrating domains would cause them to lose cookies and local storage on the existing domains (thus losing settings, login tokens, etc.) We currently rely on third party cookies for several user-facing features, including:
The storage access api would technically work for this. However, prompting the user for lucid.app to be able to access storage on lucidchart.com (and vice versa) would not be a great experience for the user. I understand the reasons for wanting to remove third-party cookies, and the concerns with the First Party Sets proposal. However, if third party cookies go away without something like a FPS, it is unclear to me how to maintain our current feature set without compromising the user's experience. |
I think in this issue we've established some use cases for entities operating separate domains, which helped inspire the subset-based approach to FPS, e.g. the "service" domains that enable separation of content for security reasons, among other things. In our new proposal we've also acknowledged some of the concerns around common ownership as the primary criterion for set membership that were brought up here and in other places, and rely primarily on technical checks and assertions instead. It seems appropriate to close this now. |
Let me just say that I very much doubt the claim that FPS is for security. If security was the concern I'm sure there would be plenty of support to address the scoping issues around cookies. |
This comment was marked as spam.
This comment was marked as spam.
|
|
On the PrivacyCG Work Item proposal discussion (privacycg/proposals/issues/17), feedback from Mozilla indicated that the page URL is the simplest/clearest definition of "first party" to users. I am creating this issue for further discussion on that topic.
@englehardt said:
In addition, @annevk said this about the prospect of multi-domain first-parties being forced to move to sub-domains of a common parent domain:
The text was updated successfully, but these errors were encountered: