Explore cookie partitioning #15
Comments
Interesting conversation on this topic happening here: privacycg/storage-access#75
Yeah, I think the two meetings and the various proposals in this space kinda settled this really high-level question.
EDIT: We published an explainer expanding on this idea: https://github.com/DCtheTall/CHIPS/
During the CG meeting today, the topic of partitioning cookies came up.
@annevk mentioned that Firefox is currently experimenting with this. Also see his previous comment.
@johnwilander previously wrote that Safari attempted this change and rolled it back due to a couple of concerns that are broadly relevant:
Both of these issues might be alleviated by using an opt-in model for partitioned cookies.
One potential solution is to have the developer specify a cookie attribute `PerPartition` (name needs bikeshedding), that is parsed in embedded/third-party contexts:

```
Set-Cookie: SID=31d4d96e407aad42; Secure; HttpOnly; PerPartition
```

The browser then stores that cookie in a partition keyed on `(top-level-site, embedded-site)`.
Subsequently, when the browser makes a request to the embeddee, it includes a cookie header with only the opted-in cookies and a header to indicate the top-level site:
Note: The question of whether it is acceptable to expose the first-party to a partitioned third-party is being explored in #14
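The storage and lookup rule proposed in this issue, modelled as a toy cookie jar. This is an added example, not code from the issue author or from any browser: the function and class names and the `.example` sites are hypothetical, dropping third-party cookies that lack `PerPartition` is an assumption of the model, and the header that indicates the top-level site is not modelled because the issue does not name it.

```javascript
// Toy cookie jar for the opt-in partitioning model described in this issue.
// Assumptions: site strings are already reduced to scheme + registrable domain;
// Domain/Path/Expires are ignored; non-opted-in third-party cookies are dropped.
const key = (topLevelSite, embeddedSite) => JSON.stringify([topLevelSite, embeddedSite]);
function bucket(map, k) {
  if (!map.has(k)) map.set(k, new Map());
  return map.get(k);
}
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // nameless cookies are ignored in this model
  const names = attrs.map((a) => a.split("=")[0].trim().toLowerCase());
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: new Set(names) };
}

class PartitionedJar {
  constructor() {
    this.firstParty = new Map();  // site -> (name -> value)
    this.partitioned = new Map(); // (top-level-site, embedded-site) -> (name -> value)
  }
  // Returns where the cookie ended up: "first-party", "partitioned" or "dropped".
  store(topLevelSite, responseSite, setCookieLine) {
    const c = parseSetCookie(setCookieLine);
    if (!c) return "dropped";
    if (topLevelSite === responseSite) {
      // The attribute is only parsed in embedded contexts, so it has no effect here.
      bucket(this.firstParty, responseSite).set(c.name, c.value);
      return "first-party";
    }
    if (!c.attrs.has("perpartition")) return "dropped";
    bucket(this.partitioned, key(topLevelSite, responseSite)).set(c.name, c.value);
    return "partitioned";
  }
  // Cookie header value for a request to requestSite made under topLevelSite.
  cookieHeader(topLevelSite, requestSite) {
    const jar = topLevelSite === requestSite
      ? this.firstParty.get(requestSite)
      : this.partitioned.get(key(topLevelSite, requestSite));
    return [...(jar || [])].map(([n, v]) => `${n}=${v}`).join("; ");
  }
}

// Constructed scenario: widget.example embedded under news.example, then under shop.example.
const demoJar = new PartitionedJar();
console.log(demoJar.store("https://news.example", "https://widget.example",
  "SID=31d4d96e407aad42; Secure; HttpOnly; PerPartition"));
console.log(JSON.stringify(demoJar.cookieHeader("https://shop.example", "https://widget.example")));
```

The second line printed is an empty string: the cookie set under `news.example` is not visible when the same widget is embedded under `shop.example`, which is the cross-site isolation the partition key provides.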