
Definition of third party #16

Open
annevk opened this issue Sep 3, 2020 · 5 comments

Comments

@annevk
Collaborator

annevk commented Sep 3, 2020

I think there are roughly two definitions of third party that are important for the web platform:

  1. Third-party origin: settings object's origin is not same origin with the settings object's top-level origin. (E.g., Permissions Policy largely uses this.)
  2. Third-party site: settings object's origin is not same site with the settings object's top-level origin. (E.g., state partitioning largely uses this.)

Potential usage in prose if we want to formalize these as terms rather than using the longer phrase: If settingsObject has a third-party origin, then ...?


There's an interesting thing that @bakulf pointed out to me, which is that cookies have their own definition of this concept and that considers the entire ancestor chain. So when example.com/1 embeds thirdparty.example and that embeds example.com/2, per the above definitions /2 would not have a third-party origin/site, but at the same time it would not get SameSite cookies.

This does not seem hugely problematic to me and I don't think we can/should really change either definition at this point, but it's worth keeping this in mind.


Mainly wanted to write this down here to ensure we actually have agreement on this as we often say third party without being concrete about it.

cc @clelland

annevk added the agenda+ label (Request to add this issue to the agenda of our next telcon or F2F) on Sep 3, 2020
@domenic

domenic commented Sep 3, 2020

> cookies have their own definition of this concept and that considers the entire ancestor chain

It might be worthwhile to define this as a third definition alongside the other two, so that it's clear to the reader what is in use across the web platform. E.g. "third-party site considering ancestors". Then you could add a note that that definition is only used for cookies and shouldn't be used for anything else.

Basically I think it'd be ideal to have an exhaustive set of definitions, instead of just the two in the OP, which people might mistake for being exhaustive.
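The three notions discussed above (third-party origin, third-party site, and the cookie-style "third-party site considering ancestors"), as an added example that is not part of this thread or any spec text; it assumes a simplified registrable-domain check (last two host labels) where a real implementation would consult the Public Suffix List, and it uses HTML's same-site notion (scheme plus registrable domain):

```javascript
// Added example, not from the issue: classify a browsing context under the
// three "third party" definitions discussed in the thread.
// The context is described as a chain of origins from the top-level
// document (chain[0]) down to the context itself (last element).

function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port: u.port };
}

// Same origin: identical scheme, host and port.
function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// ASSUMPTION: registrable domain approximated as the last two labels.
// A real implementation must use the Public Suffix List (e.g. "co.uk").
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Same site (schemeful): same scheme and same registrable domain.
function sameSite(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x.scheme === y.scheme && registrableDomain(x.host) === registrableDomain(y.host);
}

function classify(chain) {
  const top = chain[0], self = chain[chain.length - 1];
  return {
    // Definition 1: context origin is not same origin with the top-level origin.
    thirdPartyOrigin: !sameOrigin(self, top),
    // Definition 2: context origin is not same site with the top-level origin.
    thirdPartySite: !sameSite(self, top),
    // Cookie-style definition: cross-site with *any* ancestor, not just the top.
    thirdPartySiteConsideringAncestors: chain.slice(0, -1).some(a => !sameSite(self, a)),
  };
}

// Constructed chain from the issue: example.com/1 embeds thirdparty.example,
// which embeds example.com/2. Only the ancestor-aware definition flags /2.
const nestedChain = ["https://example.com", "https://thirdparty.example", "https://example.com"];
console.log(classify(nestedChain));
```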

@AramZS

AramZS commented Sep 10, 2020

Adding that we have existing definitions of parties over here: https://www.w3.org/TR/tracking-dnt/#terminology.participants

@pbannist

I do think that those definitions are very vague when you start getting into the details of corporate ownership, etc. I have documented this issue at WICG/first-party-sets#18. I don't think that definition is anywhere near sufficient to help solve this particular problem.

@annevk
Collaborator Author

annevk commented Sep 10, 2020

To be clear, this is not meant to be about third-party sets as that is not an agreed upon security boundary. This is about formalizing existing security boundaries with easy-to-understand terminology.

@hober
Member

hober commented Oct 8, 2020

I wrote up some thoughts on this over here: https://tess.oconnor.cx//2020/10/parties
