
service and associated Subset Interaction

Open · bvandersloot-mozilla opened this issue 2 years ago · 1 comment

Consider the domains from the spec as an example:

  • Set primary: exampleA.com
  • Service: exampleA-usercontent.com
  • Associated: exampleB.com

From the spec it is clear that as a top-level context exampleA.com would be able to use the cookies of exampleA-usercontent.com without a prompt, but would (may?) show a user prompt to use the cookies of exampleB.com.

What about exampleB.com as a top-level context? Does it auto-grant when requesting to use the cookies of exampleA-usercontent.com? If not, I’m concerned that exampleA.com and exampleB.com can cookie sync via exampleA-usercontent.com.

bvandersloot-mozilla · Aug 24 '22 15:08

The answer is yes: if in this scenario associated domains are required to show prompts or use other protective heuristics, then that needs to apply to access on the entire set, including service domains. I think we were aware of that consideration but may not have spelled it out properly in the explainer. Let's leave this issue open to track making this more explicit, maybe in the future spec.

johannhof · Aug 31 '22 07:08
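A small model of the two readings discussed in this thread, added here as an example rather than code from the explainer or spec: it encodes the set from the issue, compares a naive policy (service domains auto-granted to any set member) with the set-wide policy in the reply above, and checks whether the primary and an associated site could each reach the service site's cookies without a prompt. The role names, field names and return values are assumptions of this example.

```javascript
// Constructed set declaration for the domains in the issue. The field
// names are an assumption of this example, not taken from the spec.
const EXAMPLE_SET = {
  primary: "exampleA.com",
  serviceSites: ["exampleA-usercontent.com"],
  associatedSites: ["exampleB.com"],
};

// Which subset a site belongs to, or null if it is outside the set.
function roleOf(set, site) {
  if (site === set.primary) return "primary";
  if (set.serviceSites.includes(site)) return "service";
  if (set.associatedSites.includes(site)) return "associated";
  return null;
}

// Naive reading the issue is worried about: any access involving a
// service domain is auto-granted, regardless of who the top-level is.
function naiveDecision(set, topLevel, embedded) {
  const a = roleOf(set, topLevel), b = roleOf(set, embedded);
  if (a === null || b === null) return "outside-set";
  if (a === "service" || b === "service") return "auto-grant";
  if (a === "associated" || b === "associated") return "prompt";
  return "auto-grant"; // primary with primary (same site)
}

// Reading from the reply: the protective heuristic for associated
// domains applies to the entire set, service domains included.
function setWideDecision(set, topLevel, embedded) {
  const a = roleOf(set, topLevel), b = roleOf(set, embedded);
  if (a === null || b === null) return "outside-set";
  if (a === "associated" || b === "associated") return "prompt";
  return "auto-grant"; // only primary <-> service is silent
}

// The cookie-sync concern from the issue, stated as a check: can two
// top-level sites both reach the same third site's cookies silently?
function canSyncWithoutPrompt(decide, set, siteX, siteY, via) {
  return decide(set, siteX, via) === "auto-grant" &&
         decide(set, siteY, via) === "auto-grant";
}
```

Under the naive policy exampleA.com and exampleB.com both reach exampleA-usercontent.com silently; under the set-wide policy the associated side is prompted, so the silent path is closed.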