
Add Third-Party Cookie Deprecation Heuristics to Web Compat

Open amaliev opened this issue 2 years ago • 8 comments

Proposal to add third-party cookie deprecation heuristics to the web compat spec.

Explainer: https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md

Issue #254

  • [ ] At least two implementers are interested (and none opposed):
    • Chrome
    • Firefox
  • [ ] Tests are written and can be reviewed and commented upon at:
    • https://github.com/web-platform-tests/wpt/tree/master/cookies/third-party-cookies
  • [ ] Implementation bugs are filed:
    • Chromium: https://issues.chromium.org/u/2/issues/40282235
  • [ ] MDN issue is filed: …
  • [ ] The top of this comment includes a clear commit message to use.


amaliev avatar Nov 17 '23 03:11 amaliev

+1. It's unclear why Google believe this is the right venue for this. The Privacy CG, where most of Google's CHIPS proposal has been discussed, would be an obvious first port of call—other options include the Fetch Workstream (which does deal with integration with the Cookies spec today), or the HTTP WG.

I realise many of these groups are unlikely to take on a pure description of Chromium's current implementation, which seems to be what you want to do here. After all, standards groups deal in normative requirements, not descriptions of varying implementations. But that's true of the Compat workstream too, and we should still be focused on normative requirements.

So, two questions:

  1. Is this the right venue? (And I'd suggest it is not.)
  2. Should this be outlining a normative set of requirements about when third-party cookies are allowed, rather than documenting a single implementation's choices of implementation-defined behaviour? (And that's definitely going to require a lot more consensus building!)

gsnedders avatar Nov 17 '23 11:11 gsnedders

For context, this was discussed in the privacycg session at TPAC. Our original idea was it should go in the HTML spec, but it was suggested somewhere else, like the web compat spec, would be better to indicate it's not intended to be a permanent feature of the web. We could investigate privacycg as well, but it's not clear where it would go in there either.

Should this be outlining a normative set of requirements about when third-party cookies are allowed, rather than documenting a single implementation's choices of implementation-defined behaviour? (And that's definitely going to require a lot more consensus building!)

As browsers are moving to blocking 3P cookies by default, it seems relevant to specify when cookies are permitted due to web site actions. This is definitely web observable in default modes in browsers that have already shipped blocking 3P cookies. Why would default web observable behavior not be specified? Both Firefox and Safari ship these heuristics or something very similar, so this is definitely not a Chrome-only thing.

We're happy to collaborate with other browser vendors on the appropriate place and shape of the spec, but just not specifying default web observable behavior does not seem like a good choice.

cc @miketaylr @johannhof

wanderview avatar Nov 17 '23 14:11 wanderview

I realize there was probably some confusion around the line:

The following spec represents the Chromium implementation of this feature.

This wasn't meant to imply this feature is Chrome-specific, but rather that each browser has a slightly different implementation. The explainer I added to the description goes into more detail, but similar heuristics have been shipped by Firefox (docs) and Safari (docs). We'll want to either establish a normative standard (we haven't had concrete discussions yet) or at least reflect the current differences in the spec (similarly to the UA section).

amaliev avatar Nov 17 '23 15:11 amaliev

@amaliev can you go ahead and open an issue in this repo for discussion? Personally I think it's fine to document these heuristics here, even if they get moved to another spec down the road (we've done this multiple times in the past). But I agree that we don't want to just document the Chromium implementation and should aim for a normative interoperable ideal (and if there are UA-specific differences, we should file bugs against them and possibly add non-normative notes describing them in the spec).

FWIW, the User-Agent section is unique in describing UA-specific differences. But the User-Agent string is unique (and terrible) in many ways. 🙈

miketaylr avatar Nov 17 '23 15:11 miketaylr

SGTM. Sorry for the trouble, I will open an issue and move these changes into a separate repo for the time being.

amaliev avatar Nov 17 '23 17:11 amaliev

SGTM. Sorry for the trouble, I will open an issue and move these changes into a separate repo for the time being.

Thanks. An issue has been opened.

karlcow avatar Nov 20 '23 01:11 karlcow

I don't think this necessarily had to be closed @amaliev. One thing I'd recommend is to always include the pull request template to avoid any misunderstandings. Perhaps you created this through CLI and therefore it got excluded. That's unfortunately a shortcoming of this process.

annevk avatar Nov 20 '23 12:11 annevk