Design Review #595

#595: SameParty cookie attribute

Opened Jan 11, 2021

Hello TAG!

I'm requesting a TAG review of the proposed SameParty cookie attribute.

The SameParty cookie attribute provides web developers a means to annotate cookies that are allowed to be set or sent in same-party (where "party" is defined by the collection of domains within the same First-Party Set), cross-site contexts; and hence should not be subject to the obsoletion/restrictions planned/shipped for third-party cookies in major browsers. In addition, SameParty cookies are blocked in cross-party, cross-site contexts.

Explainer: https://github.com/cfredric/sameparty
Security & Privacy self-review: https://github.com/cfredric/sameparty/blob/main/security_and_privacy.md
Primary contacts (and their relationship to the specification):
- @chlily1, author, Google Chrome
- @krgovind, author, Google Chrome
- @davidben, author, Google Chrome
- @cfredric, author, Google Chrome
Organization/project driving the design: Google Chrome

Further details:

I have reviewed the TAG's API Design Principles
The group where the incubation/design work on this is being done (or is intended to be done in the future): Plan to be discussed in conjunction with First-Party Sets in PrivacyCG
The group where standardization of this work is intended to be done ("unknown" if not known): IETF HTTP Working Group
This work is being funded by: Google

You should also know that…

This is related to First-Party Sets, which was previously reviewed and discussed here: https://github.com/w3ctag/design-reviews/issues/342.

We'd prefer the TAG provide feedback as:

💬 leave review feedback as a comment in this issue and @-notify [cfredric, krgovind]

Discussions

Discussed Jan 1, 2021 (See Github)

Dan: what is the status of this work?

Peter: tied to first party sets

Dan: there was significant pushback from other parties, was discussed in the PrivacyCG. I think the tie in is it's using the same conceptual framework

Rossen: it builds on it. Are we assuming that first party sets are a thing?

Dan: our review of first party sets is closed - and we identified issues which were not resolved to my knowledge ... Mozilla thinks its harmful.

Rossen: the first party sets itself is problematic. It says we don't trust who is first and third party, we will tell you who is first party, we are going to group domains to say they are first party, trust us. Based on this proposal is extending it and we'll also tell you what third party cookies are on top of this first party sets. In the security and privacy, they are going to good detail to what the different proposals are.

Dan: I want to push back and say before you start building stuff on top of first party sets then asking the TAG to review it, get yoru story straight with first party sets and get consensus and multiple implementations behind first party sets. this is not a thing where some browsers can support it and some can't and that's okay, this is much more fundamental to how the web operates. If you don't have inteorperability it's not going to function and there's something to the notion it might be a harmful feature.

Rossen: No official MS position, I have my personal opinion that doesn't stand for MS.

Dan: where is this being worked on? In a private repo.

Dan: proposed comment ` Hi folks - this is an interesting proposal. We are just picking it up at our virtual f2f this week and discussing. I note that it builds on First Party Sets, which we previously reviewed and found issues with, which were not resolved. Furthermore there seems to be lack of multi-implementer support for First Party Sets based on e.g. the Mozilla feedback. Therefore it feels to me like it's premature to build things on top of First Party Sets?

Comment by @torgo Jan 27, 2021 (See Github)

Hi folks - this is an interesting proposal. We are just picking it up at our virtual f2f this week and discussing. I note that it builds on First Party Sets, which we previously reviewed and found issues with, which were not resolved. Furthermore there seems to be lack of multi-implementer support for First Party Sets based on e.g. the Mozilla feedback. Therefore it feels to me like it's premature to build things on top of First Party Sets?

Comment by @krgovind Jan 27, 2021 (See Github)

@torgo Thank you for taking a look at this proposal! I'd like to point to support from Edge, and support to adopt in PrivacyCG from Safari. First-Party Sets is currently under discussion in PrivacyCG, and the SameParty cookie attribute was also discussed there. The result of the SameParty discussion is cfredric/sameparty/issues/2

My impression was that we had responded to the issues raised on #342, but perhaps we need to articulate that better back on that thread? Here is my enumeration of our response to the various issues:

Mozilla's concern around self-declared vs. curated lists (in comparison with Firefox's use of disconnect-entitylist.json) were addressed in the rewrite of the proposal with the UA Policy section.
Preventing use of First-Party Sets as a cross-site tracking vector is addressed in this section.
We propose to aid user understanding via UI Treatment.
We are considering options for enforcement against creation of excessively large sets in privacycg/first-party-sets/issues/29

Discussed Feb 1, 2021 (See Github)

[relationship to 1st party set is an issue]

[discussion on how this depends on privacy budget and how privacy budget is not a well defined concept at this point]

Tess: large ecommerce sites often have 100s of domains that they own.. Amazon.co.uk, amazon.mx, etc... All of their national TLDs are the same set. That might be reasonable but once you get into high numbers like that then the potential for abuse skyrockets. Ad-tech companies might abuse this.

Dan: what's the mitigation being discussed in the Privacy CG for this?

Tess: the mitigation linked to here is that the privacy budget would apply across all sites across the first party set. Another mitigation would be to limit the size to 10 or 20 domains. Once you get into high numbers then the harm of using it as a tracking vector overrides the benefit.

Rossen: where is the ... expanding and registering domains that are part of the set? Who registers the sets?

Tess: every party in the set needs to declare.

Rossen: legit subsidiary issues. Also enterprises with different companies. Does current 1st party set thinking consider these the same? Or is there a grey line? All of your TLDs around the world.

Tess: don't know if you draw that distinction

Hadley: this is companies saying "we understand the same origin policy but we're annoyed by it so we want to scrap it in certain circumstances".

Tess: there are multiple reasons why you might want to have these sets - different properties (all the same legal entity, vs looser...)

Tess: what's tricky here is that 1st party sets is agnostic. Doesn't say what they use it for. Same party cookies are the first example of an application of 1st party sets. Rossen identified at least 2 cases that are interesting. I think there are more. There could be a way to share a set of domains that share certain aspects - e.g. ethical principles...

Hadley: it reminds me of a proposal from the IAB (the advertising one)- they wanted to let brands designate places that could sell their stuff legitimately. They could use that to cut down on counterfeiting.

Rossen: what is the governance model for this? Do we have a def of that?

Tess: not sure if there is any kind of governance.

Ken: they are sending an intent to experiment.

Dan: you would end up with defacto browser allow lists of which 1st party sets are ok

Tess: and then you have the compatiility problem.. different browsers have different lists, it's a race to the bottom

Hadley: rife for conflicts of interest. Crosses out of user agents...

Rossen: the whole domain registry well-established governance model shifts completely.

Dan: this is a destabilizer.

Dan: doesn't this fundamentally harm web architecture?

Rossen: should we reopen first party sets? and continue the conversation there. It's no longer "too early".

Hadley: same people? no

Rossen: some similar folks, and much livilier discussion

Hadley: 342 has discussion around governance but doesn't really conclude

Dan: left a comment redirecting back to the first party sets issue.

Hadley: will leave a comment on that issue.

Comment by @torgo Feb 8, 2021 (See Github)

OK - we have had a more detailed discussion on the proposal today on our TAG call. We have some very strong concerns about the underlying first party sets proposal #342 which I think that discussion has unearthed. Hence we're going to move the discussion back there and re-open that issue. Also pinging @chrishtr.

Discussed Mar 1, 2021 (See Github)

Rossen: discussion was moved into first party sets right?

Discussed May 1, 2021 (See Github)

Marked this as blocked on dependency (waiting on #342 First-Party Sets).

Comment by @hober May 12, 2021 (See Github)

Marking this as blocked on dependency for #342.

Discussed Sep 1, 2021 (See Github)

Dan: noted we feel it's blocked behind FPS. Feel like we need another session with Kaustubha where we talk about this, FPS and CHIPS. Next week?

Discussed Sep 1, 2021 (See Github)

Dan: stil blocked on first party sets...

Discussed Sep 1, 2021 (See Github)

Amy: last update is that this is blocked on FPS

Comment by @torgo Sep 14, 2021 (See Github)

@cfredric we are just reviewing again at our virtual f2f. We still feel this is blocked on First Party Sets - a spec which is in active development in the Privacy CG. Is there any additional info on multi-implementer support?

Discussed Oct 1, 2021 (See Github)

Dan: still blocked on FPS discussion

Discussed Nov 1, 2021 (See Github)

Dan: still blocked on FPS.

Comment by @rhiaro Jul 26, 2022 (See Github)

We are closing this due to the dependency on First Party Sets.