[Webkit-unassigned] [Bug 272189] ITP 7-day exception for origins that don’t communicate with other origins

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 12 14:48:32 PDT 2024


--- Comment #2 from John Wilander <wilander at apple.com> ---
Thanks for filing!

Let me start by saying that sarcasm is rarely a good starting point for a productive conversation.

There is a significant difference between a web*page* and a web*site*. A browser engine only ever sees webpages and doesn't know about the content of pages not visited yet. Thus, a browser engine cannot know if a website or web app has cross-site content or not. It only knows about visited webpages since the user last cleared history or for the current session/tab in the case of ephemeral browsing.

A policy along the lines that you propose would have to consider both the past and the future.

Past: Only if visited pages from the website have been free of cross-site content for N+ days will it be exempt from certain tracking prevention measures.

Future: As soon as a visited page from the website is found to load cross-site content, it needs to be opted in to the tracking prevention measures, including for website data created in the past.

The future perspective also applies to a single webpage since it can dynamically pull in cross-site resources at any point in time. So that would also have to be covered by the policy.

1. Is the above what you are envisioning?
2. Would tying it to a strict CSP work as technical enforcement?
3. Do you have thoughts on how developers can manage their websites to not make a cross-site resource load mistake on some page? As mentioned, CSP is an obvious tool, but one can make mistakes with CSP too.
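
As an added illustration of question 2 (not part of the bug comment or of WebKit's code): a small auditor that reads a Content-Security-Policy header and reports every fetch directive that could still permit a load from another origin, which is the kind of mistake the comment warns a developer can make even with CSP in place. The classification of source expressions (which keywords never fetch cross-origin, and that 'strict-dynamic' is treated as cross-origin-capable because nonced scripts may then load from any host) is my own assumption, as are the two sample policies.

```python
"""Audit a CSP header for directives that may allow cross-origin resource loads.

Added example, not from the bug thread. Assumption: a page that wants to load
nothing cross-site should restrict every fetch directive to 'self' / 'none'
(plus nonces/hashes, which permit inline content without a network fetch).
"""
from __future__ import annotations

# Fetch directives that control where resources may be loaded from.
FETCH_DIRECTIVES = (
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src",
)

# Source expressions that never cause a fetch from a different origin.
NON_CROSS_ORIGIN_KEYWORDS = {
    "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
    "'wasm-unsafe-eval'", "'report-sample'",
}
NON_NETWORK_SCHEMES = {"data:", "blob:", "filesystem:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source, ...]}.

    Per the spec, a repeated directive is ignored, so the first one wins.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), sources)
    return policy


def source_allows_cross_origin(src: str) -> bool:
    """True if this source expression could permit a load from another origin."""
    s = src.lower()
    if s in NON_CROSS_ORIGIN_KEYWORDS or s in NON_NETWORK_SCHEMES:
        return False
    if s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")):
        return False
    # Hosts, wildcards, bare schemes such as https:, and 'strict-dynamic'
    # (assumption: nonced scripts may then pull in scripts from any host).
    return True


def cross_origin_findings(header: str) -> list[str]:
    """Return human-readable findings; an empty list means same-origin only."""
    policy = parse_csp(header)
    findings: list[str] = []

    # Without default-src, any fetch directive that is not spelled out falls
    # back to allowing every origin.
    unlisted = [d for d in FETCH_DIRECTIVES if d != "default-src" and d not in policy]
    if "default-src" not in policy and unlisted:
        findings.append(
            "default-src missing: unlisted fetch directives "
            f"({', '.join(unlisted)}) allow any origin"
        )

    for name in FETCH_DIRECTIVES:
        for src in policy.get(name, []):
            if source_allows_cross_origin(src):
                findings.append(f"{name} allows cross-origin loads via {src}")
    return findings


# Constructed sample policies (not from the thread).
STRICT_CSP = (
    "default-src 'self'; script-src 'self' 'nonce-abc123'; "
    "object-src 'none'; base-uri 'self'"
)
LEAKY_CSP = "script-src 'self' https://cdn.example; img-src *"

if __name__ == "__main__":
    for label, csp in (("strict", STRICT_CSP), ("leaky", LEAKY_CSP)):
        print(f"[{label}] {csp}")
        for finding in cross_origin_findings(csp) or ["no cross-origin sources"]:
            print("   -", finding)
```

A check like this only tells a developer what the header permits; it does not see what a page actually does at run time, which is the "future" half of the comment. Pairing the strict policy with a report-only or report-to deployment first is the usual way to surface an unexpected cross-site load before enforcement breaks the page.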
