[Webkit-unassigned] [Bug 272189] ITP 7-day exception for origins that don’t communicate with other origins

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 12 14:48:32 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=272189

--- Comment #2 from John Wilander <wilander at apple.com> ---
Thanks for filing!

Let me start by saying that sarcasm is rarely a good starting point for a productive conversation.

There is a significant difference between a web*page* and a web*site*. A browser engine only ever sees webpages and doesn't know about the content of pages not visited yet. Thus, a browser engine cannot know if a website or web app has cross-site content or not. It only knows about visited webpages since the user last cleared history or for the current session/tab in the case of ephemeral browsing.

A policy along the lines that you propose would have to consider both the past and the future.

Past: Only if visited pages from the website have been free of cross-site content for N+ days will it be exempt from certain tracking prevention measures.

Future: As soon as a visited page from the website is found to load cross-site content, it needs to be opted in to the tracking prevention measures, including for website data created in the past.

The future perspective also applies to a single webpage since it can dynamically pull in cross-site resources at any point in time. So that would also have to be covered by the policy.

Questions:
1. Is the above what you are envisioning?
2. Would tying it to a strict CSP work as technical enforcement?
3. Do you have thoughts on how developers can manage their websites to not make a cross-site resource load mistake on some page? As mentioned, CSP is an obvious tool, but one can make mistakes with CSP too.

-- 
You are receiving this mail because:
You are the assignee for the bug.