[Webkit-unassigned] [Bug 273452] New: Safari privacy settings menu implies site-based partitioning model
bugzilla-daemon at webkit.org
Mon Apr 29 16:55:29 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=273452
Bug ID: 273452
Summary: Safari privacy settings menu implies site-based partitioning model
Product: WebKit
Version: Safari 17
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Website Storage
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bugmail at eligrey.com
CC: sihui_liu at apple.com
Under Privacy -> Website tracking, the toggle option for "Prevent cross-site tracking" implies that 'site' is the partition boundary, and that this checkbox will only 'prevent cross-site tracking'. Instead, this on-by-default privacy setting prevents cross-domain tracking as well as cross-site tracking.
I was genuinely confused by this setting myself.
Please adjust your partitioning model to reflect the expected user assumptions for storage partitioning given this option title. Most storage mechanisms should be partitioned using site instead of origin; not just cookies. This cookie-preferential partitioning policy may have had a negative impact on the privacy practices implemented in practice for web applications developed in the past 13 years.
Developers that want to implement the easiest cross-browser solutions may simply expose data over the network using cookies. In Firefox and Chrome, they can also use postMessage + non-cookie-storage solutions to privately share state across subdomains.
( Related to but not a dupe of https://bugs.webkit.org/show_bug.cgi?id=168631 )
--
You are receiving this mail because:
You are the assignee for the bug.
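
The report turns on the difference between an origin boundary and a site boundary. The following is an added example, not part of the original report and not WebKit code, that classifies pairs of URLs under each boundary. The public suffix list is a small constructed subset, the function names are hypothetical, and `sameBucket` is a simplified model rather than any browser's actual partitioning logic.

```javascript
// Constructed subset of the Public Suffix List, for illustration only.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): longest matching public suffix plus one label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the constructed list (or an IP address)
}

// Origin boundary: scheme + host + port.
function originKey(url) {
  return new URL(url).origin;
}

// Site boundary (schemeful): scheme + registrable domain, or the host if none.
function siteKey(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname) ?? u.hostname}`;
}

function relation(a, b) {
  if (originKey(a) === originKey(b)) return "same-origin";
  if (siteKey(a) === siteKey(b)) return "same-site, cross-origin";
  return "cross-site";
}

// Simplified model: would two contexts share one storage bucket under
// the given boundary ("site" or "origin")?
function sameBucket(a, b, boundary) {
  const key = boundary === "site" ? siteKey : originKey;
  return key(a) === key(b);
}

// Constructed sample pairs.
const pairs = [
  ["https://app.example.com/inbox", "https://accounts.example.com/login"],
  ["https://example.com/", "https://tracker.org/pixel"],
  ["https://alice.github.io/", "https://bob.github.io/"],
];
for (const [a, b] of pairs) {
  console.log(`${relation(a, b)}: ${originKey(a)} vs ${originKey(b)}`);
}
```

The first pair is the case the report is about: two subdomains that are same-site but cross-origin, so they land in one bucket under a site boundary and in separate buckets under an origin boundary.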