[Webkit-unassigned] [Bug 273193] Safari Intelligent Tracking Prevention is breaking same-site cross-subdomain sync for Transcend Consent Manager

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 29 17:44:02 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=273193

--- Comment #14 from John Wilander <wilander at apple.com> ---
We started partitioning HTML storage when the feature was new to the web (implementation in 2012, shipped 2013). The main reason for storage and cache partitioning was to not further compound the problem of tracking on the web. The natural security boundary for the web is origin and so it was used for partitioning. It would be great for web security and privacy if origin was the consistent boundary.

However, cookies are much older, dating back to the 90s. The cookie attribute "domain" combined with the advent of the Public Suffix List established website, or registrable domain, as the boundary for cookies. Thus it has never been considered web compatible to restrict cookies to origins.

The current belief in the web community is instead that we'd have to replace cookies with something else to get what's called origin-bound session identifiers. That's where Mike West's now obsolete "HTTP State Tokens" proposal came from: https://datatracker.ietf.org/doc/html/draft-west-http-state-tokens-00

As you can see, we ended up here by trying to make the best decisions for the web as the platform evolved.
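The two boundaries the comment contrasts, origin (the storage/cache partition key) versus registrable domain (the widest scope a cookie's Domain attribute may claim), as an added example that is not code from WebKit or from the bug reporter. The public-suffix set below is a tiny constructed stand-in for the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (PSL); the real list is
# far larger and has wildcard/exception rules that are omitted here.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def origin(url: str) -> tuple[str, str, int]:
    """Web origin = (scheme, host, port): the boundary WebKit partitions
    HTML storage and caches on."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}[u.scheme]
    return (u.scheme, u.hostname.lower(), port)


def registrable_domain(host: str) -> str:
    """eTLD+1 ('site'): the longest matching public suffix plus one label."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return host  # no known suffix: treat the whole host as the site


def cookie_domain_allowed(request_host: str, domain_attr: str) -> bool:
    """May a response from request_host set 'Domain=domain_attr'?
    Yes when domain_attr is the host itself or a parent of it, and is not a
    public suffix, so the registrable domain is the widest cookie scope."""
    d = domain_attr.lower().lstrip(".")
    h = request_host.lower()
    if d in PUBLIC_SUFFIXES:
        return False
    return h == d or h.endswith("." + d)


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def same_site(a: str, b: str) -> bool:
    return registrable_domain(urlsplit(a).hostname) == registrable_domain(
        urlsplit(b).hostname)
```

Two subdomains of one registrable domain are different origins (separate localStorage) but the same site, so a cookie with Domain=example.com is the one channel they share; sibling tenants under a public suffix such as github.io get neither.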
