[Webkit-unassigned] [Bug 273193] Safari Intelligent Tracking Prevention is breaking same-site cross-subdomain sync for Transcend Consent Manager

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 30 11:39:34 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=273193

--- Comment #17 from John Wilander <wilander at apple.com> ---
(In reply to Eli Grey (:sephr) from comment #15)
> John, is syncing data privately same-site without cookies a currently
> supported or planned use case of WebKit?

As already mentioned above, you can use postMessage for this. I know you've mentioned persistence of partitioned data but that's not what you're asking about here.

We do not make commitments to changes or plan in open source. However, your feedback has been well received and we always take developers' input into account.

> If the answer is no, and if WebKit has no immediate plans to replace cookies or
> change how they work, then the net effect is a loss of privacy on the web as
> developers end up using cookies to fill this gap.

You can use postMessage, as mentioned.

> I believe that, barring a declaration to partition/replace/deprecate cookies,
> WebKit's current storage partitioning model effectively encourages privacy-harmful
> behavior among site owners by incentivizing the use of cookies to share state across
> subdomains.

Feedback noted. As mentioned, the origin boundary is typically favored by browsers, not in the least to decrease the pressure on the Public Suffix List. A good way forward may be to see if other browsers can partition by origin rather than site. I believe they have expressed a desire to do so but have not looked for supporting statements in standards issues.

The historical mistakes around how cookies work are well-known. They are rarely a good guide for how to develop modern web features.
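
The receiving side of the postMessage approach suggested in the reply above, as an added example that is not part of the original message and is not WebKit's or Transcend's code. It accepts state only from https origins under one explicitly configured site; `SITE`, the `consent-sync` message shape and all function names are assumptions made for illustration.

```javascript
// Added example; SITE, the message shape and all function names are hypothetical.
const SITE = "example.com"; // assumed registrable domain, configured rather than derived

// True only for https origins whose host is SITE or one of its subdomains.
function isSameSiteOrigin(origin, site = SITE) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // opaque origins serialize as "null" and fail to parse
  }
  if (url.protocol !== "https:") return false;
  return url.hostname === site || url.hostname.endsWith("." + site);
}

// Builds a handler for window.addEventListener("message", handler).
// `store` holds the receiving subdomain's copy of the synced state.
function makeSyncReceiver(store, site = SITE) {
  return function onMessage(event) {
    if (!isSameSiteOrigin(event.origin, site)) return false; // foreign sender
    const msg = event.data;
    if (typeof msg !== "object" || msg === null || msg.type !== "consent-sync") return false;
    if (!Number.isFinite(msg.updatedAt)) return false;
    const p = msg.purposes;
    if (typeof p !== "object" || p === null || Array.isArray(p)) return false;
    const clean = Object.create(null); // no prototype, so "__proto__" is just a key
    for (const [name, allowed] of Object.entries(p)) {
      if (typeof allowed !== "boolean") return false; // accept flags only
      clean[name] = allowed;
    }
    if (store.updatedAt !== undefined && msg.updatedAt <= store.updatedAt) return false; // stale
    store.purposes = clean;
    store.updatedAt = msg.updatedAt;
    // Acknowledge to the validated origin only, never "*".
    if (event.source) {
      event.source.postMessage({ type: "consent-ack", updatedAt: msg.updatedAt }, event.origin);
    }
    return true;
  };
}
```

The suffix comparison includes the leading dot, so look-alike hosts such as `evil-example.com` and `example.com.evil.test` are rejected.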
