W3C Technical Architecture Group slaps down Google's proposal to treat multiple domains as same origin
First Party Sets 'harmful to the web in its current form'
A Google proposal which enables a web browser to treat a group of domains as one for privacy and security reasons has been opposed by the W3C Technical Architecture Group (TAG).
Google's First Party Sets (FPS) relates to the way web browsers determine whether a cookie or other resource comes from the same site to which the user has navigated or from another site. The browser is likely to treat these differently, an obvious example being the plan to block third-party cookies.
The proposal suggests that where multiple domains owned by the same entity – such as google.com, google.co.uk, and youtube.com – they could be grouped into sets which "allow related domain names to declare themselves as the same first-party."
The idea allows for sites to declare their own sets by means of a manifest in a known location. It also states that "the browser vendor could maintain a list of domains which meet its UA [User Agent] policy, and ship it in the browser."
This could lead to more application developers targeting specific browsers and writing web apps that only work (or are limited to) those browsers
In February 2019, Google software engineer Mike West requested a TAG review and feedback on the proposal was published yesterday. "It has been reviewed by the TAG and represents a consensus view," the document says.
According to the TAG, "the architectural plank of the origin has remained relatively steady" over the last 10 years, despite major changes in web technology. It added: "We are concerned that this proposal weakens the concept of origin without considering the full implications of this action." The group identified some vagueness in the proposal, such as whether FPS applies to permissions such as access to microphone and camera.
Google says once third-party cookies are toast, Chrome won't help ad networks track individuals around the webREAD MORE
A Google Chrome engineering manager has stated: "No, we are not proposing to change the scope for permissions. The current scope for FPS is only to be treated as a privacy boundary where browsers impose cross-site tracking limitations." But the TAG reckons that the precise scope of FPS should be laid out in the proposal.
A second concern is over the suggestion that browser vendors would ship their own lists. "This could lead to more application developers targeting specific browsers and writing web apps that only work (or are limited to) those browsers, which is not a desirable outcome," said the TAG.
Defaults have a powerful effect, and it is easy to imagine, for example, Google shipping its market-dominating Chrome browser with a list that said youtube.com and google.co.uk are the same site from a privacy perspective, while the user may want to distinguish them but might not know how to change the setting or be aware of it. "First Party Sets could let a user agent or browser approve sites as a set in the interest of those sites or cookie-issuers (like advertisers), rather than in the interest of the user," said the TAG.
The TAG had particular concerns about FPS in the context of Google's separate proposal for a "privacy sandbox."
FPS "seeks to redefine what it means to be a third-party cookie," said the TAG, which throws into question "the efficacy of the privacy sandbox." From Google's perspective, FPS is listed as one of the building blocks of the privacy sandbox technology.
The group also objected to the way FPS "adds a complex configuration layer to the web" and noted "strong objections by other implementers" including Mozilla and Apple. Apple's WebKit lead, Maciej Stachowiak, for example, was concerned about "bad faith claims," adding:.
How to prevent domains that are not actually owned and controlled by the same party from making claims of being related? For example, an ad network could get its top publishers to enter an association to regain a certain level of tracking powers.
The TAG concluded that "we consider the First Party Sets proposal harmful to the web in its current form... this proposal undermines the concept of origin, and we see origin as a load-bearing structural pillar of web architecture."
The review added: "It is likely that this proposal only benefits powerful, large entities that control both an implementation and services," leaving the reader to work out examples of such entities. Finally, the TAG warned of requests for new features "that depend on First Party Sets," noting that one such feature, SameParty Cookies, had already been submitted for review.
There are some strong words in this review, and it is also worth noting that TAG members include Tim Berners-Lee, inventor of the Web. Google has already implemented both First Party Sets and SameParty cookies in Chrome 89, the current version, where they are included as an "origin trial" to "allow developers to try out new features and give feedback." Origin trials are off by default, but can be enabled by developers for a specific site after registration, or by the user in Chrome settings. ®