W3C Technical Architecture Group slaps down Google's proposal to treat multiple domains as same origin

First Party Sets 'harmful to the web in its current form'

A Google proposal which enables a web browser to treat a group of domains as one for privacy and security reasons has been opposed by the W3C Technical Architecture Group (TAG).

Google's First Party Sets (FPS) relates to the way web browsers determine whether a cookie or other resource comes from the same site to which the user has navigated or from another site. The browser is likely to treat these differently, an obvious example being the plan to block third-party cookies.

The proposal suggests that where multiple domains owned by the same entity – such as google.com, google.co.uk, and youtube.com – they could be grouped into sets which "allow related domain names to declare themselves as the same first-party."

The idea allows for sites to declare their own sets by means of a manifest in a known location. It also states that "the browser vendor could maintain a list of domains which meet its UA [User Agent] policy, and ship it in the browser."

This could lead to more application developers targeting specific browsers and writing web apps that only work (or are limited to) those browsers

In February 2019, Google software engineer Mike West requested a TAG review and feedback on the proposal was published yesterday. "It has been reviewed by the TAG and represents a consensus view," the document says.

According to the TAG, "the architectural plank of the origin has remained relatively steady" over the last 10 years, despite major changes in web technology. It added: "We are concerned that this proposal weakens the concept of origin without considering the full implications of this action." The group identified some vagueness in the proposal, such as whether FPS applies to permissions such as access to microphone and camera.

Illustration of an eye looking at you through binary numbers

Google says once third-party cookies are toast, Chrome won't help ad networks track individuals around the web


A Google Chrome engineering manager has stated: "No, we are not proposing to change the scope for permissions. The current scope for FPS is only to be treated as a privacy boundary where browsers impose cross-site tracking limitations." But the TAG reckons that the precise scope of FPS should be laid out in the proposal.

A second concern is over the suggestion that browser vendors would ship their own lists. "This could lead to more application developers targeting specific browsers and writing web apps that only work (or are limited to) those browsers, which is not a desirable outcome," said the TAG.

Defaults have a powerful effect, and it is easy to imagine, for example, Google shipping its market-dominating Chrome browser with a list that said youtube.com and google.co.uk are the same site from a privacy perspective, while the user may want to distinguish them but might not know how to change the setting or be aware of it. "First Party Sets could let a user agent or browser approve sites as a set in the interest of those sites or cookie-issuers (like advertisers), rather than in the interest of the user," said the TAG.

The TAG had particular concerns about FPS in the context of Google's separate proposal for a "privacy sandbox."

FPS "seeks to redefine what it means to be a third-party cookie," said the TAG, which throws into question "the efficacy of the privacy sandbox." From Google's perspective, FPS is listed as one of the building blocks of the privacy sandbox technology.

The group also objected to the way FPS "adds a complex configuration layer to the web" and noted "strong objections by other implementers" including Mozilla and Apple. Apple's WebKit lead, Maciej Stachowiak, for example, was concerned about "bad faith claims," adding:.

How to prevent domains that are not actually owned and controlled by the same party from making claims of being related? For example, an ad network could get its top publishers to enter an association to regain a certain level of tracking powers.

The TAG concluded that "we consider the First Party Sets proposal harmful to the web in its current form... this proposal undermines the concept of origin, and we see origin as a load-bearing structural pillar of web architecture."

The review added: "It is likely that this proposal only benefits powerful, large entities that control both an implementation and services," leaving the reader to work out examples of such entities. Finally, the TAG warned of requests for new features "that depend on First Party Sets," noting that one such feature, SameParty Cookies, had already been submitted for review.

There are some strong words in this review, and it is also worth noting that TAG members include Tim Berners-Lee, inventor of the Web. Google has already implemented both First Party Sets and SameParty cookies in Chrome 89, the current version, where they are included as an "origin trial" to "allow developers to try out new features and give feedback." Origin trials are off by default, but can be enabled by developers for a specific site after registration, or by the user in Chrome settings. ®

Similar topics

Broader topics

Other stories you might like

  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading

Biting the hand that feeds IT © 1998–2022