W3C Technical Architecture Group slaps down Google's proposal to treat multiple domains as same origin

A Google proposal which enables a web browser to treat a group of domains as one for privacy and security reasons has been opposed by the W3C Technical Architecture Group (TAG). Google's First Party Sets (FPS) relates to the way web browsers determine whether a cookie or other resource comes from the same site to which the …

  1. Mage Silver badge
    Devil

    Google: Only Do Evil

    This proposal is evil beyond belief!

    1. hoola Silver badge

      Re: Google: Only Do Evil

      It is Google, what more could you want.

      It really does just beggar belief some of the stuff they come up with. Who knows what they will be doing under the covers in Chrome Browser with this sort of stuff, even if they don't get their way.

  2. Tom Chiverton 1

    If Chrome wants to do this, they can just shove all their domains into the same origin anyway. It's their browser, if they want to break it. Stay out of everyone else's.

    At this point, if Google suggest something, the default should be "nope"; much like when the NSA 'suggest' encryption parameters...

  3. The commentard formerly known as Mister_C
    WTF?

    Nay, Nay and Thrice Nay

    This is malignant at sooo many levels.

    google.com and google.co.uk are owned by the same corporation (*). There will be many, many cases where foo.com, foo.org, foo.co.uk and foo.eu belong to different organisations. How will a user be able to give informed consent for blanket cookies to any of the foo?

    That youtube belongs to google is (sort of) widespread knowledge. How does the average user know who "newly_aquired_startup.com" belongs to - the original founders, or the megacorp that bought them yesterday? And next week, when the megacorp sells them on? Which entity owns the blanket cookie then?

    If I need to enable cookies in order to access a .gov.uk website, does this give the government carte blanche for a blanket cookie? Or does Crapita (provider of the service behind the .gov.uk) get the blanket cookie? Or do both get a golden ticket?

    (*) They'll point out that they are discrete entities when they need - tax reasons, for instance.

    1. stiine Silver badge

      Re: Nay, Nay and Thrice Nay

      It's worse than that. Think of parked domains? They're all owned by a small set of companies and would all fall under the same small set of origins.

    2. Roland6 Silver badge

      Re: Nay, Nay and Thrice Nay

      You've missed the best part: "The idea allows for sites to declare their own sets by means of a manifest in a known location."

      To me a known location is remote to the user, i.e. part of the website under the control of a third-party. Which means that I could dynamically add all sorts of domains on the fly to my manifest, e.g.:

      mydomain.com

      google.co.uk

      facebook.com

      malvertising.com

      1. Nick Ryan Silver badge

        Re: Nay, Nay and Thrice Nay

        From my understanding a site could declare whatever it wants, however the site that it declares domain equivalence with must also declare the same in return. Therefore while your website could declare facebook.com to be a part of your domain, facebook.com would also have to declare your website to be a part of your domain for the equivalence to hold. Quite a lot of cross-domain requests could stem from such an implementation and if not careful it could be relatively easy to abuse, which is where the problems start.

        1. moonchild

          Re: Nay, Nay and Thrice Nay

          I think you're missing the point. Websites can make a browser treat any domain as if it was the visited domain, including e.g. advertising or social media that you don't want to be tracked by (and would normally be restricted by same-origin policies). Of course advertisers will have the broadest allowance possible to be trusted for inclusion in first party sets because it will only benefit them.
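Added illustration, not part of any comment above and not code from the First Party Sets proposal: the reciprocal-declaration check Nick Ryan describes, run over constructed manifests, showing that one-sided claims are dropped while a mutually declared third party (the case moonchild raises) still passes. The manifest shape, the `.example` domains and the function names are assumptions made for this sketch.

```javascript
// Hypothetical manifest shape: domain -> list of domains it claims as peers.
// Constructed sample data standing in for each domain's published manifest.
const MANIFESTS = {
  "mydomain.example": ["shop.mydomain.example", "social.example",
                       "malvertising.example", "unlisted.example"],
  "shop.mydomain.example": ["mydomain.example"],   // reciprocates
  "social.example": [],                            // does not reciprocate
  "malvertising.example": ["mydomain.example"],    // third party that claims the site back
  // "unlisted.example" publishes no manifest at all
};

// Stand-in for fetching a manifest; counts lookups so the number of
// cross-domain requests needed for validation is visible.
function makeFetcher(manifests) {
  let lookups = 0;
  return {
    get: (domain) => { lookups += 1; return manifests[domain] ?? null; },
    count: () => lookups,
  };
}

// Case-fold and drop a trailing dot so "Foo.example." equals "foo.example".
function normalize(domain) {
  return String(domain).trim().toLowerCase().replace(/\.$/, "");
}

// A claimed peer is accepted only if its own manifest lists `site` back;
// a missing manifest or a one-sided claim is rejected.
function resolveClaims(site, manifests) {
  const fetcher = makeFetcher(manifests);
  const self = normalize(site);
  const claimed = [...new Set((fetcher.get(self) ?? []).map(normalize))]
    .filter((d) => d !== self);
  const accepted = [];
  const rejected = [];
  for (const peer of claimed) {
    const peerClaims = fetcher.get(peer);          // one extra lookup per claimed peer
    const reciprocal = Array.isArray(peerClaims) &&
      peerClaims.map(normalize).includes(self);
    (reciprocal ? accepted : rejected).push(peer);
  }
  return {
    accepted: accepted.sort(),
    rejected: rejected.sort(),
    lookups: fetcher.count(),
  };
}

console.log(resolveClaims("mydomain.example", MANIFESTS));
```

The check costs one manifest lookup per claimed domain, and it only tells the browser that both sides agreed, not that they share an owner.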

    3. ewanm89

      Re: Nay, Nay and Thrice Nay

      Think of doubleclick.com, that is the one they really want in there

  4. b0llchit Silver badge
    Mushroom

    Evolution

    Next project is to morph chrome into the WWGW (World Wide Google Web) browser. It is a fork from the WWW and guarantees a platform with no interference from W3C. Finally we can evolve the web into a progressive vehicle, where only commercial interests will rule as it should be. Amazon, Microsoft and Facebook have already shown interest in the concept and have indicated a shared interest. Apple did not comment directly, but it is assumed, from off-the-record talks, that Apple's garden wall will soon be reinforced to new heights and an Apple iFork for iWeb may be in consideration.

    The rest of the online shops will soon have to decide to become iShops or Gshops. This will be known to future generations as the Great Split of Power. There can no longer be an unprofitable backward compatible middle way.

    1. RegGuy1 Silver badge

      Re: Evolution

      Hey, now that we have brexit we can do what we want and tell Google, Facebook, M$ and the rest to fuck off. We are sovereign and that's all that matters.

      No, wait.

      I don't think I've thought this through.

      EU. Hello, EU. Can we come back again please? I think we may have shafted ourselves,

    2. Nick Ryan Silver badge

      Re: Evolution

      We already had Internet Explorer screwing over standards and even the most basic elements of security all in the name of Microsoft's crap ActiveX toolchain. Might as well repeat the same mistake...

  5. Pascal Monett Silver badge
    Mushroom

    "No, we are not proposing to change the scope for permissions"

    All we want is that everything Alphabet be recognized as a single entity, so we can scrape, pilfer and track everything with even more ease.

    Google, go fuck yourself.

  6. sbt
    Mushroom

    Tell me again why it's OK that ...

    ... the dominant advertising broker is also the dominant browser developer?

    De-verticalise big tech now!

    Don't be fooled, these aren't walled gardens, they're prisons.

    1. Anonymous Coward

      Re: Tell me again why it's OK that ...

      They give the browser away for free, how can you stop that? Now you see the evil of the Silicon Valley business model, and how ruthlessly effective it is for the chosen few companies. It's designed to crush any potential competition, and powerful monopolies are the natural result.

      1. sbt
        Go

        Re: They give the browser away for free, how can you stop that?

        Separate the browser business from the advertising business. Then they'd have to look at how their business model as a browser vendor supports giving it away. Like the others do.

  7. RM Myers
    Coat

    the W3C Technical Architecture Group (TAG)

    I don't understand. Is W3C a standard setting group for the internet? If so, why do we need another one? I thought that was Google's job. I'm fairly sure that Google agrees with me.

    1. nematoad Silver badge

      Re: the W3C Technical Architecture Group (TAG)

      Be careful.

      Irony detection is a little lacking in some of the denizens of El Reg and you might get a load of down votes.

      There really should be an "Irony" icon to avoid these little misunderstandings.

      1. a pressbutton

        Re: the W3C Technical Architecture Group (TAG)

        Perhaps a picture of the Spanish Inquisition?

        - unexpected and funny

      2. ecarlseen

        Re: the W3C Technical Architecture Group (TAG)

        I currently have a 4:1 upvote:downvote ratio, which I think is healthy. If I'm not getting blasted with downvotes on occasion then I'm probably not contributing anything interesting to the discussion. If people can't detect irony, sarcasm, or satire then... oh well. Their tears taste sweet to me.

        And, yes, I already know which groups of people might upvote this and which groups of people might downvote this. Whatever.

  8. Anonymous Coward

    Google is becoming more and more desperate

    and they will stop at nothing to make sure they can maintain dominance of the advertising market. They shouldn't be allowed to participate in those standards groups.

  9. This post has been deleted by its author

  10. deive

    If Google want their domains to be as one... then they can move to one domain.

  11. Claverhouse Silver badge
    Mushroom

    Who the hell collects cookies ?

    1. gerdesj Silver badge
      Gimp

      The cookie monster: Google ommmnomnomnom

  12. Rich 2

    Google are being “honest” for once

    "No, we are not proposing to change the scope for permissions. The current scope for FPS is only to be treated as a privacy boundary where browsers impose cross-site tracking limitations."

    See - they are being very clear what the proposal is for - it’s to make it easier to track you. What’s the problem with that?

  13. moonchild

    Add Goanna to the list

    You can add Goanna/Pale Moon to the list of implementers with "strong objections". We've opposed this from the moment it was mentioned.

    While it may not change the scope of the device permissions system implemented by Google, it does change the scope of permissions in a much broader sense.

    We (all implementers) have worked hard for over a decade to strictly separate origins as an essential security and privacy measure. FPS would erode that, especially with the ambiguous wording of the proposal as it stands now. A same-origin policy is a good thing. You don't want to start making exceptions to it that are out of the user's control; that's a slippery slope towards full control over content by the web, not the user.
