W3C Technical Architecture Group slaps down Google's proposal to treat multiple domains as same origin

A Google proposal which enables a web browser to treat a group of domains as one for privacy and security reasons has been opposed by the W3C Technical Architecture Group (TAG). Google's First Party Sets (FPS) relates to the way web browsers determine whether a cookie or other resource comes from the same site to which the …

  1. Mage Silver badge

    Google: Only Do Evil

    This proposal is evil beyond belief!

    1. hoola Silver badge

      Re: Google: Only Do Evil

      It is Google, what more could you want.

      It really does just beggar belief some of the stuff they come up with. Who knows what they will be doing under the covers in Chrome Browser with this sort of stuff, even if they don't get their way.

  2. Tom Chiverton 1

    If Chrome wants to do this, they can just shove all their domains into the same origin anyway. It's their browser, if they want to break it. Stay out of everyone else's.

    At this point, if Google suggest something, the default should be "nope"; much like when the NSA 'suggest' encryption parameters...

  3. The commentard formerly known as Mister_C

    Nay, Nay and Thrice Nay

    This is malignant at sooo many levels.

    google.com and google.co.uk are owned by the same corporation (*). There will be many, many cases where foo.com, foo.org, foo.co.uk and foo.eu belong to different organisations. How will a user be able to give informed consent for blanket cookies to any of the foo?

    That youtube belongs to google is (sort of) widespread knowledge. How does the average user know who "newly_aquired_startup.com" belongs to - the original founders, or the megacorp that bought them yesterday? And next week, when the megacorp sells them on? Which entity owns the blanket cookie then?

    If I need to enable cookies in order to access a .gov.uk website, does this give the government carte blanche for a blanket cookie? Or does Crapita (provider of the service behind the .gov.uk) get the blanket cookie? Or do both get a golden ticket?

    (*) They'll point out that they are discrete entities when they need - tax reasons, for instance.

    1. stiine Silver badge

      Re: Nay, Nay and Thrice Nay

      It's worse than that. Think of parked domains? They're all owned by a small set of companies and would all fall under the same small set of origins.

    2. Roland6 Silver badge

      Re: Nay, Nay and Thrice Nay

      You've missed the best part: "The idea allows for sites to declare their own sets by means of a manifest in a known location."

      To me a known location is remote to the user, i.e. part of the website under the control of a third-party. Which means that I could dynamically add all sorts of domains on the fly to my manifest, e.g.:

      mydomain.com

      google.co.uk

      facebook.com

      malvertising.com

      1. Nick Ryan Silver badge

        Re: Nay, Nay and Thrice Nay

        From my understanding a site could declare whatever it wants, however the site that it declares domain equivalence with must also declare the same in return. Therefore while your website could declare facebook.com to be a part of your domain, facebook.com would also have to declare your website to be a part of your domain for the equivalence to hold. Quite a lot of cross-domain requests could stem from such an implementation and if not careful it could be relatively easy to abuse, which is where the problems start.
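The reciprocity rule described in the comment above, as an added example that is not part of the thread or of Google's proposal. The manifest shape (a domain mapped to the list of domains it claims) and every `.example` name are constructed assumptions; `resolveSet` keeps only claims the other side confirms, and `isMutualSet` shows that pairwise confirmation alone does not make a consistent set.

```javascript
// Constructed sample data: domain -> domains its (hypothetical) manifest claims.
const manifests = {
  "mydomain.example": ["shop.example", "cdn.example", "facebook.example"],
  "shop.example": ["mydomain.example"],
  "cdn.example": ["mydomain.example"],
  "facebook.example": ["instagram.example"],
  // instagram.example publishes no manifest at all in this sample.
};

// Claims published by a domain; a missing or malformed manifest claims nothing.
function claimsOf(all, domain) {
  return Array.isArray(all[domain]) ? all[domain] : [];
}

// Keep only the claims that the claimed domain declares in return.
// One-sided claims are reported separately so they can be logged or alerted on.
function resolveSet(site, all) {
  const accepted = [site];
  const rejected = [];
  for (const other of new Set(claimsOf(all, site))) {
    if (other === site) continue;
    if (claimsOf(all, other).includes(site)) accepted.push(other);
    else rejected.push(other);
  }
  return { accepted: accepted.sort(), rejected: rejected.sort() };
}

// Stricter check: every member must be confirmed by every other member.
// Pairwise reciprocity with one hub is not enough to pass this.
function isMutualSet(members, all) {
  return members.every((a) =>
    members.every((b) => a === b || claimsOf(all, a).includes(b))
  );
}

const result = resolveSet("mydomain.example", manifests);
console.log(result, isMutualSet(result.accepted, manifests));
```
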

        1. moonchild

          Re: Nay, Nay and Thrice Nay

          I think you're missing the point. Websites can make a browser treat any domain as if it was the visited domain, including e.g. advertising or social media that you don't want to be tracked by (and would normally be restricted by same-origin policies). Of course advertisers will have the broadest allowance possible to be trusted for inclusion in first party sets because it will only benefit them.

    3. ewanm89

      Re: Nay, Nay and Thrice Nay

      Think of doubleclick.com, that is the one they really want in there.

  4. b0llchit Silver badge

    Evolution

    Next project is to morph chrome into the WWGW (World Wide Google Web) browser. It is a fork from the WWW and guarantees a platform with no interference from W3C. Finally we can evolve the web into a progressive vehicle, where only commercial interests will rule as it should be. Amazon, Microsoft and Facebook have already shown interest in the concept and have indicated a shared interest. Apple did not comment directly, but it is assumed, from off-the-record talks, that Apple's garden wall will soon be reinforced to new heights and an Apple iFork for iWeb may be in consideration.

    The rest of the online shops will soon have to decide to become iShops or Gshops. This will be known to future generations as the Great Split of Power. There can no longer be an unprofitable backward compatible middle way.

    1. RegGuy1 Silver badge

      Re: Evolution

      Hey, now that we have brexit we can do what we want and tell Google, Facebook, M$ and the rest to fuck off. We are sovereign and that's all that matters.

      No, wait.

      I don't think I've thought this through.

      EU. Hello, EU. Can we come back again please? I think we may have shafted ourselves.

    2. Nick Ryan Silver badge

      Re: Evolution

      We already had Internet Explorer screwing over standards and even the most basic elements of security all in the name of Microsoft's crap ActiveX toolchain. Might as well repeat the same mistake...

  5. Pascal Monett Silver badge

    "No, we are not proposing to change the scope for permissions"

    All we want is that everything Alphabet be recognized as a single entity, so we can scrape, pilfer and track everything with even more ease.

    Google, go fuck yourself.

  6. sbt

    Tell me again why it's OK that ...

    ... the dominant advertising broker is also the dominant browser developer?

    De-verticalise big tech now!

    Don't be fooled, these aren't walled gardens, they're prisons.

    1. Anonymous Coward

      Re: Tell me again why it's OK that ...

      They give the browser away for free, how can you stop that? Now you see the evil of the Silicon Valley business model, and how ruthlessly effective it is for the chosen few companies. It's designed to crush any potential competition, and powerful monopolies are the natural result.

      1. sbt

        Re: They give the browser away for free, how can you stop that?

        Separate the browser business from the advertising business. Then they'd have to look at how their business model as a browser vendor supports giving it away. Like the others do.

  7. RM Myers

    the W3C Technical Architecture Group (TAG)

    I don't understand. Is W3C a standard setting group for the internet? If so, why do we need another one? I thought that was Google's job. I'm fairly sure that Google agrees with me.

    1. nematoad

      Re: the W3C Technical Architecture Group (TAG)

      Be careful.

      Irony detection is a little lacking in some of the denizens of El Reg and you might get a load of down votes.

      There really should be an "Irony" icon to avoid these little misunderstandings.

      1. a pressbutton

        Re: the W3C Technical Architecture Group (TAG)

        Perhaps a picture of the Spanish Inquisition?

        - unexpected and funny

      2. ecarlseen

        Re: the W3C Technical Architecture Group (TAG)

        I currently have a 4:1 upvote:downvote ratio, which I think is healthy. If I'm not getting blasted with downvotes on occasion then I'm probably not contributing anything interesting to the discussion. If people can't detect irony, sarcasm, or satire then... oh well. Their tears taste sweet to me.

        And, yes, I already know which groups of people might upvote this and which groups of people might downvote this. Whatever.

  8. Anonymous Coward

    Google is becoming more and more desperate

    and they will stop at nothing to make sure they can maintain dominance of the advertising market. They shouldn't be allowed to participate in those standards groups.

  9. This post has been deleted by its author

  10. deive

    If Google want their domains to be as one... then they can move to one domain.

  11. Claverhouse Silver badge

    Who the hell collects cookies ?

    1. Anonymous Coward

      The cookie monster: Google ommmnomnomnom

  12. Rich 2 Silver badge

    Google are being “honest” for once

    "No, we are not proposing to change the scope for permissions. The current scope for FPS is only to be treated as a privacy boundary where browsers impose cross-site tracking limitations."

    See - they are being very clear what the proposal is for - it’s to make it easier to track you. What’s the problem with that?

  13. moonchild

    Add Goanna to the list

    You can add Goanna/Pale Moon to the list of implementers with "strong objections". We've opposed this from the moment it was mentioned.

    While it may not change the scope of the device permissions system implemented by Google, it does change the scope of permissions in a much broader sense.

    We (all implementers) have worked hard for over a decade to strictly separate origins as an essential security and privacy measure. FPS would erode that, especially with the ambiguous wording of the proposal as it stands now. A same-origin policy is a good thing. You don't want to start making exceptions to it that are out of the user's control; that's a slippery slope towards full control over content by the web, not the user.
