Thirdparty: Difference between revisions

Line 51: Line 51:
With that, I propose (where it is implied that the first party domain carries over, until reset):


1) Typing in the urlbar, loading bookmarks, other totally toplevel actions -- resets first party domain.
:1. Typing in the urlbar, loading bookmarks, other totally toplevel actions -- resets first party domain.
2) Link clicks (href tags) -- resets (but I'm not sure about this yet).
:2. Link clicks (href tags) -- resets (but I'm not sure about this yet).
3) Setting document.location -- carries over first party domain. (It's hard to distinguish a user-initiated action that results in a document.location change vs. an automated change. So we have to go with carrying over here.)
:3. Setting document.location -- carries over first party domain. (It's hard to distinguish a user-initiated action that results in a document.location change vs. an automated change. So we have to go with carrying over here.)
4) Redirects -- carries over.
:4. Redirects -- carries over.
5) Popup windows -- carries over.
:5. Popup windows -- carries over.


We might want to make link clicks carry over the first party. Rationale: a site that relies on an href click (to a third party) to perform a login operation, rather than using a redirect or document.location, needs that load to carry over the first party such that things work when redirected back. The downside is that long browsing sessions in a single tab, across multiple sites, will result in them all being considered third party. (And thus allow behavioral tracking during that tab lifetime.) Having it reset is probably a good tradeoff, since it's less surprising. But it would allow holes, e.g. where a site has a link targeted at ads.google.com which then redirects back to some content.
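
Review bot: the new revision's list items (":1." through ":5.") still carry hand-typed numbers behind a ":" indent. MediaWiki's ordered-list markup ("#", or ":#" to keep the indent) would number the five items automatically, so the numbering stays correct if an item is later added or removed.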