HTTP State Tokens #297
Comments
|
Maybe we can talk about this at TPAC, since we'll all(?) be there? |
|
Would you be able to compile security & privacy considerations? |
|
That's basically the whole explainer? What would you like to see? |
|
So it seems like this turns something that currently requires sites to actively track (i.e., set a cookie) into something that can now be done passively, since it at least looks like this is proposing that the HTTP state token be sent whether or not the site requests it. Though maybe that's not the intent, and the idea is that it would only be sent after |
|
@mikewest - we didn't get a chance to discuss this at TPAC. Is there any additional implementer interest? Also to David's point, will implementation of this proposal diminish the ability for the user to measure how they are being tracked? Also, will an origin get different tokens depending on the top level origin (i.e. double-keying). |
torgo
added
Progress: pending external feedback
Two points:
None that I know of.
I don't see how it would. Users would remain in control of these tokens in the same way they're in control of cookies.
That seems like a choice specific user agents could make. I'd note that Safari is the only browser to double-key storage, and they've just removed cookie partitioning from tip-of-tree WebKit. It seems more likely to me that folks will follow Firefox's approach of gating access completely for particular origins rather than attempting to shard identity across top-level pages, but I think this proposal would give user agents flexibility to do so as they see fit. |
|
Assuming |
The proposal suggests that we mint tokens proactively for things that the user navigates to as first-parties. It does not suggest that we do the same for things that the user does not navigate to as a first-party, even if they really want it. Can you help me understand the scenario in which Lightbeam would show users bad information, or somehow misunderstand/underestimate the tracking potential a user's navigations expose? |
|
There's an enum in the explainer? (I don't see one.) So perhaps not Lightbeam exactly -- but tools that help users understand what's happening with their information. So just as we try to minimize passive fingerprinting opportunities while worrying less about active fingerprinting, it seems like we ought to be concerned about the distinction between passive tracking versus active tracking -- probably even more so in tools designed for tracking than for the fingerprinting case. |
You're right. It's much more implicit than I thought it was in the
I agree that we need to be cognizant of the opportunities we're creating, and mindful of the ways in which they'll be abused. That said, this proposal is strictly narrower than status quo insofar as it does not allow tokens to be minted in third-party contexts, but only in first-party contexts. That is, the site which wishes to track users will need to "actively" deliver a |
|
It still seems like there is a reduction in the ability to study/monitor first-party tracking. I'm not sure how big a deal that reduction is -- but I'd think some people are interested in how much they're tracked by first parties. |
I don't understand how. But I'd love to chat about it more! :) |
|
Third-party tracking would still be possible, even without access to third-party cookies. A first-party browsing context could create an element, or execute an xhr, with a url formed from the session token.
var img = new Image();
img.src= //www.third-party-tracker.com?token= <http://www.third-party-tracker.com?token=> " +token;
www.third-party-tracker.com <http://www.third-party-tracker.com> could concatenate the token with the Referrer header to create a cross-origin unique identifier, or the first-party origin could be in another url param.
From: Mike West <[email protected]>
Sent: 01 November 2018 10:19
To: w3ctag/design-reviews <[email protected]>
Cc: Subscribed <[email protected]>
Subject: Re: [w3ctag/design-reviews] HTTP State Tokens (#297)
It still seems like there is a reduction in the ability to study/monitor first-party tracking.
I don't understand how. But I'd love to chat about it more! :)
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#297 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AEBCIkNn6bafSeLimw4Ex4NS9MqWX2WLks5uqsqHgaJpZM4V8N8q> . <https://github.com/notifications/beacon/AEBCIh-DRwu6iYGL4n2V-hkCn49IQoV2ks5uqsqHgaJpZM4V8N8q.gif>
|
|
Y'all might be interested in skimming through https://speakerdeck.com/mikewest/cookies-are-bad-at-http-workshop-2019, which walks through the proposal at a very high level. The spec linked above should be detailed enough to pick at, but the high-level direction is what I'm most interested in at this point: is this the right shape for a state management primitive? Should some of the constraints be loosened, tightened, etc? |
|
It doesn't really seem to me that cookies are beyond fixing. And web developers would be suited by incremental evolution of them (e.g., easier ways of clearing, truly origin-bound cookies, etc.). It's not really clear that reduction in size and no possibility for user-information in (these) headers is sufficient motivation for replacing them. And there's also massive infrastructure changes required that make adoption seem somewhat unlikely. |
|
I agree with @annevk: we should make today's cookies better incrementally and create a forward-looking, aspirational replacement in parallel so that the one approach doesn't block the other. |
|
This is a great idea, and I agree the short duration default of 1 hour is in the right ballpark.
One thing to consider: text that the user agent SHOULD alert the user when the response header calls for a longer duration, or raises scope from same-origin. This could be a prompt as in ITP or some kind of visible indication in the chrome, and the user should be able to interact with it to deny or restrict the change.
MikeO
From: Mike West <[email protected]>
Sent: 08 April 2019 13:36
To: w3ctag/design-reviews <[email protected]>
Cc: michael-oneill <[email protected]>; Comment <[email protected]>
Subject: Re: [w3ctag/design-reviews] HTTP State Tokens (#297)
Y'all might be interested in skimming through https://speakerdeck.com/mikewest/cookies-are-bad-at-http-workshop-2019, which walks through the proposal at a very high level. The spec linked above should be detailed enough to pick at, but the high-level direction is what I'm most interested in at this point.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#297 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AEBCIvNHrNYqrW3RZiWkzA1ly_Vcophpks5vezeqgaJpZM4V8N8q> . <https://github.com/notifications/beacon/AEBCIh3emTlICNMX_wZrjFYK6noXdjAzks5vezeqgaJpZM4V8N8q.gif>
|
|
Another thought: why not allow the expiry be delayed by resetting on user activity, key strokes etc. So the token stays alive while there is an active session, then times out after an hour. The default duration could be smaller then also (<1hr).
From: Mike West <[email protected]>
Sent: 08 April 2019 13:36
To: w3ctag/design-reviews <[email protected]>
Cc: michael-oneill <[email protected]>; Comment <[email protected]>
Subject: Re: [w3ctag/design-reviews] HTTP State Tokens (#297)
Y'all might be interested in skimming through https://speakerdeck.com/mikewest/cookies-are-bad-at-http-workshop-2019, which walks through the proposal at a very high level. The spec linked above should be detailed enough to pick at, but the high-level direction is what I'm most interested in at this point.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#297 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AEBCIvNHrNYqrW3RZiWkzA1ly_Vcophpks5vezeqgaJpZM4V8N8q> . <https://github.com/notifications/beacon/AEBCIh3emTlICNMX_wZrjFYK6noXdjAzks5vezeqgaJpZM4V8N8q.gif>
|
|
@mikewest to be clear, I don't think the case for the replacement has been sufficiently made. |
|
Picking this up at our f2f meeting today... |
|
After reviewing your RFC and especially point 1.2, I remain puzzled as to why developers would switch to http state tokens at all if cookies still exist? Why not "fix" cookies so that they have the security behaviour you're describing. @dbaron points out that this would "break" some content. Maybe it's time to break some content? Having said that, our proposal is that this should progress in the http working group rather than here and so we think this issue should probably be closed for now and then reopened when and if the http working group requests TAG review. @mikewest is it ok for us to close the comment for now? |
Will you be posting minutes? Stalking through GitHub and the usual places didn't turn anything up for me...
Technically, this proposal does some things that cookies can't (cookies don't do ports, for instance, nor can they directly assert provenance), which creates some security advantage to adoption. I know of ~3 places in Google that want some of these things, and I can imagine marginal adoption amongst the particularly savvy and beautiful developers. Non-technically, resetting expectations is, IMO, best done with a new thing that has a new name. I tried to make that case in the section of the ID that you mentioned. It appears you didn't find that work compelling, but I'd like to understand why?
We briefly touched on this in #297 (comment), and https://speakerdeck.com/mikewest/cookies-are-bad-at-http-workshop-2019:
I'll defer to y'all on this, but it surprises me. My impression has been that the TAG has generally been happier when looped into discussions that affect the underlying framework on which other things are built. I'd expect y'all to have somewhat authoritative opinions both about core concepts like authentication and state management. HTTPWG is clearly where standardization would happen, but it's not clear to me that there's as much of a liaison relationship there as you're suggesting (friendly folks like @mnot nonwithstanding!). I don't think the HTTPWG is in the habit of poking at the TAG for feedback. For example, https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html seems like something that y'all could weigh in on, as it has pretty clear implications for the design of APIs at the application layer. So far, I haven't seen that happen. Perhaps @mnot was planning on asking y'all to weigh in as the document moves to last call? |
|
W3C and IETF have a liaison, of course (ping @wseltzer), and we do try to keep the TAG in the loop on major developments where we can. IIRC I've brought SH up in person during our occasional syncs, but I don't think we've had a format TAG review. I'll be at TPAC next week (well, Tuesday to Thursday); if folks want to talk about it or just an overview, happy to oblige. |
|
@mikewest what is the status of this issue? Main concerns are the transition plan from Cookies to state tokens, and if smooth transition cannot be achieved, how can Cookies be modified to inherit the new properties of State Tokens? |
|
Hey, @ylafon!
It's on the back burner at the moment; Chrome has been focusing on the less-radical approach initiated in https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html for the near term, and I expect more incremental proposals to follow. I do intend to come back to this in light of some of the other cookie-related proposals Chrome is pushing for in the mid-term. That said, there's no action for y'all to take a the moment, and closing this out until I've found time to rewrite the proposal is probably reasonable. |
|
Thanks, @mikewest! We're just coming back to this at our Wellington face-to-face. We're happy to close it, and will look forward to seeing your new incremental proposals whenever you'd like us to. Cheers! |
Guten TAG,
I'm requesting a TAG review of:
Further details (optional):
You should also know that...
I'm only sending this to y'all at this point because I alluded to it in our last meeting. I'd appreciate y'all's feedback, but this isn't something folks have solidly bought into yet, and there's no risk of it shipping (or being implemented) anytime soon. It's a thought experiment I'd like y'all to participate in, which hopefully will lead to a reasonable design in the future.
We'd prefer the TAG provide feedback as (please select one):
The text was updated successfully, but these errors were encountered: