by NayamAmarshe on 8/29/24, 2:53 PM with 311 comments
by codedokode on 8/29/24, 8:33 PM
Regarding analytics, I believe browsers should take the user's side and not cooperate with marketing companies; even better, they should implement measures to make user tracking and fingerprinting more difficult. There is no need to track a user's browsing history; just make a product better than competitors (so that it gets first place in reviews and comparisons) and buy ads from influencers.
It would be great if browsers made fingerprinting more difficult, i.e., not allowed to read canvas data, not allowed to read the GPU name, enumerate audio cards, probe for installed extensions, etc. Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.
Regarding 3rd party cookies: instead of shady lists like RWS, browsers should just add a button that allows 3rd party cookies as an exception on a legacy website relying on them (which is probably not very secure). Although, there is a risk that newspaper websites, blog websites and question-and-answer websites will force users to press the button to see the content.
by JohnFen on 8/29/24, 7:00 PM
> Related Website Sets (RWS) is a way for a company to declare relationships among sites, so that browsers allow limited third-party cookie access for specific purposes.
So the website itself gets to declare other "blessed" domains that can bypass third party cookie blocks? Big websites are constantly looking for ways to abuse users by bypassing their attempts at protecting themselves. How would anyone think these sites can be trusted not to abuse this?
by thayne on 8/30/24, 6:56 AM
Yes, this can, and will, be abused for tracking users across domains that they don't expect to be related.
But there are also legitimate use cases for this.
For example, consider the stackexchange family of sites. They are clearly related, have a unified branding, etc. but are on separate domains. On Firefox, which blocks third party cookies, I have to log in to each of those domains separately. I can't log in to stackoverflow.com, then go to superuser.com and already be logged in. That is a problem that First party sets would solve.
You can argue that it would be better for those sites to be subdomains of a single unified domain, but when the sites were created there wasn't any compelling reason to need to do that, because third party cookies were still very much alive and kicking. And I can say from experience that migrating an app to a different domain without breaking things for users is a royal pain, and can be very expensive.
I'm not saying that First Party Sets should be accepted as is, but it is attempting to solve real problems. And I think a solution that simultaneously protects users' privacy and maintains a good experience for sites that are legitimately related will be difficult to find, or maybe impossible.
by styfle on 8/30/24, 11:29 AM
Or are developers supposed to submit their related domains to each browser and they all have their own list to maintain?
This sounds like HSTS.
[0]: https://github.com/GoogleChrome/related-website-sets/blob/ma...
by tomComb on 8/29/24, 5:06 PM
by callmeal on 8/29/24, 7:21 PM
by namdnay on 8/29/24, 4:05 PM
apparently this was written a few weeks ago :)
by knallfrosch on 8/29/24, 6:58 PM
by acheron on 8/29/24, 5:44 PM
by aftbit on 8/29/24, 6:14 PM
by enhancer on 8/30/24, 10:06 AM
by ssss11 on 8/30/24, 4:19 AM
by martinald on 8/30/24, 8:33 AM
by doo_daa on 8/29/24, 8:58 PM
by bugtodiffer on 8/30/24, 9:06 AM
Is that enough rationale to add this to the list?
by hashtag-til on 8/29/24, 4:49 PM
by nashashmi on 8/29/24, 5:33 PM
by mrwww on 8/30/24, 4:55 AM
by cabbageicefruit on 8/29/24, 5:09 PM
by svieira on 8/29/24, 4:32 PM
> In our study, the large majority of users (~73%) made at least one incorrect determination of whether two sites were related to each other, and almost half (~42%) of the determinations made during the study (i.e., all determinations from all users) were incorrect. Most concerning, of the cases where both sites were related (according to the RWS feature), users guessed that the sites were unrelated ~37% of the time, meaning that users would have thought Chrome was protecting them when it was not.
> ... We conclude from this that the premise underlying RWS is fundamentally incorrect; Web users are (understandably, predictably) not able to accurately determine whether two sites are owned by the same organization. And as a result, RWS is reintroducing exactly the kinds of privacy harms that third-party cookies cause.
> Lest anyone judge the study participants for being uninformed, or not taking the study seriously, consider for yourself: which of the following pairs of sites are related?
> 1. hindustantimes.com and healthshots.com
> 2. vwo.com and wingify.com
> 3. economictimes.com and cricbuzz.com
> 4. indiatoday.in and timesofindia.com
> (For the above quiz, if you chose “4”, then, unfortunately that is incorrect. That is in fact the only pair of the four that isn’t considered “related” to each other.)
by bradley13 on 8/29/24, 8:18 PM
by andresp on 8/30/24, 9:17 AM