Currently we don’t have any proper mechanisms to request a permission to store cookies of certain third-party domains. I think there should be a way to request a permission for storing third-party cookies for certain domains. Including “third-party cookies” in the Permission Registry looks like a good solution.
You mean, one permission per domain? So for example, Facebook would ask “Can I store cookies across the web (all websites)?” and if the user clicked yes, that would be it, and Facebook would not have to ask ever again?
There is also a proposal for a Feature Policy which would enable web authors to control which domains are allowed to store cookies on their sites: https://github.com/WICG/feature-policy/issues/85
> You mean, one permission per domain? So for example, Facebook would ask “Can I store cookies across the web (all websites)?”
No, I mean one permission per first-party domain. Example: “mycoolsite.com asks permission to store cookies for third-party site facebook.com”. If the user clicked yes, facebook.com will be allowed to store and receive cookies when the user visits mycoolsite.com.
Are there any stats on how many third-party cookies websites use on average?
I did a quick test loading cnn.com in an unprotected browser (Chrome without tracking protection and ad blocking), and I counted 16 third-party domains that set cookies (via Chrome DevTools). Would this not mean that the user would be shown just as many permission requests?
I think the more feasible solution is to let extensions (and browsers themselves) handle this, instead of asking users for permission on a case-by-case basis. For example, I use Ghostery and DuckDuckGo Privacy Essentials in Firefox. These extensions automatically block trackers, and I expect them to block tracking cookies as well, based on their reasonable defaults.
No, this would mean that the user would be shown one request for all third-party domains that need cookies to be accepted. The user should have an option to allow or disallow cookies for any of these third-party domains.
Those extensions rely on blocklisting. Blocklisting never was a good solution for tracking protection.
I don’t think it’s a good idea to expose such a permission prompt to the user. If someone visits CNN’s website, and a prompt appears with a list of 16 domains requesting cookie-setting permissions, how can we expect the user to know which of these domains should be allowed?
If a power user really needs this functionality, there are probably browser extensions for that. But we have to consider average users here. They just couldn’t handle such a prompt properly.
Hence, blocklists are the only solution for most users.
Whitelisting seems to be a better solution here. It would break third-party cookie tracking mechanisms, but it wouldn’t cause any compatibility problems for whitelisted domains.
- All prompts should be initiated by the user, not a website. ([Proposal] Permission requests should be available only in context of user-initiated events)
- Whitelisted domains should be allowed to store and read their cookies across the web.
- The user should have an option to include any domain in the whitelist.
- The user should have an option to exclude any domain from the whitelist.