[Proposal] Use permissions API to request third-party cookie permissions


#1

Currently we don’t have any proper mechanisms to request a permission to store cookies of certain third-party domains. I think there should be a way to request a permission for storing third-party cookies for certain domains. Including “third-party cookies” into Permission Registry looks like a good solution.


#2

You mean, one permission per domain? So for example, Facebook would ask “Can I store cookies across the web (all websites)?,” and if the user clicked yes, that would be it, and Facebook would not have to ask ever again?


#3

There is also a proposal for a Feature Policy which would enable web authors to control which domains are allowed to store cookies on their sites: https://github.com/WICG/feature-policy/issues/85


#4

> You mean, one permission per domain? So for example, Facebook would ask “Can I store cookies across the web (all websites)?,”

No, I mean one permission per first-party domain. Example: “mycoolsite.com asks permission to store cookies for third-party site facebook.com”. If the user clicked yes, facebook.com will be allowed to store and receive cookies when the user visits mycoolsite.com.


#5

Are there any stats on how many third-party cookies websites use on average?

I did a quick test loading cnn.com in an unprotected browser (Chrome without tracking protection and ad blocking), and I counted 16 third-party domains that set cookies (via Chrome DevTools). Would this not mean that the user would be shown just as many permission requests?

I think the more feasible solution is to let extensions (and browsers themselves) handle this, instead of asking users for permission on a case-by-case basis. For example, I use Ghostery and DuckDuckGo Privacy Essentials in Firefox. These extensions automatically block trackers, and I expect them to block tracking cookies as well, based on their reasonable defaults.


#6

No, this would mean that the user would be shown one request for all third-party domains that need cookies to be accepted. The user should have an option to allow or disallow cookies for any of these third-party domains.

Those extensions rely on blocklisting. Blocklisting never was a good solution for tracking protection.


#7

I don’t think it’s a good idea to expose such a permission prompt to the user. If someone visits CNN’s website, and a prompt appears with a list of 16 domains requesting cookie-setting permissions, how can we expect the user to know which of these domains should be allowed?

If a power user really needs this functionality, there are probably browser extensions for that. But we have to consider average users here. They just couldn’t handle such a prompt properly.

Hence, blocklists are the only solution for most users.


#8

Whitelisting seems to be a better solution here. It would break third-party cookie tracking mechanisms, but it wouldn’t cause any compatibility problems for whitelisted domains.

  1. All prompts should be initiated by the user, not a website. ([Proposal] Permission requests should be available only in context of user-initiated events)
  2. Whitelisted domains should be allowed to store and read their cookies across the web.
  3. The user should have an option to include any domain in the whitelist.
  4. The user should have an option to exclude any domain from the whitelist.
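
The two scoping options from posts #4 and #8, with the single batched request from post #6, modelled side by side. This is an added illustration, not part of any post and not a browser API: the class and function names are hypothetical, hosts are compared as exact strings, and the browsing session is constructed.

```javascript
// Hypothetical model; none of these names are a real browser API.
// A real browser would compare registrable domains (eTLD+1), not raw strings.

class ScopedGrants {            // post #4: a grant is a (first party, third party) pair
  constructor() { this.grants = new Map(); }  // firstParty -> Set of third parties
  // post #6: one request lists every third party the page needs;
  // `decide` stands in for the user's per-domain choice.
  request(firstParty, thirdParties, decide) {
    const allowed = this.grants.get(firstParty) ?? new Set();
    for (const tp of thirdParties) if (decide(tp)) allowed.add(tp);
    this.grants.set(firstParty, allowed);
  }
  allows(firstParty, thirdParty) {
    return firstParty === thirdParty ||
      (this.grants.get(firstParty)?.has(thirdParty) ?? false);
  }
}

class GlobalWhitelist {         // post #8: user-managed list, valid on every site
  constructor() { this.list = new Set(); }
  include(domain) { this.list.add(domain); }
  exclude(domain) { this.list.delete(domain); }
  allows(firstParty, thirdParty) {
    return firstParty === thirdParty || this.list.has(thirdParty);
  }
}

// First-party sites on which `thirdParty` gets its cookies during a session.
function sitesWhereCookieSent(policy, visits, thirdParty) {
  return visits
    .filter(v => v.embeds.includes(thirdParty) && policy.allows(v.site, thirdParty))
    .map(v => v.site);
}

// Constructed session: news.example, shop.example and ads.example are made up.
const visits = [
  { site: "mycoolsite.com", embeds: ["facebook.com", "ads.example"] },
  { site: "news.example",   embeds: ["facebook.com", "ads.example"] },
  { site: "shop.example",   embeds: ["facebook.com"] },
];

const scoped = new ScopedGrants();
scoped.request("mycoolsite.com", visits[0].embeds, tp => tp === "facebook.com");

const whitelist = new GlobalWhitelist();
whitelist.include("facebook.com");

console.log(sitesWhereCookieSent(scoped, visits, "facebook.com"));
console.log(sitesWhereCookieSent(whitelist, visits, "facebook.com"));
```

With the scoped grant the cookie is sent on one site only, while a whitelisted domain sees the user on every site that embeds it.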