
Full Third-Party Cookie Blocking - avastel
https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/#:~:text=Service%20Worker%20registrations%20and%20cache
======
saagarjha
Previously:
[https://news.ycombinator.com/item?id=22677605](https://news.ycombinator.com/item?id=22677605).

I think the specific thing being highlighted here is that some wording has
been changed since the original post; it used to only read "Service Worker
registrations"
([https://web.archive.org/web/20200324185029/https://webkit.or...](https://web.archive.org/web/20200324185029/https://webkit.org/blog/10218/full-
third-party-cookie-blocking-and-more/)) but now is "Service Worker
registrations _and cache_ ". This section right under it was also added:

> A Note On Web Applications Added to the Home Screen

> As mentioned, the seven-day cap on script-writable storage is gated on
> “after seven days of Safari use without user interaction on the site.” That
> is the case in Safari. Web applications added to the home screen are not
> part of Safari and thus have their own counter of days of use. Their days of
> use will match actual use of the web application which resets the timer. We
> do not expect the first-party in such a web application to have its website
> data deleted.

> If your web application does experience website data deletion, please let us
> know since we would consider it a serious bug. It is not the intention of
> Intelligent Tracking Prevention to delete website data for first parties in
> web applications.

------
lilyball
This was discussed previously at
[https://news.ycombinator.com/item?id=22677605](https://news.ycombinator.com/item?id=22677605)

------
Animats
How could browsers go further?

How about true opt-in? If you don't have to sign up for a site, with a login
known to the browser, all interaction with that site is forgotten at browser
exit or in an hour, and the site can't see any state from other sites.

If you do create an account and sign in, the browser should warn you that
tracking has now started.

------
mac-reality
I am wondering when/if Safari and Chrome are going to address CNAME cloaking.
Marketing and tracking companies are just having all their clients setup CNAME
records to alias their domains back to the tracking domain and setting it to
be a first party cookie to get around the new blocking techniques browsers are
using.

~~~
bad_user
I would argue that's OK.

The problem with third-party cookies is that information gets shared across
websites and thus your behavior can be tracked across websites.

If you set a CNAME to point to a third-party, the cookies become in fact
first-party and cross-domain tracking no longer works.

~~~
uallo
No it is not OK.

Cross-domain tracking still works. While every domain has its own cookie, it
is extremely simple to use fingerprinting to connect those cookies to a single
user.

------
Animats
In an unrelated note, Firefox just had a major screwup. They forced an update
to Firefox 75 on users without asking. At least on Linux, the update is broken
- right click menus are mostly blank.

There's no going back. Firefox now has "downgrade protection" \- if you
install an older version, it erases your preferences for "security".[1]

[1] [https://support.mozilla.org/en-US/kb/install-older-
version-o...](https://support.mozilla.org/en-US/kb/install-older-version-of-
firefox)

