On Thu, Oct 20, 2022 at 10:57 PM 'Dylan Cutler' via blink-dev <blink-dev@chromium.org> wrote:
> Contact emails:
>
> dylancut...@google.com, kaustub...@google.com
>
> Proposal repository:
>
> https://github.com/privacycg/CHIPS
>
> Design doc:
>
> https://docs.google.com/document/d/1wL2lCXpaVOi0cWOn_ehfLFIZQxT3t0SH-ANnZYPEB0I/edit?usp=sharing
>
> Specification:
>
> https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/

Can you expand on the plans for this I-D? Have y'all talked to the HTTPWG?

> Summary:
>
> Given that Chrome plans to deprecate unpartitioned third-party cookies, we
> want to give developers the ability to use cookies in cross-site contexts
> that are partitioned by top-level site to meet use cases
> <https://developer.chrome.com/en/docs/privacy-sandbox/chips/#use-cases>
> that don't track users cross-site (e.g. SaaS embeds, headless CMS, sandbox
> domains, etc.). Chrome will introduce a mechanism to opt into having
> third-party cookies partitioned by top-level site using a new cookie
> attribute, Partitioned.
>
> Since we announced our Intent to Experiment
> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_dJFNJpf91U/m/OXzFi_6wAwAJ?utm_medium=email&utm_source=footer>
> with CHIPS, there have been some changes to the API:
>
> - The Partitioned attribute no longer requires
>   <https://github.com/privacycg/CHIPS/pull/46> the __Host- prefix or its
>   required attributes. The Secure requirement remains.
>
> - We are changing the per-partition-per-domain limit to be based on the
>   total size (in bytes) of the cookies set by a domain in a particular
>   partition in addition to the number of cookies. We intend
>   <https://github.com/privacycg/CHIPS/issues/48#issuecomment-1264126065>
>   to impose a limit of 10 KB per-embedded-site, per-top-level-site and
>   increase the numeric limit from 10 to 180.
>
> - For sites embedded in top-level domains that are in a First-Party Set
>   <https://github.com/WICG/first-party-sets>, their cookies' partition
>   key will no longer be the owner domain of that set. Rather, the partition
>   key will always be the top-level domain that the cookie was created on.
>
> Blink component:
>
> Internals>Network>Cookies
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ECookies>
>
> TAG review:
>
> https://github.com/w3ctag/design-reviews/issues/654 (Supportive early
> review)
>
> https://github.com/w3ctag/design-reviews/issues/779 (Oct 19 specification
> review)
>
> Risks
>
> Interoperability and Compatibility
>
> Firefox: Positive <https://mozilla.github.io/standards-positions/#chips>
>
> WebKit: Supported incubation
> <https://github.com/privacycg/proposals/issues/30#issuecomment-1113257336>,
> Official position pending
> <https://github.com/WebKit/standards-positions/issues/50>
>
> Web developers: Developers have indicated that CHIPS does solve for many
> use cases that depend on access to cookies in cross-site contexts (1
> <https://github.com/privacycg/CHIPS/issues/8>, 2
> <https://github.com/privacycg/CHIPS/issues/30#issuecomment-1104225686>, 3
> <https://triplelift.com/privacy-hub/w3c-proposals-explained-privacy-with-a-side-of-chips/>).
> Through incubation, and the Origin Trial, we received feedback to improve
> ease-of-use, particularly to allow for easier migration of existing systems
> to use CHIPS. We believe we have satisfactorily resolved these concerns
> (see changes made listed under Summary section).
>
> Other signals:
>
> Ergonomics
>
> N/A
>
> Activation
>
> This feature introduces a new cookie attribute, Partitioned, which is
> opt-in only. Sites which do not set their cookies with Partitioned should
> not see any change in the browser's behavior when we ship.
>
> Security
>
> See S&P questionnaire for TAG
> <https://github.com/privacycg/CHIPS/blob/main/TAG-S%26P-questionnaire.md>
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
>
> This feature does not deprecate or change behavior of existing APIs. This
> feature is behind a killswitch.
>
> Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, Chrome OS, Android, and Android WebView)?
>
> Yes
>
> Is this feature covered by web platform tests?
>
> Yes
> <https://github.com/web-platform-tests/wpt/tree/master/cookies/partitioned-cookies>
>
> Flag name
>
> partitioned-cookies
>
> Requires code in //chrome?
>
> No
>
> Tracking bug:
>
> https://crbug.com/1225444
>
> Non-OSS dependencies
>
> Does the feature depend on any code or APIs outside the Chromium open
> source repository and its open-source dependencies to function?
>
> Not anymore than cookies already do now.
>
> Estimated milestones
>
> OriginTrial desktop last
>
> 106
>
> OriginTrial desktop first
>
> 100
>
> OriginTrial Android last
>
> 106
>
> OriginTrial Android first
>
> 100
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
>
> List of open issues: https://github.com/privacycg/CHIPS/issues
>
> Chrome Platform Status page:
>
> https://chromestatus.com/feature/5179189105786880
>
> Links to previous Intent discussions
>
> Intent to Prototype:
>
> https://groups.google.com/a/chromium.org/g/blink-dev/c/hvMJ33kqHRo/
>
> Intent to Experiment:
> https://groups.google.com/a/chromium.org/g/blink-dev/c/_dJFNJpf91U/m/YqP09XbbAgAJ
>
> Intent to Extend Experiment:
>
> https://groups.google.com/a/chromium.org/g/blink-dev/c/kZRtetS8jsY/m/ppK4kDbqAwAJ
>
> https://groups.google.com/a/chromium.org/g/blink-dev/c/MKQODOL0Fso/m/nZXI2dqwAQAJ
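A simplified model of the behaviour the quoted intent describes, as an added example that is not part of the original thread or Chromium's code: Partitioned cookies require Secure but not the `__Host-` prefix, are keyed by the top-level site they were created on, and are capped at 180 cookies and 10 KB per embedded site per top-level site. The class and function names, the reading of 10 KB as 10240 bytes of name plus value, and oldest-first eviction when a limit is exceeded are assumptions.

```javascript
// Added illustration: a simplified model, not Chromium's cookie store.
const MAX_COOKIES = 180;      // numeric limit quoted in the intent
const MAX_BYTES = 10 * 1024;  // "10 KB", read as 10240 bytes (assumption)
// Parse a Set-Cookie value into { name, value, attrs } or null if malformed.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const attrs = new Set(rest.map((a) => a.split('=')[0].toLowerCase()));
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Size of one jar, counted as UTF-8 bytes of name plus value (assumption).
function jarBytes(jar) {
  let total = 0;
  for (const [k, v] of jar) total += new TextEncoder().encode(k + v).length;
  return total;
}

class PartitionedJar {
  constructor() { this.jars = new Map(); } // "topLevelSite|embeddedSite" -> Map
  // Store a cookie set by embeddedSite while embedded under topLevelSite.
  set(topLevelSite, embeddedSite, header) {
    const c = parseSetCookie(header);
    const reject = (reason) => ({ stored: false, reason, evicted: [] });
    if (!c) return reject('malformed');
    if (!c.attrs.has('partitioned')) return reject('not-partitioned');
    if (!c.attrs.has('secure')) return reject('partitioned-requires-secure');
    const key = `${topLevelSite}|${embeddedSite}`;
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    const jar = this.jars.get(key);
    jar.delete(c.name);        // an overwrite becomes the newest entry
    jar.set(c.name, c.value);
    const evicted = [];        // oldest-first eviction is an assumption
    while (jar.size > MAX_COOKIES || jarBytes(jar) > MAX_BYTES) {
      const oldest = jar.keys().next().value;
      jar.delete(oldest);
      evicted.push(oldest);
    }
    const stored = jar.has(c.name);
    return { stored, reason: stored ? 'ok' : 'too-large', evicted };
  }

  // Cookies visible to embeddedSite when embedded under topLevelSite.
  get(topLevelSite, embeddedSite) {
    const jar = this.jars.get(`${topLevelSite}|${embeddedSite}`);
    return jar ? Object.fromEntries(jar) : {};
  }
}
```

The same embed under two different top-level sites reads from two separate jars, so a value stored under one is never returned under the other.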